Skip to main content
ManpreetSingh
Staff
ManpreetSingh
Staff
November 27, 2025

Troubleshooting Tip: Proxy Intermittently Blocking Access to Websites

  • November 27, 2025
  • 0 replies
  • 769 views
Description This article outlines a step-by-step approach to diagnose and resolve cases where a FortiGate or FortiProxy intermittently blocks user access to websites. It covers common root causes, including policy misconfiguration, LDAP inconsistencies, and certificate issues.
Scope FortiGate, FortiProxy.
Solution

Follow the steps below to isolate and resolve intermittent proxy access issues:

  1. Validate Proxy Policy Configuration:

  • Navigate to Policy & Objects -> Proxy Policy.

  • Confirm the policy is configured as explicit-web.

  • Verify the destination interface is mapped to the correct outgoing interface.

  • Ensure no conflicting or shadowing proxy policies exist above the intended rule.

 

  1. Verify LDAP User Group Configuration.

    If authentication using a remote LDAP server is used:

  • Verify that the LDAP user groups are correctly configured in the source of the proxy policy.

  • Confirm the LDAP server object settings:

    • Correct hostname/FQDN or IP address.

    • Correct port (389 for LDAP, 636 for LDAPS).

    • Properly imported and trusted CA certificate for LDAPS.

  • When using load-balanced LDAP (e.g., an FQDN pointing to multiple AD servers), ensure that:

    • All backend servers present a consistent certificate chain,

    • Authentication behavior is identical across all nodes.

 

  1. Test LDAP Connectivity.

    Use diagnostic tools to confirm stable LDAP communication:

 

diagnose test authserver ldap <ldap_name> <username> <password>
diagnose debug application fnbamd -1
diagnose debug enable

 

Check if failures occur intermittently or only when specific domain controllers respond.

 

To stop the debug processes:

 

diagnose debug application fnbamd 0

diagnose debug disable

diagnose debug reset

 

  1. Validate LDAP Certificates.

  • Verify the CA certificate used matches all domain controllers behind the load balancer.

  • If some servers succeed and others fail:

    • Update or replace the CA certificate,

    • Check for certificate expiry or misconfiguration on individual AD servers.

 

  1. Inspect Logs and Traffic Patterns.

  • Review Forward Traffic Logs and Proxy Logs for blocked or failed sessions.

  • Capture traffic for analysis when needed:                                                                                                       

 

diagnose sniffer packet any "host <ldap_server_ip>" 4 0 l

 

  • Identify TLS handshake failures, resets, or timeout patterns.

 

  1. Check Backend LDAP Server Health.

    Engage the AD/LDAP team to verify:

  • Account lockouts (service account or admin account),

  • Domain controllers are not responding consistently,

  • Certificate issues,

  • Latency or network instability is affecting some LDAP servers.

 

Conclusion.

Intermittent proxy access issues typically stem from LDAP connectivity problems or inconsistent certificates across domain controllers. By validating proxy policies, ensuring correct LDAP group mapping, confirming certificate consistency, and reviewing debug logs, users can efficiently identify and resolve the root cause.
    Terms & ConditionsAccessibility statement