FortiGate
seshuganesh
Staff
Article Id: 210201
Description: This article discusses how to troubleshoot when a website is not accessible.
Scope: FortiOS.
Solution:

Before troubleshooting this issue, it helps to understand how packet flow works for website reachability.

As soon as the user enters the URL in the browser, a DNS lookup for that website happens first. Once the name is resolved, the request is sent to the website's IP address and the response comes back from that website.

The troubleshooting steps are described below:

Troubleshoot-1:

Perform a DNS lookup on the internal host machine for the problematic website, then resolve the same website on the 'nslookup.io' website.

Compare both results; they should be the same.

If they differ, the internal DNS server is resolving to the wrong IP address.

Troubleshoot-2:

Once the DNS lookup has succeeded, focus on the traffic flow.

If both the local DNS and the global DNS return the same resolution, run this sniffer:

# diag sniffer packet any 'host a.b.c.d' 4 0 a
(where a.b.c.d is the website IP address)

In this sniffer output, observe whether there is a two-way flow or only a one-way flow.

Check whether the traffic is reaching the firewall and whether it is going out of the firewall.

If traffic is reaching the firewall LAN interface but is not going out of the WAN interface, the firewall could be blocking the traffic.

To confirm this, run these commands:

# diag debug reset

# diag debug disable

# diag debug flow filter addr a.b.c.d
(where a.b.c.d is the website IP address)

# diag debug flow show function-name enable

# diag debug flow trace start 10000

# diag debug enable

Once the commands are entered, reload the website. Once the issue is reproduced, disable the debug by executing the following command:

# diag debug disable <----- To disable debug.

In the debug output above, observe which firewall policy the traffic is matching; if it does not match any policy, an error such as 'denied by forward policy check' is shown.

If this error is seen, create a firewall policy that matches the traffic.

Troubleshoot-3:

If the sniffer shows the traffic going out of the firewall but no reply packet comes back, it is probably an ISP issue.

Try connecting through a different ISP, or route the traffic via the second ISP using a policy route; refer to this article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-firewall-Policy-Routes/ta-...

This step isolates an issue caused by the ISP.
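As an added example (not part of the Fortinet article), the following Python script applies the decision tree from Troubleshoot-1 to Troubleshoot-3 to saved 'diag sniffer packet' and 'diag debug flow' output: it checks whether packets to the website IP entered and left the firewall, whether a reply came back, and whether the debug flow reported a policy denial. The sample lines, the website IP 198.51.100.10, the interface names port2/wan1 and the SNAT address 203.0.113.2 are constructed approximations of FortiOS output, not a real capture.

```python
import re

# Regexes for lines of 'diag sniffer packet any ... 4 0 a' (verbose 4, absolute timestamps)
# and of 'diag debug flow' output. Line formats follow FortiOS style; samples below are constructed.
SNIFF_RE = re.compile(r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) (?P<src>[\d.]+)\.\d+ -> (?P<dst>[\d.]+)\.\d+:")
FLOW_RE = re.compile(r'func=(?P<func>\S+) .*msg="(?P<msg>[^"]*)"')

def classify_sniffer(lines, site_ip):
    """Collect (interface, direction) pairs for packets sent to and received from the website IP."""
    to_site, from_site = set(), set()
    for line in lines:
        m = SNIFF_RE.match(line)
        if m and m["dst"] == site_ip:
            to_site.add((m["iface"], m["dir"]))
        elif m and m["src"] == site_ip:
            from_site.add((m["iface"], m["dir"]))
    return to_site, from_site

def policy_verdict(flow_lines):
    """Return the fw_forward_handler message (policy allow/deny verdict), or None if not present."""
    for line in flow_lines:
        m = FLOW_RE.search(line)
        if m and m["func"] == "fw_forward_handler":
            return m["msg"]
    return None

def diagnose(sniffer_lines, site_ip, flow_lines=()):
    """Apply the article's decision tree: client/DNS -> firewall policy -> ISP."""
    to_site, from_site = classify_sniffer(sniffer_lines, site_ip)
    if to_site and from_site:
        return "two-way"                  # firewall forwards and the site replies
    if not to_site:
        return "not-reaching-firewall"    # recheck client and DNS resolution (Troubleshoot-1)
    if not any(d == "out" for _, d in to_site):
        verdict = policy_verdict(flow_lines) or ""
        if verdict.lower().startswith("denied by forward policy check"):
            return "blocked-by-policy"    # create a matching firewall policy (Troubleshoot-2)
        return "stuck-in-firewall"        # capture diag debug flow to get the policy verdict
    return "no-reply-from-isp"            # packets left the WAN interface, nothing came back (Troubleshoot-3)

SITE = "198.51.100.10"  # constructed website IP; port2 = LAN, wan1 = WAN, 203.0.113.2 = SNAT address
SNIFF_IN_ONLY = ["2024-01-01 10:00:00.000100 port2 in 10.0.0.5.51234 -> 198.51.100.10.443: syn 1"]
SNIFF_OUT = SNIFF_IN_ONLY + ["2024-01-01 10:00:00.000200 wan1 out 203.0.113.2.51234 -> 198.51.100.10.443: syn 1"]
SNIFF_OK = SNIFF_OUT + ["2024-01-01 10:00:00.020000 wan1 in 198.51.100.10.443 -> 203.0.113.2.51234: syn 9 ack 2"]
FLOW_DENIED = ['id=20085 trace_id=7 func=fw_forward_handler line=990 msg="Denied by forward policy check (policy 0)"']

if __name__ == "__main__":
    for name, lines in [("in-only", SNIFF_IN_ONLY), ("out-no-reply", SNIFF_OUT), ("two-way", SNIFF_OK)]:
        print(name, "->", diagnose(lines, SITE, FLOW_DENIED))
```

Feed it the saved output of the sniffer and debug flow commands above; the returned label tells you which troubleshooting step applies next.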

 

These steps are important for website troubleshooting.

This article does not cover website blocking by the UTM filters.

It covers only the traffic flow for the website.
