May 30, 2026 · 18 min read
Troubleshooting network connectivity issues on a FortiGate firewall can be a daunting task. When packets aren't reaching their destination, or you're experiencing slow performance, pinpointing the exact location of the problem is crucial. This is where the humble, yet powerful, traceroute command comes into play. Understanding how to effectively use the traceroute command in FortiGate is an indispensable skill for any network administrator working with Fortinet devices.
This comprehensive guide will walk you through everything you need to know about the fortigate traceroute command, from basic usage to advanced troubleshooting techniques. We'll explore its significance in network diagnostics, provide practical examples, and even touch upon common pitfalls and how to overcome them. Whether you're new to FortiGate or a seasoned professional, this article aims to enhance your ability to diagnose and resolve network path issues using this essential command.
What is Traceroute and Why is it Important on a FortiGate?
At its core, traceroute is a diagnostic tool that maps the path packets take from your FortiGate firewall to a specified destination host. It does this by sending out a series of packets, each with an incrementally increasing Time-To-Live (TTL) value. The TTL value dictates how many network hops a packet can traverse before being discarded. As each packet reaches a router (a hop), that router sends back an Internet Control Message Protocol (ICMP) "Time Exceeded" message. Traceroute captures these messages, revealing the IP address and response time of each router along the path.
On a FortiGate firewall, the traceroute fortigate command is invaluable for several reasons:
- Path Identification: It visualizes the route your traffic is taking, showing all the intermediate routers and network devices between your firewall and the target. This helps understand how your network is connected and where potential bottlenecks might exist.
- Latency Detection: By measuring the round-trip time (RTT) for each hop, traceroute helps identify which specific segment of the network is introducing significant delays. High latency at a particular hop can indicate congestion or routing problems.
- Packet Loss Diagnosis: If a hop consistently fails to respond within a reasonable time, it suggests packet loss at that point or a firewall blocking ICMP responses. This is a critical indicator of connectivity issues.
- Routing Misconfigurations: Traceroute can reveal unexpected or incorrect routing paths. If the path deviates significantly from what you expect, it might point to a misconfigured routing table on an internal device or an upstream provider.
- Firewall Policy Verification: While not its primary function, traceroute can indirectly help verify if firewall policies are allowing or blocking specific traffic. If a traceroute stops abruptly at a certain point, it could indicate a policy is preventing traffic from progressing.
In essence, the traceroute command in fortigate firewall acts as a network detective, providing crucial clues to diagnose and resolve connectivity problems that impact your internal users and external services.
How to Execute the Traceroute Command on FortiGate
Accessing and running the fortigate traceroute command is typically done via the FortiGate's Command Line Interface (CLI). You can connect to your FortiGate using SSH or Telnet, or by using the CLI console available within the FortiGate's web-based manager (GUI).
Once you have CLI access, the basic syntax for running a traceroute is straightforward:
traceroute <destination_ip_or_hostname>
Let's break down the components:
traceroute: This is the command itself, initiating the traceroute process.<destination_ip_or_hostname>: This is the IP address or the resolvable hostname of the target you want to trace the route to. This could be an internal server, a website on the internet, or another network device.
Example: To trace the route to Google's DNS server (8.8.8.8), you would type:
traceroute 8.8.8.8
Or, to trace to a website like "www.example.com":
traceroute www.example.com
Important Considerations:
- Privilege Level: Ensure you have sufficient administrative privileges to execute CLI commands. Usually, this means logging in as an administrator.
- Network Reachability: The FortiGate itself must have a route to reach the destination IP address or hostname for the traceroute to succeed. If the FortiGate cannot reach the destination, the traceroute will likely fail.
- ICMP Blocking: Some network devices or firewalls along the path might be configured to block ICMP "Time Exceeded" messages, which traceroute relies on. In such cases, the traceroute output might show asterisks (
* * *) for those hops, indicating a lack of response rather than a complete failure to reach that hop.
Interpreting Traceroute Output
The output of the traceroute command in fortigate provides a wealth of information. Let's analyze a typical output to understand what each part signifies.
When you run traceroute 8.8.8.8, you might see something like this:
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 192.168.1.1 (192.168.1.1) 0.987 ms 1.123 ms 1.345 ms
2 10.0.0.1 (10.0.0.1) 5.432 ms 5.678 ms 5.901 ms
3 * * *
4 203.0.113.5 (203.0.113.5) 15.123 ms 15.456 ms 15.789 ms
5 198.51.100.10 (198.51.100.10) 20.012 ms 20.345 ms 20.678 ms
...
Let's break down each line and element:
Header Line:
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets- Confirms the destination IP address and hostname.
30 hops max: Indicates the maximum number of hops the traceroute will attempt before giving up. This is a configurable parameter (we'll discuss options later).60 byte packets: Shows the size of the probes sent. Some traceroute implementations send ICMP Echo Requests, while others use UDP or TCP probes.
