Fortinet 128 FortiWeb 5.0 Patch 6 Administration Guide
you have not yet configured a policy, and therefore, if in reverse proxy mode, cannot test
connectivity through the FortiWeb.)
If the connectivity test fails, you can use the CLI commands:
execute ping <destination_ipv4>
to determine if a complete route exists from the FortiWeb to the host, and
execute traceroute <destination_ipv4>
to determine the point of connectivity failure.
Also enable PING on the FortiWeb’s network interface, or configure an IP address on the
bridge, then use the equivalent tracert or traceroute command on the host (depending
on its operating system) to test routability for traffic traveling in the opposite direction: from
the host to the FortiWeb.
If these tests fail, or if you do not want to enable PING, first examine the static route
configuration on both the host and FortiWeb.
To display the routing table, enter the CLI command:
diagnose network route list
You may also need to verify that the physical cabling is reliable and not loose or broken,
that there are no IP address or MAC address conflicts or blacklisting, and otherwise rule
out problems at the physical, network, and transport layer.
If these tests succeed and a route exists, but you still cannot connect using HTTP or
HTTPS, an application-layer problem is preventing connectivity.
Verify that you have enabled HTTPS and/or HTTP on the network interface. Also examine
routers and firewalls between the host and the FortiWeb appliance to verify that they
permit HTTP and/or HTTPS connectivity between them. Finally, you can also use the CLI
command:
diagnose system top 5 30
to verify that the daemons for the web UI and CLI, such as sshd, newcli, and httpsd
are running and not overburdened. For details, see the FortiWeb CLI Reference.
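The same layer-by-layer triage can be run from the administrator's host. The script below is an added example, not part of the Fortinet guide. It assumes a Linux host with iputils ping, bash, coreutils timeout and curl, and that the web UI answers HTTPS on port 443; the function names and the address 192.0.2.10 are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: run on the administrator's host, not on the FortiWeb.
# Each probe returns 0 on success; they are separate so they can be swapped.
probe_icmp()  { ping -c 1 -W 2 "$1" >/dev/null 2>&1; }
# Host and port are passed as arguments, never spliced into the command string.
probe_tcp()   { timeout 3 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null; }
# -k: only reachability is tested here; the certificate is not validated.
probe_https() { curl -sk -o /dev/null --max-time 5 "https://$1/"; }

# Prints one verdict for the FortiWeb management address given in $1.
diagnose_layer() {
    local host="$1" icmp=fail tcp=fail web=fail
    probe_icmp "$host" && icmp=ok
    probe_tcp "$host" 443 && tcp=ok
    [ "$tcp" = ok ] && probe_https "$host" && web=ok

    case "$icmp/$tcp/$web" in
        # TCP and HTTPS answer: a route exists even if PING is disabled.
        */ok/ok)     echo "reachable" ;;
        # Port opens but no HTTP response: check httpsd with diagnose system top.
        */ok/fail)   echo "application-layer" ;;
        # Route exists, port closed: check HTTPS on the interface and firewalls.
        ok/fail/*)   echo "service-blocked" ;;
        # Nothing answers: check static routes, cabling and address conflicts.
        fail/fail/*) echo "no-route-or-filtered" ;;
    esac
}

# Stand-alone use: ./triage.sh 192.0.2.10  (constructed documentation address)
if [ "$#" -gt 0 ]; then
    diagnose_layer "$1"
fi
```

A failed ping alone is not treated as a missing route, because PING may be disabled on the FortiWeb interface while HTTPS is still reachable.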
By default, in reverse proxy mode, FortiWeb’s virtual servers do not forward
non-HTTP/HTTPS traffic to your protected web servers. (Only traffic picked
up and allowed by the HTTP reverse proxy is forwarded.) You may be able to provide
connectivity by either deploying in a one-arm topology where other protocols bypass FortiWeb,
or by enabling FortiWeb to route other protocols. See also “Topology for reverse proxy mode”
on page 63 and the config router setting command in the FortiWeb CLI Reference.