firewall : ldb-monitor
Use this command to configure health check settings.
Health check settings can be used by load balancing VIPs to determine if a real server is currently responsive before forwarding traffic. One health check is sent per interval using the specified protocol, port and HTTP-GET, where applicable to the protocol. If the server does not respond during the timeout period, the health check fails and, if retries are configured, another health check is performed. If all health checks fail, the server is deemed unavailable, and another real server is selected to receive the traffic according to the selected load balancing algorithm.
Health check settings can be re-used by multiple real servers. For details on enabling health checking and using configured health check settings, see firewall vip.
config firewall ldb-monitor
    edit <name_str>
        set http-get <httprequest_str>
        set http-match <contentmatch_str>
        set http-max-redirects <int>
        set interval <seconds_int>
        set port <port_int>
        set retry <retries_int>
        set timeout <seconds_int>
        set type {http | ping | tcp}
edit <name_str>
Enter the name of the health check monitor.
No default.
http-get <httprequest_str>
For HTTP health check monitors, add a URL that the FortiGate unit uses when sending a get request to check the health of an HTTP server. The URL should match an actual URL for the real HTTP servers. The URL is optional.
The URL would not usually include an IP address or domain name. Instead it should start with a / and be followed by the address of an actual web page on the real server. For example, if the IP address of the real server is, the URL /test_page.htm causes the FortiGate unit to send an HTTP get request to
This option appears only if type is http.
No default.
http-match <contentmatch_str>
For HTTP health check monitors, add a phrase that a real HTTP server should include in response to the get request sent by the FortiGate unit using the content of the http-get option. If the http-get URL returns a web page, the http-match option should exactly match some of the text on the web page. You can use the http-get and http-match options to verify that an HTTP server is actually operating correctly by responding to get requests with expected web pages. http-match is only required if you add an http-get URL.
For example, you can set http-match to “server test page” if the real HTTP server page defined by http-get contains the phrase server test page. When the FortiGate unit receives the web page in response to the URL get request, the system searches the content of the web page for the http-match phrase.
This option appears only if type is http.
No default.
http-max-redirects <int>
Enter the maximum number of HTTP redirects allowed. Range 0 to 5. This option is available when type is http.
interval <seconds_int>
Enter the interval time in seconds between health checks.
port <port_int>
Enter the port number used to perform the health check. If you set port to 0, the health check monitor uses the port defined in the real server. This way you can use a single health check monitor for different real servers.
This option does not appear if type is ping.
retry <retries_int>
Enter the number of times that the FortiGate unit should retry the health check if a health check fails. If all health checks, including retries, fail, the server is deemed unavailable.
timeout <seconds_int>
Enter the timeout in seconds. If the FortiGate unit does not receive a response to the health check in this period of time, the health check fails.
type {http | ping | tcp}
Select the protocol used by the health check monitor.
No default.
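The check-and-retry behaviour described in the introduction and in the http-get, http-match, http-max-redirects, timeout and retry entries, modeled as an added Python example (not Fortinet code). The function names, the sample server and its /moved path are constructed for illustration; treating any non-redirect reply as a response and an exceeded redirect limit as a failure are assumptions the page does not state.

```python
import http.client, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def http_check(host, port, http_get, http_match, timeout, max_redirects):
    """One health check: GET http_get, then search the body for http_match."""
    path = http_get or "/"
    for _ in range(max_redirects + 1):
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", path)
            resp = conn.getresponse()
            body = resp.read().decode("utf-8", "replace")
        except (OSError, http.client.HTTPException):
            return False  # no usable reply within the timeout: check fails
        finally:
            conn.close()
        if resp.status in (301, 302, 303, 307, 308):
            # Assumption: only the path of Location is followed, on the same server.
            path = urlsplit(resp.getheader("Location") or "/").path or "/"
            continue
        return not http_match or http_match in body
    return False  # assumption: more redirects than max_redirects is a failure

def server_available(check, retry):
    """First check plus up to `retry` retries; unavailable only if all fail."""
    return any(check() for _ in range(retry + 1))

class SampleHandler(BaseHTTPRequestHandler):
    """Constructed real server: /test_page.htm is healthy, /moved redirects to it."""
    def do_GET(self):
        if self.path == "/moved":
            self.send_response(302)
            self.send_header("Location", "/test_page.htm")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        page = b"<html>server test page</html>" if self.path == "/test_page.htm" else b"error"
        self.send_response(200)
        self.send_header("Content-Length", str(len(page)))
        self.end_headers()
        self.wfile.write(page)
    def log_message(self, *args):  # keep the demo quiet
        pass

def start_sample_server():
    srv = HTTPServer(("127.0.0.1", 0), SampleHandler)  # port 0: any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```

Running http_check against a real server's health page with the intended http-get and http-match values, before committing the monitor, shows whether the phrase actually appears in the response.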