FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
tnaik
Staff
Staff
Article Id 195893

Description

 

This article describes the Virtual MAC (VMAC) changes post major firmware version upgrade in HA cluster.

 

Scope

 

FortiGate.

Solution

 

To calculate VMAC, see this document.

While upgrading the major firmware versions in FortiGate like 5.4 to 5.6 or 5.6 to 6.0, it is possible to see the virtual MAC address change.

 

The following is the CLI output showing the current VMAC for firmware Major Version 5.4 with a VMAC address for the primary as 00:09:0f:09:00:16.

 

Primary FortiGate before upgrade:

 

Fortigate-100D-Primary # get sys status
Version: FortiGate-100D v5.4.10,build1220,180821 (GA)
Fortigate-100D-Primary # get hardware nic  wan1
Driver_Name            e1000e
Driver_Version              3.2.4.2-NAPI
MAC_Type                    3
IRQ                                       16
System_Device_Name          wan1
Current_HWaddr        00:09:0f:09:00:16
Permanent_HWaddr        00:09:0f:9d:5d:8e
Fortigate-100D-Primary (ha) # show full | grep group-id
    set group-id 10

 

After upgrading the FortiGate from major version 5.4 to 5.6, the primary FortiGate changed VMAC as 00:09:0f:09:0a:16.

Primary FortiGate Unit After upgrade:

 

Fortigate-100D-Primary # get sys status
Version: FortiGate-100D v5.6.9,build1673,190513 (GA)
Fortigate-100D-Primary # get hardware nic wan1
Driver_Name            e1000e
Driver_Version              3.2.4.2-NAPI
MAC_Type                    3
IRQ                                        16
System_Device_Name          wan1
Current_HWaddr        00:09:0f:09:0a:16
Permanent_HWaddr        00:09:0f:9d:5d:8e
Fortigate-100D-Primary (ha) # show full | grep group-id
    set group-id 10

 

It is an expected behavior that VMAC will change after a major firmware version upgrade in an HA cluster.

 

Note: Virtual MAC address calculation has been once again changed in 6.0.2 GA and 6.2.0 GA. Any previous FortiOS version will encounter this behavior upon upgrading to or past these versions. 

For best practices, see the related article below.


Related article:

Technical Tip: HA Cluster virtual MAC addresses