FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 270111
Description This article discusses the considerations one such take before implementing/Creating VLANS in FORTIOS.
Scope FortiGate.

The scope of VLAN which is available on FortiGate is [ 0 - 4094].


When configuring a network or setting up a VLAN interface, it is necessary to be aware that VLAN ID: 1 cannot be configured when creating a new VLAN interface on FortiGate.


  • This is a reserved VLAN in Fortios and assigned to all switch ports when Fortiswitch is being managed by FortiGate.
  • Non-working scenario and common issue: (When assigning VLAN ID 1 to the VLAN interface).
  • FortiGate will be able to see the traffic coming to the interface from the respective VLAN which is using VLAN ID 1 but the return traffic back to the source will have issues and will not work as expected.

Mostly, an RPF will encounter a check failure, meaning it cannot route the traffic back to the source which in this case, is a source IP behind the VLAN which is tagged as VLAN ID 1.


  • The RPF error can be seen when running a debug flow filter as per below:


diagnose debug flow filter addr x.x.x.x <----- (x.x.x.x is the source IP behind the VLAN).

diagnose debug flow show iprope enable

diagnose debug flow show function-name enable

diagnose debug flow flow trace start 100

diag de enable


To stop:


diag de disable