Fortinet white logo
Fortinet white logo

CLI Reference

config system health-check

config system health-check

Use this command to create health check configuration objects.

In server load balancing deployments, the system uses health checks to poll the members of the real server pool to test whether an application is available. You can also configure additional health checks to poll related servers, and you can include results for both in the health check rule. For example, you can configure an HTTP health check test and a RADIUS health check test. In a web application that requires user authentication, the web server is deemed available only if the web server and the related RADIUS server pass the health check.

In link load balancing deployments, the health check can poll either the ISP link group member itself or a “beacon” server that is deployed on the other side of the ISP link. A beacon is an IP address that must be reachable in order for the link to be deemed available. A beacon can be any IP address, such as a main office, core router, or virtual server at another data center.

If a pool member fails a health check and retries also fail, it is deemed unavailable. The ADC does not send it connections until it is deemed available.

If you expect a backend server is going to be unavailable for a long period, such as when it is undergoing hardware repair, it is experiencing extended down time, or when you have removed it from the server farm, you can improve the performance of the FortiADC system by setting the status of the pool member to Disabled, rather than allowing the system to continue to attempt health checks.

Table 21 describes the predefined health checks. You can get started with these or create custom objects.

Predefined health check configuration objects

Predefined Description

LB_HLTHCK_HTTP

Sends a HEAD request to the server port 80. Expects the server to return an HTTP 200.

LB_HLTHCK_HTTPS

Sends a HEAD request to the server port 443. Expects the server to return an HTTP 200.

LB_HLTHCK_ICMP

Pings the server.

LB_HLTHCK_TCP_ECHO

Sends a TCP echo to server port 7. Expects the server to respond with the corresponding TCP echo.

Before you begin:

  • You must have a good understanding of TCP/IP and knowledge of the services running on your backend servers.
  • You must know the IP address, port, and configuration details for the applications running on backend servers. For some application protocol checks, you must specify user credentials.
  • You must have read-write permission for load balancing settings.

After you have configured a health check, you can select it in the server load balacing real server configuration or in the link-load-balancing gateway link configuration.

Syntax

config system health-check

edit <name>

set type {dns | ftp | http | https | icmp | imap4 | l2-detection | mssql | pop3 | radacct | radius | sip | sip-tcp | smtp | snmp | snmp-custom | ssh | tcp | tcp-echo | tcphalf | tcpssl | udp | mysql | oracle | script}

set connect-data-type {service_name | sid | connect_string }

set service_name <string>

set sid <string>

set script <datasource>

set connect-string <string>

set oracle-send-string <string>

set oracle-receive-string <string>

set row <integer>

set column <integer>

set dest-addr <class_ip>

set dest-addr-type {ipv4|ipv6}

set hostname <string>

set interval <integer>

set retry <integer>

set timeout <integer>

set up-retry <integer>

set addr-type {ivp4|ipv6}

set domain-name <string>

set host-addr <class_ip>

set port <integer>

set file <string>

set passive {enable|disable}

set username <string>

set password <passwd>

set database <database name>

set method-type {http_get | http_head}

set match-type {match_all | match_status | match_string}

set send-string <string>

set receive-string <string>

set status-code <integer>

set http-connect {local_connect|no_connect|remote_connect}

set remote-host <string>

set remote-port <integer>

set nas-ip <string>

set password-type {user-password | chap-password}

set secret-key <string>

set sip-request-type {register|options}

set folder <string>

set agent-type {UCD|WIN2000}

set community <string>

set cpu <integer>

set disk <integer>

set mem <integer>

set version {v1|v2c}

set oid <string>

set value-type {ASN_COUNTER | ASN_INTEGER | ASN_OBJECT_ID | ASN_OCTET_STR | ASN_UINTEGER}

set dest-addr <ip addr>

set port <port>

set http-version {http_1.0 | http_1.1}

set additional-string <additional string for http header content>

set mssql-send-string <sql statement>

set mssql-receive-string <response>

next

end

Health check configuration

Settings Guidelines

General

<name>

Configuration name. No spaces or special characters.

