Contributor
April 17, 2009
Question

MAC address changes on default gateway -> sessions not updated

We have the following configuration at a customer: the default gateway of the Fortigate is a Checkpoint cluster. When a failover occurs on the Checkpoint cluster, the Fortigate seems to receive the change. I can see that the ARP table has been updated and the IP address of the default gateway points to the new MAC address of the other Checkpoint cluster member. New sessions are working properly, but existing sessions don't work anymore. It seems they are routed to the MAC address of the failed cluster member. I have to kill the session on the Fortigate or wait for the session timeout to occur. Is this behaviour by design? Shouldn't the Fortigate update all the sessions which point to the wrong MAC address?

    5 replies

    UkWizard
    New Member
    April 17, 2009
    This behaviour would be very odd, as the MAC is at the hardware level. Are you sure it's not the Checkpoint dropping the sessions during the failover? In the past when I worked on Checkpoints, they used to use a virtual MAC address anyway, so this couldn't happen. Does sound to me like the Checkpoint is the more likely culprit. Else it's a very bizarre fault.
    Contributor
    April 17, 2009
    I don't think it's Checkpoint, because TCP sessions (like SSH and HTTP) are working fine, but not ICMP. The customer is now trying with UDP (TFTP). It's reproducible: a Ping -t won't work after a Checkpoint failover anymore, but it starts to work again just after a manual session kill on the Fortigate. The Checkpoint doesn't seem to use a virtual MAC but a virtual IP. At a cluster failover I can see a MAC change on the gateway IP:

    normal
    10.19.219.4 0 00:0e:0c:80:c0:e4 port6 (virtual IP?)
    10.19.219.5 0 00:04:23:ce:01:00 port6 (member1)
    10.19.219.6 0 00:0e:0c:80:c0:e4 port6 (member2)

    Failover
    10.19.219.4 0 00:04:23:ce:01:00 port6
    10.19.219.5 0 00:04:23:ce:01:00 port6
    10.19.219.6 0 00:0e:0c:80:c0:e4 port6
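    Diffing the two ARP snapshots quoted in the post above, as an added Python example (not code from the thread or from Fortinet): it parses the FortiGate-style `ip age mac interface` lines, lists the entries whose MAC changed across the failover, and reports which cluster member's own MAC the virtual IP currently maps to. All addresses come from the post; the line-per-entry layout is the only assumption.

```python
"""Diff two ARP snapshots ("ip age mac interface" per entry) across a cluster failover."""
from typing import Dict, List, Optional

# Constructed input: the "normal" and "Failover" entries quoted in the post,
# re-split one entry per line.
ARP_NORMAL = """\
10.19.219.4 0 00:0e:0c:80:c0:e4 port6
10.19.219.5 0 00:04:23:ce:01:00 port6
10.19.219.6 0 00:0e:0c:80:c0:e4 port6
"""
ARP_FAILOVER = """\
10.19.219.4 0 00:04:23:ce:01:00 port6
10.19.219.5 0 00:04:23:ce:01:00 port6
10.19.219.6 0 00:0e:0c:80:c0:e4 port6
"""


def parse_arp(text: str) -> Dict[str, str]:
    """Map IP -> MAC (lower-cased), ignoring blank or malformed lines."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        table[fields[0]] = fields[2].lower()
    return table


def arp_changes(before: str, after: str) -> List[dict]:
    """Entries whose MAC differs between the two snapshots (added/removed too)."""
    old, new = parse_arp(before), parse_arp(after)
    return [
        {"ip": ip, "old_mac": old.get(ip), "new_mac": new.get(ip)}
        for ip in sorted(set(old) | set(new))
        if old.get(ip) != new.get(ip)
    ]


def vip_holder(vip: str, snapshot: str) -> Optional[str]:
    """Cluster member IP whose own MAC equals the VIP's MAC, or None if unknown."""
    table = parse_arp(snapshot)
    vip_mac = table.get(vip)
    for ip, mac in table.items():
        if ip != vip and mac == vip_mac:
            return ip
    return None


if __name__ == "__main__":
    for c in arp_changes(ARP_NORMAL, ARP_FAILOVER):
        print(f"{c['ip']}: {c['old_mac']} -> {c['new_mac']}")
    print("VIP held by", vip_holder("10.19.219.4", ARP_NORMAL),
          "before, by", vip_holder("10.19.219.4", ARP_FAILOVER), "after")
```

    Only the VIP entry changes; sessions set up before the failover that still carry the old next-hop MAC are exactly the ones the post describes as stuck until killed or timed out.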
    UkWizard
    New Member
    April 17, 2009
    I still think you will find this is a Checkpoint issue. Firewall failovers normally have limitations like this. If TCP is working fine, then surely the customer isn't going to notice anyway. You could do a packet sniff on the internal interface of the Fortinet; this will prove whether it's even seeing the traffic coming in.
    Contributor
    April 17, 2009
    I'll try sniffing next week... ("diag sniffer packet" if I remember?)
    red_adair
    New Member
    April 21, 2009
    "Normally" a cluster should send out a GARP when switchover occurs. I also recall that CHKPT _can_ use some strange multicast-based HA (unicast IP with multicast MAC), although in your example they look unicast :) When sniffing, keep an eye on ARPs to see if a GARP is being sent out. Otherwise it's "normal" that the FGT will not relearn the address until the MAC table times out. You can verify this by manually clearing the ARP cache on the FGT after the CHKPT failover happens. -R.