Hi,
I have a fortigate 30E (6.2.4 firmware version) and I am experiencing problem with internet speed on it. The wan led is constantly blinking amber (speed) and blinking green for LINK/ACT.
I´ve been looking on the internet for any explanation but I cant find any.
FGT#diagnose hardware deviceinfo nic wan Description Marvell NETA Gigabit Ethernet driver 00000010 System_Device_Name wan Current_HWaddr 90:6c:ac:63:1b:29 Permanent_HWaddr 90:6c:ac:63:1b:29 State up Link up Speed 100 Duplex full Rx_Packets 2679 Tx_Packets 3737 Rx_Bytes 720292 Tx_Bytes 3840955
Can someone tell me what can this be or help me troubleshoot this issue!
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Nik,
You need to refer to the hardware guides here:-
https://docs.fortinet.com/product/fortigate/hardware
There doesn't seem to be a specific 30E guide- but essentially the lower end models all use the same convention:-
[ul]
For example the 30D guide (the predecessor of the 30E) documents this convention.
Your "diagnose hardware deviceinfo nic wan" shows that too- the "Speed 100" agrees with what the AMBER speed LED indication is showing you.
Because your WAN interface is currently only 100Mb/s you will never get more internet speed than that.
So, if you have a 1Gb/s (1000Mb/s) internet connection (for example) you wont get more than 100Mb/s speed until the WAN link is also showing a "GREEN" Speed LED and your diag output shows "Speed 1000".
Common causes of getting 100Mb/s connection rather than 100Mb/s are faulty Ethernet cabling or perhaps negotiation/ speed settings between the Fortigate and the modem/ internet device.
Lastly, be aware that the 30E will not support full 1Gb/s (1000Mb/s) throughput. Have a look at the datasheet here:-
https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGate_FortiWiFi_30E.pdf
Maximum firewall throughput is 950Mb/s and if you use full threat protection (which you should) maximum throughput is about 150Mb/s (depending on traffic type and mix).
Hope that helps you.
Kind Regards,
Andy.
Hi Nik,
It sounds like you have proven that it is a Fortigate setting you need to look.
But, there is certainly nothing (even with the 30E) that will prevent you getting that speed reliably if you have it correctly configured. It will be a config issue and certainly not a bug or Fortinet defect. These basic configs work well on Fortigates and are well validated and tested. But it may take time to work through it.
From your description it sounds like the D-Link "modem" is actually acting as a router. If you can connect a PC directly to the "modem" then it sounds like it is running DHCP (and assigning the client an IP and DNS settings) and acting as a NAT router.
Ideally, you probably do want the D-Link to act as a pure modem- but you would need to reconfigure it (if that is even possible?) and let the Fortigate act as the only router on your network. The Fortigate may then need to run PPPoE (for example) depending on how the ISP manages connections.
Otherwise (as you are set up at the moment probably) you may end up with the D-Link Modem assigning an IP Address (and probably DNS servers) to the Fortigate WAN. Any clients on the LAN side of the Fortigate will then get NAT'd twice- which isn't ideal and may add delay (and therefore slower throughput).
You also need to check basic settings like MTU size- if the Fortigate is running a higher MTU size than the modem you will experience fragmentation and speed/ connectivity issues.
Also you need to look at the DNS server settings on the Fortigate (the Fortigate defaults to the Fortinet DNS servers). You may find you getting better/ faster name resolution using your ISPs servers and then just using the Fortigate for SDNS filtering.
It's very hard to offer comprehensive advice on a topic like this without a lot of background of the network and the configs of both the Fortigate and the D-Link and the ISP. But, this can only be a config issue- the Fortigate products work very well- you just need to take the time to understand what is happening at every layer of the network.
I hope that offers you some help- but you need to be aware that the Fortigates are enterprise products and they do take time and expertise to configure properly.
Good luck- and if you any more specific questions I'm sure the Forum (and myself) will be happy to try and help.
Kind Regards,
Andy.
Correction: the wan is not blinking amber, but it is solid amber for speed, and blinking green for Link/Act.
