This document includes information about the steps you can take if your FortiGate isn’t functioning as expected after you’ve installed it in either NAT/Route or Transparent mode. Steps apply to both NAT/Route and Transparent mode, unless noted otherwise.
1. Check your equipment and cables
Verify that all network equipment is powered on and all cables connect to the right interfaces.
2. Check the FortiGate LEDs
There are multiple LEDs on the faceplate of your FortiGate that you can use to troubleshoot the connections. Check the FortiGate LED Specifications guide for more information about the LEDs.
3. Ping the FortiGate
If you can’t ping the FortiGate, verify that the IP address of the computer is on the same subnet as the IP address you’re trying to reach. Also, make sure that PING is enabled for Administrative Access on the FortiGate interface.
If you’re unable to connect using HTTPS or SSH, you need to connect through the console port on the FortiGate. If you are using FortiOS 5.6 or higher, you can also connect using the FortiExplorer app for iOS.
4. Check the FortiGate interface configurations (NAT/Route mode only)
Check the configuration of the FortiGate interfaces to make sure you use the correct Addressing Mode for your network.
5. Verify the security policy configuration
Check the Internet access policy to make sure Action is set to ACCEPT and that the policy is located near the top of the policy list. Check the Sessions column to verify that traffic has been processed by this policy (if this column doesn’t appear, right-click the title row, select Sessions, and select Apply).
If you’re using NAT/Route mode, make sure that NAT is enabled and Use Destination Interface Address is selected.
6. Verify the static routing configuration (NAT/Route mode only)
7. Verify that you can connect to the Internet-facing interface’s IP address (NAT/Route mode only)
Use a computer on the internal network to ping the IP address of the Internet-facing interface. If you can’t connect to the interface, verify that PING has been enabled for Administrative Access on the interface.
If you are still unable to connect, traffic is not allowed to flow from the internal network to the Internet-facing interface. Go back to the installation recipe for your operation mode and verify that you correctly followed all the steps.
8. Verify that you can connect to the gateway provided by your ISP
Use a computer on the internal network to ping the default gateway IP address. If you can’t reach the gateway, contact your ISP to verify that you are using the correct IP address.
9. Ping an IP on the Internet
On the FortiGate, use the CLI command
execute ping to ping the IP address an IP address on the Internet, such as 220.127.116.11, the IP address of Google Public DNS. If you can’t ping the address, then the FortiGate isn’t able to access the Internet.
You can also use the
execute traceroute command to troubleshoot connectivity to the Internet.
10. Verify the DNS configuration
The FortiGate uses the Domain Name System (DNS) to map domain names to the corresponding website IP addresses. Use the CLI command
execute ping to ping a domain name, such as www.fortinet.com, and verify that the name can be resolved.
If it can’t, check that the DNS settings on the FortiGate are correct.
11. Resetting the FortiGate
12. Contacting Fortinet Support
If you need further assistance with troubleshooting your FortiGate, visit the Fortinet Support website.