Jasys
Explorer
May 1, 2026
Question

Fortigate Virtual Server not passing traffic to members.


I have moved a VIP from a load balancer to an internal Fortigate as it's not doing anything special, just a basic round robin.

It allows a handful of public IPs to access the Virtual Server. The setup is like this:

EXTERNAL SOURCES > External VDOM > DNAT TO VS > Route to Internal VDOM > VS Configured on DMZ interface > Real Servers on Inside Interface.

It gets as far as the VS on the DMZ Interface. I can see the hits on the VS, but that's it. It does not forward anything, no denies, no blocks, it just doesn't go any further than the VS. There is no health check, does it need one? It is doing SSL offload for the external certificate.

Thanks

4 replies

msanjaypadma
Staff
May 1, 2026

Hi @Jasys,

The information provided above may not be sufficient to accurately identify the location of the packet drop or the reason it is not working.

I recommend reviewing the debug flow and utilizing a network sniffer to pinpoint where the packet is being dropped.

Refer to the articles below:

 


If you have found a solution, please like and mark it as solved to make it easily accessible for everyone.

Thanks,
Mayur Padma

Jasys
Author
Explorer
May 1, 2026

Looking at the logs, the issue is at the internal VDOM; it NATs correctly to the VIP address. As it's public IPs, I'll try and explain the debug.

Traffic comes in from 20.20.20.20 (example) to the DNAT 30.30.30.30 external Interface and does the DNAT to the VIP and arrives at the internal VDOM, so I have eliminated the External VDOM.

On the Internal:

The result shows 0B/423B in the policy, which is odd, as that's bytes returning!

Source: 20.20.20.20, Source Port xxxx, Source Interface: Internal-to-External

Destination: 192.168.1.100 (VS), Destination NAT IP 10.10.10.100 (Real Server), Destination port: 8088

All good!

Action: close

Policy 244 (Correct Policy)

 

And that's it...

 

 

Talank
Staff
May 1, 2026

Hello Jasys,

 

Can you share a basic topology along with the debug flow collected from the Internal VDOM for better understanding?

Jasys
Author
Explorer
May 3, 2026

It is just straightforward, like below. I can see 30.30.301 hitting the Virtual Server, but nothing hits the real server, not even anything in the logs.

 
