Solution
A MAC address-based firewall policy does not work on the Active Secondary FortiGate in an Active-Active (A-A) HA setup when load-balance-all is enabled in the HA configuration.
config system ha
    set group-id 6
    set group-name "ha"
    set mode a-a
    set password ENC QKIwEFpX/SN+K1
    set hbdev "ha" 0
    set override disable
    set load-balance-all enable
end
The source MAC address is used as the source address filter in the policy. Traffic passing through the Active Primary faces no issue, since the source MAC matches the policy.
config firewall policy
    edit 3
        set name "MAC_Policy_9"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "00_6b_72_79_22_03"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set logtraffic all
        set nat enable
    next
    edit 1
        set name "Policy_10"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
Flow debug on the Active Primary (session created and allowed by the MAC-based policy 3):
2025-02-10 01:40:49 id=65308 trace_id=10001 func=print_pkt_detail line=5932 msg="vd-root:0 received a packet(proto=1, 10.xx.xx.xx:1->8.xx.xx.xx:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=67."
2025-02-10 01:40:49 id=65308 trace_id=10001 func=init_ip_session_common line=6124 msg="allocate a new session-000053ff"
2025-02-10 01:40:49 id=65308 trace_id=10001 func=__vf_ip_route_input_rcu line=1989 msg="find a route: flag=00000000 gw-10.xx.xx.xx via port1"
2025-02-10 01:40:49 id=65308 trace_id=10001 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=4"
2025-02-10 01:40:49 id=65308 trace_id=10001 func=get_new_addr line=1274 msg="find SNAT: IP-10.xx.xx.xx(from IPPOOL), port-60418"
2025-02-10 01:40:49 id=65308 trace_id=10001 func=fw_forward_handler line=1001 msg="Allowed by Policy-3: SNAT"
2025-02-10 01:40:49 id=65308 trace_id=10001 func=ip_session_confirm_final line=3131 msg="npu_state=0x1000, hook=4"
2025-02-10 01:40:49 id=65308 trace_id=10001 func=ids_receive line=466 msg="send to ips"
2025-02-10 01:40:49 id=65308 trace_id=10001 func=__ip_session_run_tuple line=3464 msg="SNAT 10.xx.xx.xx->10.xx.xx.xx:60418"
2025-02-10 01:40:49 id=65308 trace_id=10002 func=print_pkt_detail line=5932 msg="vd-root:0 received a packet(proto=1, 8.xx.xx.xx:60418->10.xx.xx.xx:0) tun_id=0.0.0.0 from port1. type=0, code=0, id=60418, seq=67."
2025-02-10 01:40:49 id=65308 trace_id=10002 func=resolve_ip_tuple_fast line=6027 msg="Find an existing session, id-000053ff, reply direction"
2025-02-10 01:40:49 id=65308 trace_id=10002 func=__ip_session_run_tuple line=3477 msg="DNAT 10.xx.xx.xx:0->10.xx.xx.xx:1"
2025-02-10 01:40:49 id=65308 trace_id=10002 func=__vf_ip_route_input_rcu line=1989 msg="find a route: flag=00000000 gw-0.0.0.0 via port2"
2025-02-10 01:40:49 id=65308 trace_id=10002 func=npu_handle_session44 line=1342 msg="Trying to offloading session from port1 to port2, skb.npu_flag=00000000 ses.state=00012204 ses.npu_state=0x00001008"
2025-02-10 01:40:49 id=65308 trace_id=10002 func=fw_forward_dirty_handler line=444 msg="state=00012204, state2=00000001, npu_state=00001008"
2025-02-10 01:40:49 id=65308 trace_id=10002 func=ids_receive line=466 msg="send to ips"
On the Primary, the source MAC of the packet matches the PC's MAC address:

Since load-balance-all is enabled in the HA configuration, a round-robin algorithm is used: traffic reaches the Primary and is load balanced to the Secondary. On the Secondary the traffic no longer matches the MAC-based policy (policy 3) and instead hits the IP-based policy (policy 1), as the debug below shows. Because the session was created on the Primary under a NAT policy and policy 1 has no NAT, the strict dirty-session check then drops the packet:
id=65308 trace_id=5 func=print_pkt_detail line=5932 msg="vd-root:0 received a packet(proto=6, 10.xx.xx.xx:62314->2.xx.xx.xx:443) tun_id=0.0.0.0 from port2. flag[S], seq 3004952835, ack 0, win 64240"
id=65308 trace_id=5 func=resolve_ip_tuple_fast line=6027 msg="Find an existing session, id-0000eb60, original direction"
id=65308 trace_id=5 func=__vf_ip_route_input_rcu line=1989 msg="find a route: flag=00000000 gw-10.xx.xx.xx via port1"
id=65308 trace_id=5 func=__iprope_fwd_check line=810 msg="in-[port2], out-[port1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=5 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=4"
id=65308 trace_id=5 func=__iprope_check_one_policy line=2140 msg="checked gnum-100004 policy-2, ret-no-match, act-accept"
id=65308 trace_id=5 func=__iprope_check_one_policy line=2140 msg="checked gnum-100004 policy-3, ret-no-match, act-accept"
id=65308 trace_id=5 func=__iprope_check_one_policy line=2140 msg="checked gnum-100004 policy-1, ret-matched, act-accept"
id=65308 trace_id=5 func=__iprope_user_identity_check line=1903 msg="ret-matched"
id=65308 trace_id=5 func=__iprope_check line=2404 msg="gnum-4e20, check-ffffff800070bad4"
id=65308 trace_id=5 func=__iprope_check_one_policy line=2140 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=5 func=__iprope_check_one_policy line=2140 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=5 func=__iprope_check_one_policy line=2140 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=5 func=__iprope_check line=2421 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=5 func=__iprope_check_one_policy line=2374 msg="policy-1 is matched, act-accept"
id=65308 trace_id=5 func=__iprope_fwd_check line=847 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-1"
id=65308 trace_id=5 func=fw_strict_dirty_session_check line=279 msg="SNAT mismatch policy 1 (nat 0, must nat 0, ip 10.xx.xx.xx), drop"
The source MAC does not match the MAC address configured in the policy, because the source MAC seen on the Secondary, 78:18:ec:47:19:6d, is actually the address of port2 on the Active Primary:
diag ha deviceinfo nic port2
Description      :FortiASIC NP7LITE Adapter
Driver Name      :FortiASIC Unified NPU Driver
Name             :np7lite_0
pid              :0
oid              :2
vid              :3
macid            :2
eif_id           :0
promiscous       :1
mtu              :1500
netdev oid       :2
dev-flags        :1103
dev-promis       :1
Current_HWaddr   00:09:0f:09:05:03
Permanent_HWaddr 78:18:ec:47:19:6d

Traffic is load balanced to the Active Secondary, where the source MAC has already been replaced with the MAC of the Primary FortiGate. This is expected behaviour: as with any L3 device in the path, the source MAC is rewritten to the MAC of the forwarding device, so the Secondary never sees the PC's MAC address and a MAC-based policy cannot match there.
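As an added example (not part of the original article and not Fortinet's own tooling), the following Python script parses `diagnose debug flow` output and `diag ha deviceinfo nic` output and flags the Active Secondary symptom shown above automatically: a session that already exists (so it was created on the HA peer), the MAC-based policy returning no-match, and the packet then dropped by fw_strict_dirty_session_check. The sample lines are constructed from the article's traces with placeholder IP addresses, and the MAC helper shows that an address written as "7818 ec47 196d" is the same as port2's Permanent_HWaddr. All function names and the sample text are assumptions of this example.

```python
import re
from collections import OrderedDict

# Added example (not from the article or Fortinet): parse `diagnose debug flow`
# and `diagnose ha deviceinfo nic` output and flag the symptom described above.
# The sample text below is CONSTRUCTED, modelled on the article's traces; the
# IP addresses are placeholders, not real hosts.
SAMPLE_FLOW_DEBUG = """\
id=65308 trace_id=10001 func=print_pkt_detail line=5932 msg="vd-root:0 received a packet(proto=1, 10.0.0.10:1->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=67."
id=65308 trace_id=10001 func=init_ip_session_common line=6124 msg="allocate a new session-000053ff"
id=65308 trace_id=10001 func=fw_forward_handler line=1001 msg="Allowed by Policy-3: SNAT"
id=65308 trace_id=5 func=print_pkt_detail line=5932 msg="vd-root:0 received a packet(proto=6, 10.0.0.10:62314->2.2.2.2:443) tun_id=0.0.0.0 from port2. flag[S], seq 3004952835, ack 0, win 64240"
id=65308 trace_id=5 func=resolve_ip_tuple_fast line=6027 msg="Find an existing session, id-0000eb60, original direction"
id=65308 trace_id=5 func=__iprope_check_one_policy line=2140 msg="checked gnum-100004 policy-3, ret-no-match, act-accept"
id=65308 trace_id=5 func=__iprope_check_one_policy line=2140 msg="checked gnum-100004 policy-1, ret-matched, act-accept"
id=65308 trace_id=5 func=fw_strict_dirty_session_check line=279 msg="SNAT mismatch policy 1 (nat 0, must nat 0, ip 10.0.0.10), drop"
"""
SAMPLE_NIC_INFO = "Current_HWaddr 00:09:0f:09:05:03 Permanent_HWaddr 78:18:ec:47:19:6d"

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), (\S+)->(\S+)\).* from (\S+?)\.')
POLICY_RE = re.compile(r'checked gnum-\w+ policy-(\d+), ret-(no-match|matched)')
ALLOWED_RE = re.compile(r'Allowed by Policy-(\d+)')
HWADDR_RE = re.compile(r'(Current|Permanent)_HWaddr\s+([0-9A-Fa-f:]{17})')


def parse_flow_debug(text):
    """Group debug-flow records by trace_id (one dict per line, msg unquoted)."""
    traces = OrderedDict()
    for raw in text.splitlines():
        fields = {k: v.strip('"') for k, v in KV_RE.findall(raw)}
        if "trace_id" in fields and "msg" in fields:
            traces.setdefault(fields["trace_id"], []).append(fields)
    return traces


def summarise_trace(records):
    """Reduce one trace to: packet, new/existing session, policies checked,
    the policy that finally matched, and whether the packet was dropped."""
    s = {"trace_id": records[0]["trace_id"], "packet": None, "session": None,
         "checked": [], "matched_policy": None, "dropped": False, "drop_reason": None}
    for r in records:
        msg = r["msg"]
        m = PKT_RE.search(msg)
        if m and s["packet"] is None:
            s["packet"] = {"proto": int(m.group(1)), "src": m.group(2),
                           "dst": m.group(3), "in_if": m.group(4)}
        if "allocate a new session" in msg:
            s["session"] = "new"
        elif "Find an existing session" in msg:
            s["session"] = "existing"
        for pol, ret in POLICY_RE.findall(msg):
            s["checked"].append((pol, ret))
            if ret == "matched":
                s["matched_policy"] = pol
        m = ALLOWED_RE.search(msg)
        if m:
            s["matched_policy"] = m.group(1)
        if msg.endswith(", drop"):
            s["dropped"], s["drop_reason"] = True, msg
    return s


def find_ha_policy_mismatches(traces, mac_policy_id):
    """Flag traces where a session that already exists (created on the HA peer)
    was re-evaluated, did NOT match the MAC-based policy, and was then dropped
    by the strict dirty-session check, i.e. the Active Secondary symptom."""
    findings = []
    for tid, records in traces.items():
        s = summarise_trace(records)
        if s["session"] != "existing" or not s["dropped"]:
            continue
        if dict(s["checked"]).get(mac_policy_id) != "no-match":
            continue
        findings.append({"trace_id": tid, "packet": s["packet"],
                         "matched_policy": s["matched_policy"],
                         "drop_reason": s["drop_reason"]})
    return findings


def normalise_mac(mac):
    """Accept 78:18:ec:47:19:6d, 7818.ec47.196d or '7818 ec47 196d'; return colon form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_nic_hwaddrs(nic_text):
    """Return (Current_HWaddr, Permanent_HWaddr) from `diag ha deviceinfo nic` output."""
    found = {k: v.lower() for k, v in HWADDR_RE.findall(nic_text)}
    return found.get("Current"), found.get("Permanent")


def source_mac_belongs_to_peer(src_mac, peer_nic_text):
    """True if the source MAC seen on the Secondary is the peer's interface MAC,
    which is why the MAC-based policy cannot match load-balanced traffic."""
    return normalise_mac(src_mac) in {a for a in parse_nic_hwaddrs(peer_nic_text) if a}


if __name__ == "__main__":
    for f in find_ha_policy_mismatches(parse_flow_debug(SAMPLE_FLOW_DEBUG), "3"):
        print("trace %(trace_id)s: %(packet)s hit policy %(matched_policy)s; %(drop_reason)s" % f)
    print("source MAC is Primary port2:", source_mac_belongs_to_peer("7818 ec47 196d", SAMPLE_NIC_INFO))
```

To use it on a real unit, capture `diagnose debug flow` output on the Secondary, pass it to parse_flow_debug, and give find_ha_policy_mismatches the ID of your MAC-based policy; any trace it returns is a session created on the Primary that the Secondary could not map to the same policy.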