If any of these steps solves the problem, it was a hardware connection problem. You should still perform some basic software connectivity tests to ensure complete connectivity. The interface might also be disabled, or its administrative status might be set to Down. The following information covers troubleshooting and best practices.

If you can access the FortiGate with the management cable only, the first step is to display the interface settings. Use the CLI to display the settings of the internal interface and check its network settings.
Check the interface settings to ensure that they aren't preventing traffic.

DHCP servers are common on internal and wireless networks. If the DHCP server isn't configured correctly, it can cause problems.

The first line of output from the get system performance status command shows the CPU usage by category (user, system, nice and idle). On a FortiGate that is doing nothing, almost all of the CPU time is idle. If instead the line shows all of the CPU used up by system processes, the FortiGate is overloaded for some reason, which normally shouldn't happen. In this case, you must reduce the amount of traffic that's being scanned by blocking unwanted protocols, configuring more security policies to limit scanning to certain protocols, or similar actions.

It's also possible that an attacker has gained access to your network and is overloading it with malicious activity, such as running a spam server or using zombie PCs to attack other networks on the Internet. The diagnose sys top command shows the top processes that are running on the FortiGate: the process names are on the left, with their CPU usage next to them. If a process is using most of the CPU cycles, investigate it to determine whether the activity is normal.
The second line of output from the get system performance status command shows the memory usage. If memory is too full, some processes won't be able to function properly.
For example, if the system is running low on memory, antivirus scanning enters into failopen mode where it drops connections or bypasses the antivirus system. The other lines of output, such as average network usage, average session setup rate, viruses caught, and IPS attacks blocked, can also help you determine why system resource usage is high.
For example, if network usage is high, it results in high traffic processing on the FortiGate; and if the session setup rate is very low or zero while sessions are present, the proxy may be overloaded and unable to do its job.
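Reading this output by hand is fine on one unit; the following added example (not FortiOS code or anything from Fortinet) parses the lines the text names and flags the conditions described above: CPU consumed by system processes, memory nearly full, sessions present but a zero setup rate, and a burst of IPS blocks. The two sample outputs are constructed to mirror the command's layout as this page describes it, and the thresholds are assumptions to be tuned per platform.

```python
"""Parse `get system performance status` output and flag resource exhaustion.
Added example, not FortiOS code. Sample outputs are constructed; the exact
field layout of the real command is an assumption."""
import re

# Constructed sample: an idle unit.
IDLE_STATUS = """\
CPU states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
Memory: 2061108k total, 680000k used (33.0%), 1381108k free (67.0%), 0k freeable (0.0%)
Average network usage: 12 / 9 kbps in 1 minute, 10 / 8 kbps in 10 minutes, 11 / 8 kbps in 30 minutes
Average sessions: 42 sessions in 1 minute, 40 sessions in 10 minutes, 39 sessions in 30 minutes
Average session setup rate: 3 sessions per second in last 1 minute, 3 sessions per second in last 10 minutes, 3 sessions per second in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
"""

# Constructed sample: CPU saturated by system processes, memory nearly full,
# many sessions open but none being set up, and a burst of IPS blocks.
BUSY_STATUS = """\
CPU states: 0% user 100% system 0% nice 0% idle 0% iowait 0% irq 0% softirq
Memory: 2061108k total, 1960000k used (95.1%), 101108k free (4.9%), 0k freeable (0.0%)
Average network usage: 94000 / 91000 kbps in 1 minute, 90000 / 88000 kbps in 10 minutes, 85000 / 80000 kbps in 30 minutes
Average sessions: 180000 sessions in 1 minute, 150000 sessions in 10 minutes, 120000 sessions in 30 minutes
Average session setup rate: 0 sessions per second in last 1 minute, 1 sessions per second in last 10 minutes, 40 sessions per second in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 1200 total in 1 minute
"""

_PATTERNS = {
    "cpu": re.compile(r"CPU states:\s*(?P<user>\d+)% user\s+(?P<system>\d+)% system"
                      r"\s+(?P<nice>\d+)% nice\s+(?P<idle>\d+)% idle"),
    "mem": re.compile(r"Memory:\s*(?P<total>\d+)k total,\s*(?P<used>\d+)k used\s*\((?P<pct>[\d.]+)%\)"),
    "sessions": re.compile(r"Average sessions:\s*(?P<n>\d+) sessions in 1 minute"),
    "setup": re.compile(r"Average session setup rate:\s*(?P<n>\d+) sessions per second in last 1 minute"),
    "ips": re.compile(r"IPS attacks blocked:\s*(?P<n>\d+) total in 1 minute"),
}


def parse_status(text):
    """Return the 1-minute figures as a dict; lines that are absent are left out."""
    stats = {}
    m = _PATTERNS["cpu"].search(text)
    if m:
        stats.update({f"cpu_{k}": int(v) for k, v in m.groupdict().items()})
    m = _PATTERNS["mem"].search(text)
    if m:
        stats["mem_total_kb"] = int(m["total"])
        stats["mem_used_kb"] = int(m["used"])
        stats["mem_used_pct"] = float(m["pct"])
    for key, name in (("sessions", "sessions_1m"), ("setup", "setup_rate_1m"), ("ips", "ips_blocked_1m")):
        m = _PATTERNS[key].search(text)
        if m:
            stats[name] = int(m["n"])
    return stats


def assess(stats, cpu_idle_min=10, mem_pct_max=80, ips_per_min_max=100):
    """Map parsed figures to the conditions the text describes.
    Thresholds are assumptions; tune them to the platform."""
    findings = []
    if stats.get("cpu_idle", 100) < cpu_idle_min:
        findings.append(("cpu_saturated",
                         f"{stats.get('cpu_system', 0)}% system CPU: reduce scanned traffic "
                         "and check the top processes for abnormal activity"))
    if stats.get("mem_used_pct", 0.0) > mem_pct_max:
        findings.append(("memory",
                         f"{stats['mem_used_pct']}% memory used: antivirus may enter failopen"))
    if stats.get("sessions_1m", 0) > 0 and stats.get("setup_rate_1m", 1) == 0:
        findings.append(("session_setup",
                         "sessions present but setup rate is zero: proxy may be overloaded"))
    if stats.get("ips_blocked_1m", 0) > ips_per_min_max:
        findings.append(("ips_activity",
                         f"{stats['ips_blocked_1m']} IPS blocks per minute: possible attack traffic"))
    return findings


if __name__ == "__main__":
    for label, text in (("idle", IDLE_STATUS), ("busy", BUSY_STATUS)):
        print(label, parse_status(text))
        for code, msg in assess(parse_status(text)):
            print("  ", code, "-", msg)
```

Feed it the saved output of the command from several units and the finding codes give you a consistent triage key; the session_setup finding in particular is the "many sessions, none new" pattern the text attributes to an overloaded proxy.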
As with any system, a FortiGate has limited hardware resources, such as memory, and all processes running on the FortiGate share the memory. Each process uses more or less memory, depending on its workload.
For example, a process usually uses more memory in high traffic situations. If some processes use all of the available memory, other processes won't be able to run. When high memory usage occurs, the services may freeze up, connections may be lost, or new connections may be refused. If you see high memory usage in the Memory widget, the FortiGate may be handling high traffic volumes.
Alternatively, the FortiGate may have connection pool limits that are affecting a single proxy. If the FortiGate receives a large volume of traffic on a specific proxy, the unit may exceed the connection pool limit. If the number of free connections within a proxy connection pool reaches zero, issues may occur.
When this occurs, the FortiGate experiences connection-related problems.

They probably have a MAC limit on the ONT. If not, you may have to call support. Comcast does this as well. At least on Comcast you just reboot the modem and it clears it out. You can usually speed up the process if you reconnect the original router and go into it to do an IP release if possible. Release the IP like CAzi said on one of your routers that you had connected previously. Happy New Year! You could also use the clone MAC from your old router on the Fortinet. This will allow it to connect right away. From CLI:

config system interface
    edit wan1
        set macaddr xx:xx:xx:xx:xx:xx
    next
end

Being that it is pulling a DHCP address would lead me to believe this is a small setup or even a home user.
Based on the description of the issue it appears that this is a home or home office. Based on that, the quickest and easiest option would be to clone the MAC address. What do you mean "May be the easiest short-term fix but what happens down the road"? The FIOS tech support will fight you on using anything other than the router that they supplied.

If the only way to change the MAC is to have support do it, then that sucks. I was assuming this was a firewall downstream from the FIOS 'modem', not a replacement for the supplied 'modem'. Can the 'modem' be configured as a pass-through? Would that allow the Fortinet to connect and give the OP what he needs? The ONT is mounted to the side of a business or home. It is what converts the fiber line to an Ethernet hand-off. A modem is not required like with Comcast.
The connection is straight Ethernet, so any device that can do basic NAT routing will connect. Sometimes rebooting and resetting everything works. Just call their support and ask them to clear the MAC out of whatever device they have, if rebooting the ONT doesn't work. Only tech support can reboot the ONT. So again, hours on hold with tech support. Just clone the MAC address. Looks like an OPW, to be honest.

In addition to protecting the web server, the DMZ also protects the rest of the network.
A hole in the network protection must be made to allow outside users to access the web server. This hole creates a potential vulnerability that is mitigated by the DMZ. In this example the DMZ network uses a private subnet and allows access to a web server using different addresses for internal and external users, while preventing access from the web server to the internal network if the web server is compromised.
No other access is allowed. For this recipe to work, the web server must be properly configured with its default route pointing at the FortiGate's DMZ interface.

This example uses the port3 interface as the DMZ interface. The interface alias indicates that this is the DMZ interface, and the Role is also set to DMZ. Add both VIPs as the destination address. Do not enable NAT: if you enable source NAT, the configuration will still work, but all traffic received by the web server will have the same source IP address, so you will lose information about your website users.

Go to FortiView Policies to see current sessions for each firewall policy. If you add a filter to show only policies with the DMZ interface as the destination interface, you will see sessions from the internal network to the web server and from the Internet to the web server. Double-clicking on the Internet to DMZ web server session shows sessions from the Internet addresses in the example. For further reading, check out Firewall in the FortiOS 5.
For enhanced security, disable all Administrative Access options. In this example the Internet address of the web server is
You can also enable logging for all sessions to make it easier to test the configuration.

Dual internet connection, dual WAN, or redundant internet connection refers to using two FortiGate interfaces to connect to the Internet. Dual internet connections can be used in three ways: as redundant interfaces, so that should one interface go down, the second automatically becomes the main internet connection; for load sharing, to ensure better throughput; or as a combination of redundancy and load sharing.

Redundant interfaces ensure that, should your internet access no longer be available through a certain port, the FortiGate unit will use an alternate port to connect to the Internet. WAN1 is the primary connection. For this configuration to function correctly, you need to configure three specific settings: a link health monitor, a default route for each interface, and security policies for each interface. Adding a link health monitor is required for routing failover traffic. You need to configure a default route for each interface and indicate which route is preferred by specifying the distance. The route with the lower distance is declared active and placed higher in the routing table. When creating security policies, you need to configure duplicate policies to ensure that after traffic fails over from WAN1, regular traffic will be allowed to pass through WAN2 as it did with WAN1. This ensures that failover will occur with minimal effect on users. For more information on creating security policies see the Firewall Guide.

Load sharing enables you to use both connections to the internet at the same time, but does not by itself provide failover support.
When configuring for load sharing, you need to ensure that routing is configured for both external ports; for example, WAN1 and WAN2 must have static routes with the same distance and priority. In this scenario, both links are available to distribute Internet traffic.

Should one of the interfaces fail, the FortiGate unit will continue to send traffic over the other active interface. Configuration is similar to the redundant interfaces configuration, with the main difference being that the configured routes should have equal distance settings.

This means both routes will remain active in the routing table. To make one interface the preferred interface, use a default policy route to indicate the interface that is preferred for accessing the Internet. If traffic matches the policy route, the policy route overrides all entries in the routing table, including connected routes.

You may need to add specific policy routes that override these default policy routes. To redirect traffic over the secondary interface, create policy routes to direct some traffic onto it rather than the primary interface. When adding the policy route, only define the outgoing interface and leave the gateway blank. This ensures that the policy route will not be active when the link is down.
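The route selection, failover and reverse path rules described in this section, as an added example (not FortiOS code): a small model in which distance decides which default routes are installed, priority decides which installed route forwards, a policy route with no gateway is ignored while its link is down, and a reply is dropped unless an installed route points back out the ingress interface. The interface names, gateway addresses and subnets are assumed; the rules are taken from this page.

```python
"""Model of FortiGate default-route selection, failover and the reverse path
check as this page describes them. Added example, not FortiOS code; interface
names, gateways and subnets are assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    device: str        # outgoing interface
    gateway: str       # next hop
    distance: int = 10
    priority: int = 0


@dataclass
class PolicyRoute:
    src: str           # source subnet that should use this path
    device: str        # outgoing interface only; the gateway is left blank


class Router:
    def __init__(self, routes, policy_routes=()):
        self.routes = list(routes)
        self.policy_routes = list(policy_routes)
        # Link state as reported by the link health monitor.
        self.link_up = {r.device: True for r in self.routes}

    def link_monitor(self, device, up):
        self.link_up[device] = up

    def installed(self):
        """Default routes present in the routing table: the lowest distance
        among routes whose link is up. Equal distances all stay installed."""
        cands = [r for r in self.routes if self.link_up.get(r.device, False)]
        if not cands:
            return []
        best = min(r.distance for r in cands)
        return [r for r in cands if r.distance == best]

    def forwarding(self):
        """Among installed routes the lowest priority value is preferred;
        priority does not remove the other entries from the table."""
        inst = self.installed()
        if not inst:
            return []
        best = min(r.priority for r in inst)
        return [r for r in inst if r.priority == best]

    def rpf_ok(self, in_device):
        """Reverse path lookup: traffic arriving on in_device is accepted only
        if an installed route would send the reply back out in_device."""
        return any(r.device == in_device for r in self.installed())

    def egress_for(self, src_ip):
        """Policy routes override the routing table, but only while the link
        of their outgoing interface is up (no gateway was configured)."""
        ip = ipaddress.ip_address(src_ip)
        for pr in self.policy_routes:
            if ip in ipaddress.ip_network(pr.src) and self.link_up.get(pr.device, False):
                return [pr.device]
        return sorted(r.device for r in self.forwarding())


def devices(routes):
    return sorted(r.device for r in routes)


def redundant_scenario():
    """wan1 (distance 10) preferred, wan2 (distance 20) as backup.
    Returns (installed, rpf_ok on wan2) before and after wan1 fails."""
    r = Router([Route("wan1", "203.0.113.1", distance=10),
                Route("wan2", "198.51.100.1", distance=20)])
    before = (devices(r.installed()), r.rpf_ok("wan2"))
    r.link_monitor("wan1", False)
    after = (devices(r.installed()), r.rpf_ok("wan2"))
    return before, after


def load_sharing_scenario():
    """Equal distance keeps both routes installed; priority picks wan1 for
    forwarding; a policy route sends 192.168.2.0/24 via wan2 until it fails."""
    r = Router([Route("wan1", "203.0.113.1", distance=10, priority=0),
                Route("wan2", "198.51.100.1", distance=10, priority=5)],
               policy_routes=[PolicyRoute("192.168.2.0/24", "wan2")])
    table = (devices(r.installed()), r.egress_for("192.168.1.10"), r.rpf_ok("wan2"))
    redirected = r.egress_for("192.168.2.10")
    r.link_monitor("wan2", False)
    fallback = r.egress_for("192.168.2.10")
    return table, redirected, fallback


if __name__ == "__main__":
    print(redundant_scenario())
    print(load_sharing_scenario())
```

The redundant scenario is the one that bites in practice: with distance 20 on wan2 its route is not installed while wan1 is up, so the reverse path lookup fails for anything arriving on wan2 and the backup WAN address is unreachable from outside. Equal distance with a higher priority value on wan2 keeps both entries installed, so the check passes while wan1 still carries the forwarded traffic.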
For this configuration to function correctly, you need to configure three specific settings: a link health monitor to determine when the primary interface WAN1 is down and when the connection returns; a default route for each interface; and security policies to allow traffic through each interface to the internal network.

Link Health Monitor. Adding a link health monitor is required for routing failover traffic. When you have dual WAN interfaces that are configured to provide failover, you might not be able to connect to the backup WAN interface, because the FortiGate unit may not route traffic, even responses, out of the backup interface. The FortiGate unit performs a reverse path lookup to prevent spoofed traffic. If no entry can be found in the routing table which sends the return traffic out the same interface, then the incoming traffic is dropped. Enter the Gateway address. Select Advanced.

I have a Fortigate 60D running firmware 5. WAN1 is preferred. The only routes I have configured are static routes, one for each WAN. I remember being able to do this on a Sonicwall, but not how, and it's been a while.
I haven't done failover like that on Fortigate, but I would assume that the second interface is not responding because it is not active. Either that, or the responses are going out the active interface and being dropped at some point as spoofed, since they can't be replied to on the path they are trying to traverse, assuming you have different ISPs on the 2 interfaces. This depends on several factors.
Are these different "WAN" providers? Are you using eBGP? Is this an actual WAN, or two separate internet connections? Why are you manually dictating static routes and ADs? Two entirely separate circuits from two ISPs, separate static ranges for both. Not using eBGP. I realize I'm very likely doing it wrong.
I inherited this firewall and this is not exactly my wheelhouse, but I'm trying to figure out the right way to do it. Pointing me to some resources would also be great.
What's the ancient proverb? Teach a man to subnet... Sounds like you need to dig into this. From a quick look: Quote: 4. Priority keeps the entry active in the routing table; lower priority means the route is preferred, higher priority means the route is not preferred. That sounds interesting for your situation.
Policy routing as well.

User Name. IKE Version. These IPs must be set to 0. Interface Name. P1 Proposal.
The static route ensures that traffic for the VPN does not leave the FortiGate unit for the default gateway. When you select the VPN interface as the Device, there is no requirement for a gateway, as shown by it being greyed out.
These instructions were tested on FortiClient 4. In FortiClient, set the Connection Name, enable Acquire virtual IP address and select Config to ensure that Prompt to login is set. Once connected, the status next to the VPN connection will appear as Up, with the number of seconds it has been up next to it. A window displays each step of the attempted connection; if there are any problems, they will appear here for troubleshooting. In particular, the Message, Action and Error Reason parts of the log messages can be useful when troubleshooting.
Phase 1 settings (from the recipe's settings table):
Remote Gateway: Dialup User
Local Interface
Mode: Main (ID protection)
Authentication Method: Preshared Key
Pre-shared Key
Peer Options: Accept any peer ID
IPv6 Version: clear the check box
Local Gateway IP: Main Interface IP
DNS Server: Use System DNS
DH Group
Enable as Server
Server Type
User Group
NAT Traversal

Asked by giantsnyy. I've tried everything.
I've been able to create the VLANs, create the necessary firewall policies which allow external communication, create the firewall policies which allow intra-VLAN communication where necessary, and test intra-VLAN communication. Everything works, except outside communication. VLAN1 works without an issue. I have even tried separating out the physical interfaces instead of using VLANs, and the result is the same every time. Every connection works, except outbound to the internet on the separate VLANs. VLAN1 is the only VLAN to access the internet. I've read places that I need to create a static route for the outbound, but this customer doesn't have a static IP address. This is a residential customer of mine, and not a business, so they can't get FiOS business for a static IP.
I gave up on the VLANs and tried physical interfaces with the same rules, and the same results applied. It says it will create one automatically, but it did not for me.

I'm not an expert, by any means, but we have a D here. On a side note, I read something about ports 1 and 2 being reserved for something. It was in release notes for an upgrade, so you might do some research on it if you have or will be upgrading soon.

Don't screw with the routes, screw with the ACLs. You would have to create an allow all but deny your internal traffic.

I haven't touched the routes; the default route is automatically set since the WAN port is set as DHCP. I've tried all combinations of ACLs. I managed to get one VLAN working correctly aside from the management VLAN. I've mimicked the ACL on the other VLANs.

The longer you screw with it unsuccessfully, the more you get paid to not accomplish your job, and the more it will cost them. If you have spent more than 3 hours on it, you have spent more than a support contract would cost them.

It's a bit more than that. But if they do not renew, then they don't get any of the bells and whistles like the AV scanning, website filtering, etc. Full bundle for a year is prob

If so then you prob need an outbound NAT rule. This would be the case with pfSense, but pfSense does it automatically. Unless the user turns off automatic outbound NAT, which happens a bunch. If so then yeah, I would bet it's your outbound NAT rule. It doesn't know how to NAT the new networks to its public IP.
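The DMZ recipe above (two VIPs for one web server, NAT left off so the server sees real client addresses, nothing allowed from the DMZ into the internal network) and the missing outbound NAT suggested at the end of this thread can both be shown in one toy model of the forwarding path: VIP destination NAT first, then policy lookup by ingress and egress interface with implicit deny, then optional source NAT to the egress interface address. This is an added example, not FortiOS code or anything posted in the thread; the addresses, interface names and VIP names are assumptions.

```python
"""Toy model of the FortiGate forwarding path as this page describes it.
Added example, not FortiOS code; all addresses, interface and VIP names are
assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str          # ingress interface on input, egress interface on output


@dataclass(frozen=True)
class VIP:
    external_ip: str    # address clients connect to
    mapped_ip: str      # real server address behind the FortiGate
    ext_iface: str      # interface the external address is reachable on


@dataclass(frozen=True)
class Policy:
    srcintf: str
    dstintf: str
    srcaddr: str        # CIDR, "0.0.0.0/0" for all
    dstaddr: frozenset  # VIP names, or ANY
    nat: bool = False   # source NAT to the egress interface address


ANY = frozenset({"all"})


class Firewall:
    def __init__(self, iface_ip, routes, vips, policies):
        self.iface_ip = iface_ip      # interface -> its own address
        self.routes = routes          # [(cidr, iface)], most specific first
        self.vips = vips              # name -> VIP
        self.policies = policies      # ordered; first match wins

    def route(self, dst):
        ip = ipaddress.ip_address(dst)
        for cidr, iface in self.routes:
            if ip in ipaddress.ip_network(cidr):
                return iface
        return None

    def forward(self, pkt):
        """Return (verdict, egress packet or None)."""
        vip_name, dst = None, pkt.dst
        for name, v in self.vips.items():      # DNAT happens before policy lookup
            if v.external_ip == pkt.dst and v.ext_iface == pkt.iface:
                vip_name, dst = name, v.mapped_ip
                break
        out = self.route(dst)
        if out is None:
            return "drop: no route", None
        src_ip = ipaddress.ip_address(pkt.src)
        for p in self.policies:
            if (p.srcintf, p.dstintf) != (pkt.iface, out):
                continue
            if src_ip not in ipaddress.ip_network(p.srcaddr):
                continue
            if "all" not in p.dstaddr and vip_name not in p.dstaddr:
                continue
            src = self.iface_ip[out] if p.nat else pkt.src
            return "accept", Packet(src, dst, out)
        return "deny: no matching policy", None      # implicit deny


def dmz_firewall(nat=False):
    """DMZ recipe: port3 is the DMZ; one web server behind two VIPs."""
    return Firewall(
        iface_ip={"wan1": "203.0.113.2", "internal": "192.168.1.1", "port3": "10.10.10.1"},
        routes=[("10.10.10.0/24", "port3"), ("192.168.1.0/24", "internal"), ("0.0.0.0/0", "wan1")],
        vips={"webserver-external": VIP("203.0.113.2", "10.10.10.22", "wan1"),
              "webserver-internal": VIP("192.168.1.99", "10.10.10.22", "internal")},
        policies=[Policy("wan1", "port3", "0.0.0.0/0", frozenset({"webserver-external"}), nat),
                  Policy("internal", "port3", "192.168.1.0/24", frozenset({"webserver-internal"}), nat)])


def dmz_scenario(nat=False):
    fw = dmz_firewall(nat)
    return {
        "internet_to_web": fw.forward(Packet("198.51.100.7", "203.0.113.2", "wan1")),
        "internal_to_web": fw.forward(Packet("192.168.1.50", "192.168.1.99", "internal")),
        "web_to_internal": fw.forward(Packet("10.10.10.22", "192.168.1.50", "port3")),
    }


def vlan_scenario(nat):
    """Second VLAN with a policy to wan1: without NAT the packet leaves with
    its private source address, which the ISP cannot route back."""
    fw = Firewall(
        iface_ip={"wan1": "203.0.113.2", "vlan10": "192.168.10.1"},
        routes=[("192.168.10.0/24", "vlan10"), ("0.0.0.0/0", "wan1")],
        vips={},
        policies=[Policy("vlan10", "wan1", "192.168.10.0/24", ANY, nat)])
    verdict, out = fw.forward(Packet("192.168.10.5", "93.184.216.34", "vlan10"))
    return verdict, out.src if out else None


if __name__ == "__main__":
    for name, result in dmz_scenario().items():
        print(name, result)
    print("vlan NAT off:", vlan_scenario(False), "NAT on:", vlan_scenario(True))
```

Running dmz_scenario(nat=True) shows the cost the recipe warns about: the web server then sees every client as 10.10.10.1. The VLAN case is the mirror image: the policy accepts the traffic either way, but only with NAT enabled does the egress source become the wan1 address that the ISP will route replies to.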