Administration Guide

Logging detection of duplicate IPv4 addresses

FortiOS can log each detection of duplicate IPv4 addresses on physical interfaces and VLAN interfaces in the event log under the new log ID 32701.

config system global
    set ip-conflict-detection {enable | disable}
end

set ip-conflict-detection {enable | disable}

Enable/disable logging of IPv4 address conflict detection.

FortiOS uses the following methods to detect duplicate IPv4 addresses, and can generate a log for each detection:

Detection method    Description

Active              Detection of duplicate physical and VLAN IPv4 addresses on FortiGate is triggered when:

  • FortiOS starts

  • The miglogd daemon restarts

  • A new physical interface is created

  • A physical interface status changes to up

  • A physical interface configuration changes

  • The diagnose test app miglogd 55 command is run

Passive             Detection of duplicate IPv4 addresses on a client is triggered when a device connected to FortiGate attempts to use an IPv4 address that is already in use.

FortiOS identifies duplicate IPv4 addresses by monitoring Gratuitous ARP packets. When the source IP of a Gratuitous ARP packet is already present in the cache but the source MAC address differs from the cached one, the IP address is considered a duplicate.

In addition to physical interfaces, passive detection is also valid for VLAN.
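
A minimal model of the passive check described above, added here as an example and not FortiOS code. The cache shape (IP address to MAC and interface, in the spirit of the `miglogd 54` output later on this page), the `ArpPacket` fields and the `check_gratuitous_arp` name are assumptions; the conflict message mirrors the wording of log ID 32701.

```python
# Added example (not FortiOS code): a Gratuitous ARP whose sender IP is already
# cached under a different MAC is reported as a duplicate; the same MAC
# re-announcing itself is not. Cache layout and packet fields are assumptions.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, List


@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str
    target_ip: str
    dev: str            # interface the packet arrived on


@dataclass
class CacheEntry:
    mac: str
    dev: str


def is_gratuitous(pkt: ArpPacket) -> bool:
    # Gratuitous ARP announces the sender's own address: sender IP == target IP.
    return pkt.sender_ip == pkt.target_ip


def seed_cache(rows: List[Tuple[str, str, str]]) -> Dict[str, CacheEntry]:
    """Build the cache from (ip, mac, dev) rows, e.g. taken from 'miglogd 54'."""
    return {ip: CacheEntry(mac.lower(), dev) for ip, mac, dev in rows}


def check_gratuitous_arp(cache: Dict[str, CacheEntry], pkt: ArpPacket) -> Optional[str]:
    """Return a duplicate-IP message, or None. Unknown addresses are learned."""
    if not is_gratuitous(pkt):
        return None                      # ordinary ARP traffic is not examined here
    mac = pkt.sender_mac.lower()
    known = cache.get(pkt.sender_ip)
    if known is None:
        cache[pkt.sender_ip] = CacheEntry(mac, pkt.dev)   # first sighting: learn it
        return None
    if known.mac == mac:
        return None                      # same host re-announcing itself
    return (f"Duplicate IP address {pkt.sender_ip} of MAC {mac} was detected on "
            f"interface {pkt.dev}, also in use by {known.dev} ({known.mac})")
```

The cache here is keyed only by IP address; a per-VLAN key would be needed where the same address legitimately exists on separate segments.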

In addition, a trap can be sent to the SNMP host when the SNMP event list includes interface.

The config system snmp community command includes a new interface event:

config system snmp community
    edit 1
        set name "test"
        config hosts
            edit 1
                set ip 172.18.71.107 255.255.255.0
            next
        end
        config hosts6
            edit 1
            next
        end
        set events {interface}
    next
end

set events {interface}

Send a trap for interface events.

The following new debug commands are also available:

diagnose test application miglogd 54

Shows the cache for IPv4 address conflict detection.

diagnose test application miglogd 55

Executes an IPv4 address conflict detection.

To enable logging of IPv4 address conflicts:

config system global
    set ip-conflict-detection enable
end

To trigger an active detection and log of IPv4 conflicts:

  1. In FortiOS, go to Network > Interfaces, and double-click an interface, such as wan1, to open it for editing.

  2. In the IP/Netmask box, change the IP address from 172.16.200.2/24 to 172.16.200.55/24. The following warning is displayed: This IP address is already in use by device <MAC address>.

  3. Go to Log & Report > System Events. A Duplicate IP address log entry is displayed.

    The same information is visible in the raw log:

    date=2024-04-30 time=18:08:56 eventtime=1714525736800388800 tz="-0700" logid="0100032701" type="event" subtype="system" level="error" vd="vdom1" logdesc="Detected IP conflicts on FGT interfaces." msg="Duplicate IP address 172.16.200.55 of MAC 02:42:ac:10:c8:37 was detected on interface wan1, also in use by wan1 (e8:1c:ba:f2:65:b6)"

To trigger a passive detection and log of IPv4 conflicts:

  1. On a client, change the IP address of the interface. For example, change it from 192.168.5.44 to 192.168.5.100/24.

  2. Go to Log & Report > System Events. A Duplicate IP address log entry is displayed.

    The same information is visible in the raw log:

    date=2024-04-30 time=18:00:08 eventtime=1714525207888886460 tz="-0700" logid="0100032701" type="event" subtype="system" level="error" vd="vdom1" logdesc="Detected IP conflicts on FGT interfaces." msg="Duplicate IP address 192.168.5.100 of MAC 00:0c:29:d3:30:4e was detected on interface dmz, also in use by dmzVLAN (e8:1c:ba:f2:65:b4)"
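
The two raw log lines on this page are key=value records whose quoted values contain spaces, so a naive split on whitespace breaks them. The following parser, added here as an example and not FortiOS or Fortinet code, extracts the structured conflict details (address, both MACs, both interfaces) from logid 0100032701 events so they can be forwarded to a SIEM; the function names are assumptions, and the third sample line is constructed.

```python
# Added example (not FortiOS code): parse FortiOS event-log lines and pull the
# duplicate-IP details out of logid 0100032701 messages.
import re
from typing import Dict, List, Optional

# The page's own two raw log lines plus one constructed, unrelated event line.
SAMPLE_LOGS = [
    'date=2024-04-30 time=18:08:56 eventtime=1714525736800388800 tz="-0700" logid="0100032701" type="event" subtype="system" level="error" vd="vdom1" logdesc="Detected IP conflicts on FGT interfaces." msg="Duplicate IP address 172.16.200.55 of MAC 02:42:ac:10:c8:37 was detected on interface wan1, also in use by wan1 (e8:1c:ba:f2:65:b6)"',
    'date=2024-04-30 time=18:00:08 eventtime=1714525207888886460 tz="-0700" logid="0100032701" type="event" subtype="system" level="error" vd="vdom1" logdesc="Detected IP conflicts on FGT interfaces." msg="Duplicate IP address 192.168.5.100 of MAC 00:0c:29:d3:30:4e was detected on interface dmz, also in use by dmzVLAN (e8:1c:ba:f2:65:b4)"',
    # constructed: a different event type that must be ignored (logid is a placeholder)
    'date=2024-04-30 time=18:01:00 logid="0100099999" type="event" subtype="system" level="notice" vd="vdom1" msg="unrelated event"',
]

IP_CONFLICT_LOGID = "0100032701"   # log ID 32701 as it appears in the raw log
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(
    r"Duplicate IP address (?P<ip>\d+\.\d+\.\d+\.\d+) of MAC (?P<mac>[0-9a-fA-F:]{17}) "
    r"was detected on interface (?P<dev>\S+), also in use by (?P<other_dev>\S+) "
    r"\((?P<other_mac>[0-9a-fA-F:]{17})\)")


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Split a FortiOS key=value line into a dict; quoted values keep their spaces."""
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_ip_conflict(line: str) -> Optional[Dict[str, object]]:
    """Structured record for a logid 0100032701 line, None for anything else."""
    rec = parse_fortios_log(line)
    if rec.get("logid") != IP_CONFLICT_LOGID:
        return None
    m = MSG_RE.search(rec.get("msg", ""))
    if m is None:
        return None                      # wording changed or truncated: triage by hand
    out: Dict[str, object] = dict(m.groupdict())
    out["vd"] = rec.get("vd", "")
    out["when"] = f'{rec.get("date", "")} {rec.get("time", "")}'
    # dev == other_dev is the active-detection case on this page: the address
    # configured on the FortiGate interface itself is already used by a foreign MAC.
    out["self_conflict"] = out["dev"] == out["other_dev"]
    return out


def conflicts_from_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Keep only the duplicate-IP events, in log order."""
    return [c for c in (parse_ip_conflict(l) for l in lines) if c is not None]
```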

To configure SNMP traps for interfaces:

  1. Configure an SNMP host and enable the interface event trap.

    config system snmp community
        edit 1
            set name "test"
            config hosts
                edit 1
                    set ip 172.16.200.55 255.255.255.0
                next
            end
            set events interface
        next
    end

To show the IPv4 address conflict detection cache:

# diagnose test application miglogd 54
index   IPv4 address    MAC     dev     vlanid
50      10.10.100.2     00:00:00:00:00:00       Loopback2
58      192.168.5.44    e8:1c:ba:f2:65:b4       dmzVLAN 50
48      10.255.1.1      00:00:00:00:00:00       fortilink
51      10.1.10.3       00:00:00:00:00:00       Loopback3
8       10.1.100.2      e8:1c:ba:f2:65:b7       wan2
49      10.10.10.2      00:00:00:00:00:00       loopback
6       10.6.30.107     e8:1c:ba:f2:65:b5       mgmt
52      192.168.100.99  e8:1c:ba:f2:65:bb       lan
23      10.2.2.2        e8:1c:ba:f2:65:c6       x1
7       172.16.200.2    e8:1c:ba:f2:65:b6       wan1

To execute an IPv4 address conflict detection:

# diagnose test application miglogd 55
Sending probe for 10.10.100.2 via Loopback2.
Sending probe for 192.168.5.44 via dmzVLAN.
Sending probe for 10.255.1.1 via fortilink.
Sending probe for 10.1.10.3 via Loopback3.
Sending probe for 10.1.100.2 via wan2.
Sending probe for 10.10.10.2 via loopback.
Sending probe for 10.6.30.107 via mgmt.
Sending probe for 192.168.100.99 via lan.
Sending probe for 10.2.2.2 via x1.
Sending probe for 172.16.200.2 via wan1.

To verify that the trap has been sent:

# diagnose debug application snmp -1
# diagnose debug enable
snmpd: queue is 2 entries long.
snmpd: queueing trap 8008000000000000@4295121097 (4295121097)
snmpd: queue is 3 entries long.
snmpd: dequeueing trap 8008000000000000@4295121097 (4295121097)
snmpd: sending to hosts: interface(1601)
snmpd: attempting v1 trap: interface(1601)
snmpd: trap from (172.16.200.1 -> 172.16.200.55)
snmpd: trap send(172.16.200.1:162 -> 172.16.200.55:162) bytes sent=264 total=264
snmpd: attempting v2c trap: interface(1601)
snmpd: get     : system.3.0 -> () -> 0
snmpd: trap send(172.16.200.1:162 -> 172.16.200.55:162) bytes sent=288 total=288
