Fortinet 128 FortiWeb 5.0 Patch 6 Administration Guide
you have not yet configured a policy, and therefore, if in reverse proxy mode, cannot test
connectivity through the FortiWeb.)
If the connectivity test fails, you can use the CLI commands:
execute ping <destination_ip4>
to determine if a complete route exists from the FortiWeb to the host, and
execute traceroute <destination_ipv4>
to determine the point of connectivity failure.
Also enable PING on the FortiWeb’s network interface, or configure an IP address on the
bridge, then use the equivalent tracert or traceroute command on the host (depending
on its operating system) to test routability for traffic traveling in the opposite direction: from
the host to the FortiWeb.
• If these tests fail, or if you do not want to enable PING, first examine the static route
configuration on both the host and FortiWeb.
To display the routing table, enter the CLI command:
diagnose network route list
You may also need to verify that the physical cabling is reliable and not loose or broken,
that there are no IP address or MAC address conflicts or blacklisting, and otherwise rule
out problems at the physical, network, and transport layer.
• If these tests succeed, a route exists, but you cannot connect using HTTP or HTTPS, an
application-layer problem is preventing connectivity.
Verify that you have enabled HTTPS and/or HTTP on the network interface. Also examine
routers and firewalls between the host and the FortiWeb appliance to verify that they
permit HTTP and/or HTTPS connectivity between them. Finally, you can also use the CLI
command:
diagnose system top 5 30
to verify that the daemons for the web UI and CLI, such as sshd, newcli, and httpsd
are running and not overburdened. For details, see the FortiWeb CLI Reference.
By default, in reverse proxy mode, FortiWeb’s virtual servers will not forward
non-HTTP/HTTPS traffic from virtual servers to your protected web servers. (Only traffic picked
up and allowed by the HTTP reverse proxy will be forwarded.) You may be able to provide
connectivity by either deploying in a one-arm topology where other protocols bypass FortiWeb,
or by enabling FortiWeb to route other protocols. See also “Topology for reverse proxy mode”
on page 63 and the config router setting command in the FortiWeb CLI Reference.