sagha
Staff
Article Id 329784
Description This article describes how to fix an issue where traffic fails when 'set inbandwidth' or 'set outbandwidth' is configured on the interface.
Scope FortiOS 7.0.11 and above, 7.2.6 and above, 7.4, 7.6, NP7.
Solution

Sometimes after a firmware upgrade, FortiGate traffic starts failing on the interface and even the IP address configured on the interface is not reachable.

 

config system interface
    edit "VLAN 1118"
        set vdom "Internet"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping
        set inbandwidth 10000
        set monitor-bandwidth enable
        set role lan
        set snmp-index 53
        set interface "port1"
        set vlanid 1118
    next
end

 

Running a sniffer in this case shows ARP requests on the FortiGate, and an ARP reply is seen with an NPU sniffer as well (the npudbg line below), but the traffic still fails. The ARP reply is dropped at the NPU and does not make it to the FortiGate, causing ARP to fail.


diagnose sniffer packet any 'host 192.168.1.1 and arp' 4 0 a
interfaces=[any]
filters=[host 192.168.1.1 and arp]
2024-04-22 08:48:41.454732 VLAN 1118 out arp who-has 192.168.1.100 tell 192.168.1.1
2024-04-22 08:48:41.454737 port3 out arp who-has 192.168.1.100 tell 192.168.1.1
2024-04-22 08:48:41.455056 npudbg in arp reply 192.168.1.100 is-at 00:70:6f:72:27:02
<- The client is responding, but this packet gets dropped at the NPU.

 

This is a known issue that was identified and documented under bug ID 901621. See the FortiOS v7.2.6 release notes and FortiOS v7.6.0 release notes.

 

Either of these two workarounds can help resolve the issue.

  1. Disable inbandwidth/outbandwidth on the interface.

config system interface
    edit "VLAN 1118"
        unset inbandwidth
        unset outbandwidth
    next
end

  2. Change the default-qos-type from shaping to policing. The FortiGate will need to restart after this change.

    config system npu
        set default-qos-type policing
    end

Note:

For details regarding the fix, check the release notes of newer FortiOS releases.
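
A pre-upgrade check for the condition described in this article, as an added example (not Fortinet code): it scans a saved configuration backup for interfaces with a non-zero inbandwidth or outbandwidth and lists them unless default-qos-type is explicitly policing. The sample backup is constructed, the function names are hypothetical, and treating a backup with no explicit default-qos-type as needing review is an assumption.

```python
import re

# Constructed sample backup, modelled on the interface shown in this article.
SAMPLE_BACKUP = """\
config global
config system npu
    set default-qos-type shaping
end
config system interface
    edit "VLAN 1118"
        set inbandwidth 10000
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "port2"
        set outbandwidth 0
    next
end
end
"""

def audit_bandwidth_limits(backup_text):
    """Return (default_qos_type or None, {interface: {setting: kbps}})."""
    stack, iface, qos, limits = [], None, None, {}
    for line in (raw.strip() for raw in backup_text.splitlines()):
        if line.startswith("config "):
            stack.append(line[len("config "):])  # enter a (possibly nested) block
        elif line == "end" and stack:
            stack.pop()
        elif stack and stack[-1] == "system npu":
            if line.startswith("set default-qos-type "):
                qos = line.split()[2]
        elif stack and stack[-1] == "system interface":
            m = re.fullmatch(r"set (inbandwidth|outbandwidth) (\d+)", line)
            if line.startswith("edit "):
                iface = line[len("edit "):].strip('"')
            elif m and int(m[2]) > 0:  # 0 means no limit is applied
                limits.setdefault(iface, {})[m[1]] = int(m[2])
    return qos, limits

def needs_review(backup_text):
    """Interfaces with a limit set while default-qos-type is not 'policing'."""
    qos, limits = audit_bandwidth_limits(backup_text)
    return [] if qos == "policing" else sorted(limits)

if __name__ == "__main__":
    print(audit_bandwidth_limits(SAMPLE_BACKUP), needs_review(SAMPLE_BACKUP))
```

Each interface it lists is a candidate for one of the two workarounds above before the firmware upgrade.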