Fortinet 644 FortiWeb 5.0 Patch 6 Administration Guide
4. For application-layer problems, on the FortiWeb, examine the:
• matching server policy and all components it references
• certificates (if connecting via HTTPS)
• web server service/daemon (it should be running, and configured to listen on the port
specified in the server policy for HTTP and/or HTTPS, for virtual hosts, they should be
configured with a correct Host: name)
On routers and firewalls between the host and the FortiWeb appliance, verify that they permit
HTTP and/or HTTPS connectivity between them.
Testing for connectivity with ping
The ping command sends a small data packet to the destination and waits for a response. The
response has a timer that may expire, indicating that the destination is unreachable via ICMP.
ICMP is part of Layer 3 on the OSI Networking Model. ping sends Internet Control Message
Protocol (ICMP) ECHO_REQUEST (“ping”) packets to the destination, and listens for
ECHO_RESPONSE (“pong”) packets in reply.
Some networks block ICMP packets because they can be used in a ping flood or denial of
service (DoS) attack if the network does not have anti-DoS capabilities, or because ping can
be used by an attacker to find potential targets on the network.
Beyond basic existence of a possible route between the source and destination, ping tells you
the amount of packet loss (if any), how long it takes the packet to make the round trip (latency),
and the variation in that time from packet to packet (jitter).
If ping shows some packet loss, investigate:
• cabling to eliminate loose connections
• ECMP, split horizon, or network loops
• all equipment between the ICMP source and destination to minimize hops
If ping shows total packet loss, investigate:
• cabling to eliminate incorrect connections
• all firewalls, routers, and other devices between the two locations to verify correct IP
addresses, routes, MAC lists, trusted hosts, and policy configurations
If ping finds an outage between two points, use traceroute to locate exactly where the
problem is.
To ping a device from the FortiWeb CLI
1. Log in to the CLI via either SSH, Telnet, or You can ping from the FortiWeb appliance in the
CLI Console widget of the web UI.
2. If you want to adjust the behavior of execute ping, first use the
execute ping-options command. For details, see the FortiWeb CLI Reference.
Connectivity via ICMP only proves that a route exists. It does not prove that connectivity also
exists via other protocols at other layers such as HTTP.