Fortigate 100D - How to see the mac-address of interfaces

bluephoenix71
New Member
2015/02/26 02:54:52 (permalink)
0

Hi,
 
What command in the GUI or CLI should I use in order to see the MAC address of each interface of the FortiGate 100D firewall?
 
Like show arp, then show mac-address on a Cisco switch.
 
 
Thanks,
#1
emnoc
Expert Member
Re: Fortigate 100D - How to see the mac-address of interfaces 2015/02/26 03:07:41 (permalink)
0
The best commands:
 
diag hardware deviceinfo nic <name>
 
or
 
get hardware nic port <name>
 
 
post edited by emnoc - 2015/02/26 03:11:22

PCNSE, NSE, Forcepoint, StrongSwan Specialist
#2
bluephoenix71
New Member
Re: Fortigate 100D - How to see the mac-address of interfaces 2015/02/26 03:35:45 (permalink)
0
Will this command affect the box? I mean, do I need to issue this command during non-business hours?
 
emnoc wrote:
    The best commands:
    diag hardware deviceinfo nic <name>
    or
    get hardware nic port <name>

#3
ede_pfau
Expert Member
Re: Fortigate 100D - How to see the mac-address of interfaces 2015/02/26 03:36:47 (permalink)
0
Methinks you are looking for the arp table, not the FGT's interfaces' MAC addresses (which can be easily seen in the GUI):
gate # get sys arp
Address         Age(min)  Hardware Addr      Interface
192.168.234.11  0         00:1a:4d:48:35:8f  internal
192.168.234.99  0         00:01:e6:03:0b:1f  internal


Ede

" Kernel panic: Aiee, killing interrupt handler!"
#4
emnoc
Expert Member
Re: Fortigate 100D - How to see the mac-address of interfaces 2015/02/26 03:47:46 (permalink)
0
If that's the case, then another option is diag ip arp list ;)
 

PCNSE, NSE, Forcepoint, StrongSwan Specialist
#5
bluephoenix71
New Member
Re: Fortigate 100D - How to see the mac-address of interfaces 2015/02/26 03:51:15 (permalink)
0
This is a diagnostic command, so is it safe? Can it be issued in production?

emnoc wrote:
    If that's the case, then another option is diag ip arp list ;)

#6
bluephoenix71
New Member
Re: Fortigate 100D - How to see the mac-address of interfaces 2015/02/26 03:51:55 (permalink)
0
I am looking for the MAC address of each WAN interface on the firewall.
 
ede_pfau wrote:
    Methinks you are looking for the arp table, not the FGT's interfaces' MAC addresses (which can be easily seen in the GUI):
    gate # get sys arp
    Address         Age(min)  Hardware Addr      Interface
    192.168.234.11  0         00:1a:4d:48:35:8f  internal
    192.168.234.99  0         00:01:e6:03:0b:1f  internal

#7
patrick z
Bronze Member
Re: Fortigate 100D - How to see the mac-address of interfaces 2015/02/26 04:03:49 (permalink)
0
Hi,
 
get hardware nic wan1
With get hardware nic ?
you will get a list of all the interfaces you have.
It's safe and you can do that any time!
 
Cheers, Patrick
#8
bluephoenix71
New Member
Re: Fortigate 100D - How to see the mac-address of interfaces 2015/02/26 05:09:34 (permalink)
0
Hi, I get to see the IP addresses, but they are mostly the VIP or HSRP IP of the core switch...
 
patrick z wrote:
    Hi,
    get hardware nic wan1
    With get hardware nic ?
    you will get a list of all the interfaces you have.
    It's safe and you can do that any time!
    Cheers, Patrick

#9
Dave Hall
Expert Member
Re: Fortigate 100D - How to see the mac-address of interfaces 2015/02/26 07:08:19 (permalink) [marked helpful by CoupDeGrace 2015/03/05 11:51:59]
0
bluephoenix71 wrote:
    Hi, I get to see the IP addresses, but they are mostly the VIP or HSRP IP of the core switch...

Hi Blue. I don't think you will find a complete single list/page showing the MAC address of all the interfaces. On the GUI you can find the MAC address listed behind the interface name (see pic).
 
emnoc has already provided the CLI commands to get the MAC address, which is diag hardware deviceinfo nic <name>. Use ? in place of <name> to get a list of interfaces.
 
If you just want the MAC address for an interface, use: diag hardware deviceinfo nic <name> | grep HWaddr

NSE4/FMG-VM64/FortiAnalyzer-VM/5.4/6.0 (FWF40C/FW92D/FGT200D/FGT101E)/ FAP220B/221C
#10
AndreaSoliva
Expert Member
Re: Fortigate 100D - How to see the mac-address of interfaces 2015/02/27 04:42:45 (permalink) [marked helpful by CoupDeGrace 2015/03/05 11:52:12]
5 (1)
Hi
 
What has to be noted in this communication is the following:
 
ARP entries on a FortiGate, whatever is configured on a physical interface, can be seen with the corresponding commands shown here, like:
 
# get sys arp
# diagnose ip arp list
 
ARP entries like VIP ones CANNOT BE SEEN in the ARP list, because they exist in the firewall daemon on layer 4. Example: if you have one public IP on wan1 and it is physically configured, you will see the ARP entry, no problem. If you now use a second one, and you DO NOT configure the second one as a secondary IP on wan1 (not needed) but instead configure a VIP based on the second one, everything works from scratch as long as the second public IP is routed to wan1 from the outside perspective. If you look at the ARP table you will NOT see the ARP entry for the second public IP, because the VIP, which has "arp-reply" enabled, exists in layer 4, i.e. within the firewall daemon, and because of this you will not see a corresponding entry with the commands shown here. All commands shown here are based on layer 2, and therefore you will never see the firewall daemon's layer 4 ARP entries. According to Fortinet Support there is no possibility or available command which shows these entries.
 
By the way, we have the same issue/situation for routing entries concerning client-to-site (dial-up) VPN. This actually means the following: if you create a dial-up VPN and define for this connection an Office IP Pool (actually a DHCP server which gives an IP to the connecting client after successful authentication), you do not actually have to route this Office IP Pool to the IPsec client-to-site VPN, because this entry is done within the IPsec daemon. Of course you can create a static entry, which I really recommend, because here too the routing exists within the IPsec daemon on layer 4 and you will never see the routing entry on layer 3 with the corresponding routing command like:
 
# diagnose ip route list
 
Here too, based on the information from Fortinet Support, there is no command which shows the routing based on layer 4. This circumstance, that the dial-up VPN Office Pool no longer has to be routed and the routing entry is automatically done in the background within the IPsec daemon, applies to FortiOS 5.0 and higher.
 
hope this helps
 
have fun....
 
Andrea
 
 
#11
ede_pfau
Expert Member
Re: Fortigate 100D - How to see the mac-address of interfaces 2015/02/27 05:23:49 (permalink)
0
Hmm, the OP is looking for the list of MAC addresses of all interfaces. VIPs - as documented - use the MAC address of the associated physical interface.
So, yes, you cannot see all IP addresses in an IP-MAC table but you can see all MAC addresses in use by the FGT.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#12
CoupDeGrace
New Member
Re: Fortigate 100D - How to see the mac-address of interfaces 2015/03/05 11:57:53 (permalink)
0
So is there not a way to assign a virtual MAC to VIPs? We have an ISP that (as a side benefit to their DOCSIS3 rollout) has to manually approve all requests when there is >1 IP/MAC.
 
Re-reading this - that may be a dumb question as the MAC is the hardware address and that's what's actually plugged in, but I suppose it could be possible to alter the ARP reply by the WAN interface. Just not sure if this is actually something that can be done.
#13
AndreaSoliva
Expert Member
Re: Fortigate 100D - How to see the mac-address of interfaces 2015/03/05 23:26:46 (permalink)
0
Hi
 
Assigning a MAC address to a VIP directly is not possible, from my point of view. Anyway, of course you can add a specific ARP entry as is normally done on layer 2. This means: if you use a /29 on wan1 and there is an additional /29 which, from a logical point of view, is also on wan1, it is actually enough to create a VIP based on the additional /29; and if under "config firewall vip" the option "arp-reply" (which is enabled by default) is enabled, there will be ARP entries in layer 4. These ARP entries are not visible on layer 2, but as mentioned, of course you can add classic ARP entries for this additional /29 to wan1, which means:
 
       # config system arp-table
       # edit 1
       new entry '1' added
       # get
       id                  : 1
       interface           :
       ip                  : 0.0.0.0
       mac                 : 00:00:00:00:00:00
       # set interface [name of the interface, e.g. "wan1"]
       # set ip [IPv4 address]
       # set mac [MAC address belonging to that IPv4 address]
       # end
 
In this way the interface on layer 2 will answer ARP requests. What is also possible is to enable, within "config firewall vip", the option "gratuitous-arp-interval", which means that if this option is used, layer 4 will send out ARP replies to inform the switch/router etc. that this IP/ARP is up. Normally this is used within a cluster environment to inform the switch that something is up and running. I have been in this business for a long time, and if I have a customer in such a situation, meaning with an additional IP range on wan1, I actually always create static ARP entries, if only to show for future reference that there is an additional IP range. Of course you can also configure this additional /29 as a secondary IP on wan1; if this is done it is visible in the web GUI (because of the secondary entry on the interface) as well as in the ARP table, because it is based on the classic way of adding ARP entries on layer 2 via a secondary interface address.
 
For me it is only important "to know that ARP entries based on VIPs are not based on layer 2 and are not visible, because they exist in layer 4" (firewall daemon).
 
hope this helps
 
have fun
 
Andrea
#14
bluephoenix71
New Member
Re: Fortigate 100D - How to see the mac-address of interfaces 2015/03/23 04:59:44 (permalink)
0
Hi all,
Thanks for the commands. I can see 2 MAC addresses on port15 and port16:
fwb01 # get hardware nic port15 | grep -A 2 "Current"
Current_HWaddr 08:5b:0e:5d:33:12
Permanent_HWaddr 08:5b:0e:5d:33:12
 
fwb01 # get hardware nic port16 | grep -A 2 "Current"
Current_HWaddr 08:5b:0e:5d:33:13
Permanent_HWaddr 08:5b:0e:5d:33:13
 
Now, what I need to do is trace exactly which switch ports port15 and port16 connect to, in this case a Cisco switch.
 
If I do a show mac address-table add on core-sw1, I can see that it's on g4/21.
COR-1# show mac address-table add 08:5b:0e:5d:33:12
Unicast Entries
 vlan   mac address     type     protocols             port
-------+---------------+--------+---------------------+--------------------
 108    085b.0e5d.3312  dynamic  ip                    GigabitEthernet4/21
 
BUT... if I trace the second MAC address, it is not showing on either core switch...
 
COR-1# show mac address-table add 08:5b:0e:5d:33:13
No entries present.
COR-2# sh mac add add 08:5b:0e:5d:33:13
No entries present.
 
Now, port15 and port16 are configured as bonded, or only having one IP address.

How can I now see which port in core-sw1 or core-sw2 is connected to FortiGate port16? Do I really need someone physically onsite to trace this??
 
Thanks,
 
 
 
Dave Hall wrote:
    bluephoenix71 wrote:
        Hi, I get to see the IP addresses, but they are mostly the VIP or HSRP IP of the core switch...

    Hi Blue. I don't think you will find a complete single list/page showing the MAC address of all the interfaces. On the GUI you can find the MAC address listed behind the interface name (see pic).

    emnoc has already provided the CLI commands to get the MAC address, which is diag hardware deviceinfo nic <name>. Use ? in place of <name> to get a list of interfaces.

    If you just want the MAC address for an interface, use: diag hardware deviceinfo nic <name> | grep HWaddr

post edited by bluephoenix71 - 2015/03/23 05:07:06
#15
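The tracing procedure in the post above (read the MAC from `get hardware nic` / `diag hardware deviceinfo nic` on the FortiGate, then look it up with `show mac address-table` on the Cisco side), as an added example that is not part of this thread and is not Fortinet's or any poster's code. The script normalizes the two vendors' MAC notations (08:5b:0e:5d:33:12 versus 085b.0e5d.3312), maps each FortiGate interface to the switch port that learned it, and flags two conditions a practitioner wants to see: an interface the switch never learned (the port16 case above) and an interface whose Current_HWaddr differs from Permanent_HWaddr, meaning the burned-in MAC is not the one in use. All sample outputs inside are constructed; the `wan1` entry with an overridden MAC is a hypothetical added only to exercise that check.

```python
"""Map FortiGate interface MACs to the Cisco switch ports that learned them.

Added example, not from the thread or from Fortinet. Inputs are the two
outputs a practitioner already has on screen: `get hardware nic <name>`
(Current_HWaddr / Permanent_HWaddr lines) and `show mac address-table`.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample output (not captured from a real 100D). The wan1 entry is
# hypothetical: Current_HWaddr != Permanent_HWaddr shows an overridden MAC.
FORTIGATE_NIC_OUTPUT: Dict[str, str] = {
    "port15": "Name:            port15\nDriver:          igb\n"
              "Current_HWaddr   08:5b:0e:5d:33:12\nPermanent_HWaddr 08:5b:0e:5d:33:12\n",
    "port16": "Name:            port16\nDriver:          igb\n"
              "Current_HWaddr   08:5b:0e:5d:33:13\nPermanent_HWaddr 08:5b:0e:5d:33:13\n",
    "wan1":   "Name:            wan1\nDriver:          igb\n"
              "Current_HWaddr   00:09:0f:09:00:01\nPermanent_HWaddr 08:5b:0e:5d:33:01\n",
}

# Constructed `show mac address-table` output in the layout seen in the thread.
CISCO_MAC_TABLE = """\
Unicast Entries
 vlan   mac address     type     protocols             port
-------+---------------+--------+---------------------+--------------------
 108    085b.0e5d.3312  dynamic  ip                    GigabitEthernet4/21
 200    0009.0f09.0001  dynamic  ip,ipx                GigabitEthernet4/1
"""

HWADDR_LINE = re.compile(r"^(Current_HWaddr|Permanent_HWaddr)\s+([0-9A-Fa-f:]{17})\s*$", re.M)
CISCO_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})\s+\S+\s+\S+\s+(\S+)\s*$", re.M)


def normalize_mac(raw: str) -> str:
    """Accept 08:5b:0e:5d:33:12, 085b.0e5d.3312 or 08-5B-0E-5D-33-12 and return
    the lowercase colon form, so FortiGate and Cisco notations compare equal."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_fortigate_nic(text: str) -> Tuple[str, str]:
    """Return (current, permanent) MACs from `get hardware nic` output."""
    found = {key: normalize_mac(mac) for key, mac in HWADDR_LINE.findall(text)}
    if "Current_HWaddr" not in found or "Permanent_HWaddr" not in found:
        raise ValueError("HWaddr lines missing; not `get hardware nic` output?")
    return found["Current_HWaddr"], found["Permanent_HWaddr"]


def parse_cisco_mac_table(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {mac: (vlan, port)} from `show mac address-table` output."""
    return {normalize_mac(mac): (vlan, port) for vlan, mac, port in CISCO_ROW.findall(text)}


@dataclass
class InterfaceTrace:
    interface: str
    current_mac: str
    permanent_mac: str
    vlan: Optional[str]
    switch_port: Optional[str]  # None: no switch port has learned this MAC

    @property
    def mac_overridden(self) -> bool:
        # The switch can only ever learn the *current* MAC; if it differs from
        # the permanent one, confirm the override (manual setting, HA, ...) is intended.
        return self.current_mac != self.permanent_mac


def trace_interfaces(nic_outputs: Dict[str, str], mac_table: str) -> Dict[str, InterfaceTrace]:
    """Look up each interface's current MAC in the switch's learned-MAC table."""
    learned = parse_cisco_mac_table(mac_table)
    result: Dict[str, InterfaceTrace] = {}
    for name, text in nic_outputs.items():
        current, permanent = parse_fortigate_nic(text)
        vlan, port = learned.get(current, (None, None))
        result[name] = InterfaceTrace(name, current, permanent, vlan, port)
    return result


def report(traces: Dict[str, InterfaceTrace]) -> str:
    lines = []
    for t in traces.values():
        where = f"{t.switch_port} (vlan {t.vlan})" if t.switch_port else "NOT LEARNED by switch"
        flag = f"  [MAC overridden, permanent {t.permanent_mac}]" if t.mac_overridden else ""
        lines.append(f"{t.interface:<8} {t.current_mac}  ->  {where}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(trace_interfaces(FORTIGATE_NIC_OUTPUT, CISCO_MAC_TABLE)))
```

The lookup keys on Current_HWaddr on purpose: that is the address frames actually carry, so it is the only one a switch can learn. An interface reported as not learned is not necessarily miscabled. For the second member of a bonded (aggregate) link, frames leave with the aggregate's MAC, so the switch learns one MAC on the port-channel rather than one per member; check the aggregate on both ends (`show etherchannel summary` on the Cisco side) before sending someone to trace cables.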
Shawn W
Silver Member
Re: Fortigate 100D - How to see the mac-address of interfaces 2015/03/25 06:31:36 (permalink)
0
bump
#16
Davey
New Member
Re: Fortigate 100D - How to see the mac-address of interfaces 2015/03/25 18:39:01 (permalink)
0
In the CLI use the following command:
diagnose hardware deviceinfo nic wan1

The MAC will be listed as "Current_HWaddr".
 
#17
Jonathan Rennie_FTNT
New Member
Re: Fortigate 100D - How to see the mac-address of interfaces 2015/03/26 02:26:01 (permalink)
#18