Created on 05-06-2013 08:43 AM
Edited on 10-10-2024 07:56 AM
By Jean-Philippe_P
Description
This article describes how to troubleshoot WAN connectivity between the FortiGate firewall and a service provider. It is assumed that the FortiGate unit has limited or no Internet connectivity even though the appropriate ISP-provided equipment is configured and connected to the FortiGate unit.
Scope
All FortiGate versions.
Solution
Note:
Make sure to back up the FortiGate unit configuration file before proceeding with the steps below.
If using a modem, reboot it after making any changes to the FortiGate unit.
Physical link: check the hardware status of the WAN interface (link state, negotiated speed and duplex):
FGT (global) # diag hardware deviceinfo nic wan1
Driver Name :Fortinet Nplite Driver
Version :1.0
Admin :up
Current_HWaddr 00:09:0f:09:00:06
Permanent_HWaddr 00:09:0f:1d:8c:e3
Status :up
Speed :1000
Duplex :Full
Host Rx Pkts :3529295
Host Rx Bytes :1122573825
Host Tx Pkts :3222356
Host Tx Bytes :1214502511
Rx Pkts :6860327
Rx Bytes :3244775189
Tx Pkts :5575832
Tx Bytes :1609261750
rx_buffer_len :2048
Hidden :No
In the above output, auto-negotiation is working normally: the interface negotiated 1000 Mbps full duplex. The link is also up, so the cabling is fine. If odd values appear, such as 10 Mbps half duplex, try manually setting the link speed on the FortiGate unit to the highest value supported by the provider's equipment:
FGT (global) # conf sys int
FGT (interface) # edit wan1
FGT (wan1) # set speed
1000full 1000M full-duplex
100full 100M full-duplex
100half 100M half-duplex
10full 10M full-duplex
10half 10M half-duplex
auto auto adjust speed
MAC address: if the provider's equipment still expects the MAC address of the previously connected device, the FortiGate WAN interface can be given that MAC. Making any configuration change on an 'outside' or 'WAN' network interface requires a direct connection to the FortiGate unit or a network local to the FortiGate unit, because connectivity on a network interface may become unavailable when the interface configuration is changed.
FGT # conf sys int
FGT (interface) # edit wan1
FGT (wan1) # set mac <old device MAC here>
<xx:xx:xx:xx:xx:xx> please input mac address
FGT (wan1) # end
Note: If using a FortiGate HA cluster, the virtual MAC cannot be specified. Contact the ISP.
Routing: If using a static IP, make sure there is an appropriate static route added. For example:
Destination IP/Mask: 0.0.0.0/0
Device: wan1
Gateway: ISP gateway IP
Additionally, check the routing table to ensure that the route is present (if VDOM is enabled, enter the management VDOM config mode. The name of the management VDOM is 'root' by default):
get router info routing-table all
If the route is not present, it may be necessary to alter the distances on the routes involved.
If the default route is configured and reflected in the routing table output, ping the gateway and a public IP, for example 8.8.8.8.
If the ping succeeds, IP connectivity is working. If pinging by FQDN fails, check DNS. If pinging by IP fails, run the sniffer:
diag sniff pack any "host 8.8.8.8 and icmp" 6 0 l
Check whether the destination MAC address of the outgoing packets is that of the ISP gateway or next hop. If it is, the FortiGate is sending the packets correctly and the issue is most likely with the next hop or the ISP.
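Reading the destination MAC out of a verbose-6 hex dump by hand is error-prone. The script below is an added example, not part of the Fortinet article: it parses constructed samples of the sniffer output and of `get system arp`, takes the first six bytes of each outbound frame as the destination MAC, and reports whether that MAC matches the gateway's ARP entry on wan1. The column layout of both outputs and all addresses are assumptions.

```python
import re

# Constructed sample of "get system arp" output (layout assumed, values made up).
ARP_OUTPUT = """\
Address           Age(min)   Hardware Addr      Interface
203.0.113.1       0          00:11:22:33:44:55  wan1
"""

# Constructed sample of verbose-6 sniffer output (layout assumed, values made up):
# a packet header line followed by hex rows; bytes 0-5 are the destination MAC.
SNIFFER_OUTPUT = """\
2024-10-10 07:56:01.100000 wan1 out 203.0.113.50 -> 8.8.8.8: icmp: echo request
0x0000   0011 2233 4455 0009 0f09 0006 0800 4500   ..............E.
2024-10-10 07:56:02.100000 wan1 out 203.0.113.50 -> 8.8.8.8: icmp: echo request
0x0000   ffff ffff ffff 0009 0f09 0006 0800 4500   ..............E.
"""

HEADER_RE = re.compile(r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) (?P<src>\S+) -> (?P<dst>[^:]+):")
HEX_RE = re.compile(r"^0x0000\s+((?:[0-9a-f]{4}\s+){6})")  # first 12 bytes: dst MAC + src MAC


def parse_arp(text):
    """Map (interface, ip) -> MAC from 'get system arp' output, skipping the header row."""
    table = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) == 4:
            ip, _age, mac, iface = parts
            table[(iface, ip)] = mac.lower()
    return table


def dst_macs(text):
    """Return (iface, dst_ip, dst_mac) for each outbound frame in sniffer output."""
    results, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m
            continue
        h = HEX_RE.match(line)
        if h and current and current.group("dir") == "out":
            raw = "".join(h.group(1).split()[:3])  # first 3 hex words = 6 bytes = dst MAC
            mac = ":".join(raw[i:i + 2] for i in range(0, 12, 2))
            results.append((current.group("iface"), current.group("dst"), mac))
            current = None
    return results


def check_next_hop(sniffer_text, arp_text, gateway_ip, iface="wan1"):
    """Return (dst_ip, dst_mac, ok) per frame; ok means the frame was addressed to the gateway MAC."""
    gw_mac = parse_arp(arp_text).get((iface, gateway_ip))
    return [(ip, mac, mac == gw_mac) for i, ip, mac in dst_macs(sniffer_text) if i == iface]
```

A frame whose destination MAC is not the gateway's (the broadcast address in the second sample) means the FortiGate never resolved or selected the next hop, so the fault is on the FortiGate side rather than at the ISP.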
Try a directly connected device: To rule out most service-related issues, try connecting a PC to the modem directly and observe the result. If unable to get out, reboot the modem. If still having difficulties, contact the ISP.
Plug the PC into the modem on the same port where the FortiGate is connected and give it the same WAN IP that the FortiGate receives, to see whether Internet connectivity works.
Isolate the FortiGate unit: If there is an intermediate switch between the FortiGate unit and the provider, confirm that it has the correct MAC address of the FortiGate unit and that the FortiGate unit also has the switch's MAC:
FGT # get system arp
Ideally, try to test without the switch in the path.
HA considerations: When using a FortiGate HA cluster: if a static or dynamic IP address can be used on the FortiGate WAN interface but the packets fail to route egress and ingress fully, try changing the group ID value. This will generate a new virtual MAC address. Another ISP customer may be using the same model of FortiGate unit in a cluster with the default group ID of 0 - if that's the case, both FortiGate units may be using the same virtual MAC address, which results in Layer 2 conflicts.
If the ping does not work, check if the other node sees any incoming ICMP packets. If not, ensure the other node is also allowing ping.
If the other node's traceroute stops receiving replies before its packets get to the FortiGate gateway device, there may be a routing issue with the provider.
Copyright 2025 Fortinet, Inc. All Rights Reserved.