Fortingate not receiving all traffic from ISP

Posted on 2011-09-05
Last Modified: 2012-06-21
I own a Fortigate 300A an have had it on line for three years. Recently I had the ISP change to fiber connection and increase bandwidth. From the moment f te change many of my VIPs stopped receiving traffic from internet.
ISP state they are just a gateway and are passing all traffic with in the IP range (
Fortinet engineers state fire wall is properly configured but not receiving the traffic.  
Yet three IPs are working fine.
Its been two weeks and each level of support I go tell me the same thing..."its the other guys problem".  My most resent communication from Fortinet states if the ISP sets up a static route for my addresses all will be well, (I haven' heard back from ISP yet).
My question is simple is there anything I can do or put in between the two systems to correct this problem?  I am tired of waiting o support.
Question by:mwpai
  • 3
  • 3

Accepted Solution

jgibbar earned 250 total points
ID: 36484467
A quick fix would be to PAT your VIPs to one of the known good addresses. It could be a number of issues but it sounds like they may have a wrong subnet mask for your IP range on their end assuming you have made no configuration changes.

Can you do a trace route from another ISP and see where the traffic goes? Try it for both an IP that works and one that does not. If you see it getting to the ISP side of your Internet Router, than you can push the issue with your hardware. If it stops on their network, then you can push harder on the ISP.

I had a similar situation where we brought up a new circuit to increase bandwidth and the ISP just simply forgot to activate the routes in their equipment. In this situation, it took someone at a 3rd tier support to be able to assist.

LVL 22

Expert Comment

ID: 36485237
If nothing changed on the fortigate, but something did change with the ISP, then it's pretty clear where the problem is.  Can you get the ISP to come onsite for a vendor meet and certify the new fiber connection?

Author Comment

ID: 36488717
Thank you both for your comments.
eeRoot: the vendor has come in and pretty much proved that there gateway could see the correct IP addresses if they were broadcast.  set direct connect with laptop and tested each IP. So clearly some routing issue my side of their connection. (so it seems) but I agree with you clealry the fortigate would not just stop.

jgibbar: We did test and trace and we lost the traffic at hopefully today the ISP and Fortigate will test together as promised to test through the gateway.

Here is another observation. When I came here we had only a partial T1 line from the same ISP out of the ISP cable box a cisco router was in place that forwarded my traffic.  About three years ago we upgraded the T1 to a wireless bridge (line of sight rf) for a10Mb broadband connection, again they had the bridge modem or router between there radio and my firewall. This new connection there is no equipment between my firewall and the fiber box. Do you think this is what broke? In my limited understanding of how this all connects I am beginning to think I need a local router of some type or maybe a L3 switch between the fiber and my firewall.

I'm asking these questions here because Expert exchange is one place I can get unbiased answers and I truly appreciate the feedback.

Create the perfect environment for any meeting

You might have a modern environment with all sorts of high-tech equipment, but what makes it worthwhile is how you seamlessly bring together the presentation with audio, video and lighting. The ATEN Control System provides integrated control and system automation.

LVL 22

Assisted Solution

eeRoot earned 250 total points
ID: 36493295
The Fortigate may have been using the IP of the old/removed router as a default gateway, or the router may have been forwarding traffic to the Fortigate.  It's impossible to say now things were configured now that the devices are gone unless you have a backup of the configs handy.  You'll have to look at how the WAN links are set on the Fortigate, and see if it's pointing to something that isn't there anymore.

Author Comment

ID: 36495542
eeroot: The router addresses stayed the same which only adds to my confusion.
LVL 22

Expert Comment

ID: 36499988
Can you post a sanitized config and any errors in the logs?

Author Closing Comment

ID: 36505308
Thank you for your attemps to solve this issue, Finnally an engineer at the ISP explained the differences  with the old and new connections. We were swithed to some type of trunk access and because of that we are diresctly connected to them so they do not supply a static route of our iP addreeses for the Fortigate to see. The fix is easy enough, we just had to create gratuitous-arps (proxy arps) for each of the ips within the firewall;
csi command:
config firewall vip
edit "vip name"
set gratuitous-arp-interval 5

5 is 5 second interval

again thanks for help

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Internet Protocol Security question 3 112
Cisco WLAN 5520 licensing 10 84
SSG50 Firewall Rules 17 43
ASA5510 Blocking a Wanted Website/Host 9 46
There are times where you would like to have access to information that is only available from a different network. This network could be down the hall, or across country. If each of the network sites have access to the internet, you can create a ne…
Before I go to far, let's explain HA (High Availability) and why you should consider it.  High availability is the mechanism used to provide redundancy to any service at the same site and appears as a single service to the users of that service.  As…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

680 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question