Administration Guide

Troubleshooting your installation

If your FortiProxy does not function as desired after installation, try the following troubleshooting tips:

  1. Check for equipment issues

    Verify that all network equipment is powered on and operating as expected. Refer to the QuickStart Guide for information about connecting your FortiProxy to the network.

  2. Check the physical network connections

    Check the cables used for all physical connections to ensure that they are fully connected and do not appear damaged, and make sure that each cable connects to the correct device and the correct Ethernet port on that device.

  3. Verify that you can connect to the internal IP address of the FortiProxy

    Connect to the GUI from the FortiProxy’s internal interface by browsing to its IP address. From the PC, try to ping the internal interface IP address; for example, ping 192.168.1.99. If you cannot connect to the internal interface, verify the IP configuration of the PC. If you can ping the interface but cannot connect to the GUI, check the settings for administrative access on that interface. Alternatively, use SSH to connect to the CLI, and then confirm that HTTPS has been enabled for Administrative Access on the interface.

  4. Check the FortiProxy interface configurations

    Check the configuration of the FortiProxy interface connected to the internal network (under Network > Interfaces) and check that Addressing mode is set to the correct mode.

  5. Verify the static routing configuration

    Go to Network > Static Routes and verify that the default route is correct. Go to Monitor > Routing Monitor and verify that the default route appears in the list as a static route. Along with the default route, you should see two routes shown as Connected, one for each connected FortiProxy interface.

  6. Verify that you can connect to the Internet-facing interface’s IP address

    Ping the IP address of the Internet-facing interface of your FortiProxy. If you cannot connect to the interface, the FortiProxy is not allowing sessions from the internal interface to the Internet-facing interface. Verify that PING has been enabled for Administrative Access on the interface.

  7. Verify that you can connect to the gateway provided by your ISP

    Ping the default gateway IP address from a PC on the internal network. If you cannot reach the gateway, contact your ISP to verify that you are using the correct gateway.

  8. Verify that you can communicate from the FortiProxy to the Internet

    Access the FortiProxy CLI and use the command execute ping 8.8.8.8. You can also use the execute traceroute 8.8.8.8 command to troubleshoot connectivity to the Internet.

  9. Verify the DNS configurations of the FortiProxy and the PCs

    Check for DNS errors by pinging or using traceroute to connect to a domain name; for example: ping www.fortinet.com.

    If the name cannot be resolved, the FortiProxy or PC cannot connect to a DNS server and you should confirm that the DNS server IP addresses are present and correct.

  10. Confirm that the FortiProxy can connect to the FortiGuard network

    Once the FortiProxy is on your network, you should confirm that it can reach the FortiGuard network. First, check the Licenses widget to make sure that the status of all FortiGuard services matches the services that you have purchased. Go to System > FortiGuard, and, in the Filtering section, click Test Connectivity. After a few minutes, the GUI should indicate a successful connection. Verify that your FortiProxy can resolve and reach FortiGuard at service.fortiguard.net by pinging the domain name. If you can reach this service, you can then verify the connection to FortiGuard servers by running the command diagnose debug rating. This displays a list of FortiGuard IP gateways you can connect to, as well as the following information:

    • Weight: Based on the difference in time zone between the FortiProxy and this server
    • RTT: Return trip time
    • Flags: D (IP returned from DNS), I (Contract server contacted), T (being timed), F (failed)
    • TZ: Server time zone
    • Curr Lost: Current number of consecutive lost packets
    • Total Lost: Total number of lost packets

  11. Contact Fortinet Support for assistance

    If you require further assistance, visit the Fortinet Support website.
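
As an added example (not from Fortinet's guide), the Python below parses a server list of the kind step 10 describes and reports servers that carry the F flag or show lost packets. The sample output is constructed, and its column layout and the handling of a blank Flags column are assumptions; match the header names to what your FortiProxy prints.

```python
import re

# Flag meanings as listed in step 10 of the guide.
FLAG_MEANING = {"D": "IP returned from DNS", "I": "contract server contacted",
                "T": "being timed", "F": "failed"}

# Constructed sample, not captured from a device. Addresses are RFC 5737
# documentation ranges; the column layout is an assumption.
SAMPLE = """\
IP               Weight  RTT Flags  TZ  Curr Lost Total Lost
192.0.2.10            0   34 DI     -8          0          0
198.51.100.7         10  120 D      -5          0          3
203.0.113.21         30  310 F       0         12         40
203.0.113.40         20   95        -5          0          0
"""

def parse_server_list(text):
    """Return one dict per server row, keyed by the header's column names."""
    header, rows = None, []
    for line in text.splitlines():
        if line.lstrip().startswith("IP") and "Flags" in line:
            # Join the two-word column names so a whitespace split works.
            header = re.sub(r"(Curr|Total) Lost", r"\1Lost", line).split()
            continue
        cells = line.split()
        if header is None or not cells:
            continue
        if len(cells) == len(header) - 1:
            # Assumption: a row one cell short has an empty Flags column.
            cells.insert(header.index("Flags"), "")
        if len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows

def triage(rows):
    """Return (ip, reason) pairs for servers that need attention."""
    findings = []
    for r in rows:
        if "F" in r["Flags"]:
            findings.append((r["IP"], "flag F: " + FLAG_MEANING["F"]))
        elif int(r["CurrLost"]) > 0:
            findings.append((r["IP"], "losing packets now: " + r["CurrLost"]))
        elif int(r["TotalLost"]) > 0:
            findings.append((r["IP"], "past loss: " + r["TotalLost"]))
    return findings

if __name__ == "__main__":
    for ip, reason in triage(parse_server_list(SAMPLE)):
        print(ip, reason)
```

If every listed server is reported as failed, go back to steps 8 and 9 (Internet reachability and DNS) before assuming a FortiGuard problem.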
