Hi guys,
We have a Forti400E HA pair topology (with FortiOS V6.4.2) in the production network and intend to change the interface MAC address. Do we need to change the same MAC address on both devices at the same time, or just change the MAC address on the primary/master Forti400E (it will sync the MAC address to the secondary/slave Forti400E)?
Thanks so much for your advice
Hi,
Every FortiGate physical interface has two MAC addresses: the current hardware address and the permanent hardware address. The permanent hardware address cannot be changed; it is the actual MAC address of the interface hardware. The current hardware address can be changed.
For an operating cluster, the current hardware address of each cluster unit interface is changed to the HA virtual MAC address by the FGCP. The macaddr option is not available for a functioning cluster. You cannot change an interface MAC address and you cannot view MAC addresses from the system interface CLI command.
MarMar
Hi, MARMAR,
Thanks so much for your information.
Based on my findings, two MAC addresses are defined for a FortiGate interface (current and permanent MAC address), as you state.
But the current MAC address can be viewed and changed:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD30888
Cheers
Hi BensonLEI,
What you say is true if you are not talking about an HA cluster. In this case the FGCP (FortiGate Cluster Protocol) manages the current addresses and it is no longer possible to set them manually.
In this part of the documentation it is a bit clearer.
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/996579/cluster-virtual-mac-addresses
MarMar
Hi, MARMAR,
Thanks so much for your information, now I understand.
I am running a FortiGate HA pair. Can I change the Cluster-ID for a different virtual MAC address (will any device reboot if the MAC address is changed)?
Cheers
BensonLEI wrote:
> I am running the Fortigate HA pair, can I change the Cluster-ID for the different virtual mac add ( any device reboot if the mac add is changed) ?

Yes, you can change cluster-id and it will change the virtual MAC; that happens directly after the change.
Correct, thx a lot
How are you going to change the MAC address?
If this is based on the group-id in the HA settings, I believe this needs to be done on both units.
If in another way, please share how.
Hi, Boneyard,
Great help.
Cheers