FortiWeb
jcastellanos
Staff
Article Id 346983
Description This article describes how to investigate whether an empty return code is caused by a failure in the TLS negotiation.
Scope FortiWeb v7.4.x.
Solution

The empty return code could be interpreted as no response from the server:

 

1-returncode0.png

 

In some scenarios, the TLS negotiation between FortiWeb and the real server does not complete because of a TLS version mismatch. A packet capture between FortiWeb and the real server can help to see this error:

 

3-tls version.png

 

Confirm with the real server administrator which TLS versions the real server supports, and enable those versions in the server pool configuration. Go to Server Objects -> Server -> Server Pool -> SSL Connection Settings and adjust the TLS versions to those supported by the real server.


2-enable_tls_1.3.png

 

In another scenario, the real server could answer with an RST after the Client Hello sent by FortiWeb:

 

1-tls negotiation.png

 

The real server could host multiple domains; in that case, FortiWeb should forward the Server Name to the real server when it starts the TLS negotiation.

 

config server-policy server-pool
    edit "<server-pool_name>"
        config pserver-list
            edit <entry_index>
                set server-side-sni enable
            next
        end
    next
end

 

In the packet capture, the Server Name now appears in the Client Hello of the TLS negotiation between FortiWeb and the real server.

 

2-sni.png

 

For more information about the 'server-side-sni' setting, see Troubleshooting Tip: How to fix error 'ERR_EMPTY_RESPONSE'.

 

In another scenario, the admin may see an empty return code in the traffic logs, where the method was 'others'.

 

1-traffic log.png


The site may load, but the security features are not applied to the traffic.

 

Examine the Policy configuration and review the Services Configuration. The two may be reversed, as shown below:

 

2-servicios.png

 

To resolve the issue, ensure the HTTP service matches the HTTP port and the HTTPS service matches the HTTPS port.

 

Note:

A TLS negotiation failure is one of several reasons why FortiWeb shows an empty return code. Open a TAC ticket for further investigation if the TLS negotiation completes.

 

For an explanation of the mechanism of the FortiWeb traffic log, including the meaning of response code 0, see Technical Tip: Response Code 0 found in Traffic Log.