Source MAC addresses
When a FortiGate is in transparent mode, it does not typically alter the original source and destination address of packets that flow through the unit. Because of this, end devices do not “see” the MAC address of the FortiGate. However, if network address translation (NAT) is enabled by a firewall policy, the source MAC address will be the MAC address of the FortiGate's management interface.
IP packets that are initiated by the FortiGate (remote management, access to FortiGuard server…) are sent in L2 Ethernet frames that have a source MAC address of the interface in the virtual domain (VDOM) with the lowest MAC address. Below is an example with port2 and port3 in the same VDOM, remote access done via port3, but the sniffer trace showing MAC address of port2. The address of port2 is shown in bold.
diagnose hardware deviceinfo nic port2
[…]
Current_HWaddr 00:09:0F:85:3F:C4
Permanent_HWaddr 00:09:0F:85:3F:C4
fgt300 (global) # diagnose hardware deviceinfo nic port3
[…]
Current_HWaddr 00:09:0F:85:3F:C5
Permanent_HWaddr 00:09:0F:85:3F:C5
diagnose sniffer packet port3 "port 80" 6
3.774236 port3 -- 192.168.171.165.2619 -> 192.168.182.136.80: syn 3961770249
0x0000 0009 0f85 3fc4 0009 0f09 3204 0800 4500 ....? .... 2...E.
0x0010 0030 8071 4000 7e06 98d7 c0a8 aba5 c0a8 .0.q@.~ ........
0x0020 b688 0a3b 0050 ec23 d109 0000 0000 7002 ...;.P.# ..... p.
0x0030 ffff d7e7 0000 0204 05b4 0101 0402