This article describes configuring VRRP between two devices using the FortiGate Firewall.
FortiGate.
In a typical Virtual Router Redundancy Protocol (VRRP) configuration, two devices are connected within the same broadcast domain, facilitated by a Layer 2 switch.
This article outlines the process of leveraging an existing Layer 3 device, specifically a FortiGate Firewall, to function as a Layer 2 device for transmitting VRRP packets.
Configuration :
FortiGate-A and FortiGate-B could be any other L3 devices. In the current scenario, both are FortiGate Firewalls with VRRP configured between them.
Fortigate1 is a transit device between two VRRP devices (FortiGate-A and FortiGate-B).
Fortigate1:
config system interface
    edit "port1"
        set vdom "root"
        set type physical
        set snmp-index 1
    next
end
config system interface
    edit "port3"
        set vdom "root"
        set type physical
        set snmp-index 3
    next
end
To enable VRRP packet transmission through the firewall, configure the software-switch or switch-interface accordingly.
Note: Ensure that the software switch interface members do not have an IP address assigned. Otherwise, the interface cannot be added to the switch-interface.
config system switch-interface
    edit "test"
        set vdom "root"
        set member "port1" "port3"
    next
end
config system interface
    edit "test"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.0
        set type switch
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 15
    next
end
Configure the VRRP on FortiGate-A and FortiGate-B.
FortiGate-A :
The 'wan' interface of FortiGate-A is connected to port1 of FortiGate1.
config system interface
    edit "wan"
        set vdom "root"
        set ip 192.168.1.3 255.255.255.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set vrrp-virtual-mac enable
        config vrrp
            edit 1
                set vrgrp 10
                set vrip 192.168.1.100
                set priority 128
            next
        end
        set role wan
        set snmp-index 1
    next
end
FortiGate-B :
The 'wan' interface of FortiGate-B is connected to port3 of FortiGate1.
config system interface
    edit "wan"
        set vdom "root"
        set ip 192.168.1.2 255.255.255.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set vrrp-virtual-mac enable
        config vrrp
            edit 1
                set vrgrp 10
                set vrip 192.168.1.100
            next
        end
        set role wan
        set snmp-index 1
    next
end
Verification :
FortiGate-A # get router info vrrp
Interface: wan, primary IP address: 192.168.1.3
UseVMAC: 1, SoftSW: 0, BrPortIdx: 0, PromiscCount: 1
HA mode: master (0:0:1) VRRP master number: 1
VRID: 1 verion: 2
vrip: 192.168.1.100, priority: 128 (128,0), state: MASTER
adv_interval: 1, preempt: 1, ignore_dft: 0 start_time: 3
master_adv_interval: 100, accept: 1
vrmac: 00:00:5e:00:01:01
vrdst:
vrgrp: 10
FortiGate-B # get router info vrrp
Interface: wan, primary IP address: 192.168.1.2
UseVMAC: 1, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0
HA mode: master (0:0:1) VRRP master number: 0
VRID: 1 verion: 2
vrip: 192.168.1.100, priority: 100 (100,0), state: BACKUP
adv_interval: 1, preempt: 1, ignore_dft: 0 start_time: 3
master_adv_interval: 100, accept: 1
vrmac: 00:00:5e:00:01:01
vrdst:
vrgrp: 10
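The following Python code is an added example, not part of the original article or any Fortinet tooling. It parses the 'get router info vrrp' output of both peers and reports a mismatched VRID or virtual IP, a virtual MAC that does not follow the VRRPv2 pattern, or anything other than exactly one MASTER, which is the symptom to expect when advertisements do not cross the switch-interface on Fortigate1. The function names and the abbreviated sample strings are assumptions made for this illustration.

```python
import re

# Abbreviated copies of the 'get router info vrrp' output shown above (sample input).
FGT_A = """Interface: wan, primary IP address: 192.168.1.3
VRID: 1 verion: 2
vrip: 192.168.1.100, priority: 128 (128,0), state: MASTER
vrmac: 00:00:5e:00:01:01
"""
FGT_B = """Interface: wan, primary IP address: 192.168.1.2
VRID: 1 verion: 2
vrip: 192.168.1.100, priority: 100 (100,0), state: BACKUP
vrmac: 00:00:5e:00:01:01
"""

FIELDS = {
    "vrid": r"VRID:\s*(\d+)",
    "vrip": r"vrip:\s*([\d.]+)",
    "priority": r"priority:\s*(\d+)",
    "state": r"state:\s*(\w+)",
    "vrmac": r"vrmac:\s*([0-9a-fA-F:]{17})",
}

def parse_vrrp(text):
    """Extract the first VRRP group from one device's output as a dict."""
    out = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"field {name!r} not found")
        out[name] = m.group(1)
    return out

def check_pair(a_text, b_text):
    """Return a list of problems found when comparing two VRRP peers."""
    a, b = parse_vrrp(a_text), parse_vrrp(b_text)
    problems = []
    for key in ("vrid", "vrip"):
        if a[key] != b[key]:
            problems.append(f"{key} mismatch: {a[key]} vs {b[key]}")
    masters = [p["state"] for p in (a, b)].count("MASTER")
    if masters != 1:
        # Two masters typically means the peers do not see each other's advertisements.
        problems.append(f"expected exactly 1 MASTER, found {masters}")
    for p in (a, b):
        expected = "00:00:5e:00:01:%02x" % int(p["vrid"])  # RFC 3768 virtual MAC
        if p["vrmac"].lower() != expected:
            problems.append(f"vrmac {p['vrmac']} does not match VRID {p['vrid']}")
    return problems
```

For the outputs shown in the Verification section, check_pair(FGT_A, FGT_B) returns an empty list.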