Logging MAC address flapping events
FortiOS logs MAC address flapping events when a device’s MAC address is learned on different interfaces within the MAC address table in transparent mode. The log provides comprehensive details about the event, such as the specific MAC address involved, the ports where the flapping occurred, and the exact time of the event. This enhancement assists network administrators in quickly identifying and addressing related issues, thereby enhancing network stability and performance.
Example
In this example, the end user initiates internet traffic from PC1, which has an authentic MAC address. Subsequently, the user generates internet traffic from PC2 using a packet manipulation tool, such as Scapy, but with the spoofed MAC address of PC1. This event is successfully identified and logged by FortiGate running in transparent (TP) mode.
To view the logs:
# execute log filter category 1
# execute log filter start-line 1
# execute log display
36 logs found.
10 logs returned.

1: date=2024-03-26 time=14:05:33 eventtime=1711487133347757075 tz="-0700" logid="0100022970" type="event" subtype="system" level="information" vd="vdom1" logdesc="MAC flapping" service="kernel" mac="00:0c:29:90:21:c3" src_int="port1" msg="The incoming port of MAC address 00:0c:29:90:21:c3 has been switched from port2 to port1"
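The following added example (not Fortinet code) shows one way to triage exported MAC flapping records: it parses the key=value fields, extracts the old and new port from msg, and reports MAC addresses that moved repeatedly. The function names, the threshold of 2, and sample lines 2 to 4 are assumptions constructed for illustration; only line 1 is the record shown above.

```python
import re
import shlex
from collections import defaultdict

# Line 1 is the record shown on this page; lines 2-4 are constructed samples.
SAMPLE_LOGS = [
    'date=2024-03-26 time=14:05:33 eventtime=1711487133347757075 tz="-0700" logid="0100022970" type="event" subtype="system" level="information" vd="vdom1" logdesc="MAC flapping" service="kernel" mac="00:0c:29:90:21:c3" src_int="port1" msg="The incoming port of MAC address 00:0c:29:90:21:c3 has been switched from port2 to port1"',
    'date=2024-03-26 time=14:05:41 logid="0100022970" type="event" subtype="system" vd="vdom1" logdesc="MAC flapping" mac="00:0C:29:90:21:C3" src_int="port2" msg="The incoming port of MAC address 00:0c:29:90:21:c3 has been switched from port1 to port2"',
    'date=2024-03-26 time=14:06:02 logid="0100022970" type="event" subtype="system" vd="vdom1" logdesc="MAC flapping" mac="02:00:00:00:00:01" src_int="port3" msg="The incoming port of MAC address 02:00:00:00:00:01 has been switched from port1 to port3"',
    'date=2024-03-26 time=14:06:10 logid="0000000000" type="event" subtype="system" vd="vdom1" logdesc="constructed unrelated event" msg="placeholder"',
]

MOVE_RE = re.compile(r"switched from (\S+) to (\S+)")


def parse_line(line):
    """Split a key=value log record; shlex keeps quoted values with spaces intact."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def mac_flaps(lines):
    """Map each MAC (lowercased) to its ordered (timestamp, old_port, new_port) moves."""
    moves = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec.get("logdesc") != "MAC flapping":
            continue  # ignore every other event type
        m = MOVE_RE.search(rec.get("msg", ""))
        if m and "mac" in rec:
            stamp = f"{rec.get('date', '')} {rec.get('time', '')}"
            moves[rec["mac"].lower()].append((stamp, m.group(1), m.group(2)))
    return dict(moves)


def repeated_flappers(lines, threshold=2):
    """MACs that moved at least `threshold` times, with the ports involved."""
    out = {}
    for mac, events in mac_flaps(lines).items():
        if len(events) >= threshold:
            ports = sorted({p for _, old, new in events for p in (old, new)})
            out[mac] = {"count": len(events), "ports": ports}
    return out


if __name__ == "__main__":
    for mac, info in repeated_flappers(SAMPLE_LOGS).items():
        print(mac, info)
```

A MAC that bounces between the same two ports, as PC1's address does here, is consistent with either spoofing or a Layer 2 loop, so the reported ports are where to start checking.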