Server-policy access failure
- Check if FortiWeb is accessible:
  - Check the network connectivity as described in "Diagnosing server-policy connectivity issues" to confirm that FortiWeb can be reached from the client.
  - Check that DNS resolves successfully and points to the VIP of the server-policy.
  - Bypass the CDN/DNS (set a host entry on the local machine/PC) and check whether the FortiWeb VIP is accessible. Add a host entry on the local machine/PC:
    - Windows: C:\Windows\System32\drivers\etc\hosts
    - Linux: /etc/hosts
    Or visit the VIP directly with curl --resolve (the <port> must match the port the request actually uses, i.e. 80 for http:// and 443 for https://):
    curl -I http://<domain> --resolve <domain>:<port>:<IP address>
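As an added example (not part of the original page or the FortiWeb product), the POSIX shell script below runs the curl --resolve check against the VIP for both HTTP and HTTPS and maps each status code to the next check in this guide (redirect, WAF block, back-end status). DOMAIN, VIP and the function names are assumptions; replace the placeholders with the server-policy FQDN and the FortiWeb VIP.

```shell
#!/bin/sh
# Added example, not from the FortiWeb documentation. DOMAIN and VIP are
# assumed placeholders; set them to the server-policy FQDN and FortiWeb VIP.
DOMAIN="${DOMAIN:-www.example.com}"
VIP="${VIP:-192.0.2.10}"

# Probe the VIP directly, bypassing CDN/DNS, the way a hosts entry would.
# The --resolve mapping only applies when the request port matches, so the
# port is passed in both places. -k skips certificate validation so a cert
# problem is not mistaken for a connectivity problem (the SSL/TLS section
# covers certificates separately). Prints the HTTP status; 000 = no response.
probe_vip() {   # usage: probe_vip <http|https> <port>
    code=$(curl -s -o /dev/null -k --max-time 10 \
               --resolve "${DOMAIN}:$2:${VIP}" \
               -w '%{http_code}' "$1://${DOMAIN}:$2/" 2>/dev/null) || true
    printf '%s\n' "${code:-000}"
}

# Map the status code curl saw to the troubleshooting check it points at.
classify() {    # usage: classify <http|https> <status>
    case "$2" in
        000)
            echo "$1: no response; check connectivity, VIP/service port and the TLS handshake in a capture" ;;
        301|302|307|308)
            echo "$1: redirect; Redirect HTTP to HTTPS is probably enabled, compare with the https result" ;;
        403)
            echo "$1: 403; likely blocked by a WAF module, check the attack log" ;;
        502|503|504)
            echo "$1: $2; FortiWeb answered but the back-end did not, check server pool status/port/SSL" ;;
        2*|4*)
            echo "$1: $2; server-policy reachable end to end" ;;
        *)
            echo "$1: $2; unexpected, inspect diagnose debug flow output" ;;
    esac
}

# Probe both services so HTTP and HTTPS behaviour can be compared side by side.
main() {
    for pair in "http 80" "https 443"; do
        set -- $pair
        classify "$1" "$(probe_vip "$1" "$2")"
    done
}

# Only probe the network when invoked as "sh probe.sh run".
if [ "${1:-}" = "run" ]; then main; fi
```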
- Check the configuration on FortiWeb:
  - Check the operation mode with "show system settings" (different modes may have special limitations or requirements).
  - Check whether both HTTP and HTTPS are enabled.
  - Check whether the HTTP/HTTPS service ports are correctly configured and can be reached.
  - Check whether Redirect HTTP to HTTPS is enabled (if yes, disable it and check whether HTTP and HTTPS access give different responses).
  - Check whether the back-end server is correctly configured; pay special attention to the port, SSL, and single-server mode.
  - Check whether HTTP/2 is enabled (if yes, disable it and test again).
  - Check whether Cache and Compression are enabled (if yes, disable them and test again).
  - Check whether Machine Learning is enabled (if yes, disable it and test again).
- Check the back-end server status:
  - If health check is on, check whether the back-end server status is up and stable.
  - If health check is off, or the pool is configured as single-server, visit the back-end server from a client or from the backend shell of FortiWeb to check the actual status of the back-end server.
- Capture packets on FortiWeb:
  Use GUI > System > Network > Packet Capture, or tcpdump under the CLI/root shell (or "diagnose network sniffer"), to check that:
  - The request from the client is correctly received by FortiWeb and forwarded to the back-end servers.
  - The TCP packets are received and the TCP connection is established.
  - The SSL handshakes are successful (refer to SSL/TLS for detailed troubleshooting methods).
  - The HTTP traffic looks as expected (refer to SSL/TLS for how to decrypt SSL/TLS packets).
- Check whether the access is blocked by WAF modules:
  - Check the attack logs to see why a request is blocked: main and sub types, signature type and ID, message details and matched pattern.
  - Remove the web protection profile, or the features included in it, from the server-policy and visit again.
  - Set "noparse enable" under "server-policy policy" to bypass WAF functions. Note: this option applies to Reverse Proxy or True Transparent Proxy mode only, and do not enable it on a policy that uses content routing, otherwise content routing will not work.
- Collect diagnose output and debug logs for further analysis:
  - Turn on the traffic log with the packet-log option enabled to check HTTP request packet details.
  - Run "diagnose debug flow" to check traffic flow processing details.
  - Capture traffic on FortiWeb at the same time and download the pcap files.
  - Raise the /proc/tproxy/debug levels and check packet processing in the kernel.
  - Export the configuration file and download the debug logs via the GUI.