ekgyo
New Member
May 20, 2026
Question

Upload speed capped at 554 Mbps on one VLAN behind FortiGate, while another VLAN reaches 2 Gbps — only the policy differs

Hello,

I have a 3 Gbps symmetric internet connection. Topology: VM → vSwitch → backbone switch → FortiGate → IPS router → ISP.

Speedtest results from two different VMs:

  • 192.168.0.0/24 segment VM: Download 2500 Mbps, Upload 1995 Mbps
  • 10.100.10.0/24 segment VM: Download 2421 Mbps, Upload 554 Mbps

Both VMs run on the same hypervisor and both use vmxnet3 vNICs. Download is at full speed on both; the problem is only on the upload direction of 10.100.10.0/24.

There are no traffic shaping rules on the FortiGate.

2 gb

        set srcintf "Zone_1"
        set dstintf "net"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set profile-protocol-options "custom-default"
        set ssl-ssh-profile "__upg_certificate-inspection"
        set logtraffic all
        set nat enable
 

500mb

        set srcintf "Zone_2"
        set dstintf "net"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set profile-protocol-options "custom-default"
        set ssl-ssh-profile "no-inspection"
        set logtraffic all
        set nat enable
 

1 reply

funkylicious
SuperUser
May 20, 2026

i would start by testing if the bottleneck is within LAN, meaning from segment 10.100.10.0/24 up to the interface/VLAN on the FortiGate.

you can configure the FortiGate to act as an iperf server and test the speed that you are getting - 

i would then test as source the interface/VLAN for that segment to a public iperf server - https://yurisk.info/2020/01/24/fortigate-iperf-traffic-test-built-in-client-cli/ 

L.E. the ssl-profile should not be that different in functionality but you can try assigning to the affected policy the same one.

"jack of all trades, master of none"
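
An added example, not part of either post above: a short Python script that parses the two policy bodies from the question and lists exactly which settings differ between them. The function names `parse_policy` and `diff_policies` are assumptions made for this illustration.

```python
import shlex
# Policy bodies copied from the question; the labels are the poster's.
POLICY_2GB = """
set srcintf "Zone_1"
set dstintf "net"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set inspection-mode proxy
set profile-protocol-options "custom-default"
set ssl-ssh-profile "__upg_certificate-inspection"
set logtraffic all
set nat enable
"""
POLICY_500MB = """
set srcintf "Zone_2"
set dstintf "net"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set inspection-mode proxy
set profile-protocol-options "custom-default"
set ssl-ssh-profile "no-inspection"
set logtraffic all
set nat enable
"""

def parse_policy(text):
    # Map each "set <key> <value...>" line to key -> tuple of values.
    settings = {}
    for line in text.splitlines():
        tokens = shlex.split(line)  # handles quoted and multi-value settings
        if len(tokens) >= 3 and tokens[0] == "set":
            settings[tokens[1]] = tuple(tokens[2:])
    return settings

def diff_policies(a, b):
    # Return {key: (value_in_a, value_in_b)} for settings that differ.
    pa, pb = parse_policy(a), parse_policy(b)
    keys = sorted(pa.keys() | pb.keys())
    return {k: (pa.get(k), pb.get(k)) for k in keys if pa.get(k) != pb.get(k)}

if __name__ == "__main__":
    print(diff_policies(POLICY_2GB, POLICY_500MB))
```

For the two blocks as posted, the only differing keys are `srcintf` and `ssl-ssh-profile`; every other setting, including `utm-status` and `inspection-mode`, is identical.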