Am I the only one that has noticed this?
If the Fortigate reboots, all of the PCs that connect to it (if connected directly through WiFi or Ethernet) think that it is a new network on reconnect.
How do I fix this?
Mike Pruett
No one has experienced this, or has any ideas? Happens on FortiWiFi's too.
Mike Pruett
I had this problem. I think I solved it by configuring a domain name for the network, given by the DHCP option on the Fortigate unit.
Are you using the DHCP server on the fortigate unit or a separate DHCP server like Windows Server or Linux Distro?
mail@jeroenmelis.nl wrote: I had this problem. I think I solved it by configuring a domain name for the network, given by the DHCP option on the Fortigate unit.
Are you using the DHCP server on the fortigate unit or a separate DHCP server like Windows Server or Linux Distro?
I am using the DHCP built into the Fortigate.
Mike Pruett
The only time I have heard about something like this happening is back in the old XP days with certain 3rd-party security software and/or 3rd-party firewalls installed.
Personally, I would treat this as a Network Location Awareness issue and troubleshoot accordingly. Unfortunately, I do not know enough about the actual process that Windows uses to detect a new network connection -- the linked article just touches briefly on it (creating a GUID for the connection); see also this article on NLA. A Google search brings up some ESET/McAfee and other issues, with possible workarounds.
The closest forum post I have come across is this one (lots of comments) on what actually may be going on.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Dave Hall wrote: The only time I have heard about something like this happening is back in the old XP days with certain 3rd-party security software and/or 3rd-party firewalls installed.
Personally, I would treat this as a Network Location Awareness issue and troubleshoot accordingly. Unfortunately, I do not know enough about the actual process that Windows uses to detect a new network connection -- the linked article just touches briefly on it (creating a GUID for the connection); see also this article on NLA. A Google search brings up some ESET/McAfee and other issues, with possible workarounds.
The closest forum post I have come across is this one (lots of comments) on what actually may be going on.
Yeah, it does this for all clients regardless of base Windows install, soft firewall (on or off), base Windows firewall, domain, domain configured on the Fortigate, pretty much all configurations. We deploy a good number of these things and this has always been something that kinda irked me about it. If a device directly connects to the Fortigate or FortiWifi and the Fortigate is rebooted, the network connection increments, as such: increment-network.gif
The network is named Lermins. The Fortigate has been rebooted 15 times over the network's life (due to FW upgrades etc.).
Mike Pruett
Hello Mike,
First: better late than never.
I found this post because I have the problem at home (FortiWifi 60E), my network has a domain name and it still happens.
Thanks to Dave's mention of NLA I read about it and found that my FortiGate changes its "internal" MAC address every time I reboot. Moments ago it was 00-ff-29-7e-70-33, now it's 00-ff-d8-15-f2-83. If you take a look at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged, you'll see all those networks stacking up, and the only difference is the MAC address.
My "internal" interface is a switch that bridges another switch (the lan ports) and the wireless network:
    config system virtual-switch
        edit "lan"
            set physical-switch "sw0"
            set span disable
            config port
                edit "lan1"
                    set speed auto
                    set status up
                    set alias ''
                next
                edit "lan2"
                    set speed auto
                    set status up
                    set alias ''
                next
                edit "lan3"
                    set speed auto
                    set status up
                    set alias ''
                next
                edit "lan4"
                    set speed auto
                    set status up
                    set alias ''
                next
                edit "lan5"
                    set speed auto
                    set status up
                    set alias ''
                next
            end
        next
    end
    config system switch-interface
        edit "internal"
            set vdom "root"
            set member "lan" "wifi hydra"
        next
    end
    config system interface
        edit "internal"
            set vdom "root"
            set ip 172.20.1.1 255.255.255.0
            set allowaccess ping https ssh capwap
            set type switch
            set device-identification enable
            set fortiheartbeat enable
            set role lan
            set snmp-index 7
        next
    end
HTH.
Posting this workaround in case someone stumbles upon this problem: as you can see, I have a physical switch with the Ethernet ports, and then a switch interface that joins the former switch with the WiFi SSID.
I found out that FortiWifi's internal interface took the MAC address from the WiFi SSID, and that MAC was kinda random (I don't know how it's built).
The solution was to configure a fixed MAC address:
    config system interface
        edit "wifi hydra"
            set vdom "root"
            set type vap-switch
            set role lan
            set snmp-index 11
            set macaddr 00:ff:9c:d3:3e:7f
        next
    end
And voilà, no more "Dormammu, I found a new network" every time I reboot the FortiWifi.
Tested on FortiWifi 50e + FortiOS 6.0.3.
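A small check for the workaround above, added here as an illustration (it is not from the thread or from FortiOS): it parses `show` output blocks and flags any switch-interface member of type vap-switch that has no fixed `macaddr`, the condition the poster found to give the switch a new MAC at every reboot. The config text is a constructed sample using the thread's interface names.

```python
import re

# Constructed sample modelled on the config blocks quoted in this thread
# (same interface names; the vap-switch has no fixed MAC yet).
SAMPLE_CONFIG = """
config system switch-interface
    edit "internal"
        set member "lan" "wifi hydra"
    next
end
config system interface
    edit "internal"
        set type switch
    next
    edit "wifi hydra"
        set type vap-switch
        set role lan
    next
end
"""

def parse_fortios(text):
    """config/edit/set/next/end blocks -> {table: {entry: {key: [values]}}}."""
    tables, stack = {}, []
    for line in text.splitlines():
        # quoted names like "wifi hydra" are kept as one token
        toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if not toks:
            continue
        if toks[0] == "config":
            stack.append(" ".join(toks[1:]))
            tables.setdefault(stack[-1], {})
        elif toks[0] == "edit":
            stack.append(toks[1])
            tables[stack[-2]].setdefault(toks[1], {})
        elif toks[0] == "set":
            tables[stack[-2]][stack[-1]][toks[1]] = toks[2:]
        elif toks[0] in ("next", "end"):
            stack.pop()
    return tables

def unpinned_vap_members(tables):
    """(switch, member) pairs where a switch-interface member is a vap-switch
    without 'set macaddr', i.e. the case the thread found to change the switch
    MAC after every reboot (and so create a new Windows network profile)."""
    ifaces = tables.get("system interface", {})
    return [(sw, m) for sw, a in tables.get("system switch-interface", {}).items()
            for m in a.get("member", [])
            if ifaces.get(m, {}).get("type") == ["vap-switch"]
            and "macaddr" not in ifaces.get(m, {})]
```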
Agents 1994's solution worked for me when I was on 6.0.x; however, after upgrading to 6.4.x, it stopped working.
Is there a new option to prevent Fortigate from randomizing MAC addresses at boot?
Details:
    FWF # show system interface wire_less_ssw
    config system interface
        edit "wire_less_ssw"
            set vdom "root"
            set ip 192.168.1.2 255.255.255.0
            set allowaccess ping https ssh fabric
            set type switch
            set device-identification enable
            set role lan
            set snmp-index 8
        next
    end

    FWF # show system switch-interface wire_less_ssw
    config system switch-interface
        edit "wire_less_ssw"
            set vdom "root"
            set member "internal" "wifi"
        next
    end

    FWF # show system interface internal
    config system interface
        edit "internal"
            set vdom "root"
            set type hard-switch
            set stp enable
            set snmp-index 6
        next
    end

    FWF # show system virtual-switch internal
    config system virtual-switch
        edit "internal"
            set physical-switch "sw0"
            config port
                edit "internal1"
                next
                edit "internal2"
                next
                edit "internal3"
                next
                edit "internal4"
                next
                edit "internal5"
                next
                edit "internal6"
                next
                edit "internal7"
                next
            end
        next
    end

    FWF # show system interface wifi
    config system interface
        edit "wifi"
            set vdom "root"
            set type vap-switch
            set role lan
            set snmp-index 7
            set macaddr 00:88:01:01:01:01
        next
    end

In 6.0.12:
    FWF # diagnose netlink brctl name host wire_less_ssw
    show bridge control interface wire_less_ssw host.
    fdb: size=2048, used=9, num=9, depth=1, simple=switch
    Bridge wire_less_ssw host table
    port no  device  devname  mac addr           ttl  attributes
    :
     2       21      wifi     00:88:01:01:01:01  0    Local Static

However, in 6.4.5:
    FWF # diagnose netlink brctl name host wire_less_ssw
    show bridge control interface wire_less_ssw host.
    fdb: size=2048, used=14, num=14, depth=1, ageing-time=300, simple=switch
    Bridge wire_less_ssw host table
    port no  device  devname  mac addr           ttl  attributes
    :
     2       22      wifi     00:ff:15:AA:BB:CC  0    Local Static
    :

Client:
    $ arp -a
    Interface: 192.168.1.19 --- 0x3
      Internet Address      Physical Address      Type
      192.168.1.2           00-ff-15-AA-BB-CC     dynamic
    :
Fixed in 6.4.6.
Copyright 2024 Fortinet, Inc. All Rights Reserved.