Fortinet 643 FortiWeb 5.0 Patch 6 Administration Guide
2. In the row for the network interface which you want to respond to ICMP type 8
(ECHO_REQUEST) for ping and UDP for traceroute, click Edit.
A dialog appears.
3. Enable PING.
4. If Trusted Host #1, Trusted Host #2, and Trusted Host #3 have been restricted, verify that
they include your computer or device’s IP address. Otherwise FortiWeb will not respond.
5. Click OK.
The appliance should now respond when another device such as your management
computer sends a ping or traceroute to that network interface.
To verify routes between clients and your web servers
1. Attempt to connect through the FortiWeb appliance, from a client to a protected web server,
via HTTP and/or HTTPS.
If the connectivity test fails, continue to the next step.
2. Use the ping command on both the client and the server to verify that a route exists
between the two. Test traffic movement in both directions: from the client to the server, and
the server to the client. Web servers do not need to be able to initiate a connection, but must
be able to send reply traffic along a return path.
If the routing test succeeds, continue with step 4.
If the routing test fails, continue to the next step.
3. Use the tracert or traceroute command on both the client and the server (depending
on their operating systems) to locate the point of failure along the route.
If the route is broken when it reaches the FortiWeb appliance, first examine its network
interfaces and routes. To display network interface addresses and subnets, enter the CLI
command:
show system interface
To display all recently-used routes with their priorities, enter the CLI command:
diagnose network route list
You may need to verify that the physical cabling is reliable and not loose or broken, that there
are no IP address or MAC address conflicts or blacklisting, misconfigured DNS records, and
otherwise rule out problems at the physical, network, and transport layer.
If these tests succeed and a route exists, but you still cannot connect using HTTP or HTTPS,
an application-layer problem is preventing connectivity.
Disabling PING only prevents FortiWeb from receiving ICMP type 8 (ECHO_REQUEST) and
traceroute-related UDP, and from responding to them.
It does not disable FortiWeb CLI commands such as execute ping or execute
traceroute that send such traffic.
In networks using features such as asymmetric routing, routing success in one direction does
not guarantee success in the other.
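Step 3 above asks you to locate the point of failure in traceroute output. The following is an added example, not part of the Fortinet guide: it parses Linux-style traceroute text and separates a hop that merely stays silent from a route that actually stops. The sample traces, addresses, and function names are constructed for illustration.

```python
import re

# Constructed sample traces (documentation-range addresses, not real output).
# SILENT_HOP: hop 3 does not answer probes, but the web server is still reached.
SILENT_HOP = """\
traceroute to 192.0.2.80 (192.0.2.80), 30 hops max, 60 byte packets
 1  10.0.0.1 (10.0.0.1)  0.412 ms  0.388 ms  0.371 ms
 2  10.0.1.1 (10.0.1.1)  1.103 ms  1.087 ms  1.064 ms
 3  * * *
 4  192.0.2.80 (192.0.2.80)  2.240 ms  2.198 ms  2.175 ms
"""
# BROKEN: nothing answers after hop 2, so the failure is at or just past it.
BROKEN = """\
traceroute to 192.0.2.80 (192.0.2.80), 30 hops max, 60 byte packets
 1  10.0.0.1 (10.0.0.1)  0.412 ms  0.388 ms  0.371 ms
 2  10.0.1.1 (10.0.1.1)  1.103 ms  1.087 ms  1.064 ms
 3  * * *
 4  * * *
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_hops(output):
    """Return [(hop_number, first_responder_ip_or_None), ...]."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if m:  # header lines do not start with a hop number
            ip = IP_RE.search(m.group(2))
            hops.append((int(m.group(1)), ip.group(0) if ip else None))
    return hops


def locate_failure(output, dest):
    """Say whether dest was reached, or after which hop replies stop."""
    hops = parse_hops(output)
    dest_hop = next((n for n, ip in hops if ip == dest), None)
    if dest_hop is not None:
        silent = [n for n, ip in hops if ip is None and n < dest_hop]
        return {"status": "reached", "hop": dest_hop, "silent_hops": silent}
    answered = [(n, ip) for n, ip in hops if ip]
    last_hop, last_ip = answered[-1] if answered else (0, None)
    return {"status": "broken", "last_hop": last_hop, "last_ip": last_ip}


if __name__ == "__main__":
    for name, trace in (("silent hop", SILENT_HOP), ("broken", BROKEN)):
        print(name, locate_failure(trace, "192.0.2.80"))
```

When the trace target is a FortiWeb interface itself, a "broken" result at the hop before it is also what PING being disabled or a Trusted Host restriction looks like, so check those settings before suspecting the route. Run the trace from both the client and the server, since asymmetric routing can make one direction succeed while the other fails.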