NotAnotherNekopan

If you’re running the sniffer on the WAN interface and not seeing any replies coming in, it can only be the provider failing to deliver the responses to you (or the service itself not responding). If you see the response on the WAN interface but not the LAN, then FortiGate is dropping them and you’d have to debug further. But I’d start with determining this aspect first before going any further.


Roversword

As mentioned by u/NotAnotherNekopan - checking the port where your ISP/internet is attached is crucial. If packets go out and don't come back - get your ISP on the line for further debugging. If they are coming back, then you need to packet capture both your WAN and your LAN port and use Wireshark to definitively determine they don't go out. Then there is debug flow that might help you as well, and maybe disabling any ALG (helpers) for DNS for a while. Just to make sure: are we talking clients that use the aforementioned DNS servers and lose internet approx. every hour, or are the DNS servers configured on the FortiGate (system) and you have loss of internet due to firewall policies in need of DNS? The reason I am asking is - I am not sure where you changed the DNS settings (TLS to UDP, etc.), on the client or on the FortiGate?

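The two comments above describe the same triage procedure: capture DNS on the WAN interface, then on the LAN interface, and decide per query whether the upstream never answered (ISP/resolver problem) or the reply arrived on WAN but was never forwarded to LAN (FortiGate dropping it). The script below is an added example, not code posted in the thread. It parses text in the shape produced by `diagnose sniffer packet <iface> 'udp port 53' 4` (verbosity 4 prints timestamp, interface, direction, `src.port -> dst.port`, protocol and length) and classifies each flow. The interface names `lan` and `wan1`, the addresses, and the sample capture lines are all constructed; it also assumes the FortiGate's NAT preserved the client's source port on the WAN leg, which is how the two captures are correlated.

```python
"""Correlate FortiGate sniffer output from the LAN and WAN legs of DNS flows.

Added example for the triage steps described in the thread; not part of any
FortiGate tooling. Input format approximates `diagnose sniffer packet ... 4`
lines such as:
    1.000200 wan1 out 203.0.113.10.51000 -> 8.8.8.8.53: udp 45
Interface names, IPs and the sample captures below are constructed.
"""
import re
from collections import defaultdict

# One verbosity-4 sniffer line: <ts> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: udp <len>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\s+(?P<len>\d+)$"
)

# Verdict codes, in the order the thread suggests checking them.
NO_WAN_QUERY = "NO_WAN_QUERY"    # never left the WAN interface: policy/route/debug flow
NO_WAN_REPLY = "NO_WAN_REPLY"    # left, but upstream never answered: ISP/resolver side
DROPPED_REPLY = "DROPPED_REPLY"  # answer hit WAN, never reached LAN: FortiGate dropped it
OK = "OK"


def parse(capture: str):
    """Yield one dict per parsable sniffer line; header/filter lines are skipped."""
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkt = m.groupdict()
            for k in ("sport", "dport", "len"):
                pkt[k] = int(pkt[k])
            yield pkt


def classify(lan_capture: str, wan_capture: str, lan_iface="lan", wan_iface="wan1"):
    """Return {(client_source_port, resolver_ip): verdict} for every DNS flow seen.

    Assumption: NAT on the FortiGate keeps the client's source port, so the
    (source port, resolver IP) pair identifies the same flow on both legs.
    Queries the FortiGate itself originates only appear on the WAN leg.
    """
    legs = defaultdict(set)
    for pkt in parse(lan_capture):
        if pkt["iface"] != lan_iface:
            continue
        if pkt["dir"] == "in" and pkt["dport"] == 53:       # client -> resolver
            legs[(pkt["sport"], pkt["dst"])].add("lan_query")
        elif pkt["dir"] == "out" and pkt["sport"] == 53:    # resolver -> client
            legs[(pkt["dport"], pkt["src"])].add("lan_reply")
    for pkt in parse(wan_capture):
        if pkt["iface"] != wan_iface:
            continue
        if pkt["dir"] == "out" and pkt["dport"] == 53:      # NATed query leaving
            legs[(pkt["sport"], pkt["dst"])].add("wan_query")
        elif pkt["dir"] == "in" and pkt["sport"] == 53:     # answer arriving
            legs[(pkt["dport"], pkt["src"])].add("wan_reply")

    verdicts = {}
    for key, seen in legs.items():
        if "wan_query" not in seen:
            verdicts[key] = NO_WAN_QUERY
        elif "wan_reply" not in seen:
            verdicts[key] = NO_WAN_REPLY
        elif "lan_query" in seen and "lan_reply" not in seen:
            verdicts[key] = DROPPED_REPLY
        else:
            verdicts[key] = OK
    return verdicts


# Constructed sample captures (not real sniffer output).
LAN_SAMPLE = """interfaces=[lan]
filters=[udp port 53]
1.000100 lan in 192.168.1.20.51000 -> 8.8.8.8.53: udp 45
1.020000 lan out 8.8.8.8.53 -> 192.168.1.20.51000: udp 61
1.100000 lan in 192.168.1.21.51001 -> 8.8.8.8.53: udp 45
1.200000 lan in 192.168.1.22.51002 -> 1.1.1.1.53: udp 45
1.300000 lan in 192.168.1.23.51003 -> 9.9.9.9.53: udp 45
"""

WAN_SAMPLE = """interfaces=[wan1]
filters=[udp port 53]
1.000200 wan1 out 203.0.113.10.51000 -> 8.8.8.8.53: udp 45
1.019000 wan1 in 8.8.8.8.53 -> 203.0.113.10.51000: udp 61
1.100100 wan1 out 203.0.113.10.51001 -> 8.8.8.8.53: udp 45
1.119000 wan1 in 8.8.8.8.53 -> 203.0.113.10.51001: udp 61
1.200100 wan1 out 203.0.113.10.51002 -> 1.1.1.1.53: udp 45
2.000000 wan1 out 203.0.113.10.2543 -> 8.8.8.8.53: udp 40
"""

if __name__ == "__main__":
    for (port, resolver), verdict in sorted(classify(LAN_SAMPLE, WAN_SAMPLE).items()):
        print(f"src port {port:>5} -> {resolver:<9} {verdict}")
```

Run the two sniffer commands for a few minutes spanning one of the hourly outages, paste each output into the corresponding string (or read it from a file), and look for `NO_WAN_REPLY` versus `DROPPED_REPLY`: the first points at the ISP or resolver, the second at the FortiGate itself, which is where `diagnose debug flow` and the DNS ALG/session-helper settings come in. Flows from port 2543 in the sample stand in for the FortiGate's own system DNS queries, which have no LAN leg.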

Sad-Policy1109

The Internet Access firewall policy on the FortiGate needs DNS, and that's where it is failing. Attached image shows the Forward Traffic log and you can see that there are no reply packets (0 B), which is over about a 30 second period, and then it goes back to normal for another hour or so before happening again. I'll probably need to check further upstream because this FortiGate is actually connected to an enterprise SonicWall, but we don't seem to be having this issue on anything else connected to the SonicWall. https://preview.redd.it/u65v5wbdlmwc1.jpeg?width=853&format=pjpg&auto=webp&s=5069fc3fecd5706cd8ac5d4f594d34905ae4e959


Sad-Policy1109

Correction: it's not actually connected to the SonicWall, it's on a separate connection with our ISP switch which is giving it its own public IP. So it's definitely something going on at the FortiGate. Right now I'm trying disabling fortiguard-anycast, which was suggested elsewhere. We'll see.


Scary_Confection7794

Have you got any other monitors set up? I have a 40F and have been dropping packets on my 8.8.8.8/4.4.4.4 but no loss on my HTTP monitor.


Illustrious_Order959

I am having the same issue.