Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vbandha
Staff
Staff

Created on ‎09-17-2023 09:39 PM Edited on ‎09-18-2023 06:32 AM By Moderator

Article Id 274047

Troubleshooting Tip: Unable to load website on internal network connected to FortiGate

Description This article describes how to troubleshoot the issue of loading websites on devices connected to an internal network to the FortiGate. 
Scope FortiGate v7.0+.
Solution

Check if if it is possible to ping 8.8.8.8 by running this command in from CLI:

 

exec ping 8.8.8.8

 

If it is not possible to ping 8.8.8.8, check the ISP connection. Try to connect the WAN link to some other device to check if it can reach the internet.

 

  • Take sniffer and debug:
    Run this command in Fortigate CLI:


diag sniffer packet any ‘ host <IP of Source> and host <IP of destination>’ 4 0 l

 

In the second CLI window, run these commands:


di debug reset
diag deb flow show function-name en
diag debug console time en
diag deb flow filter addr <IP of source>
diag deb flow filter addr <IP of destination>
diag deb flow trace start 99999
diag deb en

 

To stop the debug, run this command:


di deb di

 

Save the output of these two CLI.
In the debug, if  msg="Denied by forward policy check (policy 0)' is visible, it means that a firewall policy is missing to allow this traffic.

 

 

If the ping works, then the issue may be related to DNS resolution.

 

  • Check DNS Settings:
    Go to Network --> DNS. Check if the DNS server is reachable. If high latency is visible or the DNS server is unreachable then it may be causing the issue. Make sure the ISP connection is working well.
    If a FortiGuard DNS is used for DNS settings, check the status of the FortiGuard DNS server here:
    FortiMonitor Status Page

 

If there are issues with the FortiGuard server, try changing to Public DNS.
For this, select ‘Specify’ under DNS Settings and enter the public DNS server to use.
Example 8.8.8.8, 1.1.1.1.


Also, change the DNS protocol to UDP/53 and disable TLS:

 

DNS Settings.JPG

 

 

  • UTM profile:
    If both DNS and DNS filters are working as expected then check other UTM profiles.
    It is possible to remove the UTM profiles from the firewall policy and try opening the website in an incognito or private window.
    If this is not possible, it is also possible to create a test firewall policy by cloning the main policy and restricting the Source to only a test PC IP.
    Move this test policy above the main policy and disable all security profiles on it.
    Try opening the website on the test PC after that.

 

  • Check the IPS engine:
    If all these steps have been tried and the website is still not loading then try turning off the IPS engine temporarily using:


diag test app ipsmonitor 98 (Turn off IPS engine)

 

Test the website again to see if it loads.

Use this command if wanting to turn on the IPS engine again:


diag test app ipsmonitor 97 (Turn on IPS engine)
177
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.