Article Id 291470
Description This article describes how to ensure a FortiGate WAN IP replies to ping, as shown in the Dashboard, when a VIP is configured.
Scope FortiGate 6.4.8 and below.
  • A test ping from the internal network to the FortiGate WAN IP shows as failed in the dashboard.
  • A packet sniffer shows the packet entering the FortiGate, but no ping reply is received from the WAN IP.
  • Debugging shows the packet was dropped with the error 'iprope_in_check() check failed on policy 0, drop'.


In this example, the WAN IP is






[Screenshot: sniffer packet ping]

[Screenshot: debug deny policy]


  • No IP pool is configured. However, the FortiGate has a VIP configured that maps the WAN IP to an internal IP address, and this VIP is not used in any firewall policy.
  • This happens because a VIP's external IP address is treated as a local IP address when responding to ARP requests on that external IP address is enabled.
  • The solution is to disable ARP replies in the VIP:
config firewall vip
    edit <name>
        set arp-reply disable
    next
end
The default value of arp-reply is enable.
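To find the condition described above in a configuration backup, the following added example (not Fortinet's code and not part of the original article) lists VIPs that no firewall policy references in dstaddr and that still answer ARP. The helper names section and unused_arp_vips are hypothetical; the script assumes policies reference VIPs directly (VIP groups are not resolved) and treats an absent arp-reply line as the default, enable.

```python
import shlex

# Constructed sample of a FortiGate config backup (not taken from the article).
SAMPLE_CONFIG = """
config firewall vip
    edit "vip-web"
        set extip 203.0.113.10
    next
    edit "vip-unused"
        set extip 203.0.113.1
    next
    edit "vip-quiet"
        set extip 203.0.113.2
        set arp-reply disable
    next
end
config firewall policy
    edit 1
        set dstaddr "vip-web"
    next
end
"""

def section(config, name):
    """Parse a top-level 'config <name>' table into {entry: {key: [values]}}."""
    entries, current, depth = {}, None, 0
    for line in map(str.strip, config.splitlines()):
        if depth == 0:
            depth = 1 if line == f"config {name}" else 0
        elif line.startswith("config "):
            depth += 1  # nested sub-table inside an entry; its lines are skipped
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            current = entries.setdefault(shlex.split(line[5:])[0], {})
        elif depth == 1 and line.startswith("set ") and current is not None:
            key, *values = shlex.split(line[4:])
            current[key] = values
    return entries

def unused_arp_vips(config):
    """VIPs no policy references that still answer ARP (absent line = enable)."""
    vips = section(config, "firewall vip")
    policies = section(config, "firewall policy").values()
    used = {addr for p in policies for addr in p.get("dstaddr", [])}
    return sorted((name, v.get("extip", ["?"])[0]) for name, v in vips.items()
                  if name not in used and v.get("arp-reply", ["enable"])[0] != "disable")

if __name__ == "__main__":
    print(unused_arp_vips(SAMPLE_CONFIG))
```

Each VIP reported is a candidate for the arp-reply change shown above, or for removal if it is no longer needed.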