After you initially save the configuration, you cannot edit the name.

type

Specify the health check type. After you have specified the type, the CLI commands are constrained to the ones that are applicable to the specified type, not all of the settings described in this table.

dest-addr

Optional. If no destination IP address is specified, the real server health check is sent to the real server IP address and the gateway link health check is sent to the ISP link IP address. If you are creating rules that test related servers or a test to a “beacon” server, specify the destination IP address. If testing an HTTP proxy, specify the proxy address, not the remote server address.

dest-addr-type

IPv4 or IPv6

hostname

For HTTP or HTTPS health checks, you can specify the hostname (FQDN) instead of the destination IP address. This is useful in VM environments where multiple applications have the same IP address.

interval

Seconds between each health check. Should be more than the timeout to prevent overlapping health checks. The default is 10.

retry

Attempts to retry the health check to confirm availability. The default is 1.

timeout

Seconds to wait for a reply before assuming that the health check has failed. The default is 5.

up-retry

Attempts to retry the health check to confirm availability. The default is 1.

ICMP

No specific options

Simple ping to test connectivity.

TCP / TCP Half Open / TCL SSL / UDP

port

Listening port number of the backend server. Usually HTTP is 80, FTP is 21, DNS is 53, POP3 is 110, IMAP4 is 143, RADIUS is 1812, and SNMP is 161 or 162.

HTTP/HTTPS

port

Listening port number of the backend server. Usually HTTP is 80. If testing an HTTP proxy server, specify the proxy port.

method-type

HTTP method for the test traffic:

  • HTTP GET—Send an HTTP GET request to the server. A response to an HTTP GET request includes HTTP headers and HTTP body.
  • HTTP HEAD—Send an HTTP HEAD request. A response to an HTTP HEAD request includes HTTP headers only.

send-string

The request URL, such as /contact.php.

receive-string

A string expected in return when the HTTP GET request is successful.

status-code

The health check sends an HTTP request to the server. Specify the HTTP status code in the server reply that indicates a successful test. Typically, you use status code 200 (OK). Other status codes indicate errors.

match-type

What determines a failed health check?

  • Match String
  • Match Status
  • Match All (match both string and status)

Not applicable when using HTTP HEAD. HTTP HEAD requests test status code only.

http-connect

If the real server pool members are HTTP proxy servers, specify an HTTP CONNECT option:

  • local_connect—Use HTTP CONNECT to test the tunnel connection through the proxy to the remote server. The member is deemed available if the request returns status code 200 (OK).
  • remote_connect—Use HTTP CONNECT to test both the proxy server response and remote server application availability. If you select this option, you can configure an HTTP request within the tunnel. For example, you can configure an HTTP GET/HEAD request to the specified URL and the expected response.
  • no_connect—Do not use the HTTP CONNECT method. This option is the default. The HTTP CONNECT option is useful to test the availability of proxy servers only.

See the FortiADC Deployment Guide for FortiCache for an example that uses this health check.

http-version

Specify the version of HTTP

additional-string

attach some string to HTTP header content

remote-host

If you use HTTP CONNECT to test proxy servers, specify the remote server IP address.

remote-port

If you use HTTP CONNECT to test proxy servers, specify the remote server port.

DNS

addr-type

IPv4 or IPv6

domain-name

The FQDN, such as www.example.com, to use in the DNS A/AAAA record health check.

host-addr

IP address that matches the FQDN, indicating a successful DNS health check.

RADIUS / RADIUS Accounting

port

Listening port number of the backend server. Usually RADIUS is 1812 and RADIUS accounting is 1813.

nas-ip

NAS IP address.

username

User name of an account on the backend server.

password

The corresponding password.

password-type

  • User—If the backend server does not use CHAP, select this option.
  • CHAP—If the backend server uses CHAP and does not require a secret key, select this option.

secret-key

The secret set on the backend server.

SIP / SIP-TCP

sip-request-type

Specify the SIP request type to be used for health checks:

  • register
  • options

status-code

The expected response code. If not set, response code 200 is expected. Specify 0 if any reply should indicate the server is available.

SMTP

port

Listening port number of the backend server. Usually SMTP is 25.

domain-name

The FQDN, such as www.example.com, to use in the SMTP health check.

