FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 274047
Description This article describes how to troubleshoot the issue of loading websites on devices connected to an internal network to the FortiGate. 
Scope FortiGate v7.0+.

Check if if it is possible to ping by running this command in from CLI:


exec ping


If it is not possible to ping, check the ISP connection. Try to connect the WAN link to some other device to check if it can reach the internet.


  • Take sniffer and debug:
    Run this command in Fortigate CLI:

diag sniffer packet any ‘ host <IP of Source> and host <IP of destination>’ 4 0 l


In the second CLI window, run these commands:

di debug reset
diag deb flow show function-name en
diag debug console time en
diag deb flow filter addr <IP of source>
diag deb flow filter addr <IP of destination>
diag deb flow trace start 99999
diag deb en


To stop the debug, run this command:

di deb di


Save the output of these two CLI.
In the debug, if  msg="Denied by forward policy check (policy 0)' is visible, it means that a firewall policy is missing to allow this traffic.



If the ping works, then the issue may be related to DNS resolution.


  • Check DNS Settings:
    Go to Network --> DNS. Check if the DNS server is reachable. If high latency is visible or the DNS server is unreachable then it may be causing the issue. Make sure the ISP connection is working well.
    If a FortiGuard DNS is used for DNS settings, check the status of the FortiGuard DNS server here:
    FortiMonitor Status Page


If there are issues with the FortiGuard server, try changing to Public DNS.
For this, select ‘Specify’ under DNS Settings and enter the public DNS server to use.

Also, change the DNS protocol to UDP/53 and disable TLS:


DNS Settings.JPG



  • UTM profile:
    If both DNS and DNS filters are working as expected then check other UTM profiles.
    It is possible to remove the UTM profiles from the firewall policy and try opening the website in an incognito or private window.
    If this is not possible, it is also possible to create a test firewall policy by cloning the main policy and restricting the Source to only a test PC IP.
    Move this test policy above the main policy and disable all security profiles on it.
    Try opening the website on the test PC after that.


  • Check the IPS engine:
    If all these steps have been tried and the website is still not loading then try turning off the IPS engine temporarily using:

diag test app ipsmonitor 98 (Turn off IPS engine)


Test the website again to see if it loads.

Use this command if wanting to turn on the IPS engine again:

diag test app ipsmonitor 97 (Turn on IPS engine)