The MAC address prefix e0:23:ff is specifically used by FortiGate High Availability (HA) clusters when Virtual Domains (VDOMs) are enabled. This immediately confirms that the packet originates from a cluster with VDOMs.

The last three octets of the MAC address (fc:00:86) encode the HA group ID, virtual cluster ID, and interface index. The value is calculated using the formula: Last 3 Octets = 0xFFFFFF - ((groupid << 16) | (vclusterid << 8) | ifindex).

By reversing the calculation (0xFFFFFF - 0xFC0086), we get 0x03FF79. This result indicates a groupid of 0x03 (decimal 3). Since 3 is less than the maximum possible value of 255, this conclusion is also correct.

B. The FortiGate Session Life Support Protocol (FGSP) is used for session synchronization between standalone devices and does not generate this virtual MAC address for traffic forwarding.

D. The calculation derives the interface index as 0x79 (decimal 121), not 7. Furthermore, the interface index is an internal value and does not directly map to a physical port number.

1. FortiOS Handbook - High Availability 7.2.1

Page 36

Section: "HA cluster virtual MAC addresses".

This document states: "When VDOMs are enabled

FortiGate generates a different set of virtual MAC addresses. The first three octets are e0:23:ff. The last three octets are calculated based on the HA group ID

the virtual cluster ID

and the interface index. The formula is (0xffffff - (groupid << 16 | vclusterid << 8 | ifindex))." This directly supports the explanation for answers A and C.

2. Fortinet Knowledge Base - Technical Tip: FortiGate HA virtual MAC address details (Article ID: FD36109).

This article provides a detailed breakdown of HA virtual MAC address calculation. It confirms that for FortiOS 5.4 and later with VDOMs enabled

the prefix is e0:23:ff and explicitly provides the formula 0xffffff - ((groupid << 16) + (vclusterid << 8) + ifindex) for the remaining octets. This validates the entire analysis.