NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Article Id 197506



This article describes steps to verify the FortiNAC appliance is receiving and processing the MAC notification syslog in FortiSwitch Link Mode integrations.



- Host online status is not updated dynamically when connecting to FortiSwitch.

- Online status updates properly after L2 poll.


Note: MAC Learned or Removed events will not be generated in FortiNAC for FortiAPs that are connected/disconnected from the FortiSwitch. This is expected behavior.


For integration details, see the FortiSwitch Integration reference manual in the Document Dibrary.



Versions: FortiNAC 8.x,  FortiNAC 9.x,  FortiGate 6.x, FortiGate 7.x.



1) Review FortiGate and FortiSwitch configurations to verify Syslog messages are configured properly.


2) Using tcpdump, confirm syslog messages are reaching the appliance when client connects. In appliance CLI type:

tcpdump -nni any host <FortiGate IP address> and port 514 -vvv | grep Switch-Controller -B3

Press Ctrl-C at any time to stop the tcpdump.  


Syslog packet examples:


MAC Add (0100032615) > [udp sum ok] SYSLOG, length: 354
Facility local7 (23), Severity info (6)

logid="0100032615" type="event" subtype="system" level="information" vd="root" eventtime=1557866683718722489 logdesc="FortiSwitch MAC add" user="Switch-Controller" ui="cu_acd" msg="xx:xx:xx:xx:xx:xx discovered on interface port2 in vlan 99 on Switch XXXXXXX"


MAC Delete (0100032616): > [udp sum ok] SYSLOG, length: 338
Facility local7 (23), Severity info (6)

logid="0100032616" type="event" subtype="system" level="information" vd="root" eventtime=1557866683718877671 logdesc="FortiSwitch MAC delete" user="Switch-Controller" ui="cu_acd" msg="xx:xx:xx:xx:xx:xx deleted from vlan 100 on Switch XXXXXXX"


MAC Move (0100032617): > [udp sum ok] SYSLOG, length: 372
Facility local7 (23), Severity info (6)

logid="0100032617" type="event" subtype="system" level="information" vd="root" eventtime=1557866623120174894 logdesc="FortiSwitch MAC move" user="Switch-Controller" ui="cu_acd" msg="xx:xx:xx:xx:xx:xx moved from interface port5 to interface port6 in vlan 100 on Switch XXXXXXX"


If syslog messages are not being received, see KB article 242279.


3) If syslog is reaching the appliance, enable debug logs (written to /bsc/logs/output.master):

nacdebug –name BridgeManager true
nacdebug –name Fortinet true
nacdebug –name SyslogServer true


4) Start tcpdump:


tcpdump -nni eth0 host <IP of FGT listed in Topology> and port 514 -vvv | grep Switch-Controller -B3 | tee /bsc/logs/tcpdumpFGTSyslog.txt

5) Have the client connect/disconnect/move ports. Verify tcpdump shows the syslog message received.


Press Ctrl-C at any time to stop the tcpdump.


6) Once troubleshooting is complete, disable debugging:

nacdebug –name BridgeManager false
nacdebug –name Fortinet false
nacdebug –name SyslogServer false

Contact Support for further assistance. Open a support ticket and provide the following:


- Software version (x.x.x.x).

- FortiGate version.

- FortiSwitch version.

- Detailed description of behavior.

- Troubleshooting steps taken.

- IP address of the FortiGate.

- tcpdumpFGTSyslog.txt in /bsc/logs directory.

- System logs (For instructions see KB article 190755).

- Screen capture showing the MAC Learned and MAC Removed event's configuration.

- Screen capture showing the event generated (if generated).