Mirek_Gruber
New Contributor

IP addresses stop working on WAN Interface

Hello, I have a serious problem with one of my FortiGate-60D v5.0,build0208,130603 (GA Patch 3) firewalls. I have 7 public IP addresses x.x.x.2-7 on the WAN interface. Once or twice per day one of them completely stops working. No ping, no services on it. When I reboot, everything works fine. It is very strange. Does anyone know where the problem could be? Thank you very much.
GusTech
Contributor II

Welcome to the forum! Do you use VIP and have you redirected all the ports?

Fortigate <3

Mirek_Gruber

Please look at the picture.
AtiT
Valued Contributor

Hi Mirek, do you have a standalone FortiGate or are you using it in an HA cluster? Do you have access to the router before the FortiGate to check the ARP table when the problem occurs?

AtiT

Mirek_Gruber

Hi, thank you for your response. It is a standalone FortiGate, no HA cluster. What do you mean by "before" the FortiGate? Thank you.
Richard_Bartlett
New Contributor

I have a similar problem on build179 5.0 (patch2) [aka 5.0.2]. There is a similar forum thread talking of host-load-balancing being a similar issue with 5.0.3 where the fix was to regress back to 5.0.2. So unless the fix for this is in beta, we need to report this.

In our situation the interfaces are grouped as zones. Then (of course) the VIP port forwards are performed on the actual zone member interfaces.

    diag sniff pack any 'tcp and host <vip> and port <port>' 6

proved the packets were arriving (and not forwarded).

    diag debug en
    diag debug flow show console enable
    diag debug flow filter daddr <vip>
    diag debug flow filter dport <port>
    diag debug flow trace start 10

indicated that there was something in the 'iprope' that was failing. This isn't necessarily the exact message I got (from memory and then a google to match what I think I remember!):

    iprope_in_check() check failed

Ours is a FortiWiFi 40C. It is pretty well the only firewall out of about 20 on our network that is running FortiOS 5. Consequently we're losing some amount of confidence in 5.0 but we're not having this problem as often as you.

Our fix isn't to reboot, but simply to go in via CLI:

    config firewall vip
        edit <usually an index that is suffering the problem is put in here>
            set arp-reply disable
        next
    end

If we have the issue again, we toggle arp-reply to enable and back to disable (the GUI default is enable, but this seems daft: when the IP is also an interface on this same unit, that IP element is clearly going to respond to ARP whatever the setting in this port-forward is set to).
Mirek_Gruber

Hello everyone, I think I have solved it. It was pretty simple. We had the WAN2 port connected to the same Ethernet as WAN1 (by mistake). It was configured as a DHCP client and there was no DHCP server on that Ethernet. We are not using WAN2 for anything, so I disabled the port and the IP address immediately started working. It is strange that only 3 of the 7 IP addresses were affected by this. Thank you for your support. Mirek
rwpatterson
Valued Contributor III

I'll bet the 3 that were affected were even IP addresses (in the last octet). Fortigate load balancing.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Mirek_Gruber

No.. 3,4,6
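
The upstream ARP-table check that AtiT suggests earlier in the thread, as an added example that is not part of any post: it compares ARP snapshots taken on the router in front of the FortiGate and flags public IPs whose MAC changed or stopped resolving. It assumes a Linux upstream router (`ip neigh show` output) and that the fault shows up as an ARP change; all addresses and MACs are constructed sample data.

```python
import re

# One line of Linux `ip neigh show` output, for example:
#   203.0.113.3 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE
NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+dev\s+\S+"
    r"(?:\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17}))?\s+(?P<state>\S+)$"
)

def parse_neigh(text):
    """Return {ip: mac, or None when unresolved} for one ARP snapshot."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            mac = m.group("mac")
            table[m.group("ip")] = mac.lower() if mac else None
    return table

def arp_anomalies(snapshots, watched):
    """Flag watched IPs whose MAC changed, went unresolved or vanished."""
    tables = [parse_neigh(s) for s in snapshots]
    report = {}
    for ip in watched:
        macs = [t.get(ip) for t in tables]
        distinct = sorted({m for m in macs if m})
        if len(distinct) > 1:
            report[ip] = ("mac-changed", distinct)
        elif None in macs:
            report[ip] = ("unresolved", distinct)
    return report

# Constructed sample data: documentation addresses and made-up MACs.
WATCHED = [f"203.0.113.{n}" for n in range(2, 8)]
WAN1, WAN2 = "02:00:00:00:00:01", "02:00:00:00:00:02"
SNAP_GOOD = "\n".join(f"{ip} dev eth0 lladdr {WAN1} REACHABLE" for ip in WATCHED)
SNAP_BAD = "\n".join([
    f"203.0.113.2 dev eth0 lladdr {WAN1} REACHABLE",
    f"203.0.113.3 dev eth0 lladdr {WAN2} STALE",
    "203.0.113.4 dev eth0 FAILED",
    f"203.0.113.5 dev eth0 lladdr {WAN1} REACHABLE",
    f"203.0.113.6 dev eth0 lladdr {WAN2} REACHABLE",
    f"203.0.113.7 dev eth0 lladdr {WAN1} REACHABLE",
])

if __name__ == "__main__":
    for ip, (kind, macs) in arp_anomalies([SNAP_GOOD, SNAP_BAD], WATCHED).items():
        print(ip, kind, ", ".join(macs))
```

A "mac-changed" result means a second interface on the same segment answered ARP for that address, which is the kind of wiring mistake worth ruling out before rebooting.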