Fortinet 652 FortiWeb 5.0 Patch 6 Administration Guide
To check the routing table in the CLI, enter:
diagnose network route list
Checking port assignmentsIf you are attempting to connect to FortiWeb on a given network port, and the connection is
expected to occur on a different port number, the attempt will fail. For a list of ports used by
FortiWeb, see “Appendix A: Port numbers” on page 666. For ports used by your own HTTP
network services, see “Defining your network services” on page 274.
Performing a packet traceWhen troubleshooting malformed packet or protocol errors, it helps to look inside the protocol
headers of packets to determine if they are traveling along the route you expect, and with the
flags and other options you expect. For instructions, see “Packet capture” on page 633.
If the packet trace shows that packets are arriving at your FortiWeb appliance’s interfaces but
no HTTP/HTTPS packets egress, check that:
• Physical links are firmly connected, with no loose wires
• Network interfaces/bridges are brought up (see “Configuring the network interfaces” on
page 113)
• Link aggregation peers, if any, are up (see “Link aggregation” on page 120)
• VLAN IDs, if any, match (see “Adding VLAN subinterfaces” on page 117)
• Virtual servers or V-zones exist, and are enabled (see “Configuring a bridge (V-zone)” on
page 122)
• Matching policies exist, and are enabled (see “Configuring basic policies” on page 148)
• If using HTTPS, valid server/CA certificates exist (see “How to offload or inspect HTTPS” on
page 283)
• IP-layer, and HTTP-layer routes, if necessary, match (see “Adding a gateway” on page 125
and “Routing based upon URL or “Host:” name” on page 262)
• Web servers are responsive, if server health checks are configured and enabled (see
“Configuring server up/down checks” on page 254)
• Load balancers, if any, are defined (see “Defining your proxies, clients, & X-headers” on
page 266)
• Clients are not blacklisted (see “Monitoring currently blocked IPs” on page 606)
If the packet is accepted by the policy but appears to be dropped during processing, see
“Debugging the packet processing flow” on page 653.
If you configure virtual servers on your FortiWeb appliance, packets’ destination IP addresses
will be those IP addresses, not the physical IP addresses (i.e., the IP address of port1, etc.). An
ARP update is sent out when a virtual IP address is configured.
For offline protection mode, it is usually normal if HTTP/HTTPS packets do not egress. The
nature of this deployment style is to listen only, except to reset the TCP connection if FortiWeb
detects traffic in violation.