FortiGate
mbanica
Staff
Article Id 427871
Description

This article describes how modifying the high availability (HA) group-id in a FortiGate cluster directly changes the virtual MAC addresses (VMACs) used by the cluster, and why the resulting effect on Layer-2 forwarding must be considered during maintenance. FortiGate HA virtual MAC addresses are derived from the configured HA group-id; therefore a group-id change results in a new set of VMACs being installed on all cluster traffic interfaces.

Scope

This article applies to FortiGate HA clusters operating in active-passive mode (FGCP). The information is relevant when planning or executing changes to the HA group-id in production environments where the cluster is connected to Layer-2 switches.
Solution

This section describes how the virtual MAC addresses are determined in FortiGate HA:

FortiGate HA uses virtual MAC addresses for the traffic interfaces on the primary unit. These VMACs are determined algorithmically from the HA group-id, cluster parameters and the interface index. The group-id value is converted to hexadecimal and incorporated into the virtual MAC address format used by FGCP.

FG10E1-2 # config system ha
FG10E1-2 (ha) # set group-id
group-id Enter an integer value from <0> to <1023>.


When the HA group-id is changed:

  1. All HA virtual MAC addresses currently in use by the cluster are recalculated
  2. The primary unit installs the new VMACs on its interfaces
  3. This operation occurs regardless of whether a secondary unit is connected
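To plan the change described above, the expected VMACs for the old and the new group-id can be computed in advance and compared with what each interface reports after the commit. The Python example below is added here and is not code from the article or from Fortinet; it assumes the FortiOS-documented FGCP format 00:09:0f:09:<group-id hex>:<vcluster digit><interface index hex digit> (modelled only for group-id 0 to 255, with the interface index taken as list position) and the Current_HWaddr field of `diagnose hardware deviceinfo nic <port>` output.

```python
"""Pre-compute FGCP virtual MACs before and after an HA group-id change.

Assumed format (this example's assumption, from FortiOS docs, group-id 0..255):
    00:09:0f:09:<group-id hex>:<vcluster digit><interface index hex digit>
The vcluster digit is 0 for virtual cluster 1 and 2 for virtual cluster 2.
"""
import re

VCLUSTER_DIGIT = {1: 0, 2: 2}


def ha_vmac(group_id, iface_index, vcluster=1):
    """Expected VMAC of one traffic interface on the primary unit."""
    if not 0 <= group_id <= 255:
        # 256..1023 are valid group-ids but use an encoding not modelled here.
        raise ValueError("only group-id 0..255 is modelled by this example")
    if not 0 <= iface_index <= 15:
        raise ValueError("interface index must be 0..15")
    last_byte = VCLUSTER_DIGIT[vcluster] * 16 + iface_index
    return f"00:09:0f:09:{group_id:02x}:{last_byte:02x}"


def vmac_change_plan(old_gid, new_gid, interfaces, vcluster=1):
    """Map interface name -> (VMAC now, VMAC after the group-id change).
    Assumption: list position is the interface index (port1 -> 0, port2 -> 1)."""
    return {name: (ha_vmac(old_gid, i, vcluster), ha_vmac(new_gid, i, vcluster))
            for i, name in enumerate(interfaces)}


def current_hwaddr(diag_output):
    """Pull Current_HWaddr from 'diagnose hardware deviceinfo nic <port>' text."""
    m = re.search(r"Current_HWaddr\s+([0-9a-fA-F:]{17})", diag_output)
    return m.group(1).lower() if m else None


def verify_after_change(plan, diag_by_port):
    """Interfaces whose observed MAC is not yet the expected new VMAC."""
    return [port for port, (_, new) in plan.items()
            if current_hwaddr(diag_by_port.get(port, "")) != new]


if __name__ == "__main__":
    # Constructed scenario: group-id 10 -> 200, two traffic ports.
    plan = vmac_change_plan(10, 200, ["port1", "port2"])
    for port, (old, new) in plan.items():
        print(f"{port}: {old} -> {new}")
    # Constructed post-change output: port2 still reports the old VMAC.
    observed = {"port1": "Current_HWaddr 00:09:0f:09:c8:00\n",
                "port2": "Current_HWaddr 00:09:0f:09:0a:01\n"}
    print("not yet on new VMAC:", verify_after_change(plan, observed))
```

Running the plan before the maintenance window gives the switch team the exact old and new MAC pairs to expect on each port, and the verify step flags any interface that has not picked up the new VMAC after the commit.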

This section describes the Layer-2 forwarding impact:

Because the HA VMAC, not the interface's hardware MAC address, is what neighboring devices see on the network, replacing the group-id and committing the change causes the MAC addresses seen on all FortiGate traffic interfaces to change.

Layer-2 switches connected to those interfaces will:

  1. Detect the new MAC addresses immediately after the commit
  2. Age out or flush the old MAC entries for the affected ports
  3. Relearn the new MAC addresses on the relevant VLANs

During this MAC relearning process, traffic forwarding pauses until the switches update their MAC tables and complete ARP resolution. The MAC change is a deterministic outcome of a group-id update; it always influences Layer-2 forwarding in any broadcast domain where the FortiGate cluster interfaces are connected.

This section describes the operational impact of changing the HA group-id:

Because a group-id change inherently modifies the VMACs on all traffic interfaces, it must be treated as a planned, disruptive change within a maintenance window.

The operational impact includes:

  1. Brief loss of connectivity on managed interfaces until MAC tables are updated.
  2. Reestablishment of ARP state and forwarding entries on connected Layer-2 devices.
  3. Potential disruption of stateful sessions (for example, SSL VPN) during the transition.

Related articles:

Technical Tip: HA Cluster virtual MAC addresses

Technical Tip: Verifying physical and HA Virtual MAC addresses of FortiGate interfaces
