FortiGate
mhemambika
Staff
Article Id 366745
Description

This article describes ip-conflict-detect, a new feature introduced in v7.6. It helps troubleshooting by detecting and resolving IP address conflicts within a network. This article explores how the feature aids the troubleshooting process.
Scope

FortiGate v7.6.X and above
Solution

By default the feature is disabled.

 

Related document:

New features or enhancements

 

Active Detection will be triggered when:

(a) System start.
(b) miglogd restart.
(c) Interface status changes to up.
(d) A new interface with a valid IP is created.
(e) Interface obtains an IP from a DHCP server or another source.
(f) Interface IP is edited by the user.

 

Alongside the above, the firewall keeps monitoring gratuitous ARP packets, and if a device connected to the FortiGate tries to use an IP that is already in use, a log is generated.
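The gratuitous ARP check described above, written out as a simplified model so the logic is visible. This is an added example and not FortiGate code: a gratuitous ARP is an announcement whose sender IP equals its target IP, the monitor remembers which MAC announced each IP, and it reports a conflict when a different MAC announces an IP that the firewall itself or a previously seen host already uses. The interface name, IPs and MACs in the demo are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of the gratuitous-ARP based conflict check.
# NOT FortiGate code; all addresses below are made up for the demo.


@dataclass(frozen=True)
class ArpFrame:
    interface: str    # firewall interface the frame arrived on
    opcode: int       # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_ip: str


def is_gratuitous(frame: ArpFrame) -> bool:
    """A gratuitous ARP announces the sender's own IP: sender IP == target IP."""
    return frame.sender_ip == frame.target_ip


class IpConflictMonitor:
    """Remembers which MAC claims each IP and reports when a second MAC claims it."""

    def __init__(self, own_addresses: Dict[str, Tuple[str, str]]):
        # own_addresses: interface -> (ip, mac) of the firewall itself
        self.own_by_ip = {ip: (iface, mac.lower())
                          for iface, (ip, mac) in own_addresses.items()}
        self.learned: Dict[str, str] = {}   # ip -> mac of the host that announced it

    def process(self, frame: ArpFrame) -> Optional[str]:
        """Return a conflict message for this frame, or None if nothing is wrong."""
        if not is_gratuitous(frame):
            return None                       # ordinary requests/replies are not announcements
        ip, mac = frame.sender_ip, frame.sender_mac.lower()
        if ip in self.own_by_ip:
            iface, own_mac = self.own_by_ip[ip]
            if mac != own_mac:
                return (f"Duplicate IP address {ip} of MAC {mac} was detected on interface "
                        f"{frame.interface}, also in use by {iface} ({own_mac})")
            return None                       # the firewall announcing its own address
        previous = self.learned.get(ip)
        if previous is not None and previous != mac:
            return (f"Duplicate IP address {ip} of MAC {mac} was detected on interface "
                    f"{frame.interface}, also in use by host {previous}")
        self.learned.setdefault(ip, mac)      # first claim for this IP: remember it
        return None


def run_demo() -> List[str]:
    """Feed a constructed frame sequence through the monitor; returns the conflict messages."""
    mon = IpConflictMonitor({"port3": ("192.0.2.10", "00:11:22:33:44:55")})
    frames = [
        ArpFrame("port3", 1, "aa:bb:cc:00:00:01", "192.0.2.20", "192.0.2.20"),  # host A announces .20
        ArpFrame("port3", 1, "aa:bb:cc:00:00:01", "192.0.2.20", "192.0.2.30"),  # normal request, ignored
        ArpFrame("port3", 1, "aa:bb:cc:00:00:02", "192.0.2.10", "192.0.2.10"),  # host B claims the firewall's IP
        ArpFrame("port3", 2, "aa:bb:cc:00:00:03", "192.0.2.20", "192.0.2.20"),  # host C claims host A's IP
    ]
    return [msg for msg in (mon.process(f) for f in frames) if msg]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The demo reports two conflicts: one against the firewall's own port3 address and one between two connected hosts. A real implementation would also age out learned entries and handle the interface events listed above, which the model leaves out.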

 

In the lab firewall, set the ip-conflict-detection to enable:

 

kvm25 # config system global
kvm25 (global) # set ip-conflict-detection enable
kvm25 (global) # end

 

Tried to change the IP of the firewall on port3 to the same IP as one of the machines connected to interface port3. Once the IP conflict is detected, the firewall generates a log at Log & Report -> System Events -> General System Events as below:

 

date=2024-12-25 time=04:23:26 eventtime=1735129406434351939 tz="-0800" logid="0100032701" type="event" subtype="system" level="error" vd="root" logdesc="Detected IP conflicts on FGT interfaces." msg="Duplicate IP address 10.171.5.9X of MAC 00:7X:6e:69:0X:0X was detected on interface port3, also in use by port3 (00:6X:61:78:1X:0X)"
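For a SOC, the useful follow-on is picking this event out of a syslog stream and turning it into a structured alert. The example below is added here and is not part of the article: it parses the FortiGate key=value line format, filters on the logid shown in the event above, and extracts the duplicate IP, both MACs and the interfaces from the msg field. SAMPLE_LOG is the line quoted in the article (with the author's X redactions left as-is); OTHER_LOG and its logid are a constructed placeholder used only to show a non-matching event being ignored.

```python
import re
from typing import Dict, List, Optional

# The event line quoted in the article (digits partly redacted with X by its author).
SAMPLE_LOG = ('date=2024-12-25 time=04:23:26 eventtime=1735129406434351939 tz="-0800" '
              'logid="0100032701" type="event" subtype="system" level="error" vd="root" '
              'logdesc="Detected IP conflicts on FGT interfaces." '
              'msg="Duplicate IP address 10.171.5.9X of MAC 00:7X:6e:69:0X:0X was detected on '
              'interface port3, also in use by port3 (00:6X:61:78:1X:0X)"')

# Constructed placeholder event (logid made up) used only to show the filter ignoring it.
OTHER_LOG = ('date=2024-12-25 time=04:30:00 tz="-0800" logid="0100099999" type="event" '
             'subtype="system" level="notice" vd="root" msg="constructed placeholder event"')

IP_CONFLICT_LOGID = "0100032701"   # logid carried by the conflict event in the article

# key=value pairs: values are either double-quoted (may contain spaces) or bare tokens
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# layout of the conflict msg as shown in the article's log line
_MSG_RE = re.compile(
    r'Duplicate IP address (?P<ip>\S+) of MAC (?P<mac>\S+) was detected on interface '
    r'(?P<interface>\S+), also in use by (?P<other>\S+) \((?P<other_mac>[^)]+)\)'
)


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split a FortiGate syslog-style line into a dict of its fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}


def ip_conflict_alert(fields: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return structured alert details for an ip-conflict event, or None for anything else."""
    if fields.get("logid") != IP_CONFLICT_LOGID:
        return None
    alert = {"time": f'{fields.get("date", "")} {fields.get("time", "")}',
             "vd": fields.get("vd", "")}
    m = _MSG_RE.search(fields.get("msg", ""))
    if m:
        alert.update(m.groupdict())
    else:
        alert["raw_msg"] = fields.get("msg", "")   # message layout changed: keep text for a human
    return alert


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the filter over a batch of log lines, e.g. one syslog file."""
    alerts = []
    for line in lines:
        alert = ip_conflict_alert(parse_fortigate_log(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan([SAMPLE_LOG, OTHER_LOG]):
        print(alert)
```

Matching on logid rather than on the free-text msg is deliberate: the message wording can change between firmware releases, while the logid is the stable key. When the msg layout does not match, the alert still fires with the raw text attached so the event is not silently lost.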
