Last Updated: March 2026
VLAN configuration issues are one of the most common networking problems encountered when deploying or modifying a FortiGate firewall. A typical scenario administrators run into is when a VLAN interface is configured on the FortiGate but traffic refuses to pass through it.
You may observe symptoms such as:
- Devices in the VLAN cannot reach the gateway
- Ping requests fail between VLANs
- Internet access fails for the VLAN network
- Traffic counters remain at zero on the VLAN interface
From a troubleshooting perspective, this can be confusing because the configuration may appear correct at first glance.
In real-world enterprise environments, the problem is almost always caused by misconfigurations between the FortiGate interface and the connected switch — particularly around VLAN tagging, trunk ports, firewall policies, or routing.
This guide walks through the most common causes of FortiGate VLAN traffic failures, along with a systematic troubleshooting approach used by network engineers to quickly isolate and resolve the issue.
Quick Fix Summary
If your FortiGate VLAN interface is not passing traffic, check these first:
- Ensure the switch port connected to the FortiGate is configured as a trunk.
- Verify the VLAN ID on the FortiGate matches the switch VLAN.
- Confirm firewall policies allow traffic between interfaces.
- Make sure VLAN tagging is enabled correctly on both the FortiGate and switch.
- Verify routing and gateway settings for the VLAN network.
These checks resolve the majority of VLAN connectivity issues.
Step-by-Step Troubleshooting
1. Verify the FortiGate VLAN Interface Configuration
The first step is to confirm the VLAN interface is configured correctly on the FortiGate.
A VLAN interface is essentially a logical interface attached to a physical port, and it relies on proper VLAN tagging to function.
Example configuration:
config system interface
edit "VLAN10"
set interface "port1"
set vlanid 10
set ip 192.168.10.1/24
next
end
Key items to verify:
- The correct parent interface is selected
- The VLAN ID matches the switch configuration
- The interface has a valid IP address
- Administrative status is enabled
A mismatch between the VLAN ID on the firewall and switch is one of the most frequent configuration errors.
2. Confirm the Switch Port Is Configured as a Trunk
One of the most overlooked issues is when the switch port connected to the FortiGate is configured as an access port instead of a trunk.
If the switch port is an access port, VLAN tags are removed, and the FortiGate cannot identify the VLAN traffic.
Example trunk configuration (Cisco-style switch):
interface GigabitEthernet1/0/10
switchport mode trunk
switchport trunk allowed vlan 10,20,30
Important checks:
- Port mode must be trunk
- VLAN must be allowed on the trunk
- Native VLAN should not conflict with configured VLANs
In multi-vendor environments (Cisco, Aruba, UniFi, etc.), trunk configuration syntax may differ but the concept remains the same.
3. Check Firewall Policies Between VLANs
Even if VLAN connectivity is functioning at Layer 2, FortiGate still requires firewall policies to allow traffic between interfaces.
For example, if VLAN10 needs internet access via WAN:
Source Interface: VLAN10
Destination Interface: WAN
Source Address: VLAN10 subnet
Destination Address: all
Service: ALL
Action: ACCEPT
NAT: enabled
If the policy is missing, traffic will be silently dropped.
A quick test is to check the FortiGate policy hit counters. If traffic is not hitting a rule, the firewall may not see the packets at all — which often points back to a VLAN tagging issue.
4. Verify Routing Configuration
Routing must be configured correctly for VLAN traffic to reach other networks.
Typical checks include:
- Default route configured toward WAN
- Static routes for internal networks
- Correct gateway configuration for clients
Client devices in the VLAN should use the FortiGate VLAN interface IP as their default gateway.
Example:
Gateway: 192.168.10.1
If the gateway is incorrect, traffic will never reach the firewall.
5. Confirm VLAN Tagging Between Switch and Firewall
VLAN tagging must match on both sides of the connection.
Common mistakes include:
- Switch using VLAN 20 while FortiGate uses VLAN 10
- Tagged VLAN on firewall but untagged on switch
- Native VLAN conflicts
Network engineers often verify this using packet captures.
On FortiGate:
diagnose sniffer packet port1 "vlan" 4
This command shows whether tagged packets are arriving on the interface.
If no VLAN tags appear, the switch configuration is likely incorrect.
6. Check the Physical Interface Status
Another easy thing to overlook is the physical port itself.
Verify:
- Interface is up/up
- No link errors
- Correct speed and duplex settings
You can check interface status using:
diagnose hardware deviceinfo nic port1
If the physical link is unstable, VLAN interfaces relying on that port will also fail.
Additional Troubleshooting Tips
Use FortiGate Packet Capture
Packet captures can reveal exactly where traffic stops.
Example capture command:
diagnose sniffer packet any "host 192.168.10.10" 4
This helps determine:
- Whether packets reach the firewall
- Whether replies leave the firewall
- Whether policies are blocking traffic
Check for Hardware Switch Interfaces
Some FortiGate models use hardware switch interfaces, which can complicate VLAN design.
If VLANs are configured on a hardware switch rather than a physical interface, ensure the VLAN configuration is correct within the switch group.
Verify Inter-VLAN Routing
FortiGate performs routing between VLAN interfaces automatically, but only if:
- Firewall policies allow it
- Interfaces are active
A missing policy between VLAN interfaces is another frequent oversight.
Real-World Experience
In production environments, most FortiGate VLAN issues come down to switch configuration mismatches rather than firewall configuration.
The three most common mistakes I encounter during deployments are:
- Switch port not configured as a trunk
- VLAN ID mismatch between firewall and switch
- Missing firewall policy allowing VLAN traffic
Following a structured troubleshooting process — starting at Layer 1 and working up the stack — dramatically reduces troubleshooting time.
Network engineers who immediately jump into firewall policy debugging often waste hours when the real issue is simply incorrect VLAN tagging on the switch.
FAQ
Why is my FortiGate VLAN interface not receiving traffic?
The most common reason is that the switch port connected to the firewall is not configured as a trunk or the VLAN is not allowed on the trunk.
Do I need firewall policies between VLAN interfaces?
Yes. FortiGate treats VLANs as separate interfaces, so traffic between them requires firewall policies.
Can a VLAN mismatch cause traffic failure?
Yes. If the VLAN ID on the FortiGate does not match the VLAN configured on the switch, traffic will not reach the interface.
How do I verify VLAN tags are arriving at the firewall?
You can run a packet capture using the FortiGate sniffer command to check whether VLAN tags are present in incoming packets.
Why do VLAN traffic counters remain at zero?
This usually means the firewall is not receiving tagged traffic, often due to incorrect switch trunk configuration.
Conclusion
When a FortiGate VLAN interface is not passing traffic, the issue is almost always tied to VLAN tagging mismatches, switch trunk configuration, or missing firewall policies.
By troubleshooting in the correct order:
- Physical interface
- Switch trunk configuration
- VLAN tagging
- Firewall policies
- Routing configuration
administrators can quickly isolate the root cause.
In most environments, the fix turns out to be surprisingly simple — but only after checking the fundamentals.
Last Updated
Last Updated: March 2026
This guide reflects current FortiGate firmware behaviour and VLAN configuration best practices used in modern enterprise networks.
From my early days on the helpdesk through roles as a service desk manager, systems administrator, and network engineer, I’ve spent more than 25 years in the IT world. As I transition into cyber security, my goal is to make tech a little less confusing by sharing what I’ve learned and helping others wherever I can.