wcruvinel
Staff
Article Id 359838
Description

This article describes how to resolve common issues with establishing VPNs or providing remote access through Virtual IPs (VIPs) when a FortiGate is located behind an ISP NAT router/modem.
Scope

FortiGate, DMZ, ISP router/modem.

Solution

Scenario Overview:

When a FortiGate sits behind an ISP router/modem that performs NAT (Network Address Translation) and assigns a private IP to the FortiGate's WAN interface, externally reachable services such as VPNs, VIPs, FTM push notifications, or even remote administrative access may not work.

In this scenario the ISP router/modem holds the public IP while the FortiGate receives a private WAN IP. If the ISP device is not configured to forward inbound traffic, it drops packets that should be delivered to the FortiGate, causing connectivity issues.

One way to confirm this during troubleshooting is to run 'diagnose sniffer packet' on the FortiGate: the traffic from the Internet never appears on the WAN interface.

Considerations when FortiGate is behind CGNAT provided by the ISP:
In scenarios where the FortiGate is placed behind a Carrier-Grade NAT (CGNAT) provided by the ISP, several critical limitations may arise:

  • External access to services (e.g., VPNs, VIPs, Port Forwarding) hosted behind the FortiGate may fail, as CGNAT uses shared public IP addresses across multiple customers, making it impossible to directly reach the FortiGate from the internet.
  • IPsec VPNs, SSL VPNs, and Dynamic DNS features may become unreliable or completely inoperable due to frequent changes in the external IP or lack of a 1:1 NAT mapping.
  • Diagnostics and troubleshooting become significantly more complex due to a lack of visibility and control over the upstream NAT behavior.


Recommendation:
If the FortiGate is behind a CGNAT, contact the ISP and request a unique public IP address (also known as a static or dedicated public IP). This change is essential for consistent external access, reliable VPN connectivity, and correct operation of VIPs and other inbound services.

Solution:
To address this, configure the ISP router/modem to forward all incoming traffic from the Internet to the FortiGate's private WAN IP by setting up a DMZ (Demilitarized Zone) host.

This ensures that any traffic destined for the public IP of the ISP router/modem is forwarded to the FortiGate.

If access to the ISP router/modem is available, the user can make this change locally. Otherwise, the ISP will need to make it.

If a FortiGate with push notifications enabled is behind a router or another firewall that performs NAT, a virtual IP/port forwarding rule must be configured on that upstream device so that responses can reach the FortiGate.

Generic Step-by-Step Configuration:

  1. Log in to the ISP router/modem by entering its IP address in a web browser and authenticating with the administrator credentials to reach the web interface (GUI).
  2. Navigate to the DMZ settings (the location depends on the ISP device; look under 'Advanced Settings,' 'Firewall,' or 'NAT').
  3. Set the FortiGate's private WAN IP as the DMZ host. The ISP device will then forward all incoming traffic from the Internet to the FortiGate's WAN IP.
  4. Save the changes and reboot the ISP router/modem if necessary.
  5. After completing the steps above, check for incoming traffic on the FortiGate under 'Log & Report -> Forward Traffic' or use the built-in 'diagnose sniffer packet' tool to confirm traffic is reaching the device. Examples below:

To check whether the IKE packets sent by the remote peer are being received:

diagnose sniffer packet any 'host <remote-GW> and (port 500 or port 4500)' 4 0 a

To check whether requests from the Internet to the VIP (i.e., its external IP address and port) are being received:

diagnose sniffer packet any 'host <VIP-IP> and (port 443 or port 3389)' 4 0 a

To check whether pings from the Internet to the FortiGate's private WAN IP are arriving:

diagnose sniffer packet any 'host <FGT-Private-WAN-IP> and host <Source-Public-IP>' 4 0 a

  6. Test external services (VPN connections, VIPs) to verify proper functionality.
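As an added example (not part of the original article), the following Python helper parses saved output of the IKE sniffer command above and reports whether the remote peer's packets are actually arriving, which is the question the DMZ change is meant to settle. It assumes the FortiOS verbosity-4 line layout of "date time interface in|out src.port -> dst.port: proto"; all addresses and packet lines are constructed.

```python
import re
from collections import Counter

# One packet header line of 'diagnose sniffer packet ... 4 0 a' output, assumed as:
# <date> <time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <proto> ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) (?P<dir>in|out) (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)"
    r" -> (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)

def parse_sniffer(text):
    """Return one dict per packet line; the interfaces=/filters= header lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            pkts.append(p)
    return pkts

def ike_reachability(text, remote_gw):
    """Classify IKE (UDP 500/4500) packets exchanged with remote_gw as seen on the FortiGate:
    'ok' = the peer's packets arrive; 'no_inbound' = only our own outbound packets are seen,
    so the ISP device is most likely dropping them (no DMZ host / port forward to the
    private WAN IP); 'no_traffic' = nothing matched (filter wrong or peer not sending)."""
    counts = Counter()
    for p in parse_sniffer(text):
        if not {p["sport"], p["dport"]} & {500, 4500}:
            continue
        if p["dir"] == "in" and p["src"] == remote_gw:
            counts["inbound"] += 1
        elif p["dir"] == "out" and p["dst"] == remote_gw:
            counts["outbound"] += 1
    verdict = "ok" if counts["inbound"] else "no_inbound" if counts["outbound"] else "no_traffic"
    return verdict, dict(counts)

# Constructed sample: FortiGate private WAN IP 192.168.1.2 behind the ISP router, remote VPN
# gateway 198.51.100.7. The FortiGate retransmits its IKE request three times; nothing comes back.
SAMPLE_NO_REPLY = """\
interfaces=[any]
filters=[host 198.51.100.7 and (port 500 or port 4500)]
2025-01-15 09:12:01.100123 wan1 out 192.168.1.2.500 -> 198.51.100.7.500: udp 432
2025-01-15 09:12:11.100456 wan1 out 192.168.1.2.500 -> 198.51.100.7.500: udp 432
2025-01-15 09:12:21.100789 wan1 out 192.168.1.2.500 -> 198.51.100.7.500: udp 432
"""

# Constructed sample after the DMZ host is set: the peer's reply now reaches wan1.
SAMPLE_OK = SAMPLE_NO_REPLY + "2025-01-15 09:13:02.200001 wan1 in 198.51.100.7.500 -> 192.168.1.2.500: udp 448\n"
```

Run `ike_reachability(SAMPLE_NO_REPLY, "198.51.100.7")` before the DMZ change and `ike_reachability(SAMPLE_OK, "198.51.100.7")` after it to compare the two verdicts.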


Conclusion:

By enabling the DMZ on the ISP router/modem and forwarding all incoming traffic from the Internet to the FortiGate's private WAN IP, external access services such as VPNs and VIPs will function correctly.

If further assistance is needed with the configuration, contact the ISP or Fortinet support.

Related articles:
Technical Tip: SSL VPN behind NAT

Troubleshooting Tip: FortiToken Mobile push notification issue