FortiGate
wcruvinel
Staff
Article Id 359838
Description

This article describes how to resolve common issues when establishing VPNs or providing remote access through Virtual IPs (VIPs) on a FortiGate located behind an ISP NAT router/modem.
Scope

FortiGate, DMZ, ISP router/modem.

Solution

Scenario Overview:

When a FortiGate sits behind an ISP router/modem that performs NAT (Network Address Translation) and assigns a private IP address to the FortiGate's WAN interface, externally reachable services such as VPNs, VIPs, FortiToken Mobile (FTM) push notifications, or even remote administrative access may not work.

In this scenario, the ISP router/modem holds the public IP while the FortiGate only has a private WAN IP. Unless the ISP device is configured to forward the traffic, it may drop packets that should be delivered to the FortiGate, causing connectivity issues.

One way to confirm this during troubleshooting is to run 'diagnose sniffer packet' on the FortiGate: when the ISP device is dropping the traffic, the packets never appear in the sniffer output because they never reach the FortiGate.


Solution:
To address this, configure the ISP router/modem to forward all incoming traffic from the Internet to the FortiGate's private WAN IP by setting it as the DMZ (Demilitarized Zone) host.

This ensures that any traffic sent to the public IP of the ISP router/modem is passed on to the FortiGate.

If access to the ISP router/modem is available, the configuration can be done locally by the user. Otherwise, the ISP will need to make this change.

If a FortiGate with push notifications enabled is behind a router or another firewall that performs NAT, a virtual IP/port forwarding must be configured on that device so that the responses can reach the FortiGate.


Generic Step-by-Step Configuration:

  1. Log in to the ISP router/modem's web interface (GUI) by entering its IP address in a web browser and using the administrator credentials.
  2. Navigate to the DMZ settings (the location depends on the ISP device; look under 'Advanced Settings', 'Firewall', or 'NAT').
  3. Set the FortiGate's private WAN IP as the DMZ host. With this setting, the ISP device forwards all incoming traffic from the Internet to the FortiGate's WAN IP.
  4. Save the changes and reboot the ISP router/modem if necessary.
  5. After completing the steps above, check for incoming traffic on the FortiGate under 'Log & Report -> Forward Traffic', or use the built-in 'diag sniffer packet' tool to confirm that traffic is reaching the device. Examples below:


To check if the IKE packets sent by the remote peer are being received:


diag sniffer packet any 'host <remote-GW> and (port 500 or port 4500)' 4 0 a


To check if requests from the Internet to the VIP (that is, to its external IP address and port) are being received:


diag sniffer packet any 'host <VIP-IP> and (port 443 or port 3389)' 4 0 a


To check if the pings from the Internet to the FortiGate's WAN private IP are arriving:


diag sniffer packet any 'host <FGT-Private-WAN-IP> and host <Source-Public-IP>' 4 0 a


  6. Test the external services (VPN connections, VIPs) to verify proper functionality.
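The sniffer check in step 5 can also be done offline against saved output. The following Python script is an added example, not part of the article or FortiOS: it parses 'diag sniffer packet' output at verbosity 4 and reports whether inbound IKE packets from the remote peer reached the FortiGate's private WAN IP, or whether only the FortiGate's own outbound packets are visible (the symptom described above). The sample output, the FortiGate WAN address 192.168.1.2 and the peer address 203.0.113.10 are constructed.

```python
import re
from collections import Counter

# Verbosity-4 sniffer lines look like (the timestamp format depends on the 'a' option, so it is not matched):
#   <timestamp> <iface> <in|out> <src-ip>.<sport> -> <dst-ip>.<dport>: <proto> <len>
LINE_RE = re.compile(
    r"(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<proto>\w+)"
)
IKE_PORTS = {500, 4500}  # IKE and NAT-T, the ports used in the article's first sniffer filter

def parse_sniffer(output):
    """Yield one dict per packet line; header lines (interfaces=..., filters=...) are skipped."""
    for line in output.splitlines():
        m = LINE_RE.search(line)
        if m:
            pkt = m.groupdict()
            pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
            yield pkt

def check_ike_reachability(output, fgt_wan_ip, remote_gw):
    """Count IKE packets between the FortiGate's private WAN IP and the remote peer by direction.
    Outbound only (inbound == 0) is the symptom the article describes: the peer's packets
    are dropped by the ISP device before they reach the FortiGate."""
    inbound = outbound = 0
    ifaces = Counter()
    for p in parse_sniffer(output):
        if p["proto"] != "udp" or not ({p["sport"], p["dport"]} & IKE_PORTS):
            continue
        if p["dir"] == "in" and p["src"] == remote_gw and p["dst"] == fgt_wan_ip:
            inbound += 1
            ifaces[p["iface"]] += 1
        elif p["dir"] == "out" and p["src"] == fgt_wan_ip and p["dst"] == remote_gw:
            outbound += 1
    if inbound:
        verdict = "ok"            # peer traffic is being forwarded to the FortiGate
    elif outbound:
        verdict = "no-inbound"    # only our own packets seen: check the DMZ/port forward on the ISP device
    else:
        verdict = "no-traffic"    # nothing matched: check the filter, the peer address or the tunnel
    return {"inbound": inbound, "outbound": outbound, "interfaces": dict(ifaces), "verdict": verdict}

# Constructed sample output: FortiGate WAN 192.168.1.2 behind an ISP modem, remote peer 203.0.113.10.
SAMPLE_BEFORE_DMZ = """interfaces=[any]
filters=[host 203.0.113.10 and (port 500 or port 4500)]
1.103553 wan1 out 192.168.1.2.500 -> 203.0.113.10.500: udp 328
2.104102 wan1 out 192.168.1.2.500 -> 203.0.113.10.500: udp 328
"""
SAMPLE_AFTER_DMZ = SAMPLE_BEFORE_DMZ + "2.255901 wan1 in 203.0.113.10.500 -> 192.168.1.2.500: udp 296\n"
```

Running check_ike_reachability on SAMPLE_BEFORE_DMZ gives the verdict "no-inbound", and on SAMPLE_AFTER_DMZ it gives "ok" with one inbound packet on wan1.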


Conclusion:

By enabling the DMZ on the ISP router/modem and forwarding all incoming traffic from the Internet to the FortiGate's private WAN IP, external access services such as VPNs and VIPs will function correctly.


If further assistance is needed with the configuration, contact the ISP or Fortinet support.


Related articles:
Technical Tip: SSL VPN behind NAT

Troubleshooting Tip: FortiToken Mobile push notification issue