Administration Guide

Error codes displayed when visiting server policy

FortiWeb has some predefined web pages with error codes that it returns in place of HTML pages.

To check the details, go to System > Config > Replacement Message and click the Predefined or User Defined items.

Error code 503 (Server Unavailable)

Possible causes

  1. Server Health Check is ON while the back-end server status is Down.
  2. Server Health Check is OFF and the back-end server status is Down.
  3. replacemsg-on-connect-failure is enabled and the back-end server status is unstable. In this situation the health check still reports UP while connections to the back-end server may fail.

    Please note that the predefined HTTP health check (HC) is set with Interval 10, Timeout 3, and Retry_Times 3, so the back-end server status may change from UP to Down in 23 seconds (the first HC starts just when the back-end server goes down) or 30 seconds (the back-end server goes down just after the previous HC succeeds).

    config server-policy policy
      edit "1"
        set replacemsg-on-connect-failure enable
        set tcp-conn-timeout 10
      next
    end

  4. The server policy uses content routing without a default set, and no content route is matched.

Troubleshooting methods

  1. How to judge whether the error code 503 is returned by the back-end server or by FortiWeb?

    The Response Bytes value in the traffic log is usually larger than 1K when the response comes from FortiWeb. This is a simple (but not always correct) way to judge when you cannot see the response page.

  2. Disable replacemsg-on-connect-failure

    If this option is enabled, when the health check is disabled and the back-end server is not responsive, FortiWeb will send the 503 error code to the client.

    When it is enabled, you should also configure tcp-conn-timeout to specify the timeout value. When the health check is disabled and the back-end server is not responsive, FortiWeb will wait for the specified time before it sends the 503 error code.

    config server-policy policy
      edit "1270571790_api_test_com"
        set replacemsg-on-connect-failure disable
      next
    end

  3. Remove the web protection profile or modules included in the server policy.
  4. Bypass WAF functions:

    config server-policy policy
      edit "1270571790_api_test_com"
        set noparse enable
      next
    end

    Please note: do not enable noparse on content routing, otherwise content routing will not work.
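
The Response Bytes heuristic from troubleshooting method 1, applied to exported traffic log lines. This is an added example, not Fortinet code; the field names `http_retcode`, `http_response_bytes` and `policy`, the reading of 1K as 1024 bytes, and the sample log lines are assumptions to adjust to your own log export.

```python
import re
from collections import Counter

# Assumed field names; adjust to match the traffic log export in use.
STATUS_FIELD = "http_retcode"
BYTES_FIELD = "http_response_bytes"
POLICY_FIELD = "policy"
ONE_K = 1024  # "1K" from the guide, read here as 1024 bytes (assumption)

# key=value pairs, where the value is either "quoted" or a bare token
PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in PAIR_RE.findall(line)}

def classify_503(record):
    """Return 'fortiweb', 'backend', 'unknown', or None if not a 503."""
    if record.get(STATUS_FIELD) != "503":
        return None
    try:
        size = int(record[BYTES_FIELD])
    except (KeyError, ValueError):
        return "unknown"  # size missing or malformed: heuristic not usable
    # The guide says "larger than 1K", so exactly 1024 counts as back-end.
    return "fortiweb" if size > ONE_K else "backend"

def triage(lines):
    """Count likely 503 origins per server policy."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        origin = classify_503(rec)
        if origin:
            counts[(rec.get(POLICY_FIELD, "?"), origin)] += 1
    return counts

# Constructed sample lines (not real device output)
SAMPLE = [
    'type=traffic policy="1270571790_api_test_com" http_retcode=503 http_response_bytes=2713',
    'type=traffic policy="1270571790_api_test_com" http_retcode=503 http_response_bytes=312',
    'type=traffic policy="1" http_retcode=200 http_response_bytes=5120',
    'type=traffic policy="1" http_retcode=503 http_response_bytes=-',
]

if __name__ == "__main__":
    for (policy, origin), n in sorted(triage(SAMPLE).items()):
        print(f"{policy}: {n} x 503, likely origin: {origin}")
```

As the guide says, the size check is not always correct, so treat the result as a pointer to which policies to examine first.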

Error code 500 (Internal Server Error)

  1. This error is returned when the visit is recognized as an attack and denied by WAF modules.
  2. Sometimes WAF features fail to process the traffic flow, for example, when a rewrite/redirect rule is configured but fails to handle the request correctly. In that case FortiWeb will respond with 500. In this situation, please collect diagnose debug flow logs for further analysis.
