New Contributor

Traceroute via FGT unit doesn't show as a hop



I've come across a fgt100d HA installation where the internal IP doesn't show in traceroute.

What I get:

>tracert -d
  1     1 ms     2 ms     1 ms
  2     4 ms     3 ms     3 ms
...
^C


What I would like to get:

>tracert -d
  1     1 ms     1 ms     1 ms
  2     1 ms     2 ms     1 ms
  3     4 ms     3 ms     3 ms
^C


Setup is quite basic.

There are several LAN interfaces combined under one zone. Policy is

LANzone > wan all traffic is permitted responds to icmp



I suspect the FortiGate doesn't decrease the TTL, or it's somehow connected to the traffic being processed using NP... Any ideas what could be switched on/off ;) ?

New Contributor II

Sorry to bump an old thread, but +1 to supafin's symptoms.


Using Windows server, if I trace for the first time, it shows my FG 240D. If I run it just after the first, it does not show the FG and shows the ISP gateway twice, in place of the FG itself.


I'm attaching a photo. is my fortigate and the IP with the end 241.241 is the ISP's router.


Any hints?




Yes, I still have the same issue. But I have learned to live with it, so to say.

The first trace is correct, then the FortiGate stops responding, and after a while (could be 30 minutes - some day) it responds again.

This is easy to see since I run PingPlotter monitoring through the FortiGate unit, and it records a route change whenever the FortiGate responds to ICMP or not. Its hop will be replaced by the next router, as you also saw.

I think it's still related to the FortiGate offloading traffic to the ASIC, and that's why it doesn't respond. But I'm not sure why it starts to respond again after a while.


There is no option to disable ASIC offload under firewall policy in our unit (100D) for some reason.

We also have a 600D unit, and in that one there is the possibility to disable offloading.


I might open a support case with Fortinet at some point, but this hasn't been a major issue for me so I haven't done that yet.

New Contributor II

Same thing here.


The point is that I only saw this behaviour now, because we are in a very critical moment right now, with many network problems. So I thought that it could possibly be the problem we have.


Can you say if this harms the connectivity or not?


No problem with actual connectivity. It's just a cosmetic thing in our network monitoring screens ;)


New Contributor II

Thanks for your feedback. :)


And if you change those admin ports under system->settings to whatever you want, you don't have to deal with VIPs at all.


Please disregard. Wrong thread.

