Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 7.6.0
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    New Features

    7.6.0
    8.0.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    Manual and automatic HA virtual MAC address assignment

    Manual and automatic HA virtual MAC address assignment

    Note

    This information is also available in the FortiOS 7.6 Administration Guide:

    To increase the number of HA virtual MAC addresses higher than the number HA group IDs, FortiGate supports three methods of assigning virtual MAC addresses, in order of highest priority to lowest:

    • Manual assignment per interface

    • Automatic assignment

    • Group ID based assignment (existing process)

    Manual virtual MAC address assignment can be configured on a physical, EMAC, or FortiExtender interface. It will override other virtual MAC address assignments on the interface.

    config system interface
    edit <interface>
        set virtual-mac <mac_address>
    next
end

    Automatic virtual MAC address assignment can be configured on physical interfaces. It uses the hardware MAC address of the primary device with the locally administered bit (U/L bit) changed to 1. For example, 00:xx:xx:xx:xx:xx becomes 02:xx:xx:xx:xx:xx.

    Note

    In a 48-bit MAC address, the U/L bit refers to the second least significant bit in the first octet of the hexadecimal MAC address. When this bit is 0, it indicates that the MAC address is Universal, meaning that it is assigned by a central authority. When this bit is 1, it indicates that the MAC address is Local, meaning that it is assigned locally.

    For example, the first octet of 00 represented in binary is 00000000, where the U/L bit is 0. Whereas the first octet of 02 represented in binary is 00000010, where the U/L bit is set to 1.

    		 
    config system ha
    set auto-virtual-mac-interface <interface> [interface(s)]
end
    To manually assign a virtual MAC address to an interface:
    config system interface
    edit "wan1"
        set ip 172.16.200.1 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set virtual-mac 06:d5:90:04:f8:9c
        set type physical
        set snmp-index 3
        config ipv6
            set ip6-address 2000:172:16:200::1/64
            set ip6-allowaccess ping https ssh snmp http telnet
        end
    next
end
    To configure automatic virtual MAC address assignment:
    config system ha
    set group-id 20
    set group-name "MMMMM"
    set mode a-p
    set hbdev "ha1" 50 "ha2" 100
    set auto-virtual-mac-interface "wan1" "port1" "port2" "ha1" "ha2" "port3" "port4" "port5" "port6" "port7" "port8" "dmz"
    set upgrade-mode simultaneous
    set override enable
    set priority 200
end
    To check the MAC addresses:
    # diagnose hardware deviceinfo nic wan1 | grep addr
Current_HWaddr       06:d5:90:04:f8:9c
Permanent_HWaddr     04:d5:90:04:f8:9c

    The current hardware address (Current_HWaddr) is the automatically generated virtual MAC address. The permanent hardware address (Permanent_HWaddr) is the physical MAC address.

    Previous
    Next

    Manual and automatic HA virtual MAC address assignment

    Manual and automatic HA virtual MAC address assignment

    Note

    This information is also available in the FortiOS 7.6 Administration Guide:

    To increase the number of HA virtual MAC addresses higher than the number HA group IDs, FortiGate supports three methods of assigning virtual MAC addresses, in order of highest priority to lowest:

    • Manual assignment per interface

    • Automatic assignment

    • Group ID based assignment (existing process)

    Manual virtual MAC address assignment can be configured on a physical, EMAC, or FortiExtender interface. It will override other virtual MAC address assignments on the interface.

    config system interface
    edit <interface>
        set virtual-mac <mac_address>
    next
end

    Automatic virtual MAC address assignment can be configured on physical interfaces. It uses the hardware MAC address of the primary device with the locally administered bit (U/L bit) changed to 1. For example, 00:xx:xx:xx:xx:xx becomes 02:xx:xx:xx:xx:xx.

    Note

    In a 48-bit MAC address, the U/L bit refers to the second least significant bit in the first octet of the hexadecimal MAC address. When this bit is 0, it indicates that the MAC address is Universal, meaning that it is assigned by a central authority. When this bit is 1, it indicates that the MAC address is Local, meaning that it is assigned locally.

    For example, the first octet of 00 represented in binary is 00000000, where the U/L bit is 0. Whereas the first octet of 02 represented in binary is 00000010, where the U/L bit is set to 1.

    		 
    config system ha
    set auto-virtual-mac-interface <interface> [interface(s)]
end
    To manually assign a virtual MAC address to an interface:
    config system interface
    edit "wan1"
        set ip 172.16.200.1 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set virtual-mac 06:d5:90:04:f8:9c
        set type physical
        set snmp-index 3
        config ipv6
            set ip6-address 2000:172:16:200::1/64
            set ip6-allowaccess ping https ssh snmp http telnet
        end
    next
end
    To configure automatic virtual MAC address assignment:
    config system ha
    set group-id 20
    set group-name "MMMMM"
    set mode a-p
    set hbdev "ha1" 50 "ha2" 100
    set auto-virtual-mac-interface "wan1" "port1" "port2" "ha1" "ha2" "port3" "port4" "port5" "port6" "port7" "port8" "dmz"
    set upgrade-mode simultaneous
    set override enable
    set priority 200
end
    To check the MAC addresses:
    # diagnose hardware deviceinfo nic wan1 | grep addr
Current_HWaddr       06:d5:90:04:f8:9c
Permanent_HWaddr     04:d5:90:04:f8:9c

    The current hardware address (Current_HWaddr) is the automatically generated virtual MAC address. The permanent hardware address (Permanent_HWaddr) is the physical MAC address.

    Previous
    Next