Hi all,
We are seeing some strange peaks in our WAN bandwidth. Every 20 minutes, we get a peak of around 1.5Gbps which lasts for about 1 minute. We cannot figure out what is doing this.
We did a packet capture when the peak is going, but when looking in wireguard -> statistics -> conversations, we can only see 5 things that are around 15Mbps, to IP addresses that are not being used in any VIP.
How can we further troubleshoot this?
Edit: We've also checked all firewall rules coming into the FortiGate, but none of them are producing this many Gbps.
Hi Jesper
Try enabling logs for the implicit deny rule and check again. Probably the peaks are for incoming packets that are being blocked.
Also check in the local traffic logs as well.
Created on 03-04-2025 06:47 AM Edited on 03-04-2025 06:47 AM
I've enabled the implicit deny rule logging now, I have to wait for the next peak.
If it is this, how can we prevent it from peaking to 1.5Gbps? Because of this we are paying around 300 euros monthly in burst fees, as we only have 100Mbps bandwidth.
Local traffic log is empty..?
Let's see in the logs, then we can decide what to do.
But if it is blocked traffic from a source that is not controlled by you, then you can't do anything about that. You can just continue to block it and pay for it.
Local traffic log should not be empty. Try enabling it in log settings.
Currently, all of the logs in forward traffic are 0 Bytes.
I also found this inside the implicit deny firewall policy. The total bytes shouldn't be this low if every 20 minutes 1.5Gbps comes in, right?
I think you are right.
Can you check the graphs of all other interfaces? In case you find an interface having the same peak at the same moment, that would mean you have found at least to which local network this traffic is going.