Fortinet 5.0 Patch 6

Fortinet 644 FortiWeb 5.0 Patch 6 Administration Guide

4. For application-layer problems, on the FortiWeb, examine the:

• matching server policy and all components it references

• certificates (if connecting via HTTPS)

• web server service/daemon (it should be running, and configured to listen on the port

specified in the server policy for HTTP and/or HTTPS, for virtual hosts, they should be

configured with a correct Host: name)

On routers and firewalls between the host and the FortiWeb appliance, verify that they permit

HTTP and/or HTTPS connectivity between them.

Testing for connectivity with ping

The ping command sends a small data packet to the destination and waits for a response. The

response has a timer that may expire, indicating that the destination is unreachable via ICMP.

ICMP is part of Layer 3 on the OSI Networking Model. ping sends Internet Control Message

Protocol (ICMP) ECHO_REQUEST (“ping”) packets to the destination, and listens for

ECHO_RESPONSE (“pong”) packets in reply.

Some networks block ICMP packets because they can be used in a ping flood or denial of

service (DoS) attack if the network does not have anti-DoS capabilities, or because ping can

be used by an attacker to find potential targets on the network.

Beyond basic existence of a possible route between the source and destination, ping tells you

the amount of packet loss (if any), how long it takes the packet to make the round trip (latency),

and the variation in that time from packet to packet (jitter).

If ping shows some packet loss, investigate:

• cabling to eliminate loose connections

• ECMP, split horizon, or network loops

• all equipment between the ICMP source and destination to minimize hops

If ping shows total packet loss, investigate:

• cabling to eliminate incorrect connections

• all firewalls, routers, and other devices between the two locations to verify correct IP

addresses, routes, MAC lists, trusted hosts, and policy configurations

If ping finds an outage between two points, use traceroute to locate exactly where the

problem is.

To ping a device from the FortiWeb CLI

1. Log in to the CLI via either SSH, Telnet, or You can ping from the FortiWeb appliance in the

CLI Console widget of the web UI.

2. If you want to adjust the behavior of execute ping, first use the

execute ping-options command. For details, see the FortiWeb CLI Reference.

Connectivity via ICMP only proves that a route exists. It does not prove that connectivity also

exists via other protocols at other layers such as HTTP.