Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
acp
Staff
Staff

Created on ‎09-05-2016 03:25 PM Edited on ‎05-26-2025 03:57 AM By Community Manager

Article Id 193155

Technical Tip: Transparent mode with VRRP, HSRP or Network Load Balancer

Description

 
This article describes how to configure a VRRP, HSRP, or Network Load Balancer in FortiGate for transparent mode.
 
Scope
 
FortiGate.
 
Solution
 
When a VRRP, HSRP, or Network Load Balancer exists in the network with a FortiGate in Transparent mode, a Static MAC entry may be required.
When a client sends an ARP request to retrieve a MAC address, those servers may respond with an ARP reply
that indicates the Virtual MAC address in the payload. However, that ARP reply packet from the server contains the physical MAC address as a source MAC address.

 

Because the FortiGate MAC address table is updated with the physical MAC address and the virtual MAC is unknown, FortiGate floods the frame to all the ports due to an 'unknown destination MAC' when the packet arrives at FortiGate for the destination as a virtual MAC.

 

Because of this, FortiGate does not create a session, meaning there is no stateful firewall session entry. This can cause issues including (but not limited to) reply packet drops, and an inability to perform an antivirus scan.

 

 

To prevent this behavior, configure a static MAC entry on the FortiGate. This will inform the FortiGate where the virtual MAC is connected.
 
Related CLI and Configuration example.
Solution 1:
  • The 'config system mac-address-table' command allows the configuration of a static MAC entry.
 
Syntax.
 
config system mac-address-table
     edit <mac-address_hex>
         set interface <if_name>
         set reply-substitute <mac-address_hex>
end
 

Note: This command is available only if the VDOM is in Transparent mode and is only allowed if the interface is in the forward domain 0, which is the default behavior.
 
 
Solution 2:
  • Disable the src-check to the port that is connected with the HSRP.

 

config system interface
    edit <interface>
        set src-check disable
end

 

In some cases, this change becomes necessary after upgrading from v6.4 to v7. x branch. V6.4 may not offload multicast traffic in transparent mode. Beginning with FortiOS 7, multicast traffic is offloaded, which prevents the kernel from processing certain packets, such as HSRP or VRRP.


Consequently, the virtual MAC entry expires after five minutes due to the kernel's lack of visibility. When the MAC entry expires, existing sessions continue to pass traffic, but new sessions cannot be established. These new connection attempts are dropped by the FortiGate with a 'No session matched' error.


If a firewall policy is modified, FortiGate reevaluates the active sessions governed by that policy. During this process, it may repopulate the MAC address table using information from the still-active sessions.

 

Related documents:

Technical Tip: Transparent mode with VRRP, HSRP or Network Load Balancer

Mirroring SSL traffic in policies - FortiGate administration guide

Labels:
16118
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.