Individual Hop Lines: Each subsequent line represents a hop (router) along the path.
- Hop Number: The first number (e.g.,
1,2,3) indicates the sequence of the hop from your FortiGate. - IP Address and Hostname (if resolved): After the hop number, you'll see the IP address of the router at that hop (e.g.,
192.168.1.1). If the FortiGate can resolve the IP address to a hostname (via DNS lookup), it will display that as well (e.g.,192.168.1.1 (192.168.1.1)- in this case, the hostname is the same as the IP). - Round-Trip Times (RTTs): Following the IP/hostname, you'll see three sets of timings (e.g.,
0.987 ms 1.123 ms 1.345 ms). These are the round-trip times for three separate probe packets sent to that hop. The goal is to get three successful responses and measure their latency. - Asterisks (
* * *): If a hop doesn't respond to any of the probes within the timeout period, you'll see asterisks. This usually means:- The router is configured not to send ICMP "Time Exceeded" messages.
- A firewall (either on the intermediate router or a separate device) is blocking the ICMP response.
- There is significant packet loss at that hop or on the return path.
- The router is down or unreachable.
- Hop Number: The first number (e.g.,
Interpreting Delays and Drops:
- Sudden Increase in Latency: If the RTT jumps significantly between two consecutive hops, it suggests that the link between those two hops, or the second hop itself, is introducing the latency. This could be due to congestion, a slower link, or a more distant geographical location.
- Consistent High Latency: If all subsequent hops show very high latency, the issue might be with the destination network or a major bottleneck further down the line.
- Abrupt Stop (Consistent Asterisks): If the traceroute stops responding after a certain hop (i.e., you see
* * *for several hops), and the destination is known to be reachable, it strongly indicates a problem at or just after the last responding hop. This could be a routing issue, a firewall block, or a network outage.
Advanced Traceroute Options on FortiGate
The basic traceroute command is powerful, but FortiGate's CLI offers several options to refine your diagnostics. These options allow you to customize the traceroute behavior to better suit specific troubleshooting scenarios. You can access these options by typing traceroute ? in the CLI.
Here are some of the most useful advanced options:
-n(Do not resolve IP addresses to hostnames): This option prevents DNS lookups for each hop's IP address. It can significantly speed up the traceroute process, especially in environments with slow DNS servers or when tracing to a large number of IPs. It's also useful if you suspect DNS issues might be interfering with your diagnostics.
traceroute -n 8.8.8.8
* **`-m <max_ttl>` (Set maximum number of hops):**
As seen in the header, `max_ttl` defines the maximum number of hops the traceroute will attempt. The default is usually 30, but you might want to increase it for very long-distance routes or decrease it to quickly check reachability within a local network.
```
traceroute -m 15 8.8.8.8
-q <num_queries>(Set number of probes per hop): By default, traceroute sends three probes per hop. You can increase this number to get a more statistically reliable measurement of latency and packet loss at each hop, or decrease it to speed up the process if multiple probes aren't necessary.
traceroute -q 5 8.8.8.8
* **`-w <timeout>` (Set wait time for reply):**
This option specifies the time in seconds to wait for a response from a given hop. If you're troubleshooting over a slow or high-latency link, increasing the timeout can prevent false positives of packet loss.
```
traceroute -w 5 8.8.8.8
-I(Use ICMP Echo Request instead of UDP): By default, traceroute often uses UDP probes to a high port. Using ICMP Echo Request (-I) can be more effective if intermediate firewalls or network devices are blocking UDP traffic but allowing ICMP. This is a common scenario for troubleshooting. When using this option, ensure that ICMP is permitted through your FortiGate's policies.
traceroute -I 8.8.8.8
* **`-T` (Use TCP SYN instead of UDP):**
Similar to `-I`, this option uses a TCP SYN packet. This can be useful for testing reachability to specific TCP ports, which might be relevant if UDP or ICMP are blocked, but you know the destination port is open. You typically need to specify a destination port with this option (e.g., `-T 80` for port 80).
```
traceroute -T 80 8.8.8.8
-f <first_ttl>(Start from first TTL): This option allows you to specify the initial TTL value to start probing from. This can be useful for debugging specific parts of a path without re-transmitting probes for earlier hops.
traceroute -f 5 8.8.8.8
**Combining Options:**
These options can be combined. For instance, to trace to 8.8.8.8 with 5 probes per hop, a maximum of 20 hops, and without resolving hostnames:
traceroute -n -m 20 -q 5 8.8.8.8
Choosing the right options depends on the specific network conditions and the suspected cause of the problem. Experimentation is key to mastering these advanced settings.
### Troubleshooting Common Network Issues with FortiGate Traceroute
The `fortigate traceroute command` is a cornerstone for diagnosing a variety of network problems. Let's look at some common scenarios and how traceroute can help.
