Consider the following VLAN interfaces configured on FortiGate-I.

config system interface
    edit "vlan111"
        set vdom "root"
        set ip 10.111.1.1 255.255.255.252
        set allowaccess ping
        set interface "vlan222"
        set vlanid 111
        set snmp-index 10
    next
    edit "vlan222"
        set vdom "root"
        set interface "port1"
        set vlanid 222
        set snmp-index 20
    next
    edit "port1"
        set vdom "root"
        set role lan
        set type physical
        set snmp-index 30
    next
end

Likewise, the following VLAN interfaces are configured on FortiGate-II.

config system interface
    edit "vlan111"
        set vdom "root"
        set ip 10.111.1.2 255.255.255.252
        set allowaccess ping
        set interface "vlan222"
        set vlanid 111
        set snmp-index 40
    next
    edit "vlan222"
        set vdom "root"
        set interface "port2"
        set vlanid 222
        set snmp-index 50
    next
    edit "port2"
        set vdom "root"
        set role lan
        set type physical
        set snmp-index 60
    next
end

The network topology is as follows:

Windows10 (10.203.6.120) -- [(port10) FortiGate-I {port1 -- vlan222 -- vlan111 (10.111.1.1)}] ======= [{vlan111 (10.111.1.2) -- vlan222 -- port2} FortiGate-II (port20)] -- Windows10 (10.207.15.153)

A firewall policy has been configured to allow the traffic between Windows clients.

config firewall policy
    edit 1
        set name "Q-in-Q-Testing"
        set srcintf "port10"
        set dstintf "vlan111"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

With offloading enabled (default) on firewall policy ID 1, traffic stops after two ICMP requests.

FortiGate-I # diagnose sniffer packet any "host 10.207.15.153 and icmp" 4 0 l
interfaces=[any]
filters=[host 10.207.15.153 and icmp]
2025-01-09 09:20:37.184550 port10 in 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:37.184564 vlan111 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:37.184565 vlan222 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:37.184567 port1 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:37.184617 vlan111 in 10.207.15.153 -> 10.203.6.120: icmp: echo reply
2025-01-09 09:20:37.184623 port10 out 10.207.15.153 -> 10.203.6.120: icmp: echo reply
2025-01-09 09:20:38.181920 port10 in 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:38.181932 vlan111 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:38.181933 vlan222 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:38.181935 port1 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:38.181969 vlan111 in 10.207.15.153 -> 10.203.6.120: icmp: echo reply
2025-01-09 09:20:38.181978 port10 out 10.207.15.153 -> 10.203.6.120: icmp: echo reply
^C
12 packets received by filter
0 packets dropped by kernel

However, traffic works if offloading is disabled on firewall policy.

config firewall policy
    edit 1
        set auto-asic-offload disable
    next
end

The reason is that NP7 can NOT support 802.1Q over 802.1Q offloading due to hardware design. Fortigate supports 802.1Q over 802.1AD offloading only.

Related articles:

• QinQ 802.1Q in 802.1Q - FortiGate administration guide
• Improve DVLAN QinQ performance for NP7 platforms over virtual wire pairs - FortiGate documentation
• Changing the DVLAN mode for FortiGates with NP7 processors - FortiGate documentation
• Technical Tip: How to workaround double tagging issues with hardware acceleration over virtual wire ...