config system health-check
Use this command to create health check configuration objects.
In server load balancing deployments, the system uses health checks to poll the members of the real server pool to test whether an application is available. You can also configure additional health checks to poll related servers, and you can include results for both in the health check rule. For example, you can configure an HTTP health check test and a RADIUS health check test. In a web application that requires user authentication, the web server is deemed available only if the web server and the related RADIUS server pass the health check.
In link load balancing deployments, the health check can poll either the ISP link group member itself or a “beacon” server that is deployed on the other side of the ISP link. A beacon is an IP address that must be reachable in order for the link to be deemed available. A beacon can be any IP address, such as a main office, core router, or virtual server at another data center.
If a pool member fails a health check and retries also fail, it is deemed unavailable. The ADC does not send it connections until it is deemed available.
 
If you expect a backend server is going to be unavailable for a long period, such as when it is undergoing hardware repair, it is experiencing extended down time, or when you have removed it from the server farm, you can improve the performance of the FortiADC system by setting the status of the pool member to Disabled, rather than allowing the system to continue to attempt health checks.
Table 18 describes the predefined health checks. You can get started with these or create custom objects.
Table 18: Predefined health check configuration objects
Predefined             Description
LB_HLTHCK_HTTP         Sends a HEAD request to server port 80. Expects the server to return an HTTP 200.
LB_HLTHCK_HTTPS        Sends a HEAD request to server port 443. Expects the server to return an HTTP 200.
LB_HLTHCK_ICMP         Pings the server.
LB_HLTHCK_TCP_ECHO     Sends a TCP echo to server port 7. Expects the server to respond with the corresponding TCP echo.
Before you begin:
You must have a good understanding of TCP/IP and knowledge of the services running on your backend servers.
You must know the IP address, port, and configuration details for the applications running on backend servers. For some application protocol checks, you must specify user credentials.
You must have read-write permission for load balancing settings.
After you have configured a health check, you can select it in the server load balancing real server configuration or in the link load balancing gateway link configuration.
Syntax
config system health-check
edit <name>
set type {dns | ftp | http | https | icmp | imap4 | l2-detection | pop3 | radacct | radius | smtp | snmp | ssh | tcp | tcp-echo | tcphalf | tcpssl}
set dest-addr { }
set dest-addr-type {ipv4|ipv6}
set interval <integer>
set retry <integer>
set timeout <integer>
set up-retry <integer>
set addr-type {ipv4|ipv6}
set domain-name <string>
set host-addr <class_ip>
set port <integer>
set file <string>
set passive {enable|disable}
set username <string>
set password <passwd>
set method-type {http_get | http_head}
set match-type {match_all | match_status | match_string}
set send-string <string>
set receive-string <string>
set status-code <integer>
set http-connect {local_connect|no_connect|remote_connect}
set remote-host <string>
set remote-port <integer>
set nas-ip <string>
set password-type {user-password | chap-password}
set secret-key <string>
set folder <string>
set agent-type {UCD|WIN2000}
set community <string>
set cpu <integer>
set disk <integer>
set mem <integer>
set version {v1|v2c}
next
end
Table 19: Health check configuration
Settings
Guidelines
General
<name>
Configuration name. No spaces or special characters.
After you initially save the configuration, you cannot edit the name.
type
Specify the health check type. After you have specified the type, the CLI offers only the settings that apply to that type, not all of the settings described in this table.
dest-addr
Optional. If no destination IP address is specified, the real server health check is sent to the real server IP address and the gateway link health check is sent to the ISP link IP address. If you are creating rules that test related servers or a test to a “beacon” server, specify the destination IP address. If testing an HTTP proxy, specify the proxy address, not the remote server address.
dest-addr-type
IPv4 or IPv6.
interval
Seconds between each health check. Should be greater than the timeout to prevent overlapping health checks. The default is 10.
retry
Attempts to retry the health check to confirm availability. The default is 1.
timeout
Seconds to wait for a reply before assuming that the health check has failed. The default is 5.
up-retry
Attempts to retry the health check to confirm availability. The default is 1.
ICMP
No specific options
Simple ping to test connectivity.
TCP / TCP Half Open / TCP SSL
port
Listening port number of the backend server. Usually HTTP is 80, FTP is 21, DNS is 53, POP3 is 110, IMAP4 is 143, RADIUS is 1812, and SNMP is 161 or 162.
HTTP/HTTPS
port
Listening port number of the backend server. Usually HTTP is 80. If testing an HTTP proxy server, specify the proxy port.
method-type
HTTP method for the test traffic:
HTTP GET—Send an HTTP GET request to the server. A response to an HTTP GET request includes HTTP headers and HTTP body.
HTTP HEAD—Send an HTTP HEAD request. A response to an HTTP HEAD request includes HTTP headers only.
send-string
The request URL, such as /contact.php.
receive-string
A string expected in return when the HTTP GET request is successful.
status-code
The health check sends an HTTP request to the server. Specify the HTTP status code in the server reply that indicates a successful test. Typically, you use status code 200 (OK). Other status codes indicate errors.
match-type
What determines a failed health check?
Match String
Match Status
Match All (match both string and status)
Not applicable when using HTTP HEAD. HTTP HEAD requests test status code only.
http-connect
If the real server pool members are HTTP proxy servers, specify an HTTP CONNECT option.
local_connect—Use HTTP CONNECT to test the tunnel connection through the proxy to the remote server. The member is deemed available if the request returns status code 200 (OK).
remote_connect—Use HTTP CONNECT to test both the proxy server response and remote server application availability. If you select this option, you can configure an HTTP request within the tunnel. For example, you can configure an HTTP GET/HEAD request to the specified URL and the expected response.
no_connect—Do not use the HTTP CONNECT method. This option is the default. The HTTP CONNECT option is useful to test the availability of proxy servers only.
remote-host
If you use HTTP CONNECT to test proxy servers, specify the remote server IP address.
remote-port
If you use HTTP CONNECT to test proxy servers, specify the remote server port.
DNS
port
Listening port number of the backend server. Usually DNS is 53.
addr-type
IPv4 or IPv6.
domain-name
The FQDN, such as www.example.com, to use in the DNS A/AAAA record health check.
host-addr
IP address that matches the FQDN, indicating a successful DNS health check.
RADIUS / RADIUS Accounting
port
Listening port number of the backend server. Usually RADIUS is 1812 and RADIUS accounting is 1813.
nas-ip
NAS IP address.
username
User name of an account on the backend server.
password
The corresponding password.
password-type
User—If the backend server does not use CHAP, select this option.
CHAP—If the backend server uses CHAP and does not require a secret key, select this option.
secret-key
The secret set on the backend server.
SMTP
port
Listening port number of the backend server. Usually SMTP is 25.
domain-name
The FQDN, such as www.example.com, to use in the SMTP health check.
POP3
port
Listening port number of the backend server. Usually POP3 is 110.
username
User name of an account on the backend server.
password
The corresponding password.
IMAP4
port
Listening port number of the backend server. Usually IMAP4 is 143.
username
User name of an account on the backend server.
password
The corresponding password.
folder
Specify a mail folder name. The default is INBOX.
FTP
port
Listening port number of the backend server. Usually FTP is 21.
username
User name of an account on the backend server.
password
The corresponding password.
file
Specify a file that exists on the backend server. Path is relative to the initial login path. If the file does not exist or is not accessible, the health check fails.
passive
Select this option if the backend server uses passive FTP.
SNMP
port
Listening port number of the backend server. Usually SNMP is 161.
agent-type
UCD or Windows 2000.
community
The SNMP community string set on the backend server. If this does not match, and the appliance is not configured as an SNMP manager for the backend server, all health checks fail.
cpu
Maximum normal CPU usage. If overburdened, the health check fails.
disk
Maximum normal disk usage. If the disk is too full, the health check fails.
mem
Maximum normal RAM usage. If overburdened, the health check fails.
version
SNMP v1 or v2c.
SSH
port
Listening port number of the backend server. Usually SSH is 22.
username
Username for test login.
password
Corresponding password.
L2 Detection
No specific options
Link Layer health checker. Sends ARP (IPv4) or NDP (IPv6) packets to test whether a physically connected system is available.
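The following is an added example, not FortiADC code, that models how the HTTP/HTTPS settings in Table 19 (method-type, send-string, receive-string, status-code, match-type) decide whether one probe passes, and how the retry and up-retry counts move a pool member between available and unavailable. The HTTP responses are constructed inline; the HTTP CONNECT proxy options are not modeled, and the reading of up-retry as "consecutive passes needed before a down member is deemed available" is an assumption.

```python
# Added example (not FortiADC code): HTTP health-check evaluation; responses are constructed bytes.
from dataclasses import dataclass


@dataclass
class HttpHealthCheck:
    method_type: str = "http_head"      # http_get | http_head
    match_type: str = "match_status"    # match_all | match_status | match_string
    send_string: str = "/"              # request URL, e.g. /contact.php
    receive_string: str = ""            # substring expected in a GET body
    status_code: int = 200              # status that indicates success
    retry: int = 1                      # retries after a failure before "down"
    up_retry: int = 1                   # retries after a pass before "up" (assumed)

    def build_request(self, host: str) -> bytes:
        method = "GET" if self.method_type == "http_get" else "HEAD"
        return (f"{method} {self.send_string} HTTP/1.1\r\n"
                f"Host: {host}\r\nConnection: close\r\n\r\n").encode()

    def evaluate(self, raw_response: bytes) -> bool:
        """Apply match-type to one raw HTTP response; False on malformed input."""
        head, _, body = raw_response.partition(b"\r\n\r\n")
        parts = head.split(b"\r\n", 1)[0].split()
        if len(parts) < 2 or not parts[1].isdigit():
            return False                # no parsable status line: treat as failed
        status_ok = int(parts[1]) == self.status_code
        if self.method_type == "http_head":
            return status_ok            # HEAD replies carry no body: status only
        string_ok = bool(self.receive_string) and self.receive_string.encode() in body
        if self.match_type == "match_status":
            return status_ok
        if self.match_type == "match_string":
            return string_ok
        return status_ok and string_ok  # match_all


class MemberState:
    def __init__(self, check: HttpHealthCheck) -> None:
        self.check, self.available, self.fails, self.passes = check, True, 0, 0

    def record(self, passed: bool) -> bool:
        """Feed one probe result; returns whether the member is deemed available."""
        if passed:
            self.fails, self.passes = 0, self.passes + 1
            if not self.available and self.passes > self.check.up_retry:
                self.available, self.passes = True, 0
        else:
            self.passes, self.fails = 0, self.fails + 1
            if self.available and self.fails > self.check.retry:
                self.available, self.fails = False, 0
        return self.available
```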
Example
The following is an example of an SNMP health check:
FortiADC-VM # config system health-check
 
FortiADC-VM (health-check) # edit lb-health-check
Add new entry 'lb-health-check' for node 2763
 
FortiADC-VM (lb-health-check) # set type ?
dns dns
ftp ftp
http http
https https
icmp icmp
imap4 imap4
l2-detection l2-detection
pop3 pop3
radacct radacct
radius radius
smtp smtp
snmp snmp
ssh ssh
tcp tcp
tcp-echo tcp-echo
tcphalf tcphalf
tcpssl tcpssl
 
FortiADC-VM (lb-health-check) # set type snmp
 
FortiADC-VM (lb-health-check) # get
type : snmp
interval : 10
timeout : 5
retry : 1
up-retry : 1
port : 0
dest-addr-type : ipv4
dest-addr : 0.0.0.0
cpu : 96
mem : 96
disk : 96
agent-type : UCD
community :
version : v1
 
FortiADC-VM (lb-health-check) # set community company-string
FortiADC-VM (lb-health-check) # set port 161
FortiADC-VM (lb-health-check) # set cpu 50
FortiADC-VM (lb-health-check) # set mem 50
FortiADC-VM (lb-health-check) # set disk 50
FortiADC-VM (lb-health-check) # set version v2c
 
FortiADC-VM (lb-health-check) # get
type : snmp
interval : 10
timeout : 5
retry : 1
up-retry : 1
port : 161
dest-addr-type : ipv4
dest-addr : 0.0.0.0
cpu : 50
mem : 50
disk : 50
agent-type : UCD
community : company-string
version : v2c
 
FortiADC-VM (lb-health-check) # end
FortiADC-VM # config system health-check
The following is an example of an HTTP health check for HTTP proxy servers:
FortiADC-VM # config system health-check
FortiADC-VM (health-check) # edit HTTP-CONNECT-TEST
Add new entry 'HTTP-CONNECT-TEST' for node 2763
 
FortiADC-VM (HTTP-CONNECT-T~S) # set type http
FortiADC-VM (HTTP-CONNECT-T~S) # set http-connect remote_connect
 
FortiADC-VM (HTTP-CONNECT-T~S) # get
type : http
interval : 10
timeout : 5
retry : 1
up-retry : 1
port : 0
dest-addr-type : ipv4
dest-addr : 0.0.0.0
method-type : http_head
send-string : /
status-code : 200
http-connect : remote_connect
remote-host :
remote-port : 0
 
FortiADC-VM (HTTP-CONNECT-T~S) # set remote-host 10.1.1.1
FortiADC-VM (HTTP-CONNECT-T~S) # set remote-port 113
FortiADC-VM (HTTP-CONNECT-T~S) # set send-string /myapp/index.html
FortiADC-VM (HTTP-CONNECT-T~S) # end
FortiADC-VM #