#### 1. Slow Internet Connectivity
If users are complaining about slow internet speeds, a traceroute can help identify if the issue is within your local network, with your ISP, or further out on the internet.
**Scenario:** Users report slow loading times for external websites.
**Traceroute Approach:**
1. Execute a `traceroute` from the FortiGate to a well-known external IP address or hostname (e.g., `8.8.8.8`, `www.google.com`).
2. **Analyze the output:**
* **High latency on the first few hops:** This points to an issue within your internal network or at your local network egress point. Check your internal switch configurations, Wi-Fi, or cabling.
* **Sudden spike in latency at a specific hop:** If the latency increases dramatically between hop X and hop X+1, the problem likely lies on the link or device between them. This could be a congested link, a slow router from your ISP, or even an issue with the ISP's internal routing.
* **Consistent high latency throughout:** If all hops show consistently high latency, it suggests a broader internet problem, potentially with your ISP's upstream providers or a widespread internet congestion issue.
#### 2. Inability to Reach a Specific Server or Service
When a user cannot access a particular internal or external server (e.g., an application server, a web server), traceroute can show if the traffic is even getting to the vicinity of the destination.
**Scenario:** A user cannot connect to an internal CRM server.
**Traceroute Approach:**
1. Execute `traceroute <CRM_server_IP>`. (Ensure the FortiGate can route to this IP, perhaps through static routes or OSPF/BGP if it's on a different subnet).
2. **Analyze the output:**
* **Traceroute stops at an internal hop before reaching the server's subnet:** This strongly suggests a routing problem within your internal network. Verify your routing tables, VLAN configurations, and inter-VLAN routing on your switches or routers.
* **Traceroute reaches the subnet but fails to get a response from the server's IP:** This could indicate:
* The server is down or not responding.
* A firewall policy on the FortiGate is blocking the traffic to that server (e.g., blocking ICMP or the specific application port).
* A firewall on the server itself is blocking the traffic.
* **Traceroute stops at your FortiGate's internal interface IP:** This could mean the FortiGate is not configured to route traffic to that destination subnet, or there's a firewall policy blocking the outbound traffic from the source interface.
#### 3. Intermittent Connectivity Drops
Intermittent issues are the hardest to diagnose. Traceroute can help capture a snapshot of the path during a period of instability.
**Scenario:** Users experience random disconnections from external services.
**Traceroute Approach:**
1. When the issue is occurring, run `traceroute` to a stable external destination.
2. **Analyze the output:**
* **Frequent asterisks or timeouts at specific hops:** This points to packet loss or instability at that particular network segment or device. It could be a failing network card, a flapping link, or an overloaded router.
* **Variability in RTTs across hops:** Significant fluctuations in latency can indicate congestion or unstable routing paths.
* **If traceroute completes but the problem persists:** The issue might be deeper than simple routing, possibly related to TCP session timeouts, application-level issues, or high CPU on an intermediate device that isn't directly shown by traceroute.
#### 4. Diagnosing ISP Routing Issues
When you suspect your Internet Service Provider (ISP) is having routing problems, traceroute is your primary tool.
**Scenario:** An external website hosted by a particular ISP is unreachable or extremely slow.
**Traceroute Approach:**
1. Run `traceroute` to an IP address known to be within that ISP's network, or to a website hosted by them.
2. **Analyze the output:**
* **Traceroute stops at your FortiGate's WAN interface or your ISP's edge router:** This suggests your ISP may have an issue reaching that destination, or a policy is blocking it.
* **Abrupt increase in latency or packet loss once traffic enters the ISP's network:** This indicates congestion or routing problems within the ISP's infrastructure.
* **If traceroute passes through multiple hops of your ISP and then fails, but you can traceroute successfully to other destinations via the same ISP:** This may point to a specific routing issue for that particular destination network on the ISP's part.
**Key Takeaway:** Always try to run traceroutes to multiple destinations (different IPs, different external services) to isolate whether the problem is specific to one path or a more general network issue.
### FortiGate Traceroute vs. Other Tools
While traceroute is incredibly useful, it's important to understand its limitations and how it complements other <a class="kw-link" href="/trace-route-google">network diagnostic tools</a> available on a FortiGate.
* **`ping`:** `ping` is simpler and checks basic reachability and latency to a single destination. It sends ICMP Echo Requests and waits for Echo Replies. It doesn't show the path. Traceroute is superior for understanding the *route* taken.
* **`diagnose network ping` (CLI):** Similar to the standard `ping` command but often with more options available directly within the FortiGate CLI environment. It's good for basic connectivity tests.
* **`diagnose network trace` (CLI):** This is a powerful packet sniffing tool. It captures actual network packets traversing an interface. While traceroute tells you *which* hops are responding (or not), `diagnose network trace` shows you the *exact packets* being sent and received, their headers, and any errors. It's more detailed but also generates much more data and requires deeper packet analysis skills.
