FortiGate
Oscar_Wee
Staff
Article Id 350845
Description This article describes how to resolve a port that an online port checker reports as blocked, by verifying the VIP, the firewall policy, and the port status on the internal server.
Scope FortiGate v7.0.11 and above, v7.2.1 and above.
Solution

An online port checker reports the port of a service on the internal server (published through a VIP) as blocked.

To troubleshoot this:

  1. Ensure that the VIP points to the internal server correctly (external IP and port mapped to the server's IP and port).
  2. Ensure that the firewall policy for the VIP allows the correct service (the port the VIP publishes).
  3. Ensure that the port is open on the internal server itself. (This is NOT a FortiGate setting; configure it on the internal server.)
  4. Verify by accessing the internal server's website via the public IP; it should display correctly.


Example of the problem:

In this example, 111.111.111.111 is the external WAN IP and 10.10.10.10 is the mapped IP of the internal server (both addresses are fictitious).

  1. Visit https://portchecker.co/check-v0 and check the published port (3306 in this example) on 111.111.111.111. The checker reports the port as blocked.


  2. Check the VIP and the firewall policy with these CLI commands. In this example both are set correctly.

The VIP maps TCP/3306 on the WAN address to TCP/3306 on the internal server:

config firewall vip
    edit "SQL"
        set extip 111.111.111.111
        set extintf "port3"
        set portforward enable
        set mappedip 10.10.10.10
        set extport 3306
        set mappedport 3306
    next
end

The firewall policy accepts traffic from the WAN interface (port3) to the internal interface (port4) with the VIP as destination:

config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "SQL"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

Note that service "ALL" and srcaddr "all" are wider than this VIP needs: the policy can be limited to the MYSQL service (TCP/3306) and, where the clients are known, to their source addresses, so that only the published port is exposed and only to the intended clients.


  3. Make sure the port is open on the internal server itself (this is not a FortiGate setting). In this example the server runs ConfigServer Firewall, so TCP/3306 must be listed in TCP_IN in csf.conf:

    # Allow incoming TCP ports
    TCP_IN = "20,21,80,443,3306"

Also confirm that the service is listening on the server's LAN address and not only on 127.0.0.1; a host firewall that allows the port does not help if nothing listens on it.


  4. Access the internal server via 111.111.111.111 again. The page now displays correctly, because the port is no longer blocked on the internal server.
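The four checks above (and the worked example) come down to one question: is the port closed on the server, or dropped before it reaches the server? The following added example, which is not Fortinet's code, is a local stand-in for the online port checker. It distinguishes "open", "closed" (a host answered with RST, so packets reach a host and the problem is on the server side, step 3) and "filtered" (no answer, so the SYN was dropped by the FortiGate VIP/policy, steps 1 and 2, or by a host firewall that drops). Running it once from the Internet against the public IP and once from the LAN directly against the mapped IP tells you where to start. The addresses and the port are the article's fictitious example values, and the demo uses a local listener instead of a real server so it runs offline.

```python
import socket

# Constructed values matching the article's example; both addresses are fictitious.
PUBLIC_IP = "111.111.111.111"    # extip of the "SQL" VIP on port3 (WAN)
INTERNAL_IP = "10.10.10.10"      # mappedip of the VIP (the internal server)
PORT = 3306                      # extport/mappedport of the VIP


def check_tcp_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify a TCP port the way an online port checker does.

    "open"     - handshake completed: VIP, policy and server port all work.
    "closed"   - host answered with RST: packets reach a host but nothing
                 listens there (or a host firewall REJECTs). Check step 3.
    "filtered" - no answer before the timeout: the SYN was dropped, either by
                 the FortiGate (VIP/policy, steps 1-2), by something upstream,
                 or by a host firewall that DROPs (step 3).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:          # no route, network unreachable, ...
        return "error: %s" % (exc.strerror or exc)


def triage(external: str, internal: str) -> str:
    """Combine the result seen from outside (against the public IP) with the
    result seen from inside the LAN (directly against the mapped IP) and
    return which of the article's checks to start with."""
    if external == "open":
        return "ok"                 # nothing to fix
    if internal != "open":
        return "server"             # step 3: port closed or host firewall
    return "fortigate"              # steps 1-2: VIP or firewall policy


def demo() -> tuple:
    """Constructed offline demo: a local listener stands in for the internal
    server. Returns (result while listening, result after the listener is gone)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))     # ephemeral port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = check_tcp_port("127.0.0.1", port)   # "open"
    srv.close()
    after_close = check_tcp_port("127.0.0.1", port)       # "closed"
    return while_listening, after_close


if __name__ == "__main__":
    print("local demo:", demo())
    # Real use: run once from the Internet and once from inside the LAN.
    # outside = check_tcp_port(PUBLIC_IP, PORT)
    # inside = check_tcp_port(INTERNAL_IP, PORT)
    # print(triage(outside, inside))
```

A "filtered" result from outside with "open" from inside points at the FortiGate side (VIP mapping, policy interfaces or service), while anything other than "open" from inside means the server itself is not accepting the port, which no FortiGate change will fix.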
