
FortiGate VLAN subinterface not working


I'm moving from Juniper to Fortigate and I'm having issues setting up subinterfaces.

I have set up a port 3 VLAN subinterface with VLAN tag 704 (port 3 IP is



    edit "port3"
        set vdom "root"
        set type physical
        set snmp-index 7




    edit "port3/3.6"
        set vdom "root"
        set ip
        set allowaccess ping https ssh
        set description "z_DB"
        set snmp-index 35
        set interface "port3"
        set vlanid 704

Then I have done a static route as well:

    edit 35
        set dst
        set device "port3/3.6"


When I try to ping the FortiGate unit from a MacBook Pro that is connected directly to FortiGate 800C port 3 and I gave the Mac a static IP, then added a VLAN 704 interface as well with ip Now when I ping the FortiGate unit the ping does not go through, and the FortiGate unit does not show anything when I try to debug address


diag debug reset
diag debug enable
diag debug flow filter addr
diag debug flow show console enable
diag debug flow trace start 100


When I change the port 3/3.6 ip to and add ip directly to port 3 interface then the diag shows me that policy is blocking access and that's the way I want it to be.


I also tested so that I added port 3/3.6 to VLAN 500 (same as my office switch ports have) and connected it to switch and the computer to switch as well. Still nothing. Sniffer does not show that any packets are coming in from port 3/3.6 or to ip when the ip is given to port 3/3.6 (subinterface). When the ip is given to port 3 directly then sniffer and flow debug show me that policy is blocking the traffic.


Where could the problem be? I can show you my configuration as well if needed.

Esteemed Contributor III

The tagging in Mac OS X can be havoc to do. Did you do a tcpdump and ensure the tag was present?


Hint: if you don't have the layer 2 ARP address of the FGT, then you know the tagging is bad or incorrect. So I would double-check the client side if that's what you're doing.





PCNSE NSE StrongSwan

Do a capture on the Mac and confirm it is sending tagged packets.
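
The check both replies ask for, as an added example that is not part of the original thread: a small Python parser that reads a raw Ethernet frame and reports whether it carries an 802.1Q tag and whether the VLAN ID matches the 704 configured on the subinterface. The frames, MAC address and helper names (`parse_vlan`, `verdict`, `build_frame`) are constructed for illustration; in practice the bytes would come from a capture taken on the client.

```python
import struct

TPID_8021Q = 0x8100   # IEEE 802.1Q customer tag
TPID_8021AD = 0x88A8  # IEEE 802.1ad service tag (outer tag in QinQ)
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

def parse_vlan(frame: bytes) -> dict:
    """Return the VLAN tags (outermost first) and inner EtherType of a raw frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset, tags = 12, []                      # skip destination + source MAC
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, next_type = struct.unpack_from("!HH", frame, offset + 2)
        tags.append({"vid": tci & 0x0FFF, "pcp": tci >> 13})
        offset += 4                            # each tag adds 4 bytes
        ethertype = next_type
    return {"tags": tags, "ethertype": ETHERTYPES.get(ethertype, hex(ethertype))}

def verdict(frame: bytes, expected_vid: int) -> str:
    """Classify a frame against the VLAN ID the firewall subinterface expects."""
    tags = parse_vlan(frame)["tags"]
    if not tags:
        return "untagged"                      # would hit the parent port, not the subinterface
    vid = tags[0]["vid"]
    return "ok" if vid == expected_vid else f"wrong-vlan-{vid}"

def build_frame(vid=None) -> bytes:
    """Constructed sample: broadcast ARP frame with a zero-filled placeholder payload."""
    dst, src = b"\xff" * 6, bytes.fromhex("020000000001")  # constructed MAC
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid)
    return dst + src + tag + struct.pack("!H", 0x0806) + b"\x00" * 28

if __name__ == "__main__":
    for label, vid in (("tagged 704", 704), ("untagged", None), ("tagged 500", 500)):
        print(label, "->", verdict(build_frame(vid), expected_vid=704))
```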

