acp
Staff
September 5, 2016

Technical Tip: Transparent mode with VRRP, HSRP or Network Load Balancer


Description

This article describes how to configure a FortiGate in transparent mode when a VRRP, HSRP, or Network Load Balancer virtual MAC address exists in the network.

Scope

FortiGate.

Solution

When a VRRP, HSRP, or Network Load Balancer exists in the network with a FortiGate in Transparent mode, a static MAC entry may be required.
When a client sends an ARP request to retrieve a MAC address, those devices may respond with an ARP reply that carries the virtual MAC address in the ARP payload (the sender hardware address). However, the Ethernet header of that same ARP reply carries the physical MAC address as the source MAC address.

Because the FortiGate MAC address table is updated with the physical MAC address and the virtual MAC remains unknown, a frame that arrives at the FortiGate destined for the virtual MAC is flooded to all ports as an 'unknown destination MAC'.

Because of this, FortiGate does not create a session, meaning there is no stateful firewall session entry. This can cause issues including (but not limited to) reply packet drops and an inability to perform an antivirus scan.

To prevent this behavior, configure a static MAC entry on the FortiGate. This informs the FortiGate which interface the virtual MAC is connected to.

Related CLI and configuration example.

Solution 1:
  • The 'config system mac-address-table' command allows the configuration of a static MAC entry.

Syntax.

config system mac-address-table
    edit <mac-address_hex>
        set interface <if_name>
        set reply-substitute <mac-address_hex>
    next
end

Note: This command is available only if the VDOM is in Transparent mode and is only allowed if the interface is in forward domain 0, which is the default behavior.

Solution 2:
  • Disable src-check on the port that is connected to the HSRP device.

config system interface
    edit <interface>
        set src-check disable
    next
end

In some cases, this change becomes necessary after upgrading from the 6.4 branch to 7.x. FortiOS 6.4 may not offload multicast traffic in transparent mode. Beginning with FortiOS 7, certain multicast traffic, such as HSRP or VRRP, is offloaded to the NP, preventing the kernel from processing these packets and updating the MAC address table.

Consequently, the virtual MAC entry expires after five minutes due to the kernel's lack of visibility of periodic multicast advertisements. When the MAC entry expires, existing sessions continue to pass traffic, but new sessions cannot be established. These new connection attempts are dropped by the FortiGate with a 'No session matched' error.

If a firewall policy is modified, the FortiGate re-evaluates the active sessions governed by that policy. During this process, it may repopulate the MAC address table using information learned from still-active sessions.

To resolve this issue, configure a multicast firewall policy that matches HSRP traffic and disable hardware offloading so that multicast packets remain visible to the kernel.

config firewall multicast-address
    edit "224.0.0.x_HSRP"
        set start-ip 224.0.0.x        <----- 224.0.0.2 for HSRPv1, 224.0.0.102 for HSRPv2.
        set end-ip 224.0.0.x
    next
end

config firewall multicast-policy
    edit 0
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "224.0.0.x_HSRP"
        set auto-asic-offload disable
    next
end
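The following is an added example, not part of this article or of FortiOS: it parses a constructed ARP reply, detects the mismatch described above (Ethernet source MAC = physical MAC, ARP sender hardware address = a VRRP/HSRP virtual MAC), and emits the static MAC entry and the multicast policy stanzas from this article. The interface name 'port1', the sample MACs and the policy name are assumed values; the virtual-MAC prefixes and multicast groups are the protocols' standard ones.

```python
import struct

# Standard virtual-MAC prefixes: VRRP 00:00:5e:00:01:{VRID} (RFC 5798),
# HSRPv1 00:00:0c:07:ac:{group}, HSRPv2 00:00:0c:9f:f{group, 12 bits}.
def classify_virtual_mac(mac: bytes):
    if mac[:5] == bytes.fromhex("00005e0001"):
        return "vrrp"
    if mac[:5] == bytes.fromhex("00000c07ac"):
        return "hsrpv1"
    if mac[:4] == bytes.fromhex("00000c9f") and mac[4] >> 4 == 0xF:
        return "hsrpv2"
    return None  # an ordinary unicast MAC, nothing special to pin

# Multicast group each protocol advertises on (the article lists the HSRP ones).
MCAST_GROUP = {"hsrpv1": "224.0.0.2", "hsrpv2": "224.0.0.102", "vrrp": "224.0.0.18"}

def parse_arp_reply(frame: bytes):
    """Return (ethernet_src, arp_sender_mac) from an Ethernet II ARP reply."""
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    hdr = struct.unpack("!HHBBH", frame[14:22])   # htype, ptype, hlen, plen, oper
    if ethertype != 0x0806 or hdr != (1, 0x0800, 6, 4, 2):
        raise ValueError("not an Ethernet/IPv4 ARP reply")
    return src, frame[22:28]

def static_mac_entry(frame: bytes, interface: str):
    """Emit the article's static MAC stanza when the ARP payload carries a virtual
    MAC that differs from the Ethernet source MAC the bridge will learn; else None."""
    src, sender_mac = parse_arp_reply(frame)
    proto = classify_virtual_mac(sender_mac)
    if proto is None or src == sender_mac:
        return None  # bridge learns the right MAC by itself
    mac = ":".join(f"{b:02x}" for b in sender_mac)
    return proto, (f"config system mac-address-table\n    edit {mac}\n"
                   f"        set interface {interface}\n    next\nend")

def multicast_policy(proto: str, name: str) -> str:
    """Multicast address + policy stanzas from the article, ASIC offload disabled."""
    ip = MCAST_GROUP[proto]
    return (f"config firewall multicast-address\n    edit \"{name}\"\n"
            f"        set start-ip {ip}\n        set end-ip {ip}\n    next\nend\n"
            f"config firewall multicast-policy\n    edit 0\n        set srcintf \"any\"\n"
            f"        set dstintf \"any\"\n        set srcaddr \"all\"\n"
            f"        set dstaddr \"{name}\"\n        set auto-asic-offload disable\n"
            "    next\nend")

# Constructed sample: Ethernet source is the router's physical NIC (00:11:22:33:44:55),
# but the ARP sender hardware address is the HSRPv1 group 10 virtual MAC.
SAMPLE_ARP_REPLY = (bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455")
                    + struct.pack("!H", 0x0806) + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
                    + bytes.fromhex("00000c07ac0a") + bytes([10, 0, 0, 1])    # sender MAC/IP
                    + bytes.fromhex("aabbccddeeff") + bytes([10, 0, 0, 50]))  # target MAC/IP
```

Calling static_mac_entry(SAMPLE_ARP_REPLY, "port1") returns the HSRPv1 classification together with the stanza pinning 00:00:0c:07:ac:0a to port1; a reply whose Ethernet source already equals the virtual MAC returns None.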

 

Related document:

Mirroring SSL traffic in policies - FortiGate administration guide