FortiGate
acvaldez (Staff)
Article Id 253937

Description

This article demonstrates, via packet capture, how an FGCP High Availability cluster informs the layer 2 switch of the virtual MAC address of the new master (primary) FortiGate during an HA failover by sending gratuitous ARP.

Scope

FortiGate.

Solution

Scenario:
Consider two FortiGates configured in an FGCP High Availability cluster, with gratuitous ARP enabled in the HA configuration. The goal is to trigger a failover from FGT_1 (the current master) to FGT_2 and observe the gratuitous ARP that FGT_2 sends. The number of gratuitous ARPs and the interval between them are controlled by the 'arps' and 'arps-interval' settings under 'config system ha'.

 

FGT_1:

 

- Gratuitous ARP is enabled:

 

FGT_1 (global) # config sys ha

FGT_1 (ha) # get | grep -f grat

gratuitous-arps     : enable  <---

FGT_1 (ha) #

 

- Port4 device info (port4 is the LAN interface in this scenario). On FGT_1, the current master, HWaddr shows the HA virtual MAC address 00:09:0f:09:64:03, which differs from the burned-in address in Permanent Hwaddr:

 

FGT_1 (global) # diag hard deviceinfo nic port4

Name:            port4

Driver:          virtio_net

Version:         1.0.0

Bus:             0000:00:09.0

HWaddr:          00:09:0f:09:64:03  <-

Permanent Hwaddr:00:4b:61:6e:0b:04

State:           up

Link:            up

Mtu:             1500

Supported:

Advertised:

Auto:            disabled

RX Ring:                 256

TX Ring:                 256

Rx packets:              154

Rx bytes:                9250

Rx compressed:           0

Rx dropped:              0

Rx errors:               0

  Rx Length err:         0

  Rx Buf overflow:       0

  Rx Crc err:            0

  Rx Frame err:          0

  Rx Fifo overrun:       0

  Rx Missed packets:     0

Tx packets:              6

Tx bytes:                394

Tx compressed:           0

Tx dropped:              0

Tx errors:               0

  Tx Aborted err:        0

  Tx Carrier err:        0

  Tx Fifo overrun:       0

  Tx Heartbeat err:      0

  Tx Window err:         0

Multicasts:              0

Collisions:              0

 

- Port 4 interface IP address:

 

FGT_1 (root) # show sys inter port4

    # config system interface

        edit "port4"

            set vdom "root"

            set ip 10.116.2.86 255.255.240.0  <-

            set allowaccess ping https ssh http telnet

            set type physical

            set snmp-index 4

        next

    end

 

 

FGT_2:

 

- Gratuitous ARP is enabled:

 

FGT_2 (global) # config sys ha

FGT_2 (ha) # get | grep -f grat

gratuitous-arps     : enable  <---

FGT_2 (ha) #

 

- Port4 device info (port4 is the LAN interface in this scenario). On FGT_2, the current subordinate, HWaddr still equals Permanent Hwaddr, 00:41:6c:7a:0c:04: the subordinate unit keeps using its own burned-in MAC address until it becomes master and takes over the cluster virtual MAC 00:09:0f:09:64:03 seen on FGT_1:

 

FGT_2 (root) # sudo global diag hard deviceinfo nic port4

Name:            port4

Driver:          virtio_net

Version:         1.0.0

Bus:             0000:00:09.0

HWaddr:          00:41:6c:7a:0c:04  <-

Permanent Hwaddr:00:41:6c:7a:0c:04

State:           up

Link:            up

Mtu:             1500

Supported:

Advertised:

Auto:            disabled

RX Ring:                 256

TX Ring:                 256

Rx packets:              73316

Rx bytes:                5883076

Rx compressed:           0

Rx dropped:              0

Rx errors:               0

  Rx Length err:         0

  Rx Buf overflow:       0

  Rx Crc err:            0

  Rx Frame err:          0

  Rx Fifo overrun:       0

  Rx Missed packets:     0

Tx packets:              26

Tx bytes:                1920

Tx compressed:           0

Tx dropped:              0

Tx errors:               0

  Tx Aborted err:        0

  Tx Carrier err:        0

  Tx Fifo overrun:       0

  Tx Heartbeat err:      0

  Tx Window err:         0

Multicasts:              0

Collisions:              0

 

- Port 4 interface IP address:

 

FGT_2 (root) # show sys inter port4

    # config system interface

        edit "port4"

            set vdom "root"

            set ip 10.116.2.86 255.255.240.0  <-

            set allowaccess ping https ssh http telnet

            set type physical

            set snmp-index 4

        next

    end

 

In this example, the sniffer is started on FGT_2 with 'diag sniff packet port4 '' 6 0 a' (verbosity 6, so the Ethernet header and the sender MAC address are shown; packet count 0 for unlimited; absolute timestamps), and a failover from FGT_1 to FGT_2 is then triggered. Using the filter 'arp' instead of an empty filter limits the output to ARP frames only.

 

The screenshot below shows the sniffer output on FGT_2. After the failover, FGT_2 sends gratuitous ARP frames for 10.116.2.86 with the cluster virtual MAC as the sender hardware address. The layer 2 switch learns that virtual MAC on the port connected to FGT_2 and updates its MAC address table, and hosts on the LAN refresh their ARP cache entry for 10.116.2.86, so traffic is forwarded to FGT_2, the newly elected master, without waiting for the old entries to age out. To confirm the takeover, run 'diag hard deviceinfo nic port4' on FGT_2 again after the failover: HWaddr should now show the virtual MAC instead of the permanent address.

 

[Screenshot: sniffer output on FGT_2 showing the gratuitous ARP frames for 10.116.2.86 sent after the failover]
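To check the same thing programmatically, for example against a pcap taken on a SPAN port during a failover test, the following added example (not part of the original article or of FortiOS) decodes raw Ethernet/ARP frames, identifies the gratuitous ones (sender IP equals target IP, sent to broadcast, in either the request or reply form), and maps each announced IP to the MAC that announced it. It also computes the virtual MAC that FGCP is expected to use for virtual cluster 1, following the documented formula 00:09:0f:09:<group-id hex>:<interface index>; the group ID 100 (0x64) and the index 3 for port4 are inferred from the MAC shown in the article and are assumptions, as are the host MAC and IP in the sample frames, which are constructed here rather than taken from a real capture.

```python
"""Added example: decode ARP frames captured after an FGCP failover and
report the gratuitous ARPs that carry the cluster virtual MAC."""
import struct

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(frame: bytes):
    """Return the Ethernet/ARP fields of an IPv4-over-Ethernet ARP frame, or None otherwise."""
    if len(frame) < ETH.size + ARP.size:
        return None
    dst, src, etype = ETH.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_dst": mac_str(dst), "eth_src": mac_str(src), "op": op,
        "sha": mac_str(sha), "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa),
    }


def is_gratuitous(arp: dict) -> bool:
    """A gratuitous ARP announces the sender's own address: sender IP equals
    target IP and the frame is broadcast. Opcode 1 (request) and 2 (reply) both occur."""
    return arp["spa"] == arp["tpa"] and arp["eth_dst"] == BROADCAST


def expected_virtual_mac(group_id: int, if_index: int) -> str:
    """FGCP virtual MAC for virtual cluster 1: 00:09:0f:09:<group-id hex>:<interface index>.
    Assumption: taken from the FortiOS HA documentation; virtual cluster 2 offsets the last byte."""
    if not 0 <= group_id <= 255 or not 0 <= if_index <= 255:
        raise ValueError("group id and interface index must each fit in one byte")
    return f"00:09:0f:09:{group_id:02x}:{if_index:02x}"


def garp_announcements(frames) -> dict:
    """Map each IP announced by a gratuitous ARP to the MAC that announced it (last one wins)."""
    seen = {}
    for frame in frames:
        arp = parse_arp(frame)
        if arp and is_gratuitous(arp):
            seen[arp["spa"]] = arp["sha"]
    return seen


def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Build a raw ARP frame; used here only to construct sample input."""
    def to_mac(s):
        return bytes(int(x, 16) for x in s.split(":"))

    def to_ip(s):
        return bytes(int(x) for x in s.split("."))

    return ETH.pack(to_mac(eth_dst), to_mac(eth_src), ETHERTYPE_ARP) + ARP.pack(
        1, 0x0800, 6, 4, op, to_mac(sha), to_ip(spa), to_mac(tha), to_ip(tpa))


# Constructed sample capture (not a real trace): the new master announces the
# cluster virtual MAC for 10.116.2.86 as a GARP request and a GARP reply, then an
# ordinary ARP request from a hypothetical LAN host follows.
VMAC = "00:09:0f:09:64:03"
SAMPLE_FRAMES = [
    build_arp(BROADCAST, VMAC, 1, VMAC, "10.116.2.86", "00:00:00:00:00:00", "10.116.2.86"),
    build_arp(BROADCAST, VMAC, 2, VMAC, "10.116.2.86", BROADCAST, "10.116.2.86"),
    build_arp(BROADCAST, "00:50:56:aa:bb:cc", 1, "00:50:56:aa:bb:cc", "10.116.2.50",
              "00:00:00:00:00:00", "10.116.2.86"),
]

if __name__ == "__main__":
    for ip, mac in garp_announcements(SAMPLE_FRAMES).items():
        status = "matches" if mac == expected_virtual_mac(100, 3) else "DOES NOT match"
        print(f"GARP: {ip} is now at {mac}, which {status} the expected virtual MAC")
```

Feeding real frames from a pcap (for example the packet bytes yielded by a pcap reader) into garp_announcements gives the same result as reading the sniffer screenshot by eye: if the MAC announced for the cluster IP is not the expected virtual MAC, either gratuitous-arps is disabled on the new master or the frame came from something else on the segment claiming that IP, which is worth investigating as a possible spoofing attempt.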