Hi Nik,
You need to refer to the hardware guides here:-
https://docs.fortinet.com/product/fortigate/hardware
There doesn't seem to be a specific 30E guide- but essentially the lower end models all use the same convention:-
[ul]
For example the 30D guide (the predecessor of the 30E) documents this convention.
Your "diagnose hardware deviceinfo nic wan" shows that too- the "Speed 100" agrees with what the AMBER speed LED indication is showing you.
Because your WAN interface is currently only 100Mb/s you will never get more internet speed than that.
So, if you have a 1Gb/s (1000Mb/s) internet connection (for example) you wont get more than 100Mb/s speed until the WAN link is also showing a "GREEN" Speed LED and your diag output shows "Speed 1000".
Common causes of getting 100Mb/s connection rather than 100Mb/s are faulty Ethernet cabling or perhaps negotiation/ speed settings between the Fortigate and the modem/ internet device.
Lastly, be aware that the 30E will not support full 1Gb/s (1000Mb/s) throughput. Have a look at the datasheet here:-
https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGate_FortiWiFi_30E.pdf
Maximum firewall throughput is 950Mb/s and if you use full threat protection (which you should) maximum throughput is about 150Mb/s (depending on traffic type and mix).
Hope that helps you.
Kind Regards,
Andy.
Hi Andy,
Thank you for the clarification. That was exactly what I was looking after. The problem I am facing is this, the fortigate sits behind the d-link modem which has max speed 24 MB/s. The client has also purchased this max speed from the ISP. But when I put the fortigate behind it and then connect the clients they have a very slow internet connection, upon testing I get 0.5-1 MB/s but when I connect the client directly to the modem via a switch they get up t0 20-22 MB/s. It seems that the fortigate does something to the internet speed. How can I troubleshoot this? I have tried with different cables but there is no improvement there.
Hi Nik,
It sounds like you have proven that it is a Fortigate setting you need to look.
But, there is certainly nothing (even with the 30E) that will prevent you getting that speed reliably if you have it correctly configured. It will be a config issue and certainly not a bug or Fortinet defect. These basic configs work well on Fortigates and are well validated and tested. But it may take time to work through it.
From your description it sounds like the D-Link "modem" is actually acting as a router. If you can connect a PC directly to the "modem" then it sounds like it is running DHCP (and assigning the client an IP and DNS settings) and acting as a NAT router.
Ideally, you probably do want the D-Link to act as a pure modem- but you would need to reconfigure it (if that is even possible?) and let the Fortigate act as the only router on your network. The Fortigate may then need to run PPPoE (for example) depending on how the ISP manages connections.
Otherwise (as you are set up at the moment probably) you may end up with the D-Link Modem assigning an IP Address (and probably DNS servers) to the Fortigate WAN. Any clients on the LAN side of the Fortigate will then get NAT'd twice- which isn't ideal and may add delay (and therefore slower throughput).
You also need to check basic settings like MTU size- if the Fortigate is running a higher MTU size than the modem you will experience fragmentation and speed/ connectivity issues.
Also you need to look at the DNS server settings on the Fortigate (the Fortigate defaults to the Fortinet DNS servers). You may find you getting better/ faster name resolution using your ISPs servers and then just using the Fortigate for SDNS filtering.
It's very hard to offer comprehensive advice on a topic like this without a lot of background of the network and the configs of both the Fortigate and the D-Link and the ISP. But, this can only be a config issue- the Fortigate products work very well- you just need to take the time to understand what is happening at every layer of the network.
I hope that offers you some help- but you need to be aware that the Fortigates are enterprise products and they do take time and expertise to configure properly.
Good luck- and if you any more specific questions I'm sure the Forum (and myself) will be happy to try and help.
Kind Regards,
Andy.
Hi Andy,
You indeed has clarified this very good. There is a double NAT happening there and also the DNS is involved there too. I will try to configure the modem in bridge mode and let the fortigate do the rest. Thank you very much and have a nice day.
BR
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.