
Fortigate guide for Beginner - 5

Being able to install, set up and configure the FortiGate unit as you wish is not the end of the story.
Troubleshooting is also an essential task you will need to perform one day.
So, let's assume you have configured the FortiGate unit in NAT/Route mode to operate for your network,
but the Internet cannot be reached from your network and you need to find out what caused it.
How to troubleshoot?

Use the following steps to find and fix the problem.

1) Check the physical network connections between the PC and the FortiGate unit, as well as between the FortiGate unit and your ISP's
equipment. The Unit Operation dashboard widget indicates the connection status of FortiGate network
interfaces (System > Dashboard > Status).

2) Check the ISP-supplied equipment such as the modem/router to make sure it is operating correctly.
3) Verify that you can connect to the internal IP address of the FortiGate unit (for example, ping the FortiGate from the PC).
4) Check the configuration of the FortiGate interface connected to the internal network.
5) Check the configuration of the FortiGate interface that connects to the Internet to make sure it uses the proper addressing mode, such as Static IP Address mode or DHCP IP Address mode.
    Also check that the chosen address mode is configured with the proper IP address and netmask.
6) To verify that you can communicate from the FortiGate unit to the Internet, access the FortiGate CLI and use the execute ping command to ping an address or domain name
    on the Internet. You can also use the execute traceroute command to troubleshoot connectivity to the Internet.


FW_TEST # execute ping
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=54 time=2.8 ms
64 bytes from icmp_seq=1 ttl=54 time=2.7 ms
64 bytes from icmp_seq=2 ttl=54 time=2.7 ms
64 bytes from icmp_seq=3 ttl=54 time=2.6 ms
64 bytes from icmp_seq=4 ttl=54 time=2.6 ms
--- ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 2.6/2.6/2.8 ms

FW_TEST # execute traceroute
traceroute to (, 32 hops max, 72 byte packets
 1  0 ms  0 ms  0 ms
 2  0 ms  0 ms  0 ms
 3  1 ms  1 ms  1 ms
 4  1 ms  1 ms  1 ms
 5  1 ms  1 ms  1 ms
 6  1 ms  5 ms  1 ms
 7  2 ms  2 ms  2 ms
 8  3 ms  2 ms  2 ms
 9  2 ms  2 ms  2 ms

7) Verify the DNS configuration of the FortiGate unit and of the PCs on the internal network. You can check for DNS errors by pinging or using traceroute to a domain name. If the
    name cannot be resolved, the FortiGate unit or PC cannot reach a DNS server, and you should confirm that the DNS server IP addresses are present and correct. For example:
    ping: cannot resolve Unknown host

8) Verify the security policy configuration.
    Go to Policy > Policy > Policy and verify that an internal -> wan1 security policy has been added. Check the Count column to see if the policy has been processing traffic.
    Check the configuration of the policy to make sure it is similar to the following and that Enable NAT and Use Destination Interface Address is selected:

9) Verify the static routing configuration.
    Go to Router > Static > Static Route and verify that the default route is correct. Go to Router > Monitor > Router Monitor and take a look at the routing monitor and verify that
    the default route appears in the list as a static route. Along with the default route, you should see at least two connected routes, one for each connected FortiGate interface.
10) Disable web filtering.
      If you have enabled web filtering in a security policy, it may be blocking access to the web site that you are attempting to connect to.
      One common cause is a rating error, for example when the FortiGate cannot reach the FortiGuard web filter rating service. To fix this problem, go to UTM Profiles > Web Filter > Profile, and in the default profile, select Advanced
      Filter and enable the Allow Websites When a Rating Error Occurs option.
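As an added example (not code from the original post), the Python helper below classifies the output of the execute ping command from step 6 and maps the result to the step of this guide to check next. The sample outputs, the host 203.0.113.10 and the name www.example.com are constructed placeholders, not captures from a real unit.

```python
import re

# Constructed sample outputs in the shape the FortiGate CLI prints for
# "execute ping"; 203.0.113.10 and www.example.com are placeholders.
PING_OK = """\
PING 203.0.113.10 (203.0.113.10): 56 data bytes
64 bytes from 203.0.113.10: icmp_seq=0 ttl=54 time=2.8 ms
64 bytes from 203.0.113.10: icmp_seq=1 ttl=54 time=2.6 ms

--- 203.0.113.10 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 2.6/2.7/2.8 ms
"""
PING_DNS_FAIL = "ping: cannot resolve www.example.com: Unknown host\n"
PING_NO_REPLY = """\
PING 203.0.113.10 (203.0.113.10): 56 data bytes
Timeout...
Timeout...

--- 203.0.113.10 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
"""

STATS_RE = re.compile(r"(\d+) packets transmitted, (\d+) packets received, (\d+)% packet loss")
RTT_RE = re.compile(r"round-trip min/avg/max = ([\d.]+)/([\d.]+)/([\d.]+) ms")


def classify_ping(output: str) -> dict:
    """Turn raw 'execute ping' output into a verdict plus the guide step to check next."""
    # Name resolution failed before any packet was sent: a DNS problem (step 7).
    if re.search(r"cannot resolve .*Unknown host", output):
        return {"verdict": "dns_failure", "loss_pct": None, "avg_ms": None,
                "next_step": "7: confirm the DNS server addresses on the FortiGate"}
    stats = STATS_RE.search(output)
    if not stats:
        return {"verdict": "unparsed", "loss_pct": None, "avg_ms": None,
                "next_step": "6: re-run execute ping and capture the full output"}
    sent, received, loss = (int(g) for g in stats.groups())
    rtt = RTT_RE.search(output)
    avg_ms = float(rtt.group(2)) if rtt else None
    if received == 0:
        verdict, step = "no_connectivity", "5/9: WAN addressing mode and default route"
    elif loss > 0:
        verdict, step = "packet_loss", "1/2: physical links and ISP equipment"
    else:  # The unit itself reaches the Internet, so look between the PC and the unit.
        verdict, step = "ok", "3/4/8/10: internal interface, security policy with NAT, web filter"
    return {"verdict": verdict, "loss_pct": loss, "avg_ms": avg_ms, "next_step": step}
```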

That's all. I hope you will be able to troubleshoot your FortiGate unit with the above steps.

May you all be happy.
(Be knowledgeable, pass it on then)

