FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
tnaik
Staff
Staff
Article Id 195893
Description
This article describes the Virtual MAC (VMAC) changes post major firmware version upgrade in HA cluster.

Solution
Please refer below document for calculating VMAC:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-high-availability-52/HA_failoverVMAC...

While upgrading the major firmware versions in FortiGate like 5.4 to 5.6 or 5.6 to 6.0, it is possible to see virtual MAC address changes.

Below is the CLI output showing current VMAC for firmware Major Version 5.4 with VMAC address for primary as 00:09:0f:09:00:16
Primary FortiGate before upgrade:
Fortigate-100D-Primary # get sys status
Version: FortiGate-100D v5.4.10,build1220,180821 (GA)
Fortigate-100D-Primary # get hardware nic  wan1
Driver_Name            e1000e
Driver_Version              3.2.4.2-NAPI
MAC_Type                    3
IRQ                                       16
System_Device_Name          wan1
Current_HWaddr        00:09:0f:09:00:16
Permanent_HWaddr        00:09:0f:9d:5d:8e
Fortigate-100D-Primary (ha) # show full | grep group-id
    set group-id 10
After upgrading the FortiGate from major version 5.4 to 5.6, the primary FortiGate changed VMAC as 00:09:0f:09:0a:16.

Primary FortiGate Unit After upgrade:

Fortigate-100D-Primary # get sys status
Version: FortiGate-100D v5.6.9,build1673,190513 (GA)
Fortigate-100D-Primary # get hardware nic wan1
Driver_Name            e1000e
Driver_Version              3.2.4.2-NAPI
MAC_Type                    3
IRQ                                        16
System_Device_Name          wan1
Current_HWaddr        00:09:0f:09:0a:16
Permanent_HWaddr        00:09:0f:9d:5d:8e
Fortigate-100D-Primary (ha) # show full | grep group-id
    set group-id 10
It is an expected behavior that VMAC will change post major firmware version upgrade in HA cluster.
Note.
Virtual mac address calculation has been once again changed in 6.0.2 GA and 6.2.0 GA, any previous FOS will encounter this behavior when they upgrade and pass this releases. However, the behavior will not be present  when upgrading from 6.0.2 or later to newer builds.

For best practice refer to the KB in the field 'Related Articles'.


Related Articles

Technical Tip: HA Cluster virtual MAC addresses

Contributors