One of the biggest mysteries with the FortiGate and the FGCP protocol is finding the IPv4 address and the MAC address that a unit uses on the HA port.
Basically, the FortiGate uses an APIPA (link-local) IPv4 address, i.e. one from the 169.254.0.0/16 range.
The master is typically defined with 169.254.0.1, the first slave with .2, the next slave with .3, and so on. You can have up to 4 slave units.
Running the diag sniffer packet command against port_ha is a good way to watch the interface traffic and find both the layer 2 and layer 3 addresses.
e.g. ( diag sniffer packet port_ha "any" )
Finding the interface MAC addresses on FGT110 master/slaves
Finding the master unit's IPv4 address
( diag sys ha status | grep master )
Using the diag sniffer command with the option for displaying the unit traffic in hex
See the red and green lines for the src/dst MAC addresses respectively
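To read the source and destination addresses out of a saved hex capture without counting bytes by hand, the following added example (not part of the original post and not Fortinet code) decodes the Ethernet header and, for IPv4 frames, checks whether both ends sit in the 169.254.0.0/16 heartbeat range. The dump layout (a 0x0000-style offset followed by groups of four hex digits and an ASCII column) and the sample frame with its MAC addresses are constructed assumptions.

```python
import ipaddress
import re

HA_NET = ipaddress.ip_network("169.254.0.0/16")  # range named in the post
# Assumed dump layout: "0x0000" offset, then up to eight 4-hex-digit groups.
HEX_LINE = re.compile(r"^0x[0-9a-f]{4}\s+((?:[0-9a-f]{2,4} ?){1,8})", re.I)

# Constructed sample frame (not captured from a real unit):
# dst MAC, src MAC, EtherType 0x0800, then a 20-byte IPv4 header.
SAMPLE = """\
0x0000   0200 0000 0002 0200 0000 0001 0800 4500        ..............E.
0x0010   0014 0000 0000 4001 0000 a9fe 0001 a9fe        ......@.........
0x0020   0002                                           ..
"""

def frame_bytes(dump: str) -> bytes:
    """Join the hex columns of every dump line, ignoring the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line.strip())
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)

def mac(b: bytes) -> str:
    """Format six raw bytes as a colon-separated MAC address."""
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(dump: str) -> dict:
    """Return layer 2 addresses, plus layer 3 addresses for IPv4 frames."""
    raw = frame_bytes(dump)
    if len(raw) < 14:
        raise ValueError("dump is shorter than an Ethernet header")
    info = {"dst_mac": mac(raw[0:6]), "src_mac": mac(raw[6:12]),
            "ethertype": int.from_bytes(raw[12:14], "big")}
    # IPv4 source/destination sit at offsets 26 and 30 of an untagged frame.
    if info["ethertype"] == 0x0800 and len(raw) >= 34:
        src = ipaddress.ip_address(raw[26:30])
        dst = ipaddress.ip_address(raw[30:34])
        info.update(src_ip=str(src), dst_ip=str(dst),
                    ha_link_local=src in HA_NET and dst in HA_NET)
    return info

if __name__ == "__main__":
    for key, value in parse_frame(SAMPLE).items():
        print(f"{key:14} {value}")
```

Frames with any other EtherType return only the layer 2 fields, so the same function can be run over every packet in a capture.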
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix -----a----t---- socpuppets ---dot---com
=( * * )=