POP3

port

Listening port number of the backend server. Usually POP3 is 110.

username

User name of an account on the backend server.

password

The corresponding password.

IMAP4

port

Listening port number of the backend server. Usually IMAP4 is 143.

username

User name of an account on the backend server.

password

The corresponding password.

folder

Specify a mail folder name. The default is INBOX.

FTP

port

Listening port number of the backend server. Usually FTP is 21.

username

User name of an account on the backend server.

password

The corresponding password.

file

Specify a file that exists on the backend server. Path is relative to the initial login path. If the file does not exist or is not accessible, the health check fails.

passive

Select this option if the backend server uses passive FTP.

SNMP

port

Listening port number of the backend server. Usually SNMP is 161.

agent-type

UCD or Windows 2000

community

Must match the SNMP community string set on the backend server. If this does not match, all SNMP health checks fail.

cpu

Maximum normal CPU usage. If overburdened, the health check fails.

disk

Maximum normal disk usage. If the disk is too full, the health check fails.

mem

Maximum normal RAM usage. If overburdened, the health check fails.

version

SNMP v1 or v2c.

SNMP-Custom

oid

String specifying the OID to query.

value-type

Abstract syntax notation (ASN) value type:

  • ASN_COUNTER
  • ASN_INTEGER
  • ASN_OBJECT_ID
  • ASN_OCTET_STR
  • ASN_UINTEGER

compare-type

  • equal
  • greater
  • less

counter-value

Specify the value for the evaluation.

SSH

port

Listening port number of the backend server. Usually SSH is 22.

username

Username for test login.

password

Corresponding password.

L2 Detection

No specific options

Link Layer health checker. Sends ARP (IPv4) or NDP (IPv6) packets to test whether a physically connected system is available.

MSSQL

port

if not configured, use port of real server pool/member

username

Specify the username of the MSSQL database

password

Specify the password of the MSSQL database

database

Specify the name of the MSSQL database. Length range: 0 to 128 characters.

mssql-send-string

Send a string (command) to the MSSQL server

mssql-receive-string

The string you expect to receive

row

The row in which the send string (command) takes effect

column

The column in which the send string (command) takes effect

MySQL
username Specify the user name of the MySQL database.
password Specify the password corresponding to the MySQL database user name.
dest-addr Specify the IP address of the MySQL database server.
port Listening port number of the backend server.
Oracle
port Listening port number of the OracleDB server
username Specify the database username
password Specify the database password
connect-type

Select either of the following:

  • Service name
  • SID
  • Connect string

Setting these configurations depends on the configuration of the server.

service_name When you select a Service name, use this to specify the Service name
sid When you select an SID, use this to specify the SID
connect-string When you select a service name, use this to specify connect string
oracle-send-string Send a string (command) to OracleDb server
oracle-receive-string The string we expect to receive
row The row in which the send string (command) takes effect
column The column in which the send string (command) takes effect
Script
port Specify the port that is used by the script
script Specify the script we create or pre-define

In SLB deployments, a health check port configuration specifying port 0 acts as a wildcard.The port for health check traffic is imputed from the real server pool member.

In LLB and GLB deployments, specifying port 0 is invalid because there is no associated configuration to impute a proper port. If your health check port configuration specifies port 0, you will not be able to use it in an LLB or GLB configuration.

Example

The following is an example of an HTTP health check for HTTP proxy servers:

FortiADC-VM # config system health-check

FortiADC-VM (health-check) # edit HTTP-CONNECT-TEST

Add new entry 'HTTP-CONNECT-TEST' for node 2763

FortiADC-VM (HTTP-CONNECT-T~S) # set type http

FortiADC-VM (HTTP-CONNECT-T~S) # set http-connect remote_connect

FortiADC-VM (HTTP-CONNECT-T~S) # get

type : http

interval : 10

timeout : 5

retry : 1

up-retry : 1

port : 0

dest-addr-type : ipv4

dest-addr : 0.0.0.0

method-type : http_head

send-string : /

status-code : 200

http-connect : remote_connect

remote-host :

remote-port : 0

FortiADC-VM (HTTP-CONNECT-T~S) # set remote-host 10.1.1.1

FortiADC-VM (HTTP-CONNECT-T~S) # set remote-port 113

FortiADC-VM (HTTP-CONNECT-T~S) # set send-string /myapp/index.html

FortiADC-VM (HTTP-CONNECT-T~S) # end

FortiADC-VM #

The following is an example of a SIP health check:

