FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes how to resolve an HA virtual MAC address conflict that occurs when more than one HA cluster exists in the same system, and how to configure and operate more than one HA cluster in the same network environment.
When more than one HA cluster operates in the same network, a FortiGate may fail to join the expected HA cluster, or two clusters may present the same HA virtual MAC addresses on their interfaces. The virtual MAC addresses are derived from the HA group-id, so two clusters left at the same group-id put duplicate MAC addresses on the same layer-2 network, and switches and hosts then see one address behind two devices.
For a different reason, multiple HA clusters operating under the same Security Fabric also require unique HA group-ids, even when they do not reside on the same network.
Example: there are four FortiGates, A, B, C, and D. A and B form cluster HA1 (A is the active unit); C and D form cluster HA2 (C is the active unit). Both clusters use the same HA group-id, so units A and C, the active units of two different clusters, present the same virtual MAC addresses. To fix this, give HA1 and HA2 different group-ids with the CLI commands below.
Start with the passive units (B and D). Changing the group-id takes a unit out of its cluster, so management access to B and D through the cluster is lost until the group-id has also been changed on the active units A and C and each cluster re-forms. Make the change from the console or a dedicated management interface so that access does not depend on the cluster.
At the HA1 FortiGate (repeat at HA2 with a different value):

config system ha
    set group-id XX    <----- XX is an integer from 0 to 255; HA1 and HA2 must use different values
end

At the HA1 FortiGate with VDOMs enabled (repeat at HA2 with a different value):

config global
    config system ha
        set group-id XX    <----- XX is an integer from 0 to 255; HA1 and HA2 must use different values
    end
end

Because the group-id is part of the virtual MAC address, changing it changes the virtual MAC of every cluster interface. Neighbouring switches and hosts must learn the new addresses, so expect a short interruption of traffic through the cluster. After both clusters have re-formed, confirm with 'get system ha status' that each cluster again shows both members, and with 'diagnose hardware deviceinfo nic <port>' that the Current_HWaddr reported on A and on C for the same port are now different.
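The following script is an added example, not part of the Fortinet article or of FortiOS: it models how the HA virtual MAC address is derived from the group-id, shows why two clusters at the same group-id collide, and generalises the two-cluster fix to any number of clusters on one network by assigning each a distinct group-id. It assumes the virtual MAC format documented for the first virtual cluster, 00:09:0f:09:<group-id>:<interface index> (a second virtual cluster alters the last octet and is not modelled), the default group-id of 0, and constructed cluster names and interface indexes.

```python
# Added example, not part of the Fortinet article: model how the FGCP HA
# virtual MAC address is derived from the HA group-id, then check a set of
# clusters for address collisions and assign distinct group-ids.
#
# Assumption: for the first virtual cluster, each cluster interface carries
#     00:09:0f:09:<group-id>:<interface-index>   (both values in hex)
# which is the format documented in the FortiOS HA guide. A second virtual
# cluster alters the last octet and is not modelled here. Cluster names and
# interface indexes below are constructed for the example.

HA_MAC_PREFIX = (0x00, 0x09, 0x0F, 0x09)
MAX_GROUP_ID = 255  # range accepted by 'set group-id' in the article


def ha_virtual_mac(group_id: int, if_index: int) -> str:
    """Return the HA virtual MAC for one cluster interface."""
    if not 0 <= group_id <= MAX_GROUP_ID:
        raise ValueError(f"group-id {group_id} outside 0-{MAX_GROUP_ID}")
    if not 0 <= if_index <= 255:
        raise ValueError("interface index must fit in one octet")
    return ":".join(f"{o:02x}" for o in HA_MAC_PREFIX + (group_id, if_index))


def find_conflicts(clusters: dict) -> list:
    """clusters maps cluster name -> (group_id, [interface indexes]).

    Returns one (mac, (cluster, ifidx), (cluster, ifidx)) tuple per virtual
    MAC that two clusters would both present on the same network.
    """
    seen = {}
    conflicts = []
    for name, (group_id, if_indexes) in clusters.items():
        for idx in if_indexes:
            mac = ha_virtual_mac(group_id, idx)
            if mac in seen:
                conflicts.append((mac, seen[mac], (name, idx)))
            else:
                seen[mac] = (name, idx)
    return conflicts


def assign_unique_group_ids(clusters: dict) -> dict:
    """Keep a cluster's group-id when no earlier cluster uses it, otherwise
    move the cluster to the lowest free group-id. This generalises the
    two-cluster fix in the article to any number of clusters on one network.
    """
    used = set()
    fixed = {}
    for name, (group_id, if_indexes) in clusters.items():
        if group_id in used:
            free = [g for g in range(MAX_GROUP_ID + 1) if g not in used]
            if not free:
                raise RuntimeError("no free HA group-id left")
            group_id = free[0]
        used.add(group_id)
        fixed[name] = (group_id, list(if_indexes))
    return fixed


if __name__ == "__main__":
    # Scenario from the article: HA1 (A/B) and HA2 (C/D) both at the default
    # group-id 0, each using port1..port3 (indexes 0..2, constructed values).
    before = {"HA1": (0, [0, 1, 2]), "HA2": (0, [0, 1, 2])}
    for mac, first, second in find_conflicts(before):
        print(f"conflict {mac}: {first} vs {second}")
    after = assign_unique_group_ids(before)
    for name, (gid, idxs) in after.items():
        print(name, "group-id", gid, [ha_virtual_mac(gid, i) for i in idxs])
    assert not find_conflicts(after)
```

Running the script lists three colliding addresses for the article's scenario (one per interface) and then shows HA1 kept at group-id 0 and HA2 moved to group-id 1, after which no interface address is shared. The same check applies to clusters in one Security Fabric: feed every cluster into find_conflicts before choosing group-ids rather than relying on the default.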