I recently did the firmware upgrade from 5.6 to 6.0 and I'm seeing much poorer performance than before the upgrade. We've got a 25Mbps symmetrical feed over fiber and my total throughput has dropped to 10Mbps. When I bypass the FortiGate and connect directly to the fiber modem I get full speed with any of the speed tests. I don't remember making any changes other than the update and we've rebooted a couple of times. Does anyone have ideas on what's going wrong?
I've tried both. When going through the router just now, speedtest.net gave: Ping ms 83 Download Mbps 7.21 Upload Mbps 9.43. Note that there are other users getting a portion of the bandwidth, so this is expected to be lower than the 25/25 we get without the router. At the same time the bandwidth window is displaying a flat line near 10Mbps.
When testing directly connected to the fiber modem last week we saw the full 25/25 using speedtest.net. I hesitate to do that test very often since it takes the whole company down...
Ping out to a nearby server was 83 ms through the FortiGate?
What was the ping going straight through the fiber modem?
I don't remember right offhand, 10ms or so... Ping Plotter is currently showing 1.2ms to the router and 407.8ms to a machine that's sitting on the same fiber modem (I have four static IPs on that modem). That does go through another 30E on the other side...
That's pretty slow for a ping without much between the devices, though I don't know the 30E latency specs.
Are you getting some packet loss? Maybe a speed/duplex mismatch between the FortiGate and modem?
See https://forum.fortinet.com/tm.aspx?m=164445 for someone running into something similar recently and http://kb.fortinet.com/kb/documentLink.do?externalID=10653 for speed/duplex checking.
Both the FortiGate and the fiber modem are at 1000Mbit full duplex. The cable run is all within the same room, under 20 feet in total. The fiber modem acts as a four port switch, the other device connected is fiber for several hundred feet (it's in a different building), then a fiber modem then the other 30E. Do I have visibility into packet loss through the web interface? I'm not seeing any stats at first glance through the GUI.
To get a list of your interfaces (which will tell you that wan1 is actually port3, etc.):
diagnose netlink device list
To see statistics for a particular interface, which should show you the link speed and duplex and some of the counters for statistics:
diagnose hardware deviceinfo nic <interface>
If you do see a bunch of dropped packets or link speeds that don't match, then you'll be a bit closer to the cause of the problem.
That first one is a bit hard to read since the numbers are so big. Counting right from 'bytes' and 'packets' for both Receive and Transmit shows 0 errors and 0 drops on all active ports. The second command shows links as up, 1000, full on each port that's in use.
I did a show and captured the results into a text file. If there was something that was doing extra debug logging what would I search for in the file? I remember turning debug on and off while diagnosing VPNs but I believe I left them all in off states.
What does the following show?
config sys int
edit <wan port>
get | grep speed
If it is "auto" you might try "set speed 1000full". I've run into some modems that didn't auto-negotiate well, especially those with SFP to Gigabit ethernet adapters.
Just in case you left any of the debug stuff on, you might want to do:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
then run a quick speed test again.
Beyond that, I'm really not the one to ask about using diag debug flow, maybe others will chime in.
One basic doc is http://kb.fortinet.com/kb/documentLink.do?externalID=FD33882 which has some other references.
BTW, I'm quite interested in how this goes for you as I was supposed to order a 30E tomorrow to use in a small location that will need to handle 100/50 Mbps with UTM.