FortiADC-VM # config system health-check

FortiADC-VM (health-check) # edit sip-health-check

Add new entry 'sip-health-check' for node 2763

FortiADC-VM (sip-health-check) # set type sip

FortiADC-VM (sip-health-check) # get

type : sip

interval : 10

timeout : 5

retry : 1

up-retry : 1

port : 0

dest-addr-type : ipv4

dest-addr : 0.0.0.0

status-code : 200

sip-request-type : register

FortiADC-VM (sip-health-check) # set interval 15

FortiADC-VM (sip-health-check) # set retry 2

FortiADC-VM (sip-health-check) # set timeout 3

FortiADC-VM (sip-health-check) # set status-code 403

FortiADC-VM (sip-health-check) # end

The following is an example of an SNMP health check for a server running the UCD agent:

FortiADC-VM # config system health-check

FortiADC-VM (health-check) # edit lb-health-check

Add new entry 'lb-health-check' for node 2763

FortiADC-VM (lb-health-check) # set type snmp

FortiADC-VM (lb-health-check) # get

type : snmp

interval : 10

timeout : 5

retry : 1

up-retry : 1

port : 0

dest-addr-type : ipv4

dest-addr : 0.0.0.0

cpu : 96

mem : 96

disk : 96

agent-type : UCD

community :

version : v1

FortiADC-VM (lb-health-check) # set community company-string

FortiADC-VM (lb-health-check) # set port 161

FortiADC-VM (lb-health-check) # set cpu 50

FortiADC-VM (lb-health-check) # set mem 50

FortiADC-VM (lb-health-check) # set disk 50

FortiADC-VM (lb-health-check) # set version v2c

FortiADC-VM (lb-health-check) # get

type : snmp

interval : 10

timeout : 5

retry : 1

up-retry : 1

port : 161

dest-addr-type : ipv4

dest-addr : 0.0.0.0

cpu : 50

mem : 50

disk : 50

agent-type : UCD

community : company-string

version : v2c

FortiADC-VM (lb-health-check) # end

The following example configures a custom SNMP health check for a server that does not support the UCD or Windows 2000 agent type.

FortiADC-VM # config system health-check

FortiADC-VM (health-check) # edit snmp-linux

Add new entry 'snmp-linux' for node 2763

FortiADC-VM (snmp-linux) # set type snmp-custom

FortiADC-VM (snmp-linux) # get

type : snmp-custom

interval : 10

timeout : 5

retry : 1

up-retry : 1

port : 0

dest-addr-type : ipv4

dest-addr : 0.0.0.0

community :

version : v1

oid :

value-type :

FortiADC-VM (snmp-linux) # set version v2c

FortiADC-VM (snmp-linux) # set oid ".1.3.6.1.4.1.2021.10.1.3.1"

FortiADC-VM (snmp-linux) # set value-type ASN_INTEGER

FortiADC-VM (snmp-linux) # set compare-type greater

FortiADC-VM (snmp-linux) # set counter-value 80

FortiADC-VM (snmp-linux) # end

FortiADC-VM #

config system health-check

config system health-check

Use this command to create health check configuration objects.

In server load balancing deployments, the system uses health checks to poll the members of the real server pool to test whether an application is available. You can also configure additional health checks to poll related servers, and you can include results for both in the health check rule. For example, you can configure an HTTP health check test and a RADIUS health check test. In a web application that requires user authentication, the web server is deemed available only if the web server and the related RADIUS server pass the health check.

In link load balancing deployments, the health check can poll either the ISP link group member itself or a “beacon” server that is deployed on the other side of the ISP link. A beacon is an IP address that must be reachable in order for the link to be deemed available. A beacon can be any IP address, such as a main office, core router, or virtual server at another data center.

