Diagnosing server-policy access issues
Server-policy access failure
Check if FortiWeb is accessible:
- Check the network connectivity as described in "Diagnosing server-policy connectivity issues" to confirm that FortiWeb can be reached from the client.
- Check that DNS resolves successfully and to the correct VIP of the server-policy.
- Bypass CDN/DNS (set a host entry on the local machine/PC) and check whether the FortiWeb VIP is accessible.
  Add a host entry on the local machine/PC:
  Or visit with:
  curl -I http://<domain> --resolve <domain>:<port>:<IP address>
Check configuration on FortiWeb:
- Check the opmode with show system settings (different modes may have special limitations or requirements).
- Whether HTTP and HTTPS are both enabled.
- Whether the HTTP/HTTPS service ports are correctly configured and can be accessed.
- Whether Redirect HTTP to HTTPS is enabled (if yes, disable it and test whether HTTP and HTTPS access give different responses).
- Whether the back-end server is correctly configured: pay special attention to port, SSL and single-server mode.
- Whether HTTP/2 is enabled (if yes, disable it and test again).
- Whether Cache & Compression are enabled (if yes, disable them and test again).
- Whether Machine Learning is enabled (if yes, disable it and test again).
Check back-end server status:
- If health check is ON, check that the back-end server status is up and stable.
- If health check is OFF or the policy is configured as single-server, visit the back-end server from a client or from the FortiWeb backend shell to check the actual status of the back-end server.
Capture packets on FortiWeb:
Use GUI > System > Network > Packet Capture, or tcpdump under CLI/root (or diagnose network sniffer), to check that:
- The request from the client is correctly received by FortiWeb and forwarded to the back-end servers;
- The TCP packets are received and the TCP connection is established;
- The SSL handshakes are successful;
- The HTTP traffic looks as expected.
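As an added example (not FortiWeb's own tooling), the following Python script reads tcpdump-style text such as the packet capture above produces and reports, per leg, whether the TCP handshake completed, was reset, or never got a reply; the capture is constructed, and the VIP, back-end and client addresses and ports are assumptions. It only covers the TCP check; the SSL handshake check still needs the capture itself.

```python
import re

# One "tcpdump -nn" line: <time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ...
LINE_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

# Constructed sample capture (documentation addresses, not real hosts): the client -> VIP
# leg completes the 3-way handshake and sends an HTTP request; the FortiWeb -> back-end
# leg is refused with RST, which is what a wrong back-end port in the policy looks like.
SAMPLE_CAPTURE = """\
10:00:01.000001 IP 203.0.113.10.51000 > 192.0.2.5.443: Flags [S], seq 1, win 64240, length 0
10:00:01.000100 IP 192.0.2.5.443 > 203.0.113.10.51000: Flags [S.], seq 100, ack 2, win 65535, length 0
10:00:01.000200 IP 203.0.113.10.51000 > 192.0.2.5.443: Flags [.], ack 101, win 64240, length 0
10:00:01.000300 IP 203.0.113.10.51000 > 192.0.2.5.443: Flags [P.], seq 2:519, ack 101, length 517
10:00:01.001000 IP 192.0.2.5.40000 > 10.0.0.20.8443: Flags [S], seq 5, win 64240, length 0
10:00:01.001100 IP 10.0.0.20.8443 > 192.0.2.5.40000: Flags [R.], seq 0, ack 6, win 0, length 0
"""


def connection_states(capture_text):
    """Map (client, cport, server, sport) -> state for every TCP flow in the capture.
    States: syn-sent, syn-ack-received, established, reset, no-syn (no SYN seen)."""
    states = {}
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.group("src", "sport", "dst", "dport", "flags")
        fwd = (src, int(sport), dst, int(dport))   # client -> server direction
        rev = (dst, int(dport), src, int(sport))   # server -> client direction
        if "S" in flags and "." not in flags:      # bare SYN opens a new flow
            states[fwd] = "syn-sent"
            continue
        key = fwd if fwd in states else rev
        state = states.get(key)
        if state is None:
            states[fwd] = "no-syn"                 # capture started mid-connection
        elif "R" in flags:
            states[key] = "reset"
        elif "S" in flags and key == rev and state == "syn-sent":
            states[key] = "syn-ack-received"       # SYN-ACK from the server side
        elif key == fwd and state == "syn-ack-received":
            states[key] = "established"            # client's final ACK (or ACK+data)
    return states


def leg_states(states, server_ip):
    """States of all flows whose server side is server_ip (the VIP, or a back-end)."""
    return [s for (_, _, srv, _), s in states.items() if srv == server_ip]
```

Run it against `leg_states(connection_states(SAMPLE_CAPTURE), "<vip>")` and against the back-end address: a leg stuck in syn-sent points at connectivity, a reset leg at the back-end port or service.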
Check if the access is blocked by WAF modules:
- Check attack logs to see why a request is blocked: main and sub types, signature type and ID, message details and matched pattern.
- Remove the web protection profile, or the features included in it, from the server-policy and visit again;
- Or use the option in server-policy policy to bypass WAF functions.
  Note: this option applies to Reverse Proxy or True Transparent Proxy mode only. Do not enable it with content routing, otherwise content routing will not work.
Collect diagnose output & debug logs for further support analysis:
- Turn on traffic-log with the packet-log option enabled to check HTTP request packet details;
- Use diagnose debug flow to check traffic flow processing details;
- Capture traffic on FortiWeb at the same time and download the pcap files;
- Adjust the /proc/tproxy/debug levels and check packet processing in the kernel:
- Export configuration files and download debug logs via GUI.