avinash_v
Staff
Article Id 376392
Description This article describes an issue where some or all traffic on aggregate interfaces is affected on NP7 platforms.
Scope FortiGate NP7 platforms.
Solution

[Figure: NP7 agg.png]

In this scenario, a client PC (20.0.0.1) on VLAN 352 sends an ICMP echo request to the server (10.0.0.1) on VLAN 354.


Fortigate_1 (V-PROXY-RZ) # di sniffer packet any 'host 10.0.0.1 and icmp' 4 0 l
interfaces=[any]
filters=[host 10.0.0.1 and icmp]
2025-01-14 19:18:40.333755 VLAN-352 in 20.0.0.1 -> 10.0.0.1: icmp: echo request
2025-01-14 19:18:40.333758 VLAN-354 out 20.0.0.1 -> 10.0.0.1: icmp: echo request
2025-01-14 19:18:40.333759 VLAN-354 out 20.0.0.1 -> 10.0.0.1: icmp: echo request
2025-01-14 19:18:40.333760 LAG-01 out 20.0.0.1 -> 10.0.0.1: icmp: echo request
2025-01-14 19:18:40.333760 x7 out 20.0.0.1 -> 10.0.0.1: icmp: echo request
2025-01-14 19:18:41.333759 VLAN-352-PRO-RZ in 20.0.0.1 -> 10.0.0.1: icmp: echo request
2025-01-14 19:18:41.333763 VLAN-354-PRO-RZ out 20.0.0.1 -> 10.0.0.1: icmp: echo request
2025-01-14 19:18:41.333764 VLAN-354 out 20.0.0.1 -> 10.0.0.1: icmp: echo request
2025-01-14 19:18:41.333764 LAG-01 out 20.0.0.1 -> 10.0.0.1: icmp: echo request
2025-01-14 19:18:41.333765 x7 out 20.0.0.1 -> 10.0.0.1: icmp: echo request


Analyzing the sniffer output, the FortiGate forwards the echo requests out of the VLAN, the LAG and the physical member port, and the flow debugs show the same. However, a capture taken on the switch side shows the echo reply being sent, while the FortiGate never sees that reply arrive on the aggregate.
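The symptom above is easy to miss in a long capture: the requests are visible on every egress hop, so the trace looks healthy until one notices that no reply ever comes back in. The following script is an added example, not part of the original article or Fortinet's tooling. It parses "diagnose sniffer packet" verbosity-4 lines in the format shown above, groups them per client/server pair, and reports pairs where requests were forwarded but no echo reply was seen. The sample capture is constructed: the 10.0.0.1 lines are taken from the article, and the 10.0.0.2 flow is an invented healthy flow added for contrast.

```python
import re
from collections import defaultdict

# Pattern for FortiGate "diagnose sniffer packet" verbosity-4 ICMP lines:
#   <timestamp> <interface> <in|out> <src> -> <dst>: icmp: echo <request|reply>
SNIFFER_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+):\s+"
    r"icmp:\s+echo\s+(?P<kind>request|reply)\s*$"
)

# Constructed sample capture: the 10.0.0.1 lines mirror the article's trace
# (no reply ever seen); the 10.0.0.2 flow is an invented healthy flow.
SAMPLE_CAPTURE = """\
interfaces=[any]
filters=[host 10.0.0.1 and icmp]
2025-01-14 19:18:40.333755 VLAN-352 in 20.0.0.1 -> 10.0.0.1: icmp: echo request
2025-01-14 19:18:40.333758 VLAN-354 out 20.0.0.1 -> 10.0.0.1: icmp: echo request
2025-01-14 19:18:40.333759 VLAN-354 out 20.0.0.1 -> 10.0.0.1: icmp: echo request
2025-01-14 19:18:40.333760 LAG-01 out 20.0.0.1 -> 10.0.0.1: icmp: echo request
2025-01-14 19:18:40.333760 x7 out 20.0.0.1 -> 10.0.0.1: icmp: echo request
2025-01-14 19:18:42.000001 VLAN-352 in 20.0.0.1 -> 10.0.0.2: icmp: echo request
2025-01-14 19:18:42.000002 VLAN-354 out 20.0.0.1 -> 10.0.0.2: icmp: echo request
2025-01-14 19:18:42.000900 VLAN-354 in 10.0.0.2 -> 20.0.0.1: icmp: echo reply
2025-01-14 19:18:42.000901 VLAN-352 out 10.0.0.2 -> 20.0.0.1: icmp: echo reply
"""


def parse_sniffer(text):
    """Return one dict per ICMP echo line; header and non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = SNIFFER_LINE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def summarize_flows(records):
    """Group sniffer lines per (client, server) pair.

    A request line is keyed by (src, dst); a reply line is keyed by (dst, src)
    so it lands on the same flow it answers. Counts are sniffer lines, not
    packets: one packet produces one line per interface it crosses.
    """
    flows = defaultdict(lambda: {"request_lines": 0, "reply_lines": 0,
                                 "ingress": set(), "egress": set()})
    for r in records:
        if r["kind"] == "request":
            f = flows[(r["src"], r["dst"])]
            f["request_lines"] += 1
            (f["ingress"] if r["dir"] == "in" else f["egress"]).add(r["iface"])
        else:
            flows[(r["dst"], r["src"])]["reply_lines"] += 1
    return flows


def find_unanswered(records):
    """Return flows that were forwarded out (non-empty egress) but got no reply line at all."""
    return {
        key: {"request_lines": f["request_lines"], "egress": sorted(f["egress"])}
        for key, f in summarize_flows(records).items()
        if f["egress"] and f["reply_lines"] == 0
    }


if __name__ == "__main__":
    unanswered = find_unanswered(parse_sniffer(SAMPLE_CAPTURE))
    for (client, server), info in unanswered.items():
        print(f"{client} -> {server}: {info['request_lines']} request lines forwarded via "
              f"{', '.join(info['egress'])}, no echo reply seen on the FortiGate")
```

Run against a real capture, a flow listed by this script while the switch-side capture shows the reply leaving the switch points at the return path into the aggregate, which is the situation the rest of this article addresses.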


When the issue occurs, some traffic on the aggregate may still pass while other traffic is affected, or all traffic on the aggregate interfaces is affected.


To mitigate this problem, the way traffic is handled at the NP level must be changed. As a workaround, apply the commands below.

The commands take effect only after a reboot; the device prompts for confirmation before rebooting.


config system npu
    set default-qos-type policing
    set qtm-buf-mode 4ch
end

WARNING: When default-qos-type is set to shaping max-receive-unit should also be set to 6000, and all interface MTUs should be set to 6000 or less. Interface MTU will be lowered automatically.
The configuration will take effect after system reboot.
Do you want to continue? (y/n)y


Note: MTU on all interfaces will be set to 6000 if it is above this number.