Hi All,
I am having some issues with websites not rendering correctly behind a Fortigate 200D (5.0.7)
Basically the pages are screwed up with text over the top of other text and the layout of the page changing. I have attached an image of what I see for reference. The only features that are turned on on the Fortigate are, WiFi and Switch Controller and Web Filter. I have tried disabling the web filter and this made no difference.
I'm hoping someone else has seen this behaviour and knows of a fix
Thanks
Rob
Fortigates - FWF60D/FWF90D/FGT200D/FGT620B/FGT1000C FortiAPs -
FP221C/FP320C
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Robert.
I have seen something like this when certain page elements (e.g. style sheets, scripting) haven't fully loaded into the browser. In those cases the the fgt was allowing access to the main page but not to underlining page elements that were pulled from another site (which was blocked).
I suggest in your Web Filter Profile, play around with the "Allow Websites When a Ratings Error Occurs" and uncheck "rate URLS by domain and IP Address".
Even if you disabled the web filter on the Fortigate, the browser on the client computer may still be caching a copy of the page -- make sure you are clearing out the browser cache and/or forceing it to load a fresh copy of the page.
Also to fully troubleshoot this issue, make sure you are testing 2 or 3 browsers (IE, Google, Chrome, etc.) on at least two different computers. (I have also seen something similar to this happening on computers with a faulty NIC/switch/cable, etc.)
Edit: just remembered I have also seen this happening on PPPoE connections where the MTU value wasn't set low enough. But in those causes, it's usually the entire site wouldn't load.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Hi Robert.
I have seen something like this when certain page elements (e.g. style sheets, scripting) haven't fully loaded into the browser. In those cases the the fgt was allowing access to the main page but not to underlining page elements that were pulled from another site (which was blocked).
I suggest in your Web Filter Profile, play around with the "Allow Websites When a Ratings Error Occurs" and uncheck "rate URLS by domain and IP Address".
Even if you disabled the web filter on the Fortigate, the browser on the client computer may still be caching a copy of the page -- make sure you are clearing out the browser cache and/or forceing it to load a fresh copy of the page.
Also to fully troubleshoot this issue, make sure you are testing 2 or 3 browsers (IE, Google, Chrome, etc.) on at least two different computers. (I have also seen something similar to this happening on computers with a faulty NIC/switch/cable, etc.)
Edit: just remembered I have also seen this happening on PPPoE connections where the MTU value wasn't set low enough. But in those causes, it's usually the entire site wouldn't load.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
I agreed 100% and a 3rd party site testing tool will confirm page load times or failures
i.e
PCNSE
NSE
StrongSwan
Looks like mtu issue.
Can you confirm if you are able to ping from the test pc cmd:
ping -f -l 1472 4.2.2.2
If you get the response "packet needs to be fragmented but df bit is set" then your mtu is less that 1500.
To fix the problem you can do the following (Most optimum option on the top)
1) Check and find out where mtu is less and if possible fix it to max (can't do anything in case like dsl)
2) set the lower tcp mss in policy
3) If you want to use web filter and there is lesser mtu somewhere upstream then you have to reduce mtu on firewall wan link.
Hi All,
I have tried what Dave suggested in his post (Allow Websites When a Ratings Error Occurs and uncheck rate URLS by domain and IP Address) and by unchecking allow websites when rating error occurs seems to have fixed the issue (rate URLS by domain and IP Address) was already unchecked.
Thanks for all your help
Rob
Fortigates - FWF60D/FWF90D/FGT200D/FGT620B/FGT1000C FortiAPs -
FP221C/FP320C
Hi All,
I think i may have spoke too soon, the issue has returned.
The rendering issues are different in every web browser I have tried (IE, Chrome, Firefox).
I can successfully ping 4.2.2.2 with 1472 bytes of data.
Any more ideas would be welcome.
Thanks
Rob
Fortigates - FWF60D/FWF90D/FGT200D/FGT620B/FGT1000C FortiAPs -
FP221C/FP320C
I didn't think unchecking "Allow Websites When a Ratings Error Occurs" would have resolved this issue -- usually it's the other way around (e.g. checking it) that resolves most issues (with websites pulling information from different sources).
