FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Stephen_G
Community Manager
Article Id 251500
Description

This article explains how to alert the administrator automatically when a virtual MAC address conflict is detected in an HA environment.
Scope

FortiGate HA.

Solution

Consider a scenario where an organization runs its FortiGate in HA. This organization is connected to all other organizations on the same network through an ISP L2 link, and an L2 VPN over that network is used for a banking service with the other organizations.

In this scenario, each organization is unaware of the HA configuration of the others. By coincidence, two clusters may end up with the same group ID and virtual cluster ID. Because the virtual MAC addresses are derived from these values, this can cause a duplicate MAC address conflict that disrupts the network and brings down running services.

To identify the issue as soon as possible, MAC address conflict detection can be automated so that the administrator is notified with an alert email.

[Screenshot: Stephen_G_0-1680787047359.png]

 

When a FortiGate in NAT mode is configured as an HA cluster, the FGCP (FortiGate Clustering Protocol) assigns a different virtual MAC address to each interface of the primary unit. The virtual MAC address of each interface is set according to the HA group ID. The exceptions are the management and HA heartbeat interfaces, which are not assigned virtual MAC addresses.

If any of these interfaces is connected to the same broadcast domain as another FortiGate HA cluster that uses the same group ID, a MAC address conflict can occur. To avoid the disruption caused by a conflict, each cluster in the same network and broadcast domain should use a unique group ID.

 

Refer to this link for information on troubleshooting a virtual MAC address conflict issue.

 

Display the virtual MAC address of each interface using the following commands:

# diagnose hardware deviceinfo nic <intf>
# get hardware nic <intf>

Example for the WAN interface:

# get hardware nic wan
...
Current_HWaddr       00:09:0f:09:00:00    ← Virtual MAC
Permanent_HWaddr     04:d5:90:ee:91:fa
...

# show system interface wan
config system interface
    edit "wan"
        set ip 172.16.16.101 255.255.255.0
    next
end

 

 

To detect neighboring MAC address changes quickly, enable neighbor event logging in the log settings through the CLI:

# config log setting
    set neighbor-event enable
end

When enabled, a log message is recorded every time a MAC address entry is added to the ARP (neighbor) table, and again when the entry is removed.

Afterwards, configure an automation stitch to alert the administrator whenever such a neighbor event is logged.

 

Stitches

In the GUI:

[Screenshot: Stephen_G_1-1680787078288.png]

[Screenshot: Stephen_G_2-1680787078297.png]

In the CLI, run the following:

# config system automation-stitch
    edit "Stitches-Duplicate MAC Detected"
        set trigger "Trigger-Duplicate MAC Detected"
        config actions
            edit 1
                set action "Alert-Duplicate MAC Detected"
                set required enable
            next
        end
    next
end

 

Triggers

In the GUI:

[Screenshot: Stephen_G_3-1680787078303.png]

[Screenshot: Stephen_G_4-1680787078305.png]

In the CLI, run the following:

# config system automation-trigger
(automation-trigger) # edit "Duplicate MAC Detected"
(Duplicate MAC De~ted) # show
config system automation-trigger
    edit "Duplicate MAC Detected"
        set event-type event-log
        set logid 51000
        config fields
            edit 1
                set name "msg"
                set value "MAC address 00:09:0F:09:00:00 is added to neighbor table"
            next
        end
    next
end

 

In the trigger's field filter, use the virtual MAC address of the interface connected to the ISP L2 link; in this case, the WAN interface MAC address:

# get hardware nic wan
...
Current_HWaddr       00:09:0f:09:00:00
Permanent_HWaddr     04:d5:90:ee:91:fa
...

To view the router event log file, go to System Events -> Router Events and select the Download button. Open the log in a text editor such as Notepad.

Example:

[ msg="MAC address 00:09:0F:09:00:00 is added to neighbor table"]

When assigning 'Field name', use 'msg'. When assigning the trigger 'Value', enter the MAC address of the interface connected to the ISP L2 link, as it appears in the log message.

 

[Screenshot: Stephen_G_5-1680787078315.png]

To set up automatic sending of the alert message, create an email action and enter the administrator's email address in the email address field:

Action

[Screenshot: Stephen_G_6-1680787078321.png]

[Screenshot: Stephen_G_7-1680787078322.png]

# config system automation-action
    edit "Alert-Duplicate MAC Detected"
        set action-type email
        set email-to "admin@myorg.com"
        set email-from "test@test.com"
        set email-subject "Duplicate MAC Detected"
    next
end

 

 

When a duplicate MAC address is detected from a neighboring IP, the automation stitch is triggered. The alert notification is sent through the secondary FortiGate of the HA cluster.

[Screenshot: Stephen_G_8-1680787078328.png]

The alert includes the IP address that the virtual MAC address conflicts with.
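The trigger above matches one MAC string in the msg field of log ID 51000, and the alert reports the IP it was learned from. As an added example (not part of this article or of FortiOS), the following Python script applies the same check offline to downloaded neighbor-event log lines and generalizes it to every virtual MAC the cluster owns; the sample lines are constructed, and the ip= field name and the wording of the removal message are assumptions.

```python
import re
import shlex

# Log ID of the neighbor event that the article's automation trigger matches on.
NEIGHBOR_EVENT_LOGID = "51000"

# Virtual MACs of this cluster's own interfaces (from 'get hardware nic <intf>').
# The wan value is the article's; the second interface is constructed for illustration.
OWN_VIRTUAL_MACS = {
    "00:09:0f:09:00:00": "wan",
    "00:09:0f:09:00:01": "internal",
}

# Same msg text the trigger filters on: "MAC address <mac> is added to neighbor table".
ADDED_RE = re.compile(r"MAC address ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}) is added to neighbor table")

def parse_fortigate_log(line: str) -> dict:
    """Split a FortiOS key=value log line into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def find_conflicts(lines, own_macs=OWN_VIRTUAL_MACS) -> list:
    """Return (mac, our_interface, peer_ip) for neighbor-add events reusing our virtual MACs; peer_ip is read from an assumed 'ip=' field."""
    conflicts = []
    for line in lines:
        fields = parse_fortigate_log(line)
        if fields.get("logid") != NEIGHBOR_EVENT_LOGID:
            continue
        match = ADDED_RE.search(fields.get("msg", ""))
        if not match:
            continue  # removal events and unrelated messages are ignored
        mac = match.group(1).lower()
        if mac in own_macs:
            conflicts.append((mac, own_macs[mac], fields.get("ip", "unknown")))
    return conflicts

# Constructed sample lines (not captured output); only logid and msg follow the article.
SAMPLE_LOGS = [
    'logid=51000 ip=172.16.16.150 msg="MAC address 00:09:0F:09:00:00 is added to neighbor table"',
    'logid=51000 ip=172.16.16.20 msg="MAC address 3c:8a:b0:12:34:56 is added to neighbor table"',
    'logid=51000 ip=172.16.16.150 msg="MAC address 00:09:0F:09:00:00 is removed from neighbor table"',
]

if __name__ == "__main__":
    for mac, intf, ip in find_conflicts(SAMPLE_LOGS):
        print(f"virtual MAC {mac} of interface {intf} also seen from {ip}")
```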

 

[Screenshot: bijay_8.png]

Related document:

Cluster virtual MAC addresses - Fortinet documentation