FortiGate Firewall Troubleshooting: Basic Connectivity & Interface Status

1. Basic Connectivity & Interface Status


Check interface status


get system interface physical

get system interface



Confirm the link is up and that the interface has the correct IP address and subnet mask. A link that stays down with a correct IP is a cabling, speed/duplex or VLAN problem, not a FortiGate policy problem.


Make sure administrative access (HTTPS, SSH, PING) is enabled on the interface you manage or ping the FortiGate from. PING only controls whether the FortiGate answers pings addressed to that interface; it has no effect on traffic passing through. Enable HTTPS and SSH only on trusted management interfaces and restrict them with trusted hosts on the admin accounts, never on an internet-facing interface.


Test connectivity


execute ping <destination_IP>

execute traceroute <destination_IP>



Pinging from the FortiGate itself takes the client out of the equation: if the FortiGate cannot reach the destination, the problem is routing or upstream; if it can but the client cannot, look at the policy, NAT or the return path.
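As an added example (not commands from the original page): checking one interface's link state and admin-access settings, then testing from a chosen source address so that the return path is exercised as well. The interface names port1 and wan1 and the addresses 10.1.1.1 and 203.0.113.1 are assumptions for illustration.

```fortios
# Link state, negotiated speed/duplex and error counters for the physical
# port (assumed name: port1). Rx/Tx errors climbing = layer 1/2 problem.
diagnose hardware deviceinfo nic port1

# Full configuration of the interface: check "set ip" and "set allowaccess"
show system interface port1

# Ping from the LAN-side address (assumed 10.1.1.1) instead of the egress
# interface address. If this fails while a plain ping works, the upstream
# router has no route back to the LAN subnet (or SNAT is expected there).
execute ping-options source 10.1.1.1
execute ping-options repeat-count 3
execute ping-options view-settings
execute ping 203.0.113.1
execute traceroute 203.0.113.1
execute ping-options reset

# Hardening check that goes with "admin access enabled": an internet-facing
# interface (assumed name: wan1) answers ping at most, never HTTPS or SSH
config system interface
    edit "wan1"
        set allowaccess ping
    next
end
```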


2. Routing Verification


Check routing table


get router info routing-table all



Confirm the default route (0.0.0.0/0) points to the correct gateway and egress interface, and that no more specific static route or policy route is pulling the traffic elsewhere. Each entry shows its administrative distance and metric in brackets; a route that exists in the configuration but is missing from this table is inactive, usually because its gateway is unreachable or its interface is down.


If using dynamic routing (OSPF, BGP, RIP), check:


get router info ospf neighbor

get router info bgp summary
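An added example (not from the original page) of answering the concrete question "which route will this destination take, and is anything overriding it". The destination 203.0.113.50 is an assumption for illustration.

```fortios
# The single routing entry that 203.0.113.50 matches: prefix, next hop,
# egress interface, distance and metric. Faster than reading the whole table.
get router info routing-table details 203.0.113.50

# Policy routes are consulted before the routing table and silently override
# it; an old test policy route here is a classic cause of "wrong interface"
diagnose firewall proute list

# Kernel forwarding table. Compare with the routing table above when the two
# disagree, for example after an SD-WAN or ECMP change
diagnose ip route list
```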


3. Firewall Policy Check


List all firewall policies


show firewall policy



Ensure a policy exists from the source interface/zone to the destination interface/zone whose source and destination address objects contain the IPs in question. Policies are evaluated top-down and the first match wins; traffic that matches nothing hits the implicit deny at the bottom of the list.


Confirm:


Policy is enabled.


Action is ACCEPT, not DENY, and no broader DENY policy sits above it.


Correct service (TCP/UDP port or ICMP) and an active schedule.


Correct NAT settings: NAT enabled for outbound traffic that must leave with a public address, and the VIP object as the destination for inbound DNAT.


Check which policy the traffic actually matches


diagnose sys session filter clear

diagnose sys session filter src <source_IP>

diagnose sys session filter dst <destination_IP>

diagnose sys session list



Each diagnose sys session filter command sets one criterion; they accumulate until cleared. Every session in the output carries a policy_id= field naming the policy it matched, so this shows whether the traffic hits the policy you expect or a different one higher up. If no session exists at all, the packets are being dropped before a session is created (no matching policy, routing failure or reverse-path check), and a packet-level flow trace is needed to see why.
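Beyond the session table, the authoritative answer to "which policy did this packet hit, and why was it dropped" is the flow trace. The sequence below is an added example, not commands from the original page; the client 10.1.1.10, the server 203.0.113.50, TCP port 443 and policy id 12 are assumptions for illustration, and the quoted message strings are the typical forms these trace lines take. Each diagnose debug flow filter call sets one criterion.

```fortios
# Clear any leftover debug state from an earlier session
diagnose debug reset

# Filter tightly: an unfiltered trace prints every packet and loads the CPU
diagnose debug flow filter addr 10.1.1.10
diagnose debug flow filter dport 443
diagnose debug flow filter proto 6

# Include function names and the policy-lookup (iprope) decisions
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable

# Trace the next 20 matching packets, then generate traffic from the client
diagnose debug enable
diagnose debug flow trace start 20

# Lines to look for in the output (typical forms):
#   "find a route: ... via wan1"                -> routing decision and egress interface
#   "Allowed by Policy-12: SNAT"                -> matching policy id, NAT applied
#   "Denied by forward policy check (policy 0)" -> nothing matched: implicit deny
#   "reverse path check fail, drop"             -> asymmetric routing / RPF failure
#   "iprope_in_check() check failed on policy 0, drop"
#                                               -> traffic to the FortiGate itself,
#                                                  blocked by local-in / admin access

# Always stop the trace and turn debugging off; it stays enabled otherwise
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset

# With the policy id known, list the live sessions that matched it
diagnose sys session filter clear
diagnose sys session filter policy 12
diagnose sys session list
```

Read the trace in the order the page's golden rule gives: the interface the packet arrived on, the route found, the policy verdict, then the NAT line. The first line that is missing or wrong is the layer to fix.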


4. Security Profiles & UTM Features


If issues occur only with web or application traffic while ICMP and plain TCP connections work, check whether:


Web Filter, Application Control, IPS, antivirus or SSL inspection on the policy is blocking the traffic. The Security Events (UTM) log names the profile and signature that made the decision, and in the forward traffic log such sessions show utmaction=block rather than a policy deny. Deep SSL inspection also breaks clients that do not trust the FortiGate's CA certificate and applications that pin certificates; that is a certificate error on the client, not a block, but it looks the same to the user.


As a last resort, temporarily remove the security profile from a narrow test policy (one source host, one destination) to confirm it is the cause, then put it back. Do not strip inspection from a broad production policy to test.


5. NAT Troubleshooting


Check SNAT/DNAT configuration


show firewall ippool

show firewall vip



For DNAT (Virtual IP), ensure the VIP maps the external IP and port to the right internal IP and port, is bound to the correct external interface, and is referenced as the destination address of the inbound policy; an ordinary address object for the same external IP does not trigger the translation.


For SNAT, ensure the policy has NAT enabled and uses either the correct IP pool or "Use Outgoing Interface Address". With a pool, the pool addresses must be routed back to the FortiGate by the upstream side, otherwise replies never return.
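An added example (not configuration from the original page) of a VIP with the two policies that make DNAT and SNAT work, including the mistake that most often makes a VIP "not work": a policy whose destination is an address object for the external IP instead of the VIP object. The object names (web-dnat, snat-pool, lan-subnet), interfaces (wan1, port2) and addresses are assumptions, and central NAT is assumed to be disabled (the default).

```fortios
# DNAT: map 203.0.113.10:443 on wan1 to the internal web server 10.1.1.20:443
config firewall vip
    edit "web-dnat"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.1.1.20"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

# Inbound policy: dstaddr MUST be the VIP object. An address object for
# 203.0.113.10 in its place leaves the packet untranslated, so nothing matches
# and a flow trace reports it as denied by policy 0.
# NAT stays disabled on purpose: with "set nat enable" the server would see
# every connection from the FortiGate's address and lose the client IP in
# its own logs.
config firewall policy
    edit 0
        set name "inbound-web"
        set srcintf "wan1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "web-dnat"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
        set logtraffic all
    next
end

# SNAT: outbound LAN traffic leaves from a dedicated pool address
config firewall ippool
    edit "snat-pool"
        set type overload
        set startip 203.0.113.20
        set endip 203.0.113.20
    next
end

config firewall policy
    edit 0
        set name "outbound-lan"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "lan-subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "snat-pool"
        set logtraffic all
    next
end

# Verify on a live session: the "hook=pre dir=org act=dnat" and
# "hook=post dir=org act=snat" lines show what was actually rewritten
diagnose sys session filter clear
diagnose sys session filter dst 10.1.1.20
diagnose sys session list
```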


6. Logs & Monitoring


View traffic logs


execute log filter category 0

execute log display



Category 0 is the forward traffic log. Or via GUI → Log & Report → Forward Traffic.


Look for action=deny entries and read the policyid field: policyid=0 means no policy matched and the implicit deny dropped the traffic; any other value names the explicit deny policy. The implicit deny policy does not log by default, so enable "Log violation traffic" on it while troubleshooting, otherwise unmatched traffic leaves no trace in the logs.
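An added example (not from the original page) of narrowing the CLI log view to the denied traffic from one client instead of scrolling the whole traffic log. The client address 10.1.1.10 is an assumption for illustration.

```fortios
# Start from a clean filter, then stack criteria: traffic log (category 0),
# one source IP, denied entries only, most recent 50 lines
execute log filter reset
execute log filter category 0
execute log filter field srcip 10.1.1.10
execute log filter field action deny
execute log filter view-lines 50

# Print the active filter before trusting the result, then display
execute log filter dump
execute log display

# Fields worth reading in each line:
#   policyid=0        nothing matched: the implicit deny dropped it
#   policyid=N        explicit policy N with action=deny
#   dstintf=...       the egress interface routing chose (wrong one = routing)
#   utmaction=block   a security profile, not the policy action, stopped it
```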


7. Session & Connection Issues


Clear stuck sessions


diagnose sys session filter clear

diagnose sys session filter src <IP>

diagnose sys session list

diagnose sys session clear



Useful when a stale session keeps traffic on an old path. Always set the filter and list the matches first: diagnose sys session clear with no filter drops every session on the unit, which disconnects all users and VPNs at once. Clearing a session only forces it to be re-created on the next packet; if the underlying route, policy or NAT problem is still there, the new session fails in the same way.


8. Firmware & Resource Checks


Check CPU & Memory usage


get system performance status



Check firmware version


get system status



If bugs are suspected, review release notes and consider upgrading.
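An added example (not commands from the original page) of the resource checks that distinguish a configuration problem from an exhausted unit; memory conserve mode in particular drops or bypasses new sessions in a way that looks exactly like a policy problem.

```fortios
# Overall CPU, memory, session count and uptime
get system performance status

# Per-process view, refreshed every 2 seconds, 20 lines: a single daemon
# pinned at 100% (ipsengine, wad, scanunitd ...) usually explains a slowdown
diagnose sys top 2 20

# Session table size and session setup rate; compare with the model's limit
diagnose sys session stat

# Memory usage and the conserve-mode thresholds. In conserve mode the unit
# either blocks or bypasses new sessions that need proxy inspection,
# depending on the fail-open setting, so traffic "randomly" fails
diagnose hardware sysinfo memory
diagnose hardware sysinfo conserve

# Firmware build, to compare against the release notes before blaming a bug
get system status
```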


9. Packet Capture (Deep Diagnosis)


Capture packets directly on FortiGate:


diagnose sniffer packet any 'host <IP>' 4



The filter uses tcpdump syntax. Verbosity level 4 prints the packet headers together with the ingress and egress interface name, which is what you need to see a packet arrive on one interface and leave (or fail to leave) on another; levels 3 and 6 add the full payload in hex, which Fortinet's fgt2eth script converts into a pcap for Wireshark. The sniffer runs in software on the CPU, so keep the filter narrow and add a packet count as the next argument (0 means unlimited) instead of capturing everything on a busy unit.
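An added example (not from the original page) of captures with a bounded count and timestamps, first on all interfaces to watch one flow cross the unit, then on the WAN side only. The client 10.1.1.10, the pool address 203.0.113.20 and the interface name wan1 are assumptions for illustration.

```fortios
# Headers + interface names (level 4), at most 20 packets, local timestamps,
# all interfaces. A forwarded packet shows up twice: arriving on the LAN
# interface and leaving on wan1 with its translated source. If it only ever
# appears on the LAN side, the FortiGate dropped it: back to routing/policy.
diagnose sniffer packet any 'host 10.1.1.10 and tcp port 443' 4 20 l

# WAN side only, filtering on the translated address, unlimited count (0)
# with absolute timestamps; stop it with Ctrl-C
diagnose sniffer packet wan1 'host 203.0.113.20 and tcp port 443' 4 0 a

# Level 6 adds the ethernet frame and payload in hex for fgt2eth/Wireshark;
# keep the count small, this is the most expensive mode
diagnose sniffer packet any 'host 10.1.1.10 and icmp' 6 10 a
```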


✅ Golden Rule:

On FortiGate, traffic flow = Interface + Routing + Policy + NAT. If any one of these four is wrong, the traffic won't pass. Check them in that order, with one refinement: destination NAT (a VIP) is applied before the route lookup, so for inbound traffic a missing or wrong VIP shows up as a routing or policy failure, while source NAT is applied after the policy decision.

