Link to home
Start Free TrialLog in
Avatar of Bill Doherty
Bill DohertyFlag for United States of America

asked on

Fortingate not receiving all traffic from ISP

I own a Fortigate 300A an have had it on line for three years. Recently I had the ISP change to fiber connection and increase bandwidth. From the moment f te change many of my VIPs stopped receiving traffic from internet.
ISP state they are just a gateway and are passing all traffic with in the IP range (209.217.199.96/27)
Fortinet engineers state fire wall is properly configured but not receiving the traffic.  
Yet three IPs are working fine.
Its been two weeks and each level of support I go tell me the same thing..."its the other guys problem".  My most resent communication from Fortinet states if the ISP sets up a static route for my addresses all will be well, (I haven' heard back from ISP yet).
My question is simple is there anything I can do or put in between the two systems to correct this problem?  I am tired of waiting o support.
Thanks
ASKER CERTIFIED SOLUTION
Avatar of jgibbar
jgibbar
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of eeRoot
eeRoot

If nothing changed on the fortigate, but something did change with the ISP, then it's pretty clear where the problem is.  Can you get the ISP to come onsite for a vendor meet and certify the new fiber connection?
Avatar of Bill Doherty

ASKER

Thank you both for your comments.
 
eeRoot: the vendor has come in and pretty much proved that there gateway could see the correct IP addresses if they were broadcast.  set direct connect with laptop and tested each IP. So clearly some routing issue my side of their connection. (so it seems) but I agree with you clealry the fortigate would not just stop.

jgibbar: We did test and trace and we lost the traffic at hopefully today the ISP and Fortigate will test together as promised to test through the gateway.

Here is another observation. When I came here we had only a partial T1 line from the same ISP out of the ISP cable box a cisco router was in place that forwarded my traffic.  About three years ago we upgraded the T1 to a wireless bridge (line of sight rf) for a10Mb broadband connection, again they had the bridge modem or router between there radio and my firewall. This new connection there is no equipment between my firewall and the fiber box. Do you think this is what broke? In my limited understanding of how this all connects I am beginning to think I need a local router of some type or maybe a L3 switch between the fiber and my firewall.

I'm asking these questions here because Expert exchange is one place I can get unbiased answers and I truly appreciate the feedback.

thanks
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
eeroot: The router addresses stayed the same which only adds to my confusion.
Can you post a sanitized config and any errors in the logs?
Thank you for your attemps to solve this issue, Finnally an engineer at the ISP explained the differences  with the old and new connections. We were swithed to some type of trunk access and because of that we are diresctly connected to them so they do not supply a static route of our iP addreeses for the Fortigate to see. The fix is easy enough, we just had to create gratuitous-arps (proxy arps) for each of the ips within the firewall;
csi command:
config firewall vip
edit "vip name"
set gratuitous-arp-interval 5
end

5 is 5 second interval

again thanks for help