New Contributor

Execute traceroute showing first and last hop for connected subnet

I have a FortiGate 100e device in which I have taken out one LAN port and set WAN role on it. I have assigned a /30 subnet IP address to the port. The port is up and I can PING it from other zones. However, I cannot PING the remote IP address of the /30 subnet. Execute traceroute shows the only hop as I have deployed ANY-ANY policy from LAN to the above interface but PING from LAN workstation to remote /30 IP address gets DESTINATION HOST UNREACHABLE reply from firewall. I am at my wit's end. Please help.


boneyard wrote:

if you want to and have the time you could create a link aggregate on the FortiGate, make port16 a member of it and see if that gets a working situation. that does require removing the IP from port16, removing the firewall policy and the route. then putting them back on the link aggregate.

Tried this. Didn't work. :(


what does the diagnose sniffer packet for the link aggregate look like?

Esteemed Contributor III

This happens in all of my FGT that I manage. What I've noticed, if the trace route is done to a "wan" or "port" interface that is not part of a virtual-switch it looks normal. If you do a trace route to an address connected to a port of a virtual-switch, the comes up




MANHATTANSOUTH # diag ip arp list | grep wan
index=8 ifname=wan2 00:1b:bc:11:43:1a state=00000004 use=61 confirm=47 update=27 ref=51


MANHATTANSOUTH # execute traceroute
traceroute to (, 32 hops max, 3 probe packets per hop, 72 byte packets
1 0.373 ms 0.330 ms 0.173 ms


and here's a LAN ( virtual-switch )


MANHATTANSOUTH # execute traceroute
traceroute to (, 32 hops max, 3 probe packets per hop, 72 byte packets
1 <> 2994.351 ms !H 2999.669 ms !H 2999.987 ms !H


Opswat does end-point protection, so it's something in FortiOS that is using some protection. Fortinet is a partner of Opswat.





So if there is no problem with the connected host, I would chalk this up as cosmetic.



Just my observations.


Ken Felix




PCNSE NSE StrongSwan
