- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- WAN performance
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
WAN performance
We own a FG-60C. Our company recently got a new 20/20 Mbps DSL line, however when we do a speed test (speedtest.net, speakeasy.net) behind the firewall we only get around 2-3 Mbps when downloading and around 20 Mbps when uploading. When we connect a pc straight to the DSL router, we get close to what the actual speeds ought to be. UTM is turned off, so no web-filter, AV, IPS, etc. What I' d like to know is how do you troubleshoot this issue. I see the traffic log, but it' s not telling me much. Anyone know how to begin tackling such an issue?
-Thank you in advance
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Welcome to the forums.
Here' s a question: When you use the Fortigate inline, how many people are sharing the connection?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, rwpatterson. Around 45 people in the office, however even if there' s only one user online, the speed is the same (I stayed in the office after hours testing). I should also note that Fortigate is running v4.0 MR1 OS. Also, the ISP tech said the at line is setup as full duplex which is what the WAN port is also set as. We have a backup unit that I plan to use for testing so as not to disrupt our users. I' m going to upgrade that unit to the latest firmware and see if it makes a difference.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try the latest version in V4 MR2 (patch 14) before going to V4 MR3 (my opinion) and DEFINITELY before going to V5 (general consensus).
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the tip!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Before upgrading from 4.0MR1 to 4.0MR2 make sure there are no space character codes in the address/firewall object labels -- we ran into problems while upgrading from 4.0MR1 to 4.0MR2 -- most of our firewall polices broke (on the units we upgraded) and we spent a few hours tracing the problem to our addressing labels getting truncated at the first space char in the name, after the upgrade.
Still having problems after the upgrade, run a " diag hardware deviceinfo nic <wan port>" test and check for any errors on the port (ie. possible duplex/speed mismatch).
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the tip, Dave. Did the upgrade on the spare unit to MR2, plugged it in and still no dice. Speed tests still show 2-3 Mbps. Also ran the diagnostic command as suggested and it showed no errors. The port is correctly figure as 100mbps full duplex. I should mention that I copied the config file from the active unit into the spare. I' m thinking of resetting the spare and just start from scratch.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As a suggestion, from the GUI, drop the MTU to a lower number...say 1490. If packets need to be fragmented, that may slow you down as well. If you want to see what the largest packet the interface will bear, from a DOS prompt, type:
C:\ ping 8.8.8.8 -f -l <packet size>The largest packet you' ll be able to squeeze will probably be 1500. If that doesn' t work, try decreasing this number by about 10 until it works, then either take that or increase gradually until it fails. This is the number you need to enter in the GUI on the interface.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From my experience speedtest sites will always give you funky results behind a UTM. Are you sure UTM is completely off for the traffic getting to the website?
I would test out real downloads/uploads to test the performance.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The reason for this asymmetric throttling most probably is in the config (which you unfortunately copied from the live unit).
From the console port prompt, do a " exec factoryreset" , put in an IP address for ' internal' , configure the WAN port and add just one policy allowing traffic out. Nothing else.
Then measure. Speedtest is suitable enough for such a gross mismatch.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Related Posts
- Novice Needing Help Setting Up FortiGate... 80 Views
- Max user count on Fortiap 257 Views
- FSSO authentication fallback with flow-based policy 206 Views
- How to keep the connections when... 562 Views
- High CPU for 201E 150 Views
Labels
-
FortiGate
6,575 -
FortiClient
1,308 -
5.2
801 -
5.4
639 -
FortiManager
569 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
338 -
FortiAP
336 -
FortiClient EMS
267 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
61 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
25 -
Firewall policy
24 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
LDAP
11 -
Logging
11 -
Virtual IP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SSO
6 -
Traffic shaping policy
5 -
SNMP
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Web profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.