FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.

When troubleshooting connectivity issues through a FortiGate, the "diagnose debug flow" command output may show that all sessions from a host are blocked by the FortiGate because the host's MAC address is blacklisted.

Example:

2010-03-20 07:10:53 id=36870 trace_id=30 func=resolve_ip_tuple_fast line=3273 msg="vd-root received a packet(proto=17,> from internal."
2010-03-20 07:10:53 id=36870 trace_id=30 func=resolve_ip_tuple line=3395 msg="allocate a new session-00000ca5"
2010-03-20 07:10:53 id=36870 trace_id=30 func=vf_ip4_route_input line=1609 msg="find a route: gw- via wan1"
2010-03-20 07:10:53 id=36870 trace_id=30 func=fw_forward_handler line=299 msg="HWaddr-30:00:01:02:03:04 is in black list, drop"

A traffic violation message is logged by the FortiGate at the same time (traffic log):

device_id=FWF50B3G08500642 log_id=3 subtype=violation type=traffic timestamp=1269964125 pri=warning itime=1269964124 vd=root src= srcname= src_port=123 dst= dstname= dst_port=123 service=123/udp proto=17 app_type=N/A duration=0 rule=0 policyid=0 sent=0 rcvd=0 src_int=internal dst_int=wan1 SN=2169 carrier_ep=N/A vpn=N/A status=deny user=N/A group=N/A

This is caused by enabling the ipmacbinding feature (set ipmac enable) on the FortiGate ingress interface while a DHCP server is also configured on that interface.

In this example:

config system interface
    edit "internal"
        set vdom "root"
        set ip
        set allowaccess ping https ssh snmp http telnet
        set gwdetect enable
        set detectserver ""
        set ipmac enable      <<<<<<<<
        set type physical
        set alias "LAN-Office"


config system dhcp server
     edit "LAN"
        set default-gateway
        set dns-server1
        set domain ""
        set interface "internal"
        set netmask
        set end-ip
        set start-ip

With this configuration, the ipmacbinding table is populated automatically with the IP/MAC pairs of all DHCP clients on the internal network. Any other host that uses a static IP configuration has no entry in the table, so its MAC address is "blacklisted" by the FortiGate and its traffic is dropped.

There are two ways to fix the problem:

1- Disable ipmac on the internal interface:

config system interface
    edit internal
        unset ipmac
    next
end


2- Create manual entries in the ipmacbinding table for each host with a static IP address in the network. For example:

config firewall ipmacbinding table
    edit 1
        set ip
        set mac 30:01:02:03:04:05
        set name my_network_device
        set status enable
    next
end
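To connect the two halves of this tip, here is an added example (not code from the Fortinet article) that parses "diagnose debug flow" output, correlates each "is in black list, drop" message with the source IP seen earlier in the same trace_id, and renders ipmacbinding table entries only for MACs an operator has confirmed as legitimate static hosts. The sample output and all IP/MAC values are constructed; the full "received a packet(proto=N, src:port->dst:port)" message format is assumed, since the article's copy of that line is truncated.

```python
import re
from collections import defaultdict

# Constructed sample of "diagnose debug flow" output, modelled on the lines quoted in this
# article. Addresses and MACs are made-up documentation values, not from a real device.
DEBUG_FLOW = """\
2010-03-20 07:10:53 id=36870 trace_id=30 func=resolve_ip_tuple_fast line=3273 msg="vd-root received a packet(proto=17, 192.0.2.10:123->198.51.100.5:123) from internal."
2010-03-20 07:10:53 id=36870 trace_id=30 func=resolve_ip_tuple line=3395 msg="allocate a new session-00000ca5"
2010-03-20 07:10:53 id=36870 trace_id=30 func=vf_ip4_route_input line=1609 msg="find a route: gw-203.0.113.1 via wan1"
2010-03-20 07:10:53 id=36870 trace_id=30 func=fw_forward_handler line=299 msg="HWaddr-30:00:01:02:03:04 is in black list, drop"
2010-03-20 07:10:54 id=36870 trace_id=31 func=resolve_ip_tuple_fast line=3273 msg="vd-root received a packet(proto=6, 192.0.2.20:5000->198.51.100.9:80) from internal."
2010-03-20 07:10:54 id=36870 trace_id=31 func=fw_forward_handler line=299 msg="HWaddr-30:00:01:02:03:05 is in black list, drop"
"""

TRACE_RE = re.compile(r'trace_id=(\d+) .*?msg="(.*)"$')
PACKET_RE = re.compile(r'received a packet\(proto=\d+, ([\d.]+):\d+->')
DROP_RE = re.compile(r'HWaddr-([0-9a-fA-F:]{17}) is in black list, drop')

def blacklisted_hosts(debug_flow):
    """Map each blacklisted MAC to the set of source IPs seen in the same trace_id."""
    src_by_trace = {}          # trace_id -> source IP from the "received a packet" line
    hosts = defaultdict(set)
    for line in debug_flow.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue
        trace_id, msg = m.groups()
        p = PACKET_RE.search(msg)
        if p:
            src_by_trace[trace_id] = p.group(1)
        d = DROP_RE.search(msg)
        if d and trace_id in src_by_trace:
            hosts[d.group(1).lower()].add(src_by_trace[trace_id])
    return dict(hosts)

def ipmacbinding_stanza(hosts, names, start_id=1):
    """Render 'config firewall ipmacbinding table' entries for blacklisted hosts whose MAC
    appears in `names` (operator-confirmed static hosts); unknown MACs stay blocked."""
    lines = ["config firewall ipmacbinding table"]
    entry = start_id
    for mac in sorted(hosts):
        if mac not in names:
            continue           # not a known static host: investigate rather than whitelist
        for ip in sorted(hosts[mac]):
            lines += [f"    edit {entry}", f"        set ip {ip}", f"        set mac {mac}",
                      f"        set name {names[mac]}", "        set status enable", "    next"]
            entry += 1
    lines.append("end")
    return "\n".join(lines)
```

Choose the starting entry id above any ids already present in the table, since "edit N" on an existing id modifies that entry.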

For more information about the ipmacbinding feature, please consult the CLI guide.
