Dyop_Geop
New Contributor

unknown Source Consuming bandwidth

May I ask, what could be this “viewpaulbusinezs.no-ip.org (0.0.0.0)” mentioned in the screenshot below? In the screenshot also is the configuration of the widget for your reference. How can I trace what is this or who is this?
Dyop_Geop

ORIGINAL: Istvan Takacs I'd suggest to read the following article first: Microsoft Seized No-IP Domains, Millions of Dynamic DNS Service Users Suffer Outage http://thehackernews.com/2014/06/microsoft-seized-no-ip-domains-millions.html Then run an updated virus/malware scanner on your LAN hosts. BTW, 0.0.0.0 means that the host has no published record:
 $ dig +short @nf1.no-ip.com viewpaulbussinezs.no-ip.org
 0.0.0.0
The LAN hosts have their own virus scanner. There are a lot of them. Sadly, we don't have like a certain standard in terms of protecting the users. It's like if we give an employee a laptop, we do the initial installations of OS and AVs, but we don't monitor after that. So after issuing a laptop, we kinda can't track if their AV is still up to date, or if it's still installed there, etc. If you can observe the screenshots, bytes are only sent. Can we assume that whoever this is, it is only sending requests to a certain destination and the destination is dropping these requests? Thanks Istvan
Istvan_Takacs_FTNT

From the screenshot you included nothing indicates that the packets are getting dropped, only that they are getting sent. Like emnoc suggested, if the issue happens again then run some troubleshooting commands on the FGT or turn on logging on the last implicit deny rule and analyse the logs for anything suspicious. "So after issuing a laptop, we kinda can't track if their AV is still up to date, or if it's still installed there, etc." Then FortiClient should be just perfect for you to get installed on all of these laptops. You can even enforce FGT policy after client registration to enable access to the network only if the client has updated AV signatures. http://www.forticlient.com/ "With no per-seat license fees, FortiClient takes the headaches out of managing multiple endpoints so your users & guests can work efficiently anywhere, without compromising your security. It's the end-point solution for your FortiGate network."
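The advice above is to enable logging on the implicit deny rule and then look through the traffic logs for anything odd: destinations of 0.0.0.0, dynamic-DNS hostnames, and sessions that only ever send bytes. The following script is an added example, not code from this thread or from Fortinet: it parses FortiGate-style key=value traffic log lines and builds a per-source summary of exactly those indicators. The log lines are constructed for the example (field names follow the usual FortiOS traffic-log layout; the values are made up), and the assumption that implicit-deny hits show up as `action=deny policyid=0` and the list of dynamic-DNS suffixes are both assumptions you should adjust to your own environment.

```python
import re

# Constructed sample lines in FortiGate key=value traffic-log style.
# Not real logs from the thread; addresses and hostnames are invented.
SAMPLE_LOGS = [
    'date=2014-07-01 time=09:12:01 type=traffic subtype=forward srcip=192.168.1.50 srcport=51234 '
    'srcintf="port1" dstip=0.0.0.0 dstport=443 dstintf="wan1" hostname="viewpaulbusinezs.no-ip.org" '
    'action=deny policyid=0 sentbyte=1460 rcvdbyte=0',
    'date=2014-07-01 time=09:12:31 type=traffic subtype=forward srcip=192.168.1.50 srcport=51235 '
    'srcintf="port1" dstip=0.0.0.0 dstport=443 dstintf="wan1" hostname="viewpaulbusinezs.no-ip.org" '
    'action=deny policyid=0 sentbyte=2920 rcvdbyte=0',
    'date=2014-07-01 time=09:13:05 type=traffic subtype=forward srcip=192.168.1.77 srcport=40001 '
    'srcintf="port1" dstip=203.0.113.10 dstport=80 dstintf="wan1" hostname="example.com" '
    'action=accept policyid=3 sentbyte=512 rcvdbyte=40960',
    'date=2014-07-01 time=09:14:10 type=traffic subtype=forward srcip=192.168.1.80 srcport=40002 '
    'srcintf="port1" dstip=198.51.100.5 dstport=8080 dstintf="wan2" hostname="somehost.no-ip.org" '
    'action=accept policyid=3 sentbyte=300 rcvdbyte=200',
    'date=2014-07-01 time=09:15:44 type=traffic subtype=forward srcip=192.168.1.77 srcport=40003 '
    'srcintf="port1" dstip=203.0.113.20 dstport=25 dstintf="wan1" '
    'action=deny policyid=0 sentbyte=60 rcvdbyte=0',
]

# Assumption: dynamic-DNS zones worth a second look. Extend for your environment.
DYNDNS_SUFFIXES = ("no-ip.org", "no-ip.com")

# key=value or key="quoted value" pairs, as FortiGate writes them.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict; quoted values lose their quotes."""
    rec = {}
    for key, val in KV_RE.findall(line):
        rec[key] = val[1:-1] if val.startswith('"') else val
    return rec


def flag_reasons(rec):
    """Return the list of indicators a record matches (empty list = nothing odd)."""
    reasons = []
    if rec.get("dstip") == "0.0.0.0":
        reasons.append("dst 0.0.0.0 (name has no published record)")
    host = rec.get("hostname", "").lower()
    if any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES):
        reasons.append("dynamic-DNS hostname")
    # Assumption: implicit-deny hits are logged as action=deny with policyid=0.
    if rec.get("action") == "deny" and rec.get("policyid") == "0":
        reasons.append("hit implicit deny")
    if int(rec.get("sentbyte", 0)) > 0 and int(rec.get("rcvdbyte", 0)) == 0:
        reasons.append("bytes sent, none received")
    return reasons


def summarize(lines):
    """Aggregate flagged sessions per source IP: byte counts, flows, destinations, reasons."""
    per_src = {}
    for line in lines:
        rec = parse_line(line)
        reasons = flag_reasons(rec)
        if not reasons:
            continue
        src = rec.get("srcip", "?")
        entry = per_src.setdefault(
            src, {"sent": 0, "rcvd": 0, "flows": 0, "dsts": set(), "reasons": set()}
        )
        entry["sent"] += int(rec.get("sentbyte", 0))
        entry["rcvd"] += int(rec.get("rcvdbyte", 0))
        entry["flows"] += 1
        entry["dsts"].add(f'{rec.get("dstip")}:{rec.get("dstport")} {rec.get("hostname", "")}'.strip())
        entry["reasons"].update(reasons)
    return per_src


def report(lines):
    """Render the summary as text, worst offender (most bytes sent) first."""
    out = []
    for src, e in sorted(summarize(lines).items(), key=lambda kv: -kv[1]["sent"]):
        out.append(f"{src}: {e['flows']} flows, sent={e['sent']} rcvd={e['rcvd']}")
        for d in sorted(e["dsts"]):
            out.append(f"    -> {d}")
        out.append("    reasons: " + ", ".join(sorted(e["reasons"])))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOGS))
```

The output points straight at the LAN host to go and scan (here the constructed 192.168.1.50), which is the MAC/IP-to-workstation step the rest of the thread is trying to get to with the ARP table and session monitor.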
Dyop_Geop

ORIGINAL: Istvan Takacs From the screenshot you included nothing indicates that the packets are getting dropped, only that they are getting sent. Like emnoc suggested, if the issue happens again then run some troubleshooting commands on the FGT or turn on logging on the last implicit deny rule and analyse the logs for anything suspicious. "So after issuing a laptop, we kinda can't track if their AV is still up to date, or if it's still installed there, etc." Then FortiClient should be just perfect for you to get installed on all of these laptops. You can even enforce FGT policy after client registration to enable access to the network only if the client has updated AV signatures. http://www.forticlient.com/ "With no per-seat license fees, FortiClient takes the headaches out of managing multiple endpoints so your users & guests can work efficiently anywhere, without compromising your security. It's the end-point solution for your FortiGate network."
Hi Istvan, thanks for the reply, will do the logging for the last implicit deny in time. As for FortiClient, I will try to push this. Kinda difficult to do this since there are a lot of clients.
emnoc
Esteemed Contributor III

ORIGINAL: Istvan Takacs I'd suggest to read the following article first: Microsoft Seized No-IP Domains, Millions of Dynamic DNS Service Users Suffer Outage http://thehackernews.com/2014/06/microsoft-seized-no-ip-domains-millions.html
Yeah but I think MS had to revert the domains back from my understanding. It was a fruitless legal claim and as silly as the former mayor Bloomberg suing the gun manufacturer for killing a person. OP, did you find the culprit and remediate the problem? Istvan gave some good advice on running AV/MAL on the abused machine.

PCNSE NSE StrongSwan
Dyop_Geop

Hi emnoc, not yet. Sorry, I just don't know how I can find out where this is coming from.
netmin

Does
 diag ip arp list | grep "ifname=port1 0.0.0.0"
 
return something? If yes (a MAC address, example: '00:00:DE:AD:C0:DE'), does
 diag ip arp list | grep "00:00:DE:AD:C0:DE"
 
show any additional information?
Dyop_Geop

ORIGINAL: netmin Does
 diag ip arp list | grep "ifname=port1 0.0.0.0"
 
return something? If yes (a MAC address, example: '00:00:DE:AD:C0:DE'), does
 diag ip arp list | grep "00:00:DE:AD:C0:DE"
 
show any additional information?
Hi netmin, the command doesn't return anything. No additional information. What's weird is that I'm trying to sort the Top Sources by changing "Src Interface" to Port1 LAN, then "Dst Interface" to "Wan1" or "Wan2", since these are the only interfaces in use in this FortiGate, and the 0.0.0.0 entry DOESN'T SHOW. It's only in the condition that the Src Interface is at "PORT1" and "All", and Dst Interface at "All", that the 0.0.0.0 entry will show.
netmin

One more GUI setting you can try (I would already have used <add your favourite swiss knife tool here> at this time) to potentially get more information about the traffic type: - set your session monitor to "Report By: All" - click on "Column settings" - add columns, such as protocol, src port, src address, dst port, dst address, etc. ... as needed. Example:
Dyop_Geop

ORIGINAL: netmin One more GUI setting you can try (I would already have used <add your favourite swiss knife tool here> at this time) to potentially get more information about the traffic type: - set your session monitor to "Report By: All" - click on "Column settings" - add columns, such as protocol, src port, src address, dst port, dst address, etc. ... as needed. Example:
Hi netmin, thanks again for your reply and patience :) Already did what you specified, and after setting the session monitor to "Report By: All", the "paulbusiness, etc, etc" was not shown. All that was shown were valid private IP addresses. BEFORE:
Dyop_Geop
New Contributor

AFTER: