Fortingate not receiving all traffic from ISP

Posted on 2011-09-05
Last Modified: 2012-06-21
I own a Fortigate 300A an have had it on line for three years. Recently I had the ISP change to fiber connection and increase bandwidth. From the moment f te change many of my VIPs stopped receiving traffic from internet.
ISP state they are just a gateway and are passing all traffic with in the IP range (
Fortinet engineers state fire wall is properly configured but not receiving the traffic.  
Yet three IPs are working fine.
Its been two weeks and each level of support I go tell me the same thing..."its the other guys problem".  My most resent communication from Fortinet states if the ISP sets up a static route for my addresses all will be well, (I haven' heard back from ISP yet).
My question is simple is there anything I can do or put in between the two systems to correct this problem?  I am tired of waiting o support.
Question by:mwpai
  • 3
  • 3

Accepted Solution

jgibbar earned 250 total points
ID: 36484467
A quick fix would be to PAT your VIPs to one of the known good addresses. It could be a number of issues but it sounds like they may have a wrong subnet mask for your IP range on their end assuming you have made no configuration changes.

Can you do a trace route from another ISP and see where the traffic goes? Try it for both an IP that works and one that does not. If you see it getting to the ISP side of your Internet Router, than you can push the issue with your hardware. If it stops on their network, then you can push harder on the ISP.

I had a similar situation where we brought up a new circuit to increase bandwidth and the ISP just simply forgot to activate the routes in their equipment. In this situation, it took someone at a 3rd tier support to be able to assist.

LVL 22

Expert Comment

ID: 36485237
If nothing changed on the fortigate, but something did change with the ISP, then it's pretty clear where the problem is.  Can you get the ISP to come onsite for a vendor meet and certify the new fiber connection?

Author Comment

ID: 36488717
Thank you both for your comments.
eeRoot: the vendor has come in and pretty much proved that there gateway could see the correct IP addresses if they were broadcast.  set direct connect with laptop and tested each IP. So clearly some routing issue my side of their connection. (so it seems) but I agree with you clealry the fortigate would not just stop.

jgibbar: We did test and trace and we lost the traffic at hopefully today the ISP and Fortigate will test together as promised to test through the gateway.

Here is another observation. When I came here we had only a partial T1 line from the same ISP out of the ISP cable box a cisco router was in place that forwarded my traffic.  About three years ago we upgraded the T1 to a wireless bridge (line of sight rf) for a10Mb broadband connection, again they had the bridge modem or router between there radio and my firewall. This new connection there is no equipment between my firewall and the fiber box. Do you think this is what broke? In my limited understanding of how this all connects I am beginning to think I need a local router of some type or maybe a L3 switch between the fiber and my firewall.

I'm asking these questions here because Expert exchange is one place I can get unbiased answers and I truly appreciate the feedback.

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

LVL 22

Assisted Solution

eeRoot earned 250 total points
ID: 36493295
The Fortigate may have been using the IP of the old/removed router as a default gateway, or the router may have been forwarding traffic to the Fortigate.  It's impossible to say now things were configured now that the devices are gone unless you have a backup of the configs handy.  You'll have to look at how the WAN links are set on the Fortigate, and see if it's pointing to something that isn't there anymore.

Author Comment

ID: 36495542
eeroot: The router addresses stayed the same which only adds to my confusion.
LVL 22

Expert Comment

ID: 36499988
Can you post a sanitized config and any errors in the logs?

Author Closing Comment

ID: 36505308
Thank you for your attemps to solve this issue, Finnally an engineer at the ISP explained the differences  with the old and new connections. We were swithed to some type of trunk access and because of that we are diresctly connected to them so they do not supply a static route of our iP addreeses for the Fortigate to see. The fix is easy enough, we just had to create gratuitous-arps (proxy arps) for each of the ips within the firewall;
csi command:
config firewall vip
edit "vip name"
set gratuitous-arp-interval 5

5 is 5 second interval

again thanks for help

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
How VPC help preventing STP Loops 4 132
network error 8 56
Connect two buildings 6 49
Disabling Proxy-ARPs on Cisco ASA's outside interface downs outside terrafic 4 33
AWS has developed and created its highly available global infrastructure allowing users to deploy and manage their estates all across the world through the use of the following geographical components   RegionsAvailability ZonesEdge Locations  Wh…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question