My FortiGate 60E has a strange issue. Every 3-5 days internal clients cannot reach WAN-side applications anymore, and a reboot of the FortiGate always fixes the issue.
- Ping to public IPs is still possible
- DNS gives timeouts (also from the FortiGate CLI, not able to ping a hostname)
- Ping from internet to the WAN interface is also not replying anymore
- Inbound virtual servers are not reachable anymore
- Inbound IPsec VPN not reachable anymore
- No issues visible in the event logs (only messages that FortiCloud cannot be reached)
What I tried in order to fix it:
- Configured SD-WAN -> does not help
- Configured SD-WAN WAN failover -> when the issue occurs, the health check still reports wan1 as alive. When I switch the inbound internet line to the wan2 port, internal users can immediately reach the internet. When I plug the line back into wan1, the internet is unreachable again and DNS requests time out.
- Simple setup, multi VLAN on a single physical interface
- Single internet line, no PPPoE, direct IP connection
- For DNS I use OpenDNS
- Simple IPsec VPN for remote connectivity
- FortiOS 6.2.4
Since when do I have this problem?
- Seems that the issue started 6 weeks ago, after upgrade to 6.2.4.
- At the same time my 3-year support contract expired, so I am not able to download new/old firmware images... (sorry for that)
- Around the same time my FortiGuard licenses expired, but I did not use FortiGuard.
I captured some CLI output at the moment the issue is active. See attached.
Any ideas what could cause this behavior and how to solve it?
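The symptom pattern in the post above (ICMP to a public IP still works while UDP DNS times out) is easy to miss until someone complains. As an added example that is not part of the original post or of any Fortinet tooling, here is a small probe you can run from an internal host on a schedule so the next occurrence is time-stamped and classified rather than noticed by reboot. The target addresses are constructed defaults (OpenDNS resolver, a public IP to ping, a hostname to query) and should be replaced with your own; the DNS query is built by hand so no third-party library is needed.

```python
"""Probe for the 'ping works, DNS times out' WAN state described in the thread.

Added example, not the poster's code. Targets below are constructed defaults.
"""
import random
import socket
import struct
import subprocess
from datetime import datetime, timezone

PUBLIC_IP = "1.1.1.1"            # assumption: any always-up public address
DNS_SERVER = "208.67.222.222"    # assumption: OpenDNS resolver, as the post uses OpenDNS
DNS_NAME = "example.com"         # assumption: any name the resolver will answer
TIMEOUT = 3.0                    # seconds


def build_dns_query(name: str, txid: int) -> bytes:
    """Build a minimal RFC 1035 A-record query for `name` with transaction id `txid`."""
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def parse_dns_reply(data: bytes, txid: int) -> bool:
    """True if `data` is a DNS response (QR bit set) matching our transaction id."""
    if len(data) < 12:
        return False
    rid, flags = struct.unpack("!HH", data[:4])
    return rid == txid and bool(flags & 0x8000)


def check_icmp(host: str = PUBLIC_IP, timeout: float = TIMEOUT) -> bool:
    """One ICMP echo via the system ping binary (Linux/macOS style flags)."""
    cmd = ["ping", "-c", "1", "-W", str(int(timeout)), host]
    try:
        return subprocess.run(cmd, capture_output=True, timeout=timeout + 2).returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def check_dns(server: str = DNS_SERVER, name: str = DNS_NAME, timeout: float = TIMEOUT) -> bool:
    """One UDP/53 query with a random transaction id; False on timeout or bad reply."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_dns_query(name, txid), (server, 53))
            data, _ = sock.recvfrom(512)
        except (socket.timeout, OSError):
            return False
    return parse_dns_reply(data, txid)


def classify(icmp_ok: bool, dns_ok: bool) -> str:
    """Map the two probe results onto the states discussed in the thread."""
    if icmp_ok and dns_ok:
        return "HEALTHY"
    if icmp_ok and not dns_ok:
        # Exactly the reported state: ICMP out is fine, UDP/DNS through the WAN is not.
        return "PARTIAL"
    if not icmp_ok and dns_ok:
        return "ICMP_ONLY_FAIL"
    return "WAN_DOWN"


def run_once() -> str:
    """Run both probes and return a one-line, time-stamped record for a log file."""
    state = classify(check_icmp(), check_dns())
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return f"{stamp} wan_state={state}"


if __name__ == "__main__":
    print(run_once())
```

Run it from cron every few minutes and append the output to a file; the first line that flips from HEALTHY to PARTIAL gives you the time to line up against the FortiGate's own logs and session table, and the same distinction (ICMP fine, DNS dead) is what the thread uses to separate a dead line from a firewall-side problem.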
Just upgraded FG-60E from 6.0.10 to 6.2.4 ten days ago (Aug 14 2020), and this issue started occurring. I will add that IPv6 traffic was routed and processed by the firewall while IPv4 was not. Rebooting the firewall resolved the issue for only three or so days. Was going to open a case with Fortinet TAC when FortiOS 6.2.5 was released. Upgraded to 6.2.5, but had to revert to 6.2.4 within twelve hours because of new issues related to applications being blocked / not loading.
You are just the first one replying to my post. And no, I don't have a solution yet. Outbound DNS connectivity and inbound virtual-server connectivity drop every 3,5 days and I have to reboot my FGT60E every time to fix this.
I have a 100E running 5.6.11, IPv4, and am having the same issue. But only from my Comcast link. SD-WAN is configured, and about once a week the Comcast link goes down. I can still see the modem, but nothing past it. The Consolidated link stays up and running fine. I have also found that rebooting the modem helps, as well as changing the SD-WAN ping target. But only for a few days. We just moved to a new office, so the Comcast is a new account. And of course they blame the FGT.
There is a Bug ID (635589) that may resolve the issue. I have not tested this yet, but my 60E does have DoS policies.
635589 | FortiGate | 6.2.4 | Open
Description: After upgrade from FortiOS 6.2.3 to 6.2.4, DoS policy causing service interruption. Workaround: disable DoS policy.
* After upgrade from FortiOS 6.2.3 to 6.2.4, the DoS policy causes service interruption.
* If the DoS policy is disabled, all traffic starts flowing as expected.
Note: No issues were observed on FortiOS 6.2.3; all traffic flowed as expected with the DoS policy.