Configuration:

- Check the forward-server configuration.

```
config web-proxy forward-server
    edit "test1"    ----> Server 1.
        set ip 10.10.10.10
        set port 80
        set healthcheck enable
    next
    edit "test2"    -----> Server 2.
        set ip 10.10.20.10
        set port 80
        set healthcheck enable
    next
end
```

- Check the forward-server group configuration, if a forward-server-group is configured (optional).

Note: In config web-proxy forward-server-group, 'active-passive' means that the one server with the highest weight is 'active'. The others are passive and will not handle any session until the active node is considered down.

Special case: the objects in the server-list have the same weight. The first object is then the active node. If the active node becomes unreachable, the second node with the same weight becomes active. If the first node becomes reachable again, it takes over from the second node again.

```
config web-proxy forward-server-group
    edit "group"
        set ldb-method active-passive    ---> Using Active-passive.
        config server-list
            edit "test1"
                set weight 30
            next
            edit "test2"
                set weight 20
            next
        end
    next
end
```

- Check that the forward-server / forward-server-group is mapped to the firewall policy.

```
config firewall policy
    edit 1
        set type explicit-web
        set uuid 1806c9b0-526e-51f0-0cc3-10af7cd02ac1
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "web-proxy"
        set webcache enable
        set webproxy-forward-server "group"
    next
end
```

- Check the user traffic passing through the same policy rule: Log & Report -> Forward Traffic.

- Check if the FortiProxy can reach the forward server using Telnet.

```
execute telnet 10.10.10.10
diagnose sniffer packet any "host X.X.X.X" 4 0 l    --> Replace X.X.X.X with the forward server IP.
```

- Check whether the forward server is up/down on the FortiProxy.

```
diagnose debug reset
diagnose debug enable
diagnose test application wad 101
diagnose debug disable
diagnose wad webproxy forward-server detail
```

- If the forward server is reachable from the FortiProxy and the port is listening, but the forward server is still shown as down, disable the health check on the forward server.

Sample output:

```
FortiProxylab $ diagnose wad webproxy forward-server detail
VDOM=root server_name=test1 addr=ip/10.7.2.6:8080 health_check=disable down-opt=block proto=3
conns: succ=262194 fail=28 ongoing=2 hits=131449 blocked=0 proto_mispatch=0
monitor: succ=0 fail=0
error: stats.no_report_err=4
num_worker_load=27 state=up psv_tm=58(sec)
arbiter: tm=12(sec) tx=92004 rx=26246133
```

proto=3 refers to both HTTP and SOCKS.
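An added example (not from the original article or from Fortinet): a Python script that parses `diagnose wad webproxy forward-server detail` output and applies the active-passive rule from the note above to show which server the group would use. The input is constructed in the field layout of the sample output; splitting multiple servers on `VDOM=` and failback to a recovered higher-weight server are assumptions.

```python
import re

# Constructed input in the field layout of the sample output on this page;
# names/addresses follow the page's test1/test2 config, counters are made up.
SAMPLE = (
    "VDOM=root server_name=test1 addr=ip/10.10.10.10:80 health_check=enable "
    "down-opt=block proto=3 conns: succ=120 fail=45 ongoing=0 hits=60 blocked=3 "
    "proto_mispatch=0 monitor: succ=10 fail=7 num_worker_load=27 state=down "
    "VDOM=root server_name=test2 addr=ip/10.10.20.10:80 health_check=disable "
    "down-opt=block proto=3 conns: succ=5000 fail=2 ongoing=1 hits=2500 blocked=0 "
    "proto_mispatch=0 monitor: succ=0 fail=0 num_worker_load=27 state=up"
)

def parse_servers(text):
    """Return {server_name: fields}; works on flattened or multi-line output."""
    servers = {}
    for rec in re.split(r"(?=VDOM=)", text):  # assumption: one record per VDOM= marker
        name = re.search(r"server_name=(\S+)", rec)
        if not name:
            continue
        conns = re.search(r"conns:\s*succ=(\d+)\s+fail=(\d+)", rec)
        servers[name.group(1)] = {
            "state": re.search(r"\bstate=(\w+)", rec).group(1),
            "health_check": re.search(r"health_check=(\w+)", rec).group(1),
            "conn_succ": int(conns.group(1)),
            "conn_fail": int(conns.group(2)),
        }
    return servers

def elect_active(server_list, servers):
    """Active-passive: highest weight among 'up' servers; ties go to the earlier entry."""
    up = [(n, w) for n, w in server_list if servers.get(n, {}).get("state") == "up"]
    return max(up, key=lambda nw: nw[1])[0] if up else None  # max() keeps first of equals

def findings(servers):
    """Flag conditions worth a second look while troubleshooting."""
    out = []
    for name, s in servers.items():
        if s["state"] != "up":
            out.append(f"{name}: state={s['state']}")
        if s["health_check"] == "disable":
            out.append(f"{name}: health check disabled")
    return out

if __name__ == "__main__":
    parsed = parse_servers(SAMPLE)
    print("active:", elect_active([("test1", 30), ("test2", 20)], parsed))
    print(findings(parsed))
```

The `server_list` argument must be given in the same order as `config server-list`, since that order decides the equal-weight case.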