FortiWeb
ddsouza_FTNT
Staff
Article Id 204403
Description This article describes steps to collect the logs needed for investigating Bot Detection related issues.
Scope For version 6.3 and above.
Solution

1) Debug output.

Open an SSH session to the FortiWeb and execute the following commands.

# diag deb reset
# diag deb timestamp enable
# diag debug flow filter http-detail 4
# diag deb flow filter flow-detail 4
# diag debug application bot-detection 7
# diag deb flow filter client-ip <client IP>
# diagnose debug flow filter server-ip <Virtual IP>
# diag debug info
# diag deb enable

 

2) Front end capture.

Log in to the GUI and go to System -> Network -> Packet Capture. Select the interface as <VIP interface>, Host IP/Netmask as the client IP, port as <port used in the virtual server>, and maximum packet count as 10000. Select 'Save', and then select the triangle button to run the capture.

Note.

If the client's IP address is source NATed along the path, make sure to define the source NAT IP as the client IP in both the debug and the capture.

3) Reproduce the problem.

 

Take a screenshot of the error seen on the client machine.

 

4) Stop the debug and capture.

 

After reproducing the problem, stop the debug and the capture.

To stop the debug, run the following commands.

# diag deb disable
# diag deb reset

 

5) Download the following files from the unit.


* Traffic logs.
* Event logs.
* Attack logs.
* Config file: go to System -> Backup & Restore, enable 'Include Machine Learning Data' and select Backup.

* ML Bot detection .dat file: go to Policy -> Server Policy, edit the Server Policy in question -> Machine Learning -> Bot detection -> Export.

Attach all the files when raising the ticket so TAC can review them.