FortiGate
lmateus
Staff
Article Id 195636

Description
When troubleshooting connectivity issues through a FortiGate, the output of the "diagnose debug flow" command may show that every session from a host is dropped because the host's MAC address has been blacklisted.

Example :

2010-03-20 07:10:53 id=36870 trace_id=30 func=resolve_ip_tuple_fast line=3273 msg="vd-root received a packet(proto=17, 10.40.144.11:123->10.132.2.21:123) from internal."
2010-03-20 07:10:53 id=36870 trace_id=30 func=resolve_ip_tuple line=3395 msg="allocate a new session-00000ca5"
2010-03-20 07:10:53 id=36870 trace_id=30 func=vf_ip4_route_input line=1609 msg="find a route: gw-10.8.40.1 via wan1"
2010-03-20 07:10:53 id=36870 trace_id=30 func=fw_forward_handler line=299 msg="HWaddr-30:00:01:02:03:04 is in black list, drop"

A traffic violation message is logged by the FortiGate at the same time (traffic log):

device_id=FWF50B3G08500642 log_id=3 subtype=violation type=traffic timestamp=1269964125 pri=warning itime=1269964124 vd=root src=10.40.144.11 srcname=10.40.144.11 src_port=123 dst=10.132.2.21 dstname=10.132.2.21 dst_port=123 service=123/udp proto=17 app_type=N/A duration=0 rule=0 policyid=0 sent=0 rcvd=0 src_int=internal dst_int=wan1 SN=2169 carrier_ep=N/A vpn=N/A status=deny user=N/A group=N/A

Scope

Solution
This is caused by the ipmacbinding feature being enabled on the FortiGate ingress interface while a DHCP server is also configured on that same interface.

In this example:

config system interface
    edit "internal"
        set vdom "root"
        set ip 10.40.144.70 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set gwdetect enable
        set detectserver "10.40.100.70"
        set ipmac enable      <<<<<<<<
        set type physical
        set alias "LAN-Office"
    next
end


*and*

config system dhcp server
    edit "LAN"
        set default-gateway 10.40.144.70
        set dns-server1 10.40.100.60
        set domain "lab.com"
        set interface "internal"
        set netmask 255.255.255.0
        set end-ip 10.40.144.200
        set start-ip 10.40.144.100
    next
end



With this configuration, the ipmacbinding table is populated automatically with every DHCP client on the internal network. Any other host on that interface that uses a static IP configuration has its MAC address "blacklisted" by the FortiGate, and all of its sessions are dropped.


There are two ways to fix the problem:

1 - Disable ipmac on the internal interface:

config system interface
    edit internal
        unset ipmac
    next
end



OR...

2 - Create manual entries in the ipmacbinding table for each host with a static IP address in the network. For example:

config firewall ipmacbinding table
    edit 1
        set ip 10.40.144.11
        set mac 30:01:02:03:04:05
        set name my_network_device
        set status enable
    next
end
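To spot this symptom across a larger debug-flow capture and to build the option 2 table from a host inventory, here is an added Python example (not part of the article, not FortiOS code): it parses the debug flow and traffic log lines quoted above, reports each session dropped for a blacklisted MAC, flags the matching traffic-log violation, and renders the ipmacbinding CLI block from a list of static hosts. The function names, the host list shape and the MAC format check are my own assumptions.

```python
import re
from typing import Dict, List, Sequence, Tuple
# Debug-flow and traffic-log lines copied from the article above.
DEBUG_FLOW = """\
2010-03-20 07:10:53 id=36870 trace_id=30 func=resolve_ip_tuple_fast line=3273 msg="vd-root received a packet(proto=17, 10.40.144.11:123->10.132.2.21:123) from internal."
2010-03-20 07:10:53 id=36870 trace_id=30 func=resolve_ip_tuple line=3395 msg="allocate a new session-00000ca5"
2010-03-20 07:10:53 id=36870 trace_id=30 func=vf_ip4_route_input line=1609 msg="find a route: gw-10.8.40.1 via wan1"
2010-03-20 07:10:53 id=36870 trace_id=30 func=fw_forward_handler line=299 msg="HWaddr-30:00:01:02:03:04 is in black list, drop"
"""
TRAFFIC_LOG = 'device_id=FWF50B3G08500642 log_id=3 subtype=violation type=traffic timestamp=1269964125 pri=warning itime=1269964124 vd=root src=10.40.144.11 srcname=10.40.144.11 src_port=123 dst=10.132.2.21 dstname=10.132.2.21 dst_port=123 service=123/udp proto=17 app_type=N/A duration=0 rule=0 policyid=0 sent=0 rcvd=0 src_int=internal dst_int=wan1 SN=2169 carrier_ep=N/A vpn=N/A status=deny user=N/A group=N/A'
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value; quoted values may contain spaces
_TUPLE = re.compile(r'\(proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\)')
_BLACKLIST = re.compile(r'HWaddr-([0-9A-Fa-f:]{17}) is in black list')

def parse_kv(line: str) -> Dict[str, str]:
    """Tokenise one FortiOS log or debug line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def blacklist_drops(debug_flow: str) -> List[Dict[str, str]]:
    """Per trace_id, pair the received packet tuple with a black-list drop, if any."""
    traces: Dict[str, Dict[str, str]] = {}
    for line in debug_flow.splitlines():
        kv = parse_kv(line)
        if "trace_id" not in kv:
            continue
        t = traces.setdefault(kv["trace_id"], {"trace_id": kv["trace_id"]})
        msg = kv.get("msg", "")
        m = _TUPLE.search(msg)
        if m:
            t.update(proto=m.group(1), src=m.group(2), dst=m.group(3))
        m = _BLACKLIST.search(msg)
        if m:
            t["mac"] = m.group(1).lower()
    return [t for t in traces.values() if "mac" in t]

def is_ipmac_violation(line: str) -> bool:
    """Traffic-log signature of the same drop: a denied violation that matched no policy."""
    kv = parse_kv(line)
    return (kv.get("type"), kv.get("subtype"), kv.get("status"), kv.get("policyid")) \
        == ("traffic", "violation", "deny", "0")

def ipmacbinding_config(hosts: Sequence[Tuple[str, str, str]]) -> str:
    """Render option 2: one ipmacbinding table entry per (ip, mac, name) static host."""
    out = ["config firewall ipmacbinding table"]
    for idx, (ip, mac, name) in enumerate(hosts, start=1):
        if not re.fullmatch(r'([0-9a-f]{2}:){5}[0-9a-f]{2}', mac.lower()):
            raise ValueError(f"bad MAC for {name}: {mac}")  # assumed colon-separated format
        out += [f"    edit {idx}", f"        set ip {ip}", f"        set mac {mac.lower()}",
                f"        set name {name}", "        set status enable", "    next"]
    out.append("end")
    return "\n".join(out)
```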



For more information about the ipmacbinding feature, consult the CLI guide.

Related Articles

Troubleshooting Tip : First steps to troubleshoot connectivity problems to or through a FortiGate wi...