
Clients Cannot Reach the Internet

Symptom: LAN clients can't browse, no DNS resolution, "no internet connection." Most common FortiGate complaint.

Diagnose

Work down the stack, eliminating layers:

1. Is the FortiGate itself online?

From the FortiGate:

execute ping 8.8.8.8
execute ping google.com

  • Both work → FortiGate has internet AND DNS. Issue is between FortiGate and clients.
  • IP works, DNS fails → DNS resolution on the FortiGate is broken (see step 4).
  • Both fail → FortiGate has no internet. WAN/route/ISP issue.

2. Is there a default route?

get router info routing-table all | grep "^S\*"

Should show a 0.0.0.0/0 line. If missing → Add a Static Route.

3. Is the gateway reachable?

execute ping <gateway-ip>

If it fails → physical link, ISP, or wrong gateway IP.

4. Is DNS configured?

get system dns

If primary/secondary blank or unreachable → fix per Configure DNS Settings.

5. From the client side

# Can client reach FortiGate?
ping <fortigate-lan-ip>

# Can client resolve DNS?
nslookup google.com

# Can client reach gateway?
traceroute 8.8.8.8

6. Does a firewall policy exist?

A LAN-to-WAN policy with NAT must exist. See Enable IP Forwarding.

7. Debug a specific failed flow

diagnose debug flow filter saddr <client-ip>
diagnose debug flow filter daddr 8.8.8.8
diagnose debug flow show function-name enable
diagnose debug enable
diagnose debug flow trace start 10

# (Generate traffic from client, watch output)

diagnose debug disable

This shows exactly what the FortiGate does with the packet — route lookup, policy match, NAT, egress interface. The trace usually pinpoints the issue.
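Reading a step-7 trace by hand gets tedious once several flows are captured. As an added example (not part of the original page or Fortinet's tooling), this Python script groups `diagnose debug flow` lines by trace_id and reports the stage at which each flow stopped. The sample lines are constructed in the FortiOS `id=... trace_id=... func=... msg="..."` shape, and the matched message wording (route found, allowed/denied by policy, SNAT) is assumed from typical FortiOS output, so check it against the firmware in use.

```python
import re

# FortiOS flow-trace lines share one shape: id=20085 trace_id=1 func=<fn> line=<n> msg="<text>"
LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="([^"]*)"')

# Stage markers. Wording is assumed from common FortiOS output; verify on your firmware.
STAGES = [
    (re.compile(r"received a packet\(proto=\d+, (\S+)->(\S+)\) from (\w+)"),
     lambda f, r: f.update(src=r.group(1), dst=r.group(2), ingress=r.group(3))),
    (re.compile(r"find a route: .*via (\w+)"), lambda f, r: f.update(egress=r.group(1))),
    (re.compile(r"Allowed by Policy-(\d+)"), lambda f, r: f.update(policy=int(r.group(1)), verdict="allowed")),
    (re.compile(r"Denied by forward policy check \(policy (\d+)\)"),
     lambda f, r: f.update(policy=int(r.group(1)), verdict="denied")),
    (re.compile(r"SNAT \S+->(\S+)"), lambda f, r: f.update(snat=r.group(1))),
]

def classify_trace(lines):
    # Group lines by trace_id and record how far each flow got through the forwarding path.
    flows = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        f = flows.setdefault(int(m.group(1)), dict(src=None, dst=None, ingress=None,
                             egress=None, policy=None, snat=None, verdict="incomplete"))
        for pattern, apply in STAGES:
            r = pattern.search(m.group(3))
            if r:
                apply(f, r)
                break
    return flows

def diagnosis(f):
    # Map where the flow stopped to the checklist item above (route, policy, NAT).
    if f["verdict"] == "denied":
        return "denied by policy %d: no matching LAN-to-WAN policy" % f["policy"]
    if f["egress"] is None:
        return "no route lookup result: check the default route"
    if f["verdict"] == "allowed" and f["snat"] is None:
        return "allowed by policy %d but not translated: enable NAT on the policy" % f["policy"]
    return "allowed by policy %s, egress %s, SNAT %s" % (f["policy"], f["egress"], f["snat"])

# Constructed sample trace: flow 1 is healthy, flow 2 hits the implicit deny (policy 0).
SAMPLE = '''\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 192.168.1.10:1->8.8.8.8:2048) from port2. code=8, type=0, id=1, seq=1."
id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-203.0.113.1 via port1"
id=20085 trace_id=1 func=fw_forward_handler line=737 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3026 msg="SNAT 192.168.1.10->203.0.113.5:60000"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 192.168.1.11:51000->8.8.8.8:443) from port2. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-203.0.113.1 via port1"
id=20085 trace_id=2 func=fw_forward_handler line=737 msg="Denied by forward policy check (policy 0)"
'''.splitlines()
```

Paste the captured trace into SAMPLE (or read it from a file) and print `diagnosis(f)` for each entry of `classify_trace(...)`.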

Common Causes

  • Default route missing or wrong.
  • No LAN-to-WAN firewall policy.
  • NAT disabled on the policy (traffic from RFC1918 client addresses leaves the WAN, but the replies cannot be routed back).
  • DNS not configured.
  • WAN interface down or wrong IP.
  • ISP issue (last resort to suspect, but it does happen).