FortiGate
vbandha
Staff
Article Id 274047
Description This article describes how to troubleshoot websites that fail to load on devices connected to the FortiGate's internal network.
Scope FortiGate v7.0+.
Solution

First, check whether 8.8.8.8 can be pinged by running this command from the FortiGate CLI:

 

execute ping 8.8.8.8

 

If 8.8.8.8 cannot be pinged, check the ISP connection: connect the WAN link to another device and confirm that it can reach the internet.

 

  • Take sniffer and debug:

Run this command in the FortiGate CLI (verbosity 4 prints the interface name with each packet, a count of 0 captures until Ctrl-C, and 'l' prints local timestamps):


diagnose sniffer packet any 'host <IP of Source> and host <IP of destination>' 4 0 l

 

In a second CLI window, run these commands:


diagnose debug reset
diagnose debug console timestamp enable
diagnose debug flow show function-name enable
diagnose debug flow filter addr x.x.x.x y.y.y.y and    <-- x.x.x.x: source IP, y.y.y.y: destination IP; 'and' matches only packets between the two.
diagnose debug flow trace start 99999
diagnose debug enable

 

To stop the debug, run this command:


diagnose debug disable

 

Save the output of both CLI windows.
If the debug output contains msg="Denied by forward policy check (policy 0)", no firewall policy matches this traffic (policy 0 is the implicit deny): a policy allowing it is missing and must be created or corrected.

 

  • Check bandwidth utilization:

Also check the bandwidth utilization of the WAN interface, to rule out a saturated link as the cause.
To check bandwidth utilization, refer to this article:
Technical Tip: How to check interface bandwidth utilization from GUI

 

Also check whether the PC on the internal network is configured with an internal DNS server, by running this on the PC (Windows):

 

ipconfig /all

 

If it is, make sure there is no separate firewall policy for that DNS server's outbound traffic that has a DNS Filter profile blocking the website. If there is, tune the DNS filter to allow the website and test again.

 

If the ping to 8.8.8.8 works, basic connectivity is fine and the issue is more likely DNS resolution.

 

  • Check DNS Settings:

Go to Network -> DNS and check whether the configured DNS servers are reachable. High latency to a DNS server, or an unreachable server, can by itself cause websites not to load; make sure the ISP connection is healthy.
If FortiGuard DNS is used, check the status of the FortiGuard DNS servers here:
FortiMonitor Status Page

 

If there are issues with the FortiGuard servers, try a public DNS instead.
To do so, select 'Specify' under DNS Settings and enter the public DNS servers to use, for example 8.8.8.8 and 1.1.1.1.


For the test, also set the DNS protocol to UDP/53 and disable TLS. This turns off DNS over TLS for the FortiGate's own queries, so they travel in cleartext; re-enable TLS once the test has shown whether the resolver was the problem.

 

[Screenshot: DNS Settings]
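To check a DNS server's reachability, response code and latency from a PC behind the FortiGate rather than from the GUI, the following added Python script (not from the original article, and not a Fortinet tool) sends a raw A query over UDP/53 and parses the reply, so it can be run against the FortiGate's configured DNS server and a public resolver such as 8.8.8.8 side by side. It assumes UDP/53 is allowed from the PC to those servers; the default server list, the name example.com and the constructed_response() packets used for offline testing are constructed assumptions, not captured data.

```python
import random
import socket
import struct
import time
from typing import Dict, List, Optional

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    # "example.com" -> 0x07 "example" 0x03 "com" 0x00 (RFC 1035 label format)
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def build_query(name: str, qid: int, qtype: int = 1) -> bytes:
    # Header: id, flags (RD=1), QDCOUNT=1, AN/NS/ARCOUNT=0; then one question, class IN.
    return (struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, name ends here
            return off + 2
        off += 1 + length


def parse_response(msg: bytes, qid: int) -> Dict[str, object]:
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch: stray or spoofed reply")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    addrs: List[str] = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    rcode = flags & 0x000F
    return {"rcode": rcode, "status": RCODES.get(rcode, f"RCODE{rcode}"),
            "truncated": bool(flags & 0x0200), "answers": addrs}


def resolve(name: str, server: str, timeout: float = 2.0) -> Dict[str, object]:
    """Send one A query over UDP/53 and report status, answers and round-trip latency."""
    qid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
        elapsed_ms = (time.monotonic() - start) * 1000.0
    result = parse_response(data, qid)
    result["latency_ms"] = round(elapsed_ms, 1)
    return result


def constructed_response(qid: int, rcode: int, addr: Optional[str]) -> bytes:
    """Constructed (not captured) reply to an example.com A query, for offline testing."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1
    msg = struct.pack("!HHHHHH", qid, flags, 1, 1 if addr else 0, 0, 0)
    msg += encode_name("example.com") + struct.pack("!HH", 1, 1)
    if addr:  # answer: pointer to the question name, type A, class IN, TTL 300, 4-byte rdata
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    return msg


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    # Assumed defaults: compare the FortiGate's DNS server (pass it as an argument) with public resolvers.
    for server in sys.argv[2:] or ["8.8.8.8", "1.1.1.1"]:
        try:
            print(server, resolve(name, server))
        except (OSError, ValueError) as exc:
            print(server, "no usable reply:", exc)
```

A timeout against the configured server but a fast NOERROR from 8.8.8.8 points at the resolver (or a policy blocking the path to it); SERVFAIL or NXDOMAIN from every server points at the domain itself rather than the FortiGate.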

 

  • DNS filtering:

If DNS works and there is no latency, check whether DNS filtering is used in the firewall policy.
Check the DNS Filter rating server under Network -> DNS.
If there is latency or they are unreachable, check these articles for troubleshooting steps:
Troubleshooting for DNS filter
Technical Tip: SDNS Rating traffic (i.e. DNS Rating traffic) are not affected by interface-select-me...

 

  • UTM profile:

If both DNS and the DNS filter rating servers work as expected, check the other security (UTM) profiles on the policy.
Remove the security profiles from the firewall policy and try opening the website in an incognito or private window, so that a cached failure is not reused.

If the production policy cannot be changed, create a test firewall policy instead: clone the main policy, restrict its Source to the test PC's IP only, move it above the main policy and disable all security profiles on it.
Then try opening the website from the test PC. If it loads, re-enable the profiles on the test policy one at a time to find the one that blocks the site, and remove the test policy when done.

 

  • Public IP is blacklisted:

Identify the IP address of the domain: pinging it from the FortiGate resolves the name and prints the address it resolves to.

execute ping 'domain name' 

 

Then capture the traffic to that address with the sniffer:

   

diagnose sniffer packet any 'host X.X.X.X' 4 0 l  <-- Replace X.X.X.X with the IP address of the domain being monitored.

 

Check the server's response: a working connection shows the outgoing SYN followed by a SYN-ACK from the server. If the server answers the SYN with a reset (RST) instead, the path to the server is up but the connection is being refused, and the FortiGate's public IP may be the reason.

 

Verify whether the public IP is blacklisted: if the server replies to the SYN with a RST and no proper response, check the public IP against reputation and blacklist services. A blacklisted public IP can cause the remote server, or a device in front of it, to refuse the connection. Also note where the RST is seen: a RST arriving on the WAN interface came from the remote side, whereas a RST that only appears leaving the internal interface, with no matching RST arriving on the WAN interface, was generated by the FortiGate itself, usually by a security profile on the policy.
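The SYN/SYN-ACK/RST check above is easy to get wrong on a busy capture, so here is an added Python example (not part of the original article) that parses sniffer output, pairs each SYN with what came back, and classifies every connection attempt as completed, refused by the server, reset by the FortiGate itself, never forwarded, or unanswered. The sample capture is constructed, not real; it approximates the verbosity-4 layout (timestamp, interface, direction, src.port -> dst.port: flags) with a client 192.168.1.10 on port2 SNATed to 203.0.113.5 on wan1. The conversation key (server IP, server port, client port) is an assumption that holds when SNAT preserves the source port.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (not a real capture) approximating "diagnose sniffer packet any 'host ...' 4 0 l".
SAMPLE_SNIFFER = """\
2024-01-15 10:05:01.100123 port2 in 192.168.1.10.51500 -> 93.184.216.34.443: syn 2718281
2024-01-15 10:05:01.100250 wan1 out 203.0.113.5.51500 -> 93.184.216.34.443: syn 2718281
2024-01-15 10:05:01.131900 wan1 in 93.184.216.34.443 -> 203.0.113.5.51500: rst 0 ack 2718282
2024-01-15 10:05:01.132010 port2 out 93.184.216.34.443 -> 192.168.1.10.51500: rst 0 ack 2718282
2024-01-15 10:05:05.200000 port2 in 192.168.1.10.51501 -> 198.51.100.20.443: syn 1000
2024-01-15 10:05:05.200100 wan1 out 203.0.113.5.51501 -> 198.51.100.20.443: syn 1000
2024-01-15 10:05:05.230000 wan1 in 198.51.100.20.443 -> 203.0.113.5.51501: syn 5000 ack 1001
2024-01-15 10:05:05.230100 port2 out 198.51.100.20.443 -> 192.168.1.10.51501: syn 5000 ack 1001
2024-01-15 10:05:05.231000 port2 in 192.168.1.10.51501 -> 198.51.100.20.443: ack 5001
2024-01-15 10:05:10.000000 port2 in 192.168.1.10.51502 -> 203.0.113.200.443: syn 7000
2024-01-15 10:05:10.000100 wan1 out 203.0.113.5.51502 -> 203.0.113.200.443: syn 7000
2024-01-15 10:05:11.000000 port2 in 192.168.1.10.51502 -> 203.0.113.200.443: syn 7000
2024-01-15 10:05:11.000100 wan1 out 203.0.113.5.51502 -> 203.0.113.200.443: syn 7000
2024-01-15 10:05:20.000000 port2 in 192.168.1.10.51503 -> 198.51.100.30.443: syn 9000
2024-01-15 10:05:20.000100 wan1 out 203.0.113.5.51503 -> 198.51.100.30.443: syn 9000
2024-01-15 10:05:20.030000 wan1 in 198.51.100.30.443 -> 203.0.113.5.51503: syn 4000 ack 9001
2024-01-15 10:05:20.030100 port2 out 198.51.100.30.443 -> 192.168.1.10.51503: syn 4000 ack 9001
2024-01-15 10:05:20.031000 port2 in 192.168.1.10.51503 -> 198.51.100.30.443: ack 4001
2024-01-15 10:05:20.032000 port2 in 192.168.1.10.51503 -> 198.51.100.30.443: psh 9001 ack 4001
2024-01-15 10:05:20.033000 port2 out 198.51.100.30.443 -> 192.168.1.10.51503: rst 4001
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<intf>\S+) (?P<dir>in|out) '
    r'(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> '
    r'(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>.*)$'
)

Key = Tuple[str, str, str]  # (server ip, server port, client port): survives SNAT if the source port is kept


def is_syn(flags: str) -> bool:
    return flags.startswith("syn") and " ack " not in flags  # pure SYN


def is_synack(flags: str) -> bool:
    return flags.startswith("syn") and " ack " in flags


def is_rst(flags: str) -> bool:
    return flags.startswith("rst")


def analyze_sniffer(text: str) -> Dict[Key, Dict[str, object]]:
    pkts = [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]
    convs: Dict[Key, Dict[str, object]] = {}
    # Pass 1: every pure SYN names the server side; count SYNs entering and leaving the unit.
    for p in pkts:
        if is_syn(p["flags"]):
            c = convs.setdefault((p["dst"], p["dport"], p["sport"]),
                                 {"syn_in": 0, "syn_out": 0, "synack_in": False, "rst_in": False, "rst_out": False})
            c["syn_in" if p["dir"] == "in" else "syn_out"] += 1
    # Pass 2: classify server->client packets. "in" = arrived from the remote side,
    # "out" = left toward the client; a RST that is "out" with no "in" was made by the FortiGate.
    for p in pkts:
        c = convs.get((p["src"], p["sport"], p["dport"]))
        if c is None:
            continue
        if is_synack(p["flags"]) and p["dir"] == "in":
            c["synack_in"] = True
        elif is_rst(p["flags"]):
            c["rst_in" if p["dir"] == "in" else "rst_out"] = True
    return convs


def verdict(c: Dict[str, object]) -> str:
    if c["syn_out"] == 0:
        return "SYN seen inbound but never forwarded: dropped inside the FortiGate (run debug flow; expect a policy or route message)"
    if c["rst_in"]:
        return "server answered SYN with RST: path is up but the server refuses; check whether the public IP is blacklisted"
    if c["rst_out"]:
        return "RST sent toward the client with no RST from the server: the FortiGate reset the session (suspect a security profile / IPS)"
    if c["synack_in"]:
        return "handshake completed: the connection reaches the server"
    return f"no reply to {c['syn_out']} forwarded SYN(s): upstream drop or routing problem"


def report(text: str) -> List[str]:
    return [f"{k[0]}:{k[1]} from client port {k[2]}: {verdict(c)}" for k, c in analyze_sniffer(text).items()]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SNIFFER)))
```

Run it over the saved sniffer output; the "never forwarded" and "FortiGate reset" verdicts are the ones that send the investigation back to the policy set and security profiles rather than to the ISP or a blacklist.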

 

  • Check the IPS engine:

If all of the above has been tried and the website still does not load, stop the IPS engine temporarily:


diagnose test application ipsmonitor 98 (Turn off IPS engine)

 

Note that this stops all inspection handled by the IPS engine (IPS, flow-based antivirus, web filter and application control) on the whole unit, not only for the test PC, so keep the window short and do it only when that exposure is acceptable.

Test the website again to see if it loads. If it does, the cause is a security profile or the IPS engine itself; narrow it down profile by profile afterwards.

Turn the IPS engine on again with:


diagnose test application ipsmonitor 97 (Turn on IPS engine)