• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 838
  • Last Modified:

Fortingate not receiving all traffic from ISP

I own a Fortigate 300A an have had it on line for three years. Recently I had the ISP change to fiber connection and increase bandwidth. From the moment f te change many of my VIPs stopped receiving traffic from internet.
ISP state they are just a gateway and are passing all traffic with in the IP range (
Fortinet engineers state fire wall is properly configured but not receiving the traffic.  
Yet three IPs are working fine.
Its been two weeks and each level of support I go tell me the same thing..."its the other guys problem".  My most resent communication from Fortinet states if the ISP sets up a static route for my addresses all will be well, (I haven' heard back from ISP yet).
My question is simple is there anything I can do or put in between the two systems to correct this problem?  I am tired of waiting o support.
Bill Doherty
Bill Doherty
  • 3
  • 3
2 Solutions
A quick fix would be to PAT your VIPs to one of the known good addresses. It could be a number of issues but it sounds like they may have a wrong subnet mask for your IP range on their end assuming you have made no configuration changes.

Can you do a trace route from another ISP and see where the traffic goes? Try it for both an IP that works and one that does not. If you see it getting to the ISP side of your Internet Router, than you can push the issue with your hardware. If it stops on their network, then you can push harder on the ISP.

I had a similar situation where we brought up a new circuit to increase bandwidth and the ISP just simply forgot to activate the routes in their equipment. In this situation, it took someone at a 3rd tier support to be able to assist.

If nothing changed on the fortigate, but something did change with the ISP, then it's pretty clear where the problem is.  Can you get the ISP to come onsite for a vendor meet and certify the new fiber connection?
Bill DohertyNetwork AdministratorAuthor Commented:
Thank you both for your comments.
eeRoot: the vendor has come in and pretty much proved that there gateway could see the correct IP addresses if they were broadcast.  set direct connect with laptop and tested each IP. So clearly some routing issue my side of their connection. (so it seems) but I agree with you clealry the fortigate would not just stop.

jgibbar: We did test and trace and we lost the traffic at hopefully today the ISP and Fortigate will test together as promised to test through the gateway.

Here is another observation. When I came here we had only a partial T1 line from the same ISP out of the ISP cable box a cisco router was in place that forwarded my traffic.  About three years ago we upgraded the T1 to a wireless bridge (line of sight rf) for a10Mb broadband connection, again they had the bridge modem or router between there radio and my firewall. This new connection there is no equipment between my firewall and the fiber box. Do you think this is what broke? In my limited understanding of how this all connects I am beginning to think I need a local router of some type or maybe a L3 switch between the fiber and my firewall.

I'm asking these questions here because Expert exchange is one place I can get unbiased answers and I truly appreciate the feedback.

Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

The Fortigate may have been using the IP of the old/removed router as a default gateway, or the router may have been forwarding traffic to the Fortigate.  It's impossible to say now things were configured now that the devices are gone unless you have a backup of the configs handy.  You'll have to look at how the WAN links are set on the Fortigate, and see if it's pointing to something that isn't there anymore.
Bill DohertyNetwork AdministratorAuthor Commented:
eeroot: The router addresses stayed the same which only adds to my confusion.
Can you post a sanitized config and any errors in the logs?
Bill DohertyNetwork AdministratorAuthor Commented:
Thank you for your attemps to solve this issue, Finnally an engineer at the ISP explained the differences  with the old and new connections. We were swithed to some type of trunk access and because of that we are diresctly connected to them so they do not supply a static route of our iP addreeses for the Fortigate to see. The fix is easy enough, we just had to create gratuitous-arps (proxy arps) for each of the ips within the firewall;
csi command:
config firewall vip
edit "vip name"
set gratuitous-arp-interval 5

5 is 5 second interval

again thanks for help
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now