Umer221
Staff
Article Id 276820
Description This article describes how to resolve an issue where certain websites accessed through a FortiGate virtual server for DNAT fail to load.
Scope FortiGate v7.2.5, Virtual IP (VIP).
Solution

The issue originates from changes to the default behavior of virtual servers:

  1. HTTP2 support is enabled by default.
  2. FortiGate rewrites the 'Host' field in HTTP requests that pass through the virtual server.

To rectify the issue:

  1. Disable the 'translate-host' setting in the real server configuration under the VIP.
  2. Enforce the use of HTTP1 so that resources load correctly and websites load as expected.

Enter the virtual IP configuration:

config firewall vip
    edit <vip>
        set http-supported-max-version http1
        config realservers
            edit <realserver_id>
                set translate-host disable
            next
        end
    next
end

Note:

When multiple real servers are configured under a VIP, 'translate-host disable' must be applied to all of them.

If these settings do not appear under the VIP in the output of 'show', they are still at their default values, which is the non-working setup. 'show full' displays both default and non-default settings for the object.
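
The check described in the note can be scripted against saved 'show' output. The following is an added example, not Fortinet code: it reports every virtual server that is missing either setting and, following the note above, treats a setting that is absent from 'show' as still being at its default. The function names and the sample configuration (VIP names, server IDs) are constructed for illustration.

```python
SAMPLE = """\
config firewall vip
    edit "web-vip-1"
        set http-supported-max-version http1
        config realservers
            edit 1
                set translate-host disable
            next
            edit 2
            next
        end
    next
    edit "web-vip-2"
        config realservers
            edit 1
            next
        end
    next
end
"""  # constructed 'show' output; VIP names and server IDs are made up

def parse_vips(text):  # value None = line absent from 'show', so still the default
    vips, stack, vip, srv = {}, [], None, None
    for raw in text.splitlines():
        key, _, rest = raw.strip().partition(" ")
        if key == "config":
            stack.append(rest)          # track nesting so other blocks are ignored
        elif key == "end" and stack:
            stack.pop()
        elif stack == ["firewall vip"] and key == "edit":
            vip = vips.setdefault(rest.strip('"'), {"http": None, "servers": {}})
        elif stack == ["firewall vip", "realservers"] and key == "edit":
            srv = vip["servers"][rest] = {"translate-host": None}
        elif key == "set" and vip is not None:
            name, _, value = rest.partition(" ")
            if stack == ["firewall vip"] and name == "http-supported-max-version":
                vip["http"] = value
            elif stack == ["firewall vip", "realservers"] and name == "translate-host":
                srv["translate-host"] = value
    return vips

def audit_vips(text):  # [(vip, issue)]; VIPs without real servers are skipped
    out = []
    for name, vip in parse_vips(text).items():
        if vip["servers"] and vip["http"] != "http1":
            out.append((name, "http-supported-max-version is not http1"))
        out += [(name, f"realserver {s}: translate-host is not disable")
                for s, v in vip["servers"].items() if v["translate-host"] != "disable"]
    return out
```

Calling audit_vips(SAMPLE) lists the second real server of "web-vip-1" and both settings of "web-vip-2"; an empty list means every virtual server in the file carries the fix.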
