rsingla
Staff

Description
When FortiWeb devices are in HA mode, a virtual MAC address is assigned to each interface of the active device (except the HA heartbeat interface and the reserved management interface).

This allows a seamless and quick shift of traffic from the active to the passive device on HA failover, because the same virtual MAC address becomes active on the new active device (the passive device before the failover).

In some scenarios, for security reasons or in virtual machine (VM) environments, MAC bindings may be configured for the FortiWeb virtual MAC addresses. This works fine, because the virtual MAC address is calculated with a fixed formula in versions before 6.2.
 

Starting from version 6.2, however, the formula for calculating the virtual MAC address changed, because a new HA mode, "active-active high volume", was introduced.
Because of this change in the formula, the virtual MAC addresses change when the devices are upgraded from an older version to 6.2 or higher.
This can cause connectivity issues if the network has any MAC bindings to the old MAC addresses.
Solution
In versions older than 6.2, the formula to calculate the virtual MAC address was as follows:

1) The first four bytes are fixed: 0x00, 0x09, 0x0f, 0x09.
2) The fifth byte is the HA group ID; for example, group ID 8 becomes 0x08.
3) The sixth byte is the interface ID; for example, port2 becomes 0x02.

So in versions older than 6.2, the virtual MAC address for port2 on the active FortiWeb device with HA group ID 8 looks like "00:09:0F:09:08:02".

Starting from 6.2 and newer versions, the formula to calculate the virtual MAC address has been changed as follows:

1) The first four bytes are fixed: 0x00, 0x09, 0x0f, 0xa0.
2) The top 6 bits of the fifth byte hold the group ID; for example, group ID 8 becomes 0x20 (8 in binary is 1000; placed in the top 6 bits of the byte it reads 00100000, which is 0x20 in hexadecimal).
3) The remaining bits hold the interface ID; for example, port2 becomes 0x02 in the sixth byte.

So starting from 6.2 and newer versions, the virtual MAC address for port2 on the active FortiWeb device with HA group ID 8 looks like "00:09:0F:A0:20:02".


Note that this change in the MAC address calculation, even for the same device with the same configuration, may cause connectivity issues after an upgrade from an older version to 6.2 or above if the network devices connected to the FortiWeb have any MAC binding to the previous MAC address.

The solution to avoid connectivity issues in such cases is to update the MAC address bindings on the devices connected to the FortiWeb during the upgrade process. The MAC addresses can be calculated in advance, before the upgrade, using the formula above.
 
 
The virtual MAC addresses on the active device can be checked with this command:
 
# diagnose system ha mac
name=port4, phyindex=6, 00:09:0F:A0:20:04, linkfail=1
name=port3, phyindex=5, 00:09:0F:A0:20:03, linkfail=0
name=port2, phyindex=4, 00:09:0F:A0:20:02, linkfail=0
name=port1, phyindex=3, 00:09:0F:A0:20:01, linkfail=0
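The following script is an added example, not Fortinet's code or part of the original article. It applies both formulas above so the old and new virtual MAC addresses can be listed per port before the upgrade (to hand to whoever maintains the MAC bindings), and it parses `diagnose system ha mac` output to confirm that the MACs reported after the upgrade match the 6.2+ formula for the configured group ID. It assumes the interface ID is the port number (port2 -> 2) and that, as in the article's example, the fifth byte of the new format carries only the group ID in its top six bits; the sample output embedded below is constructed from the listing in this article.

```python
"""Plan and verify FortiWeb HA virtual MACs across the 6.2 formula change.

Added example (not Fortinet's code). Assumptions: the interface ID is the
port number, and in the 6.2+ format the fifth byte holds the group ID in
its top six bits with the low two bits zero, as in the article's example.
"""
import re
from typing import Dict, Iterable, List, Tuple

OLD_PREFIX = (0x00, 0x09, 0x0F, 0x09)   # versions before 6.2
NEW_PREFIX = (0x00, 0x09, 0x0F, 0xA0)   # 6.2 and newer


def _fmt(octets: Iterable[int]) -> str:
    return ":".join(f"{b:02X}" for b in octets)


def iface_id(port: str) -> int:
    """'port2' -> 2 (assumption: interface ID equals the port number)."""
    m = re.fullmatch(r"port(\d+)", port)
    if not m:
        raise ValueError(f"unrecognised interface name: {port!r}")
    return int(m.group(1))


def old_vmac(group_id: int, iface: int) -> str:
    """Pre-6.2: fifth byte = HA group ID, sixth byte = interface ID."""
    if not 0 <= group_id <= 0xFF or not 0 <= iface <= 0xFF:
        raise ValueError("group ID and interface ID must each fit in one byte")
    return _fmt(OLD_PREFIX + (group_id, iface))


def new_vmac(group_id: int, iface: int) -> str:
    """6.2+: top six bits of the fifth byte = group ID, sixth byte = interface ID.

    A group ID above 63 cannot fit in six bits, so it is rejected rather than
    silently truncated into a wrong (and possibly colliding) address.
    """
    if not 0 <= group_id <= 0x3F:
        raise ValueError("group ID must be 0..63 to fit in the top six bits")
    if not 0 <= iface <= 0xFF:
        raise ValueError("interface ID must fit in one byte")
    return _fmt(NEW_PREFIX + ((group_id << 2) & 0xFF, iface))


def migration_table(group_id: int, ports: Iterable[str]) -> List[Tuple[str, str, str]]:
    """(port, pre-6.2 MAC, 6.2+ MAC) rows: the binding updates needed at upgrade."""
    return [(p, old_vmac(group_id, iface_id(p)), new_vmac(group_id, iface_id(p)))
            for p in ports]


# One line of `diagnose system ha mac` output, as shown in the article.
LINE_RE = re.compile(r"name=(\w+), phyindex=\d+, ([0-9A-Fa-f:]{17}), linkfail=\d")


def parse_ha_mac(output: str) -> Dict[str, str]:
    """Parse `diagnose system ha mac` output into {port: virtual MAC}."""
    return {m.group(1): m.group(2).upper() for m in LINE_RE.finditer(output)}


def check_ha_macs(output: str, group_id: int) -> List[Tuple[str, str, str]]:
    """Return (port, observed, expected) for each port whose reported virtual
    MAC does not match the 6.2+ formula for group_id. Empty list means all match."""
    mismatches = []
    for port, observed in parse_ha_mac(output).items():
        expected = new_vmac(group_id, iface_id(port))
        if observed != expected:
            mismatches.append((port, observed, expected))
    return mismatches


# Constructed sample, copied from the article's `diagnose system ha mac` listing.
SAMPLE_OUTPUT = """\
name=port4, phyindex=6, 00:09:0F:A0:20:04, linkfail=1
name=port3, phyindex=5, 00:09:0F:A0:20:03, linkfail=0
name=port2, phyindex=4, 00:09:0F:A0:20:02, linkfail=0
name=port1, phyindex=3, 00:09:0F:A0:20:01, linkfail=0
"""

if __name__ == "__main__":
    for port, old, new in migration_table(8, ["port1", "port2", "port3", "port4"]):
        print(f"{port}: {old} -> {new}")
    print("mismatches after upgrade:", check_ha_macs(SAMPLE_OUTPUT, 8))
```

Run the script before the upgrade to produce the old-to-new table for the HA group ID in use, then paste the post-upgrade `diagnose system ha mac` output into `check_ha_macs` with the same group ID: any mismatch points at a port whose binding must be rechecked.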
 

The physical MAC addresses on the active device can be checked with this command:
# diagnose system ha interface-macinfo
4 interface
port1 origin mac 0:68:61:64:5d:1
port2 origin mac 0:68:61:64:5d:2
port3 origin mac 0:68:61:64:5d:3
port4 origin mac 0:68:61:64:5d:4
On the passive unit, only the physical MAC addresses are ever shown, because the virtual MAC addresses are visible and active only on the active device.