Troubleshooting your FortiGate Installation
If your FortiGate does not function as desired after installation, try the following troubleshooting tips:
- Use FortiExplorer if you can’t connect to the FortiGate over Ethernet.
If you can’t connect to the FortiGate GUI or CLI, you may be able to connect using FortiExplorer. See your FortiGate’s Quick Start Guide for details.
- Check for equipment issues.
Verify that all network equipment is powered on and operating as expected. Refer to the Quick Start Guide for information about connecting your FortiGate to the network. You will also find detailed information about the FortiGate LED indicators.
- Check the physical network connections.
Check the cables used for all physical connections to ensure that they are fully connected and do not appear damaged, and make sure that each cable connects to the correct device and the correct Ethernet port on that device.
Also, check the Unit Operation widget, found in the Dashboard, to make sure the ports used in the connections are shown in green.
- Verify that you can connect to the internal IP address of the FortiGate.
Connect to the GUI from the FortiGate’s internal interface by browsing to its IP address. From the PC, try to ping the internal interface IP address; for example,
If you cannot connect to the internal interface, verify the IP configuration of the PC. If you can ping the interface but can't connect to the GUI, check the settings for administrative access on that interface.
- Check the FortiGate interface configurations.
Check the configuration of the FortiGate interface connected to the internal network, and check the configuration of the FortiGate interface that connects to the Internet to make sure Addressing Mode is set to the correct mode.
- Verify the security policy configuration.
Go to Policy & Objects > IPv4 Policy and verify that the internal interface to Internet-facing interface security policy has been added and is located near the top of the policy list. Check the Sessions column to ensure that traffic has been processed (if this column does not appear, right-click on the title row, select Sessions, and select Apply).
If you are using NAT/Route mode, check the configuration of the policy to make sure that NAT is turned on and that Use Outgoing Interface Address is selected.
- Verify that you can connect to the Internet-facing interface’s IP address.
Ping the IP address of the FortiGate’s Internet-facing interface. If you cannot connect to the interface, the FortiGate is not allowing sessions from the internal interface to the Internet-facing interface.
- Verify the static routing configuration.
Go to Network > Static Routes and verify that the default route is correct. Go to Monitor > Routing Monitor and verify that the default route appears in the list as a static route. Along with the default route, you should see two routes shown as Connected, one for each connected FortiGate interface.
- Verify that you can connect to the gateway provided by your ISP.
Ping the default gateway IP address from a PC on the internal network. If you cannot reach the gateway, contact your ISP to verify that you are using the correct gateway.
- Verify that you can communicate from the FortiGate to the Internet.
Access the FortiGate CLI and use the command 220.127.116.11. You can also use the execute traceroute 18.104.22.168 command to troubleshoot connectivity to the Internet.
- Verify the DNS configurations of the FortiGate and the PCs.
Check for DNS errors by pinging or using traceroute to connect to a domain name; for example:
If the name cannot be resolved, the FortiGate or PC cannot connect to a DNS server and you should confirm that the DNS server IP addresses are present and correct.
- Confirm that the FortiGate can connect to the FortiGuard network.
Once registered, the FortiGate obtains AntiVirus, Application Control, and other updates from the FortiGuard network. Once the FortiGate is on your network, you should confirm that it can reach the FortiGuard network.
First, check the License Information widget to make sure that the status of all FortiGuard services matches the services that you have purchased.
Go to System > FortiGuard. Expand Web Filtering and Email Filtering Options and select Test Availability. After a minute, the GUI should indicate a successful connection.
- Consider changing the MAC address of your external interface.
Some ISPs do not want the MAC address of the device connecting to their network cable to change. If you have added a FortiGate to your network, you may have to change the MAC address of the Internet-facing interface using the following CLI command:
config system interface
    edit <interface>
        set macaddr <xx:xx:xx:xx:xx:xx>
    end
- Either reset the FortiGate to factory defaults or contact the technical assistance center.
If all else fails, reset the FortiGate to factory defaults using the CLI command execute factoryreset. When prompted, type y to confirm the reset.
You can also contact Fortinet Support for assistance. Read the following article found on the Fortinet Cookbook website: How to work with Fortinet Support to understand what type of support is available and to determine which level of support is right for you. For further information, go to support.fortinet.com.
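
The ping and DNS checks in the list above can be run in order from a PC on the internal network so that the first failing layer points at the item to revisit. The script below is an added example, not Fortinet code; it assumes a Linux PC with iputils ping and getent, and every address, variable name and function name in it is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not Fortinet code). Run from a Linux PC on the internal network.
# All addresses are constructed placeholders; override them via the environment.
LAN_IP="${LAN_IP:-192.0.2.1}"        # FortiGate internal interface
WAN_IP="${WAN_IP:-203.0.113.2}"      # FortiGate Internet-facing interface
GW_IP="${GW_IP:-203.0.113.1}"        # default gateway provided by the ISP
NET_IP="${NET_IP:-198.51.100.10}"    # any Internet host that answers ping
DNS_NAME="${DNS_NAME:-example.com}"  # name used for the DNS check
PROBE="${PROBE:-probe}"              # probe function; replaceable for dry runs

# probe <kind> <target>: exit 0 when the target answers (iputils ping, getent).
probe() {
    case "$1" in
        ping) ping -c 2 -W 2 "$2" >/dev/null 2>&1 ;;
        dns)  getent hosts "$2" >/dev/null 2>&1 ;;
        *)    return 2 ;;
    esac
}

# Walk the layers in checklist order; print the first that fails, or "ok".
first_failure() {
    while read -r layer kind target; do
        "$PROBE" "$kind" "$target" </dev/null || { echo "$layer"; return 1; }
    done <<EOF
internal ping $LAN_IP
wan ping $WAN_IP
gateway ping $GW_IP
internet ping $NET_IP
dns dns $DNS_NAME
EOF
    echo ok
}

# Map a failed layer to the checklist item to revisit.
advice() {
    case "$1" in
        internal) echo "verify the PC IP configuration and the physical connections" ;;
        wan)      echo "check the security policy between the interfaces and its NAT setting" ;;
        gateway)  echo "check the default route under Network > Static Routes, then confirm the gateway with the ISP" ;;
        internet) echo "run execute traceroute from the FortiGate CLI" ;;
        dns)      echo "confirm the DNS server addresses on the FortiGate and the PC" ;;
    esac
}

report() {
    layer=$(first_failure) && { echo "all layers reachable"; return 0; }
    echo "first failure: $layer - $(advice "$layer")"; return 1
}

if [ "${1:-}" = "--run" ]; then report; fi
```

Run it as `sh check.sh --run`. A failed ping to a FortiGate interface can also mean that PING is not enabled in that interface's administrative access settings, so check those before concluding that the layer is down.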