Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
lfernando
Staff
Staff

Created on ‎05-26-2025 10:41 PM Edited on ‎05-27-2025 01:41 AM By Community Manager

Article Id 393351

Technical Tip: Inter-VLAN traffic not working after restoring a configuration backup

Description This article describes the steps to recover the Inter-VLAN traffic after a FortiGate update and subsequent configuration backup restoration.
Scope FortiGate.
Solution

Summary:
After restoring a configuration file on a FortiGate that uses multiple VLANs, users report no inter-VLAN communication, even though the policies appear to be configured correctly.


Symptoms:

  • Devices within the same VLAN can communicate without issue.
  • There is no ping response or traffic between different VLANs.
  • Inter-VLAN firewall policies are configured correctly.
  • There are no traffic denial logs.


Probable cause:


After restoring a configuration, especially from a different FortiGate model or between different firmware versions,
VLAN interfaces may be restored as 'zones' or lose route/ARP associations without any visible errors.
VLAN interfaces may also be associated with the wrong physical interface after the restore, or policies may depend on zones that are no longer active.

 

Solution: 

  1. Verify the restored VLAN interfaces: Check that the VLANs are correctly associated with the corresponding physical interface.

 

show system interface

 

  1. Validate the associated routes: Ensure there are valid static or dynamic routes that allow communication between networks.

 

get router info routing-table all

 

  1. Test connectivity directly from FortiGate:

 

execute ping-options source [IP_VLAN_A]
execute ping [IP_VLAN_B]

 

  1. Delete and recreate zones (if applicable):


If the policies reference zones, verify that the zones still correctly group the necessary interfaces.
If not, delete and recreate the zones from scratch.

 

  1. Verify the ARP and MAC Address Table:

 

diagnose ip arp list
diagnose switch mac-address list

 

  1. Review traffic with debug flow:

 

diagnose debug enable
diagnose debug flow filter addr [IP]
diagnose debug flow show function-name enable
diagnose debug flow trace start 100

 

Additional Notes: 

  • This issue typically occurs during migrations between FortiGate models or restores between different firmware versions.
  • Whenever possible, perform a line-by-line review of the '.conf' file before applying it to production.
  • For converting configuration, use Forticonverter.

 

Related document:

VLAN - FortiGate 7.6.3 administration guide
Labels:
1142
Suggest New Article
Article Feedback
Comments
JorgeMonroyPad
Staff & Editor
Staff & Editor
‎05-28-2025 10:15 AM

Great job @lfernando !!! Keep up the great work!!!

GILMENDO
Staff & Editor
Staff & Editor
‎05-28-2025 10:28 AM

Excellent contribution @lfernando thank you!

MaryBolano
Staff & Editor
Staff & Editor
‎05-28-2025 10:45 AM

Well done @lfernando !!

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.