Shilpa1
Staff
Article Id 192502

Description


This article describes how to verify the MAC addresses assigned to FortiGate interfaces.

Solution


1) The following commands display the current and permanent hardware addresses for a standalone FortiGate.
- Used without any option, the command below will list all interfaces available:

# diagnose hardware deviceinfo nic

Usage:

# diagnose hardware deviceinfo nic <nic name>

The following NICs are available:

port4-ha
port3
port2
port1

- Used with the interface name, the command will give the MAC address information:

# diagnose hardware deviceinfo nic port1
[...]
System_Device_Name port1
Current_HWaddr 00:09:0F:85:AD:8B
Permanent_HWaddr 00:09:0F:85:AD:8B
[...]

2) During HA operation, the current hardware address becomes the HA Virtual MAC address as shown below for a FortiGate in a cluster.

# diagnose hardware deviceinfo nic port1
[...]
System_Device_Name port1
Current_HWaddr 00:09:0F:09:00:00
Permanent_HWaddr 00:09:0F:85:AD:8B
[...]

Note 1: In the examples above, two MAC addresses are shown:

- Current_HWaddr: the current hardware address of the interface and the one seen on the network. This address can be changed from the CLI when the FortiGate is running in standalone mode.
- Permanent_HWaddr: the MAC address programmed by the NIC manufacturer for the vendor; also called the burnt-in MAC address. This address cannot be changed.

By default, the Current_HWaddr is the same as the Permanent_HWaddr.
When HA is configured in active-active or active-passive mode, the MAC addresses of all interfaces are replaced with the corresponding virtual MAC address (based on VDOM ID, port, and HA group).

Note 2: How to change a MAC address of a physical interface (standalone mode only):

# config system interface
    edit "port1"
        set macaddr 00:01:02:03:04:05
    next
end

Furthermore, the 'diagnose sys ha mac' command displays the physical and virtual MAC addresses of the interfaces on the Master and Backup HA cluster units.

FGT # diagnose sys ha mac

HA mac msg
serial#=FGXXXXXXXXXXXX1 Primary
prio=0, phy_index= 0, itf_name= mgmt, mac=90.6c.ac.fb.b3.75, vmac=00.09.0f.09.64.00, linkfail=0
prio=0, phy_index= 1, itf_name= ha, mac=90.6c.ac.fb.b3.74, vmac=00.09.0f.09.64.01, linkfail=0
prio=0, phy_index= 2, itf_name= wan1, mac=90.6c.ac.fb.b3.80, vmac=00.09.0f.09.64.02, linkfail=0
prio=0, phy_index= 3, itf_name= wan2, mac=90.6c.ac.fb.b3.81, vmac=00.09.0f.09.64.03, linkfail=0
prio=0, phy_index= 4, itf_name= port1, mac=90.6c.ac.fb.b3.82, vmac=00.09.0f.09.64.04, linkfail=0
prio=0, phy_index= 5, itf_name= port2, mac=90.6c.ac.fb.b3.83, vmac=00.09.0f.09.64.05, linkfail=0
prio=0, phy_index= 6, itf_name= port3, mac=90.6c.ac.fb.b3.84, vmac=00.09.0f.09.64.06, linkfail=1
prio=0, phy_index= 7, itf_name= port4, mac=90.6c.ac.fb.b3.85, vmac=00.09.0f.09.64.07, linkfail=1
prio=0, phy_index= 8, itf_name= port5, mac=90.6c.ac.fb.b3.86, vmac=00.09.0f.09.64.08, linkfail=1
prio=0, phy_index= 9, itf_name= port6, mac=90.6c.ac.fb.b3.87, vmac=00.09.0f.09.64.09, linkfail=1
prio=0, phy_index=10, itf_name= port7, mac=90.6c.ac.fb.b3.88, vmac=00.09.0f.09.64.0a, linkfail=1
prio=0, phy_index=11, itf_name= port8, mac=90.6c.ac.fb.b3.89, vmac=00.09.0f.09.64.0b, linkfail=1
prio=0, phy_index=12, itf_name= port9, mac=90.6c.ac.fb.b3.76, vmac=00.09.0f.09.64.0c, linkfail=1
prio=0, phy_index=13, itf_name=port10, mac=90.6c.ac.fb.b3.77, vmac=00.09.0f.09.64.0d, linkfail=1
prio=0, phy_index=14, itf_name=port11, mac=90.6c.ac.fb.b3.78, vmac=00.09.0f.09.64.0e, linkfail=1
prio=0, phy_index=15, itf_name=port12, mac=90.6c.ac.fb.b3.79, vmac=00.09.0f.09.64.0f, linkfail=1
prio=0, phy_index=16, itf_name=port13, mac=90.6c.ac.fb.b3.7a, vmac=00.09.0f.09.64.11, linkfail=1
prio=0, phy_index=17, itf_name=port14, mac=90.6c.ac.fb.b3.7b, vmac=00.09.0f.09.64.11, linkfail=1
prio=0, phy_index=18, itf_name=port15, mac=90.6c.ac.fb.b3.7c, vmac=00.09.0f.09.64.12, linkfail=1
prio=0, phy_index=19, itf_name=port16, mac=90.6c.ac.fb.b3.7d, vmac=00.09.0f.09.64.13, linkfail=1
prio=0, phy_index=20, itf_name=port17, mac=90.6c.ac.fb.b3.7e, vmac=00.09.0f.09.64.14, linkfail=1
prio=0, phy_index=21, itf_name=port18, mac=90.6c.ac.fb.b3.7f, vmac=00.09.0f.09.64.15, linkfail=1
serial#=FGXXXXXXXXXXXX2 Secondary
prio=1, phy_index= 0, itf_name= mgmt, mac=e8.1c.aa.aa.80.7f, vmac=--.--.--.--.--.--, linkfail=0
prio=1, phy_index= 1, itf_name= ha, mac=e8.1c.aa.aa.80.7e, vmac=--.--.--.--.--.--, linkfail=0
prio=1, phy_index= 2, itf_name= wan1, mac=e8.1c.aa.aa.80.8a, vmac=--.--.--.--.--.--, linkfail=0
prio=1, phy_index= 3, itf_name= wan2, mac=e8.1c.aa.aa.80.8b, vmac=--.--.--.--.--.--, linkfail=0
prio=1, phy_index= 4, itf_name= port1, mac=e8.1c.aa.aa.80.8c, vmac=--.--.--.--.--.--, linkfail=0
prio=1, phy_index= 5, itf_name= port2, mac=e8.1c.aa.aa.80.8d, vmac=--.--.--.--.--.--, linkfail=0
prio=1, phy_index= 6, itf_name= port3, mac=e8.1c.aa.aa.80.8e, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index= 7, itf_name= port4, mac=e8.1c.aa.aa.80.8f, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index= 8, itf_name= port5, mac=e8.1c.aa.aa.80.90, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index= 9, itf_name= port6, mac=e8.1c.aa.aa.80.91, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index=10, itf_name= port7, mac=e8.1c.aa.aa.80.92, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index=11, itf_name= port8, mac=e8.1c.aa.aa.80.93, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index=12, itf_name= port9, mac=e8.1c.aa.aa.80.80, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index=13, itf_name=port10, mac=e8.1c.aa.aa.80.81, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index=14, itf_name=port11, mac=e8.1c.aa.aa.80.82, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index=15, itf_name=port12, mac=e8.1c.aa.aa.80.83, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index=16, itf_name=port13, mac=e8.1c.aa.aa.80.84, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index=17, itf_name=port14, mac=e8.1c.aa.aa.80.85, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index=18, itf_name=port15, mac=e8.1c.aa.aa.80.86, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index=19, itf_name=port16, mac=e8.1c.aa.aa.80.87, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index=20, itf_name=port17, mac=e8.1c.aa.aa.80.88, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index=21, itf_name=port18, mac=e8.1c.aa.aa.80.89, vmac=--.--.--.--.--.--, linkfail=1
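
As an added example (not part of the original article and not Fortinet tooling), the Python below parses output in the 'diagnose sys ha mac' format shown above and attributes a MAC address seen on the network, for instance in a switch MAC table or packet capture, to a cluster unit, interface, and address type. The sample output is constructed and shortened, and the function names are hypothetical.

```python
import re

# Constructed sample in the `diagnose sys ha mac` format (shortened, placeholder serials).
SAMPLE = """\
HA mac msg
serial#=FGXXXXXXXXXXXX1 Primary
prio=0, phy_index= 4, itf_name= port1, mac=90.6c.ac.fb.b3.82, vmac=00.09.0f.09.64.04, linkfail=0
prio=0, phy_index= 6, itf_name= port3, mac=90.6c.ac.fb.b3.84, vmac=00.09.0f.09.64.06, linkfail=1
serial#=FGXXXXXXXXXXXX2 Secondary
prio=1, phy_index= 4, itf_name= port1, mac=e8.1c.aa.aa.80.8c, vmac=--.--.--.--.--.--, linkfail=0
prio=1, phy_index=13, itf_name=port10, mac=e8.1c.aa.aa.80.81, vmac=--.--.--.--.--.--, linkfail=1
"""

UNIT = re.compile(r"serial#=(\S+)\s+(\S+)")    # unit header: serial number and role
FIELD = re.compile(r"(\w+)=\s*([^,\s]+)")      # key=value pairs, optional padding after '='

def norm_mac(text):
    """Return a MAC as lowercase colon-separated hex, or None (e.g. for '--.--...')."""
    digits = re.sub(r"[.:\-]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_ha_mac(output):
    """Return one dict per interface line, tagged with the unit it belongs to."""
    rows, serial, role = [], None, None
    for line in output.splitlines():
        unit = UNIT.match(line.strip())
        if unit:
            serial, role = unit.groups()
            continue
        fields = dict(FIELD.findall(line))
        if serial is None or "itf_name" not in fields:
            continue  # banner, prompt or blank line
        rows.append({"serial": serial, "role": role, "itf": fields["itf_name"],
                     "mac": norm_mac(fields.get("mac", "")),
                     "vmac": norm_mac(fields.get("vmac", "")),
                     "linkfail": fields.get("linkfail") == "1"})
    return rows

def attribute(rows, observed):
    """List (serial, role, interface, kind) for each interface owning the observed MAC."""
    target = norm_mac(observed)
    return [(r["serial"], r["role"], r["itf"], kind)
            for r in rows
            for key, kind in (("mac", "physical"), ("vmac", "virtual"))
            if target is not None and r[key] == target]

for seen in ("00-09-0F-09-64-04", "e81c.aaaa.8081", "00:11:22:33:44:55"):
    print(seen, "->", attribute(parse_ha_mac(SAMPLE), seen) or "not a cluster interface")
```

An observed address that resolves to a "physical" entry rather than a "virtual" one is worth a second look on a clustered unit, since the article states that HA replaces the interface MAC addresses with the virtual ones.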

 

Related link:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-HA-Cluster-virtual-MAC-addresses/ta-p/1942...
