config system health-check
Use this command to create health check configuration objects.
In server load balancing deployments, the system uses health checks to poll the members of the real server pool to test whether an application is available. You can also configure additional health checks to poll related servers, and you can include results for both in the health check rule. For example, you can configure an HTTP health check test and a RADIUS health check test. In a web application that requires user authentication, the web server is deemed available only if the web server and the related RADIUS server pass the health check.
In link load balancing deployments, the health check can poll either the ISP link group member itself or a “beacon” server that is deployed on the other side of the ISP link. A beacon is an IP address that must be reachable in order for the link to be deemed available. A beacon can be any IP address, such as a main office, core router, or virtual server at another data center.
If a pool member fails a health check and retries also fail, it is deemed unavailable. The ADC does not send it connections until it is deemed available.
If you expect a backend server to be unavailable for a long period, for example because it is undergoing hardware repair, is experiencing extended downtime, or has been removed from the server farm, you can improve the performance of the FortiADC system by setting the status of the pool member to Disabled rather than allowing the system to keep attempting health checks against it.
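The down/up behaviour described in the two paragraphs above, modelled as an added example in Python. This is written for this page and is not FortiADC code. It uses the interval, timeout, retry and up-retry settings (defined in the settings table with their listed defaults) and assumes, because the page does not state it explicitly, that the initial probe does not count as one of the retries, that an answer arriving after the timeout is a failure, and that a Disabled member is neither probed nor offered connections.

```python
"""Model of the availability state machine described above.

Added example for this page, not FortiADC code. Assumed semantics: a member is
deemed unavailable only after the initial probe and `retry` further probes all
fail; a member that was unavailable is deemed available again only after the
initial probe and `up_retry` further probes all succeed; a probe that answers
after more than `timeout` seconds counts as a failure; a member set to Disabled
is never probed and never receives connections.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class HealthCheck:
    """Timing parameters; the defaults are the ones the settings table lists."""
    interval: int = 10
    timeout: int = 5
    retry: int = 1
    up_retry: int = 1

    def __post_init__(self) -> None:
        # The page requires interval > timeout so consecutive probes never overlap.
        if self.interval <= self.timeout:
            raise ValueError("interval must be greater than timeout")


# A probe reports (answered, seconds_taken). Real probes talk to the network;
# the simulation below feeds constructed outcomes instead.
Probe = Callable[[], Tuple[bool, float]]


@dataclass
class Member:
    name: str
    check: HealthCheck
    disabled: bool = False
    available: bool = True            # pool members start in service
    fail_streak: int = 0
    ok_streak: int = 0
    transitions: List[str] = field(default_factory=list)

    def run_check(self, probe: Probe) -> bool:
        """Run one scheduled check; return whether the member may receive connections."""
        if self.disabled:
            return False                  # skipped entirely: no probe, no connections
        answered, took = probe()
        passed = answered and took <= self.check.timeout
        if passed:
            self.ok_streak, self.fail_streak = self.ok_streak + 1, 0
        else:
            self.fail_streak, self.ok_streak = self.fail_streak + 1, 0
        if self.available and self.fail_streak > self.check.retry:
            self.available = False        # initial failure + `retry` failed retries
            self.transitions.append("DOWN")
        elif not self.available and self.ok_streak > self.check.up_retry:
            self.available = True         # initial success + `up_retry` confirmations
            self.transitions.append("UP")
        return self.available


def simulate(outcomes: List[Tuple[bool, float]], check: HealthCheck) -> List[bool]:
    """Feed a constructed probe sequence through one member; return availability after each."""
    member = Member("web1", check)
    it = iter(outcomes)
    return [member.run_check(lambda: next(it)) for _ in outcomes]


# Constructed probe outcomes: two good answers, one answer that arrives after
# the 5 s timeout, two non-answers, then three good answers.
SAMPLE_OUTCOMES = [(True, 0.1), (True, 0.2), (True, 6.0), (False, 5.0),
                   (False, 5.0), (True, 0.1), (True, 0.1), (True, 0.1)]

if __name__ == "__main__":
    print(simulate(SAMPLE_OUTCOMES, HealthCheck()))
```

With the defaults (retry 1, up-retry 1) the member is pulled from the pool on the second consecutive failure, not the first, and returns on the second consecutive success; lowering both to 0 makes the pool react one interval sooner in each direction at the cost of flapping on a single lost packet.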
Table 21 describes the predefined health checks. You can get started with these or create custom objects.

Predefined | Description
---|---
LB_HLTHCK_HTTP | Sends a HEAD request to server port 80. Expects the server to return HTTP status 200.
LB_HLTHCK_HTTPS | Sends a HEAD request to server port 443. Expects the server to return HTTP status 200.
LB_HLTHCK_ICMP | Pings the server.
LB_HLTHCK_TCP_ECHO | Sends a TCP echo to server port 7. Expects the server to respond with the corresponding TCP echo.

Before you begin:
- You must have a good understanding of TCP/IP and knowledge of the services running on your backend servers.
- You must know the IP address, port, and configuration details for the applications running on backend servers. For some application protocol checks, you must specify user credentials.
- For checks that log in (FTP, POP3, IMAP4, SSH, RADIUS, MSSQL, MySQL, Oracle), use a dedicated account with the minimum privilege the check needs: the credentials are stored in the health check object and are sent to every pool member on every interval.
- You must have read-write permission for load balancing settings.

After you have configured a health check, you can select it in the server load balancing real server configuration or in the link load balancing gateway link configuration.
Syntax
```
config system health-check
  edit <name>
    set type {dns | ftp | http | https | icmp | imap4 | l2-detection | mssql | pop3 | radacct | radius | sip | sip-tcp | smtp | snmp | snmp-custom | ssh | tcp | tcp-echo | tcphalf | tcpssl | udp | mysql | oracle | script}
    set connect-data-type {service_name | sid | connect_string}
    set service_name <string>
    set sid <string>
    set script <datasource>
    set connect-string <string>
    set oracle-send-string <string>
    set oracle-receive-string <string>
    set row <integer>
    set column <integer>
    set dest-addr <class_ip>
    set dest-addr-type {ipv4 | ipv6}
    set hostname <string>
    set interval <integer>
    set retry <integer>
    set timeout <integer>
    set up-retry <integer>
    set addr-type {ipv4 | ipv6}
    set domain-name <string>
    set host-addr <class_ip>
    set port <integer>
    set file <string>
    set passive {enable | disable}
    set username <string>
    set password <passwd>
    set database <database name>
    set method-type {http_get | http_head}
    set match-type {match_all | match_status | match_string}
    set send-string <string>
    set receive-string <string>
    set status-code <integer>
    set http-connect {local_connect | no_connect | remote_connect}
    set remote-host <string>
    set remote-port <integer>
    set nas-ip <string>
    set password-type {user-password | chap-password}
    set secret-key <string>
    set sip-request-type {register | options}
    set folder <string>
    set agent-type {UCD | WIN2000}
    set community <string>
    set cpu <integer>
    set disk <integer>
    set mem <integer>
    set version {v1 | v2c}
    set oid <string>
    set value-type {ASN_COUNTER | ASN_INTEGER | ASN_OBJECT_ID | ASN_OCTET_STR | ASN_UINTEGER}
    set http-version {http_1.0 | http_1.1}
    set additional-string <additional string for http header content>
    set mssql-send-string <sql statement>
    set mssql-receive-string <response>
  next
end
```

Settings | Guidelines
---|---
General |
<name> | Configuration name. No spaces or special characters. After you initially save the configuration, you cannot edit the name.
type | Specify the health check type. After you have specified the type, the CLI commands are constrained to the ones that are applicable to the specified type, not all of the settings described in this table.
dest-addr | Optional. If no destination IP address is specified, the real server health check is sent to the real server IP address and the gateway link health check is sent to the ISP link IP address. If you are creating rules that test related servers or a test to a "beacon" server, specify the destination IP address. If testing an HTTP proxy, specify the proxy address, not the remote server address.
dest-addr-type | IPv4 or IPv6.
hostname | For HTTP or HTTPS health checks, you can specify the hostname (FQDN) instead of the destination IP address. This is useful in VM environments where multiple applications share the same IP address (name-based virtual hosts).
interval | Seconds between each health check. Must be greater than the timeout to prevent overlapping health checks. The default is 10.
retry | Number of times a failed health check is retried before the member is deemed unavailable. The default is 1.
timeout | Seconds to wait for a reply before assuming that the health check has failed. The default is 5.
up-retry | Number of additional consecutive successful checks required to confirm availability before a member that was deemed unavailable is returned to service. The default is 1.
ICMP |
No specific options | Simple ping to test connectivity.
TCP / TCP Half Open / TCP SSL / UDP |
port | Listening port number of the backend server. Usually HTTP is 80, FTP is 21, DNS is 53, POP3 is 110, IMAP4 is 143, RADIUS is 1812, and SNMP is 161 (162 is the trap receiver port, not a listener you would normally probe).
HTTP/HTTPS |
port | Listening port number of the backend server. Usually HTTP is 80. If testing an HTTP proxy server, specify the proxy port.
method-type | HTTP method for the test traffic: http_get or http_head.
send-string | The request URL, such as /contact.php.
receive-string | A string expected in the response when the HTTP GET request is successful.
status-code | The health check sends an HTTP request to the server. Specify the HTTP status code in the server reply that indicates a successful test. Typically, you use status code 200 (OK). Other status codes indicate errors.
match-type | Determines what must match for the check to pass: match_status (status code only), match_string (receive string only), or match_all (both). Not applicable when using HTTP HEAD; HEAD requests test the status code only.
http-connect | If the real server pool members are HTTP proxy servers, specify an HTTP CONNECT option: local_connect, no_connect, or remote_connect. With remote_connect, also set remote-host and remote-port. See the FortiADC Deployment Guide for FortiCache for an example that uses this health check.
http-version | HTTP version used in the request: http_1.0 or http_1.1.
additional-string | Additional string to attach to the HTTP request header.
remote-host | If you use HTTP CONNECT to test proxy servers, specify the remote server IP address.
remote-port | If you use HTTP CONNECT to test proxy servers, specify the remote server port.
DNS |
addr-type | IPv4 or IPv6.
domain-name | The FQDN, such as www.example.com, to use in the DNS A/AAAA record health check.
host-addr | IP address that matches the FQDN, indicating a successful DNS health check.
RADIUS / RADIUS Accounting |
port | Listening port number of the backend server. Usually RADIUS is 1812 and RADIUS accounting is 1813.
nas-ip | NAS IP address.
username | User name of an account on the backend server.
password | The corresponding password.
password-type | RADIUS attribute used to carry the password: user-password (PAP) or chap-password (CHAP).
secret-key | The shared secret set on the backend server.
SIP / SIP-TCP |
sip-request-type | SIP request type to be used for health checks: register or options.
status-code | The expected response code. If not set, response code 200 is expected. Specify 0 if any reply should indicate the server is available.
SMTP |
port | Listening port number of the backend server. Usually SMTP is 25.
domain-name | The FQDN, such as www.example.com, to use in the SMTP health check.
POP3 |
port | Listening port number of the backend server. Usually POP3 is 110.
username | User name of an account on the backend server.
password | The corresponding password.
IMAP4 |
port | Listening port number of the backend server. Usually IMAP4 is 143.
username | User name of an account on the backend server.
password | The corresponding password.
folder | Specify a mail folder name. The default is INBOX.
FTP |
port | Listening port number of the backend server. Usually FTP is 21.
username | User name of an account on the backend server.
password | The corresponding password.
file | Specify a file that exists on the backend server. The path is relative to the initial login path. If the file does not exist or is not accessible, the health check fails.
passive | Select this option if the backend server uses passive FTP.
SNMP |
port | Listening port number of the backend server. Usually SNMP is 161.
agent-type | UCD or Windows 2000.
community | Must match the SNMP community string set on the backend server. If this does not match, all SNMP health checks fail. With v1 and v2c the community string travels in cleartext, so treat it as a credential: use a read-only community dedicated to the health check, not the agent's write community.
cpu | Maximum normal CPU usage. If overburdened, the health check fails.
disk | Maximum normal disk usage. If the disk is too full, the health check fails.
mem | Maximum normal RAM usage. If overburdened, the health check fails.
version | SNMP v1 or v2c.
SNMP-Custom |
community, version | As for SNMP.
oid | String specifying the OID to query.
value-type | Abstract syntax notation (ASN) value type of the queried object: ASN_COUNTER, ASN_INTEGER, ASN_OBJECT_ID, ASN_OCTET_STR, or ASN_UINTEGER.
compare-type | Comparison applied between the queried value and counter-value (for example, greater, as in the snmp-custom example at the end of this page).
counter-value | Specify the value for the evaluation.
SSH |
port | Listening port number of the backend server. Usually SSH is 22.
username | Username for the test login.
password | Corresponding password.
L2 Detection |
No specific options | Link-layer health check. Sends ARP (IPv4) or NDP (IPv6) requests to test whether a directly connected system is reachable.
MSSQL |
port | If not configured, the port of the real server pool member is used.
username | Specify the username of the MSSQL database.
password | Specify the password of the MSSQL database.
database | Specify the name of the MSSQL database. Length range: 0 to 128 characters.
mssql-send-string | SQL statement (command) sent to the MSSQL server.
mssql-receive-string | The string you expect to receive.
row | Row of the query result that is compared with the receive string.
column | Column of the query result that is compared with the receive string.
MySQL |
username | Specify the user name of the MySQL database.
password | Specify the password corresponding to the MySQL database user name.
dest-addr | Specify the IP address of the MySQL database server.
port | Listening port number of the backend server.
Oracle |
port | Listening port number of the Oracle Database server.
username | Specify the database username.
password | Specify the database password.
connect-type (connect-data-type in the Syntax section above) | Select one of the following: service_name, sid, or connect_string. Which one to use depends on the configuration of the Oracle server.
service_name | When the connect type is service_name, specify the Oracle service name.
sid | When the connect type is sid, specify the SID.
connect-string | When the connect type is connect_string, specify the connect string.
oracle-send-string | SQL statement (command) sent to the Oracle Database server.
oracle-receive-string | The string you expect to receive.
row | Row of the query result that is compared with the receive string.
column | Column of the query result that is compared with the receive string.
Script |
port | Specify the port that is used by the script.
script | Specify the script to run, either one you created or a predefined one.

In SLB deployments, a health check port configuration specifying port 0 acts as a wildcard: the port for health check traffic is taken from the real server pool member. In LLB and GLB deployments, specifying port 0 is invalid because there is no associated configuration from which to derive a port. If your health check port configuration specifies port 0, you will not be able to use it in an LLB or GLB configuration.
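How the HTTP/HTTPS settings in the table above combine to decide pass or fail, as an added example in Python written for this page (not FortiADC code). It assumes the following reading of match-type, which the page does not spell out: match_status compares the status code only, match_string searches the response body for receive-string only, match_all requires both; with http_head there is no body, so only the status code is compared. The sample replies are constructed, not captured from a real server. The "maintenance" and 503 replies show why a HEAD-only or string-only check can keep a broken member in the pool.

```python
"""Evaluate a backend's HTTP reply against the HTTP/HTTPS health-check settings.

Added example for this page, not FortiADC code. Assumed match-type semantics:
match_status = status code only, match_string = receive-string in body only,
match_all = both; with http_head only the status code is compared.
"""
import re
from dataclasses import dataclass
from typing import Tuple


@dataclass
class HttpCheck:
    method_type: str = "http_head"      # http_get | http_head
    send_string: str = "/"              # request URL
    status_code: int = 200
    receive_string: str = ""
    match_type: str = "match_status"    # match_all | match_status | match_string
    http_version: str = "http_1.1"      # http_1.0 | http_1.1
    hostname: str = ""                  # optional Host header value
    additional_string: str = ""         # extra header line

    def request(self) -> bytes:
        """Build the probe request in wire format."""
        method = "HEAD" if self.method_type == "http_head" else "GET"
        version = "HTTP/1.0" if self.http_version == "http_1.0" else "HTTP/1.1"
        lines = [f"{method} {self.send_string} {version}"]
        if self.hostname:
            lines.append(f"Host: {self.hostname}")
        if self.additional_string:
            lines.append(self.additional_string)
        lines.append("Connection: close")
        return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_response(raw: bytes) -> Tuple[int, bytes]:
    """Split a raw HTTP response into (status code, body); raise on a bad status line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    m = re.match(r"HTTP/\d\.\d (\d{3})", status_line)
    if not m:
        raise ValueError(f"malformed status line: {status_line!r}")
    return int(m.group(1)), body


def evaluate(check: HttpCheck, raw: bytes) -> bool:
    """Return True if the reply satisfies the configured check."""
    try:
        code, body = parse_response(raw)
    except ValueError:
        return False                    # anything that is not HTTP is a failure
    status_ok = code == check.status_code
    if check.method_type == "http_head":
        return status_ok                # HEAD: status code only, as the table notes
    string_ok = check.receive_string.encode() in body
    if check.match_type == "match_status":
        return status_ok
    if check.match_type == "match_string":
        return string_ok
    return status_ok and string_ok      # match_all


# Constructed sample replies (not captured from a real server).
OK_REPLY = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>app ready</html>"
MAINTENANCE_REPLY = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>maintenance</html>"
ERROR_REPLY = b"HTTP/1.1 503 Service Unavailable\r\n\r\napp ready"

if __name__ == "__main__":
    strict = HttpCheck(method_type="http_get", send_string="/myapp/index.html",
                       receive_string="app ready", match_type="match_all")
    print(strict.request().decode())
    for name, reply in [("ok", OK_REPLY), ("maintenance", MAINTENANCE_REPLY), ("error", ERROR_REPLY)]:
        print(name, "head:", evaluate(HttpCheck(), reply), "match_all:", evaluate(strict, reply))
```

A GET with match_all against a URL that only succeeds when the application is really working (here the assumed /myapp/index.html with "app ready" in the body) is the check to prefer for an application pool; the predefined HEAD checks only prove that something is answering on the port.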
Example
The following is an example of an HTTP health check for HTTP proxy servers:
```
FortiADC-VM # config system health-check
FortiADC-VM (health-check) # edit HTTP-CONNECT-TEST
Add new entry 'HTTP-CONNECT-TEST' for node 2763
FortiADC-VM (HTTP-CONNECT-T~S) # set type http
FortiADC-VM (HTTP-CONNECT-T~S) # set http-connect remote_connect
FortiADC-VM (HTTP-CONNECT-T~S) # get
type : http
interval : 10
timeout : 5
retry : 1
up-retry : 1
port : 0
dest-addr-type : ipv4
dest-addr : 0.0.0.0
method-type : http_head
send-string : /
status-code : 200
http-connect : remote_connect
remote-host :
remote-port : 0
FortiADC-VM (HTTP-CONNECT-T~S) # set remote-host 10.1.1.1
FortiADC-VM (HTTP-CONNECT-T~S) # set remote-port 113
FortiADC-VM (HTTP-CONNECT-T~S) # set send-string /myapp/index.html
FortiADC-VM (HTTP-CONNECT-T~S) # end
FortiADC-VM #
```
The following is an example of a SIP health check:
```
FortiADC-VM # config system health-check
FortiADC-VM (health-check) # edit sip-health-check
Add new entry 'sip-health-check' for node 2763
FortiADC-VM (sip-health-check) # set type sip
FortiADC-VM (sip-health-check) # get
type : sip
interval : 10
timeout : 5
retry : 1
up-retry : 1
port : 0
dest-addr-type : ipv4
dest-addr : 0.0.0.0
status-code : 200
sip-request-type : register
FortiADC-VM (sip-health-check) # set interval 15
FortiADC-VM (sip-health-check) # set retry 2
FortiADC-VM (sip-health-check) # set timeout 3
FortiADC-VM (sip-health-check) # set status-code 403
FortiADC-VM (sip-health-check) # end
```
The following is an example of an SNMP health check for a server running the UCD agent:
```
FortiADC-VM # config system health-check
FortiADC-VM (health-check) # edit lb-health-check
Add new entry 'lb-health-check' for node 2763
FortiADC-VM (lb-health-check) # set type snmp
FortiADC-VM (lb-health-check) # get
type : snmp
interval : 10
timeout : 5
retry : 1
up-retry : 1
port : 0
dest-addr-type : ipv4
dest-addr : 0.0.0.0
cpu : 96
mem : 96
disk : 96
agent-type : UCD
community :
version : v1
FortiADC-VM (lb-health-check) # set community company-string
FortiADC-VM (lb-health-check) # set port 161
FortiADC-VM (lb-health-check) # set cpu 50
FortiADC-VM (lb-health-check) # set mem 50
FortiADC-VM (lb-health-check) # set disk 50
FortiADC-VM (lb-health-check) # set version v2c
FortiADC-VM (lb-health-check) # get
type : snmp
interval : 10
timeout : 5
retry : 1
up-retry : 1
port : 161
dest-addr-type : ipv4
dest-addr : 0.0.0.0
cpu : 50
mem : 50
disk : 50
agent-type : UCD
community : company-string
version : v2c
FortiADC-VM (lb-health-check) # end
```
The following example configures a custom SNMP health check for a server that does not support the UCD or Windows 2000 agent type.
```
FortiADC-VM # config system health-check
FortiADC-VM (health-check) # edit snmp-linux
Add new entry 'snmp-linux' for node 2763
FortiADC-VM (snmp-linux) # set type snmp-custom
FortiADC-VM (snmp-linux) # get
type : snmp-custom
interval : 10
timeout : 5
retry : 1
up-retry : 1
port : 0
dest-addr-type : ipv4
dest-addr : 0.0.0.0
community :
version : v1
oid :
value-type :
FortiADC-VM (snmp-linux) # set version v2c
FortiADC-VM (snmp-linux) # set oid ".1.3.6.1.4.1.2021.10.1.3.1"
FortiADC-VM (snmp-linux) # set value-type ASN_INTEGER
FortiADC-VM (snmp-linux) # set compare-type greater
FortiADC-VM (snmp-linux) # set counter-value 80
FortiADC-VM (snmp-linux) # end
FortiADC-VM #
```