Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ManpreetSingh
Staff
Staff

Created on ‎11-27-2025 12:34 AM Edited on ‎12-01-2025 08:30 AM By Community Manager

Article Id 420457

Troubleshooting Tip: Proxy Intermittently Blocking Access to Websites

Description This article outlines a step-by-step approach to diagnose and resolve cases where a FortiGate or FortiProxy intermittently blocks user access to websites. It covers common root causes, including policy misconfiguration, LDAP inconsistencies, and certificate issues.
Scope FortiGate, FortiProxy.
Solution

Follow the steps below to isolate and resolve intermittent proxy access issues:

  1. Validate Proxy Policy Configuration:

  • Navigate to Policy & Objects -> Proxy Policy.

  • Confirm the policy is configured as explicit-web.

  • Verify the destination interface is mapped to the correct outgoing interface.

  • Ensure no conflicting or shadowing proxy policies exist above the intended rule.

 

  1. Verify LDAP User Group Configuration.

    If authentication using a remote LDAP server is used:

  • Verify that the LDAP user groups are correctly configured in the source of the proxy policy.

  • Confirm the LDAP server object settings:

    • Correct hostname/FQDN or IP address.

    • Correct port (389 for LDAP, 636 for LDAPS).

    • Properly imported and trusted CA certificate for LDAPS.

  • When using load-balanced LDAP (e.g., an FQDN pointing to multiple AD servers), ensure that:

    • All backend servers present a consistent certificate chain,

    • Authentication behavior is identical across all nodes.

 

  1. Test LDAP Connectivity.

    Use diagnostic tools to confirm stable LDAP communication:

 

diagnose test authserver ldap <ldap_name> <username> <password>
diagnose debug application fnbamd -1
diagnose debug enable

 

Check if failures occur intermittently or only when specific domain controllers respond.

 

To stop the debug processes:

 

diagnose debug application fnbamd 0

diagnose debug disable

diagnose debug reset

 

  1. Validate LDAP Certificates.

  • Verify the CA certificate used matches all domain controllers behind the load balancer.

  • If some servers succeed and others fail:

    • Update or replace the CA certificate,

    • Check for certificate expiry or misconfiguration on individual AD servers.

 

  1. Inspect Logs and Traffic Patterns.

  • Review Forward Traffic Logs and Proxy Logs for blocked or failed sessions.

  • Capture traffic for analysis when needed:                                                                                                       

 

diagnose sniffer packet any "host <ldap_server_ip>" 4 0 l

 

  • Identify TLS handshake failures, resets, or timeout patterns.

 

  1. Check Backend LDAP Server Health.

    Engage the AD/LDAP team to verify:

  • Account lockouts (service account or admin account),

  • Domain controllers are not responding consistently,

  • Certificate issues,

  • Latency or network instability is affecting some LDAP servers.

 

Conclusion.

Intermittent proxy access issues typically stem from LDAP connectivity problems or inconsistent certificates across domain controllers. By validating proxy policies, ensuring correct LDAP group mapping, confirming certificate consistency, and reviewing debug logs, users can efficiently identify and resolve the root cause.
215
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.