I have done many blogs on the great features that Fortinet firewalls offer and was reminded again why I prefer them over most major firewall vendors, specifically the way they are licensed. When you purchase a Fortinet FortiGate firewall you have the option to purchase the FortiGuard license so you can utilize such features as web/email filtering, Antivirus etc. There are no licenses that restrict how many users or nodes can access the device to be able to reach the Internet. When I run into an issue on a workstation where the user cannot access the Internet but all of the NIC settings, DNS etc. are set correctly, the first thing I think about is what kind of firewall the user is behind. More often than not, it is a SonicWall or WatchGuard firewall and it has only been licensed to support a few users. Once the “user” limit is reached, any others are denied access outbound to the Internet. I put user in quotes because that term is really referring to the number of IP addresses that have registered on the firewall.
Usually, if purchasing more licenses is not an option, you have to reboot the firewall to reset the connections and that will resolve the issue temporarily. Of course this option means disconnecting all other users that are able to successfully reach the Internet. I did however find that on WatchGuard firewalls, there is an option to disconnect a session within the GUI which is great as that means you do not have to reboot the device.
On the WatchGuard, go to the System Status page once logged into the firewall. Then select either Firebox Users or the tab that list the users that are connected. You should see a red X next to the user session which you can click that will disconnect the session allow others to connect. I really like this feature as stated because you can usually get a user back on the Internet without having to affect anyone else. Next time you run into an issue with Internet connectivity and you have exhausted all options, remember to check the firewall if it is licensed on a per user basis as that might just be the culprit.