Fortinet 652 FortiWeb 5.0 Patch 6 Administration Guide
To check the routing table in the CLI, enter:
diagnose network route list
Checking port assignments
If you are attempting to connect to FortiWeb on a given network port, and the connection is
expected to occur on a different port number, the attempt will fail. For a list of ports used by
FortiWeb, see “Appendix A: Port numbers” on page 666. For ports used by your own HTTP
network services, see “Defining your network services” on page 274.
Performing a packet trace
When troubleshooting malformed packet or protocol errors, it helps to look inside the protocol
headers of packets to determine if they are traveling along the route you expect, and with the
flags and other options you expect. For instructions, see “Packet capture” on page 633.
If the packet trace shows that packets are arriving at your FortiWeb appliance’s interfaces but
no HTTP/HTTPS packets egress, check that:
• Physical links are firmly connected, with no loose wires
• Network interfaces/bridges are brought up (see “Configuring the network interfaces” on page 113)
• Link aggregation peers, if any, are up (see “Link aggregation” on page 120)
• VLAN IDs, if any, match (see “Adding VLAN subinterfaces” on page 117)
• Virtual servers or V-zones exist, and are enabled (see “Configuring a bridge (V-zone)” on page 122)
• Matching policies exist, and are enabled (see “Configuring basic policies” on page 148)
• If using HTTPS, valid server/CA certificates exist (see “How to offload or inspect HTTPS” on page 283)
• IP-layer and HTTP-layer routes, if necessary, match (see “Adding a gateway” on page 125 and “Routing based upon URL or “Host:” name” on page 262)
• Web servers are responsive, if server health checks are configured and enabled (see “Configuring server up/down checks” on page 254)
• Load balancers, if any, are defined (see “Defining your proxies, clients, & X-headers” on page 266)
• Clients are not blacklisted (see “Monitoring currently blocked IPs” on page 606)
If the packet is accepted by the policy but appears to be dropped during processing, see
“Debugging the packet processing flow” on page 653.
If you configure virtual servers on your FortiWeb appliance, packets’ destination IP addresses
will be those IP addresses, not the physical IP addresses (i.e., the IP address of port1, etc.). An
ARP update is sent out when a virtual IP address is configured.
For offline protection mode, it is usually normal if HTTP/HTTPS packets do not egress. The
nature of this deployment style is to listen only, except to reset the TCP connection if FortiWeb
detects traffic in violation.
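The symptom described above (packets arriving on an interface but no HTTP/HTTPS packets leaving toward the web servers) and the offline-protection exception (listen only, apart from TCP resets) can be checked mechanically against a saved trace. The script below is an added example, not part of this guide and not a FortiWeb tool: it assumes tcpdump-style summary lines of the form "<interface> In|Out IP <src>.<port> > <dst>.<port>: Flags [...]" (a constructed format; FortiWeb's own sniffer output is not reproduced here), counts inbound packets per interface and outbound packets addressed to port 80 or 443, and returns a triage verdict that treats the no-egress case as expected when offline mode is declared. The sample traces are constructed and use documentation IP ranges.

```python
"""Triage a packet trace: did traffic arrive without any HTTP/HTTPS egress?

Added example (not FortiWeb code). Parses constructed tcpdump-style lines.
"""
import re
from collections import Counter

# Constructed line format:
#   "<iface> <In|Out> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+Flags \[(?P<flags>[^\]]*)\]"
)

# Ports on which we expect egress toward back-end web servers (assumption:
# adjust to the ports defined in your own network services).
WEB_PORTS = {80, 443}


def parse_line(line):
    """Return a dict for one trace line, or None if the line is not a packet summary."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def analyse_trace(lines, offline_mode=False):
    """Summarise ingress/egress per interface and give a triage verdict.

    Egress counts only outbound packets whose *destination* port is a web port,
    i.e. connections FortiWeb opens toward the web servers; replies sent back
    to clients (source port 80/443) are not counted as server-side egress.
    """
    ingress = Counter()
    egress_web = Counter()
    resets = 0
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue  # ignore headers, blank lines, non-IP traffic
        if pkt["dir"] == "In":
            ingress[pkt["iface"]] += 1
        else:
            if pkt["dport"] in WEB_PORTS:
                egress_web[pkt["iface"]] += 1
            if "R" in pkt["flags"]:
                resets += 1  # TCP RST: the only egress expected in offline mode

    arrived = sum(ingress.values()) > 0
    left = sum(egress_web.values()) > 0
    if arrived and not left:
        # Offline protection listens only, so no web egress is normal there;
        # in an inline deployment this is the case the checklist above covers.
        verdict = "expected-listen-only" if offline_mode else "arrived-but-no-web-egress"
    elif arrived and left:
        verdict = "forwarding"
    else:
        verdict = "no-ingress"
    return {
        "ingress": dict(ingress),
        "egress_web": dict(egress_web),
        "resets": resets,
        "verdict": verdict,
    }


# Constructed sample traces (documentation IP ranges, not real captures).
TRACE_FORWARDING = [
    "port1 In  IP 198.51.100.7.51234 > 192.0.2.10.443: Flags [S], seq 0, win 64240",
    "port1 Out IP 192.0.2.10.443 > 198.51.100.7.51234: Flags [S.], seq 0, ack 1",
    "port2 Out IP 192.0.2.10.40001 > 10.1.1.20.80: Flags [S], seq 0, win 29200",
]
TRACE_STALLED = [
    "port1 In  IP 198.51.100.7.51234 > 192.0.2.10.443: Flags [S], seq 0, win 64240",
    "port1 In  IP 198.51.100.7.51234 > 192.0.2.10.443: Flags [S], seq 0, win 64240",
]
TRACE_OFFLINE = [
    "port3 In  IP 198.51.100.9.40500 > 192.0.2.10.80: Flags [P.], seq 1:120, ack 1",
    "port3 Out IP 192.0.2.10.80 > 198.51.100.9.40500: Flags [R.], seq 1, ack 120",
]

if __name__ == "__main__":
    for name, trace in [("forwarding", TRACE_FORWARDING), ("stalled", TRACE_STALLED)]:
        print(name, analyse_trace(trace)["verdict"])
    print("offline", analyse_trace(TRACE_OFFLINE, offline_mode=True))
```

Run it against your own saved trace by reading the file into a list of lines; a verdict of arrived-but-no-web-egress in an inline deployment points you back at the checklist above (interfaces, VLANs, policies, certificates, routes, health checks, blacklists), while a non-zero reset count with no web egress is the expected picture for offline protection.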