Administration Guide

Performing a packet trace

When troubleshooting malformed packet or protocol errors, it helps to look inside the protocol headers of packets to determine if they are traveling along the route you expect, and with the flags and other options you expect.

If you configure virtual servers on your FortiWeb appliance, packets’ destination IP addresses will be the virtual servers’ IP addresses, not the physical IP addresses (i.e., the IP address of port1, etc.). An ARP update is sent out when a virtual IP address is configured.

For Offline Protection mode, it is usually normal if HTTP/HTTPS packets do not egress. The nature of this deployment style is to listen only, except to reset the TCP connection if FortiWeb detects traffic in violation.

If the packet trace shows that packets are arriving at your FortiWeb appliance’s interfaces but no HTTP/HTTPS packets egress, check that:

  • Physical links are firmly connected, with no loose wires

  • Network interfaces/bridges are brought up (see "Configuring the network interfaces" in FortiWeb Administration Guide)

  • Link aggregation peers, if any, are up (see "Link aggregation" in FortiWeb Administration Guide)

  • VLAN IDs, if any, match (see "Adding VLAN subinterfaces" in FortiWeb Administration Guide)

  • Virtual servers or V-zones exist, and are enabled (see "Configuring a bridge (V-zone)" and "Configuring virtual servers on your FortiWeb" in FortiWeb Administration Guide)

  • Matching policies exist, and are enabled (see "Configuring basic policies" in FortiWeb Administration Guide)

  • If using HTTPS, valid server/CA certificates exist (see "How to offload or inspect HTTPS" in FortiWeb Administration Guide)

  • IP-layer and HTTP-layer routes, if necessary, match (see "Adding a gateway" and "Routing based on HTTP content" in FortiWeb Administration Guide)

  • Web servers are responsive, if server health checks are configured and enabled (see "Configuring server up/down checks" in FortiWeb Administration Guide)

  • Load balancers, if any, are defined (see "Defining your proxies, clients, & X-headers" in FortiWeb Administration Guide)

  • Clients are not blocklisted (see "Monitoring currently blocked IPs" in FortiWeb Administration Guide)

If the packet is accepted by the policy but appears to be dropped during processing, see "Debugging the packet processing flow" in FortiWeb Administration Guide.
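
The triage described above, written out as an added example that is not part of the FortiWeb guide: it sorts a trace into "wrong destination", "normal for Offline Protection", "arrives but does not egress" or "egress seen". The one-line record format, the addresses and the verdict names are constructed for illustration and are not FortiWeb's own trace output.

```python
from typing import NamedTuple

WEB_PORTS = {80, 443}

class Pkt(NamedTuple):
    iface: str
    direction: str   # "in" = arriving at the appliance, "out" = leaving it
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags: S, SA, A, PA, R ...

def parse(line: str) -> Pkt:
    """Parse one constructed record: '<iface> <in|out> <ip:port> -> <ip:port> <flags>'."""
    iface, direction, src, _arrow, dst, flags = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Pkt(iface, direction, s_ip, int(s_port), d_ip, int(d_port), flags)

def triage(trace: str, virtual_ips: set, offline: bool = False) -> str:
    pkts = [parse(l) for l in trace.splitlines() if l.strip()]
    # Client requests arriving at the appliance.
    ingress = [p for p in pkts if p.direction == "in" and p.dport in WEB_PORTS]
    # Any HTTP/HTTPS traffic leaving it (to a back end, or back to a client).
    egress = [p for p in pkts
              if p.direction == "out" and {p.sport, p.dport} & WEB_PORTS]
    if not ingress:
        return "no-web-ingress"
    # With virtual servers, requests should target a virtual IP, not port1's IP.
    if virtual_ips and not any(p.dst in virtual_ips for p in ingress):
        return "wrong-destination"
    # Offline Protection listens only; the sole expected egress is a TCP reset.
    if offline and all("R" in p.flags for p in egress):
        return "offline-normal"
    if not egress:
        return "arrives-no-egress"   # work through the checklist above
    return "egress-seen"

# Constructed sample traces (documentation address ranges).
NO_EGRESS = """
port1 in 203.0.113.10:51000 -> 192.0.2.80:443 S
port1 in 203.0.113.10:51000 -> 192.0.2.80:443 S
port1 in 203.0.113.11:51001 -> 192.0.2.80:80 S
"""
PROXIED = NO_EGRESS + "port2 out 10.0.0.1:40000 -> 10.0.0.5:80 S\n"
RESET_ONLY = NO_EGRESS + "port1 out 192.0.2.80:443 -> 203.0.113.10:51000 R\n"
PHYSICAL_IP = "port1 in 203.0.113.10:51000 -> 192.0.2.1:443 S\n"
```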