Perhaps it's best that we establish a base line or clarification so everyone is on the same page. Is this the first time setting up this 200D or has it already been setup and you are trying web filtering now? Does the problem happen on wifi connections too?
What type of ISP equipment is the 200D connected to? (xDSL modem/PPPoE connection?) It may be possible that there could be a duplex/speed mismatch. Perform a diag hardware deviceinfo nic <WAN interface> on the CLI and check for errors. You can force the duplex/speed on any given interface like so:
config system interface edit "<interface>" set speed {speed duplex} next exit
(Press ? after set Speed for list of speed/duplex settings that interface supports.)
If there are switch devices between your test machine and the Fortigate, try direct connecting your test machine to the the Fortigate. Try direct connecting your test machine or a laptop to the ISP equipment.
If everything appears fine and you have ruled out MTU as being the issue, review your configuration: make sure you have NAT enabled on your Internal->WAN firewall policies. Confirm/verify the WAN and routing information is correct. Look for improper subnet masks on address objects, wrong firewall object type (FQDN instead of IP address). etc. If this issue seems to only effect pages on HTTPS, check/confirm the time/date/timezone is correct on the Fortigate and your test machine.
Perhaps you should just upgrade the firmware on the 200D?
Maybe run sniffer...
diag debug reset diag debug flow filter addr <IP address> diag debug flow filter proto 6 diag debug flow filter port 80 diag debug flow show console enable diag debug flow trace start 1000 diag debug en
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Hi All,
The 200D has been setup for quite some time now, we have noticed site not rendering correctly in the past but haven't bothered with it as they were non work related sites. eg. ebay.com.au
Now work related stuff is affected we need to sort it out.
The WAN interface of the 200D is connected to a Cisco 2950 which is connected to a MPLS.
The LAN interface connects to a HP Procurve 5412ZL switch which has LACP trunks to other 5412ZL switches throughout our office. There are no errors appearing on diag hardware deviceinfo nic wan1:
melfw01 # diag hardware deviceinfo nic wan1 Driver Name :Fortinet NP4Lite Driver Version :1.0.1 Admin :up Status :up Speed :1000 Duplex :Full Host Rx Pkts :4070794614 Host Rx Bytes :4325252747491 Host Tx Pkts :3305057242 Host Tx Bytes :509932902404 Rx Pkts :414342 Rx Bytes :237472037 Tx Pkts :375623 Tx Bytes :185371195 rx_buffer_len :2048 Hidden :No cmd_in_list : 0 promiscuous : 1
I haven't tried connecting directly to the firewall with a test machine as of yet.
NAT is not enabled between Internal -> WAN as it breaks networking with certain devices in our office, however in the past i have tried enabling it and it made no difference. WAN info and routing is Correct and address objects are good to.
Thanks
Rob
Fortigates - FWF60D/FWF90D/FGT200D/FGT620B/FGT1000C FortiAPs -
FP221C/FP320C
I don't think this is a lower layer issues. Since you say it's websites, have you any trending?
i.e
> it's http or https
> it's repeatable
> it's only during certain time
> is it window linux or macosx or all types and devices
Next, do you have any IPS sensors ?, have the MPLS provider made changes > Do you have any ping lost?
PCNSE
NSE
StrongSwan
seems to be HTTP as I haven't found a HTTPS site that doesn't render poorly.
It seemed to come good yesterday morning then it went back to the way it was in the afternoon.
We aren't using any IPS sensors and Network provider hasn't made any changes, no ping lost.
I have just tested on WiFi which is using WPA2 Enterprise Authentication and it seems to render correctly.
The only difference between the two networks policies is IP Address assignment, and the Policy for WiFi => WAN1 has NAT enabled.
Thanks
Fortigates - FWF60D/FWF90D/FGT200D/FGT620B/FGT1000C FortiAPs -
FP221C/FP320C
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1713 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.