* **`get router info routing-table all` (CLI):** This command displays the FortiGate's entire routing table. It's crucial for understanding *why* a traceroute takes a certain path. If traceroute shows an unexpected path, checking the routing table can reveal the underlying routing decisions.
* **`diagnose firewall policy list` (CLI):** This command lists all firewall policies. If traceroute stops at the FortiGate or just after it, reviewing firewall policies is essential to see if traffic is being allowed or denied.
Traceroute provides a high-level view of the path. If traceroute suggests an issue at a specific hop, you might then use `ping` to further test that hop's direct reachability or `diagnose network trace` to inspect the actual traffic flow. If traceroute reveals an incorrect path, the routing table (`get router info routing-table all`) is the next place to look.
### Best Practices for Using the FortiGate Traceroute Command
To get the most out of the `fortigate traceroute command`, follow these best practices:
1. **Establish a Baseline:** Periodically run traceroutes to key internal and external destinations during normal network operation. Save this output. When problems arise, you can compare the current traceroute with your baseline to quickly identify changes.
2. **Trace from the Correct Source:** If possible, run traceroutes from the FortiGate's CLI as this represents the firewall's perspective on routing. However, if users are experiencing issues from a specific subnet, consider configuring FortiGate to allow traceroute from that internal interface or using a trusted host to run traceroute to simulate user traffic.
3. **Use Meaningful Destinations:** Trace to stable, well-known destinations (e.g., `8.8.8.8`, `1.1.1.1`) for general internet connectivity, and to specific application servers or devices for targeted troubleshooting.
4. **Combine with Other Tools:** Don't rely solely on traceroute. Use it in conjunction with `ping`, `diagnose network trace`, and routing table checks for a complete picture.
5. **Consider ICMP Blocking:** Remember that asterisks (`* * *`) don't always mean the path is broken. They often indicate ICMP is blocked. Try using the `-I` (ICMP Echo Request) option if you suspect this. If the problem persists with ICMP, try UDP or TCP probes.
6. **Document Your Findings:** Keep a log of your traceroute results, including the command used, the output, and your interpretation. This documentation is invaluable for tracking issues over time and for reporting to ISPs or vendors.
7. **Be Patient with High Latency Hops:** High latency isn't always a problem. Some hops are geographically distant, and latency is expected. Look for *sudden increases* or *disproportionately high latency compared to previous hops*.
8. **Understand Your Network:** Before running traceroutes to external destinations, have a clear understanding of your internal network topology, your ISP's edge, and your usual internet routing.
### Frequently Asked Questions (FAQ)
**Q: Why does my FortiGate traceroute show asterisks (`* * *`) for some hops?**
A: Asterisks typically indicate that a router at that hop is not responding to the traceroute probes. This could be due to various reasons: the router might be configured to block ICMP messages for security reasons, there might be a firewall in the path blocking the responses, or there could be significant packet loss at that hop or on the return path.
**Q: How can I tell if the problem is with my FortiGate or my ISP?**
A: Run traceroutes to different destinations. If traceroutes to multiple external IPs show issues starting at your FortiGate's WAN interface or the first hop *after* your FortiGate (your ISP's equipment), it points towards an ISP issue. If traceroutes to internal resources fail or show issues within your local network before reaching the internet, the problem is more likely on your FortiGate or internal network infrastructure.
**Q: Can the `fortigate traceroute command` help with firewall policy issues?**
A: Indirectly. If a traceroute stops abruptly at the FortiGate's internal interface, or just after, it might indicate that a firewall policy is blocking the traffic. However, traceroute itself doesn't explicitly show policy drops. For that, you'd typically need to examine FortiGate logs or use packet sniffing (`diagnose network trace`).
**Q: What is the difference between traceroute and ping?**
A: Ping checks basic connectivity and latency to a single destination without revealing the path. Traceroute maps the entire route by showing each hop (router) packets pass through, along with the latency to each hop. Traceroute is used for path discovery and bottleneck identification, while ping is for simple reachability.
### Conclusion
The `fortigate traceroute command` is an indispensable tool in the network administrator's toolkit. By understanding how to execute it, interpret its output, and leverage its advanced options, you can efficiently diagnose and resolve a wide range of network connectivity and performance issues. Whether you're <a class="kw-link" href="https://mixedblog.online/measurement-of-speed-over-a-network" target="_blank" rel="noopener">troubleshooting slow internet</a>, unreachable servers, or intermittent connection drops, traceroute provides critical insights into the network path your data takes.
Mastering this command, combined with a systematic approach and knowledge of other diagnostic tools, will significantly enhance your ability to maintain a robust and reliable network environment. Regularly practicing with the `traceroute fortigate command` will build your confidence and speed in tackling network challenges.
