Description
This article describes how to configure a VRRP, HSRP, or Network Load Balancer in FortiGate for transparent mode.
Scope
FortiGate.
Solution
When a VRRP, HSRP, or Network Load Balancer exists in the network with a FortiGate in Transparent mode, a Static MAC entry may be required.
When a client sends an ARP request to retrieve a MAC address, those servers may respond with an ARP reply
that indicates the Virtual MAC address in the payload. However, that ARP reply packet from the server contains the physical MAC address as a source MAC address.
Because the FortiGate MAC address table is updated with the physical MAC address and the virtual MAC is unknown, FortiGate floods the frame to all the ports due to an 'unknown destination MAC' when the packet arrives at FortiGate for the destination as a virtual MAC.
Because of this, FortiGate does not create a session, meaning there is no stateful firewall session entry. This can cause issues including (but not limited to) reply packet drops, and an inability to perform an antivirus scan.
To prevent this behavior, configure a static MAC entry on the FortiGate. This will inform the FortiGate where the virtual MAC is connected.
Related CLI and Configuration example.
Solution 1:
- The 'config system mac-address-table' command allows the configuration of a static MAC entry.
Syntax.
config system mac-address-table
edit <mac-address_hex>
set interface <if_name>
set reply-substitute <mac-address_hex>
end
Note: This command is available only if the VDOM is in Transparent mode and is only allowed if the interface is in the forward domain 0, which is the default behavior.
Solution 2:
- Disable the src-check to the port that is connected with the HSRP.
config system interface
edit <interface>
set src-check disable
end
Related documents:
