Device : fortigate 60d
ISP: Spectrum
Line speed :300 down, 24 up.
When behind the firewall we are getting between 54-70 down and 24 up. From the modem we are getting 300/24. I have worked with tech support but was not able to resolve the issue. I have disabled utm and changed the wan port to be 1gb instead of auto negotiating. Still no luck
I have seen the fortinet not get the full bandwidth on several of my customers who are supposed to download more than 200. Wondering if anybody else has seen this issue?
We're currently dealing with the exact same situation for multiple customer locations where the ISP/modem is from Charter-Spectrum in mainly TX or surrounding states. We tested almost everything on the other end of IPSec tunnel (FGT as IPSec concentrator) using a test FG60D here in NW over other vendor like Comcast and CenturyLink. And ruled out both sides of FGTs for the slowdown.
Then I found a post at Expert Exchange stating Spectrum's Hitron modem/router was slowing down ONLY VPN over the cable internet while the speed test without VPN shows full bandwidth. The guy persuaded Spectrum's support to get the modem/router replaced to Ubee's, then the problem was resolved.
We're trying to do the same at all those customer locations where they got Hitron mondem/router but having hard time to persuade them to replace or can't find Ubee modem to replace with. Please let me know when you get it reolved by Spectrum. I'll update when we get any progress.
Toshi
I had spectrum change the modem out to an UBEE. They did not tell me that the speed is limited to 100 download if you have a static ip address. Their download speed went from 54 to 64. It did increase the speed but it is still slower than should be getting. Monitored the firewall most of the day and nothing was using bandwidth.
I have an update on our side. We got a Spectrum Hitron modem replaced with Ubee's at one of customer locations with Spectrum. This location's internet comes over FGT(CPE) to FGT (IPsec consentrator) and even routed through their HQ MPLS circuit to go though their own FW there.
Before the modem swap, download speed was about 16-17Mbps for this 60M/4M circuit. After the swap, download speed is about 60Mbps. So it solved the problem.
Your current situation might be caused by another factor on their network if the circuit is beyond 60M level.
Same issue here, just in case was there any resolution?
Just an FYI, we just installed a new spectrum 400MB down, 20 up. They said the only modem they had that would support the 400 down is the Arris. I'm having issues with the 60D and the arris. Max download is 40MB.
Have you tried putting a dumb GB switch inline?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
I am in the same boat but on Centurylink. Went from 40/5 to 140/20 and I am only getting half of the bonded line on the Fortigate 50E.... :( Modem is a Zyxel 3000z.
Same problem here with an Arris tg3442de DOCSIS 3.1 cable router in bridge mode and a 60E.
If auto-negotiation is enabled, max downstream is ~110MBit/sec. If we place a gbit switch between the 60E and the Arris, we get 800-900Mbit/s (Cable speed is 1000Mbit/50Mbit)
As there is no possibility to set anything in the Arris router (Vodafone), we are now in the situation that the connection is shaky, as the Arris seem to rely on the link status on the LAN side for DHCP requests. If the FortiGate 60E Port is connected via switch and the router is restarted, 60E won't get a WAN IP from providers side, as first the 60E gets an internal IP of the Arris router's DHCP server. Then the Arris gets switched to bridge mode by the provider when cable sync finishes. As the 60E already got a DHCP address, it won't receive a new one from the provider, as the link is still up (to the switch). The providers DHCP server seem to register the device id and doesn't let the 60E get an IP address.
The only possible way we found to get an IP is to set the 60E WAN port to manual IP mode, restart the Arris and let it sync, then switch the 60E WAN port to DHCP. This way, the 60E receives an IP from the provider.
I do not know who is responsible for this bad performance when auto-negotiation is on, but a PC or MacBook works flawlessly on the Arris. 60E is on FW version 6.0.5.
Bottom line: The article https://kb.fortinet.com/kb/documentLink.do?externalID=13780 may be true in theory, but we got opposite results. We didn't expect auto-negotiation problems these days on gbit ethernet.
Bit of a necro-post here. Running across this same issue right now. I have a few FG61F at different sites.
What I have seen so far, if the FG is talking to a fiber link, I can run speedtest.net and see the full bandwidth. If I am plugged into a cable modem, I have seen a straight test get up to 350 Mbs, but to see anything beyond that, you have to go to fast.com(because this change cannot be made on speedtest.net) and change to 20-30 parallel processes sending data, and I get the full 1 Gbs. I have been able to reproduce this method by using Iperf3 from server to server across a VPN tunnel and have seen upwards of 500 Mbs. I did test full vs half duplex, but that was not an issue for me.
I do not understand the protocol/signaling difference in these situations. Interestingly, I used a borrowed Sonicwall and it had no problems seeing full 1Gbs bandwidth at speedtest.net. The bandwidth is there and the FG can use it, but the test has to be customized.
Maybe the FG engineers can chime in and explain?
User | Count |
---|---|
2675 | |
1410 | |
810 | |
702 | |
455 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.