If a pool member fails a health check and retries also fail, it is deemed unavailable. The ADC does not send it connections until it is deemed available.

If you expect a backend server is going to be unavailable for a long period, such as when it is undergoing hardware repair, it is experiencing extended down time, or when you have removed it from the server farm, you can improve the performance of the FortiADC system by setting the status of the pool member to Disabled, rather than allowing the system to continue to attempt health checks.

Table 21 describes the predefined health checks. You can get started with these or create custom objects.

Predefined health check configuration objects

Predefined Description

LB_HLTHCK_HTTP

Sends a HEAD request to the server port 80. Expects the server to return an HTTP 200.

LB_HLTHCK_HTTPS

Sends a HEAD request to the server port 443. Expects the server to return an HTTP 200.

LB_HLTHCK_ICMP

Pings the server.

LB_HLTHCK_TCP_ECHO

Sends a TCP echo to server port 7. Expects the server to respond with the corresponding TCP echo.

Before you begin:

  • You must have a good understanding of TCP/IP and knowledge of the services running on your backend servers.
  • You must know the IP address, port, and configuration details for the applications running on backend servers. For some application protocol checks, you must specify user credentials.
  • You must have read-write permission for load balancing settings.

After you have configured a health check, you can select it in the server load balacing real server configuration or in the link-load-balancing gateway link configuration.

Syntax

config system health-check

edit <name>

set type {dns | ftp | http | https | icmp | imap4 | l2-detection | mssql | pop3 | radacct | radius | sip | sip-tcp | smtp | snmp | snmp-custom | ssh | tcp | tcp-echo | tcphalf | tcpssl | udp | mysql | oracle | script}

set connect-data-type {service_name | sid | connect_string }

set service_name <string>

set sid <string>

set script <datasource>

set connect-string <string>

set oracle-send-string <string>

set oracle-receive-string <string>

set row <integer>

set column <integer>

set dest-addr <class_ip>

set dest-addr-type {ipv4|ipv6}

set hostname <string>

set interval <integer>

set retry <integer>

set timeout <integer>

set up-retry <integer>

set addr-type {ivp4|ipv6}

set domain-name <string>

set host-addr <class_ip>

set port <integer>

set file <string>

set passive {enable|disable}

set username <string>

set password <passwd>

set database <database name>

set method-type {http_get | http_head}

set match-type {match_all | match_status | match_string}

set send-string <string>

set receive-string <string>

set status-code <integer>

set http-connect {local_connect|no_connect|remote_connect}

set remote-host <string>

set remote-port <integer>

set nas-ip <string>

set password-type {user-password | chap-password}

set secret-key <string>

set sip-request-type {register|options}

set folder <string>

set agent-type {UCD|WIN2000}

set community <string>

set cpu <integer>

set disk <integer>

set mem <integer>

set version {v1|v2c}

set oid <string>

set value-type {ASN_COUNTER | ASN_INTEGER | ASN_OBJECT_ID | ASN_OCTET_STR | ASN_UINTEGER}

set dest-addr <ip addr>

set port <port>

set http-version {http_1.0 | http_1.1}

set additional-string <additional string for http header content>

set mssql-send-string <sql statement>

set mssql-receive-string <response>

next

end

Health check configuration

Settings Guidelines

General

<name>

Configuration name. No spaces or special characters.

After you initially save the configuration, you cannot edit the name.

type

Specify the health check type. After you have specified the type, the CLI commands are constrained to the ones that are applicable to the specified type, not all of the settings described in this table.

dest-addr

Optional. If no destination IP address is specified, the real server health check is sent to the real server IP address and the gateway link health check is sent to the ISP link IP address. If you are creating rules that test related servers or a test to a “beacon” server, specify the destination IP address. If testing an HTTP proxy, specify the proxy address, not the remote server address.

dest-addr-type

IPv4 or IPv6

hostname

For HTTP or HTTPS health checks, you can specify the hostname (FQDN) instead of the destination IP address. This is useful in VM environments where multiple applications have the same IP address.

interval

Seconds between each health check. Should be more than the timeout to prevent overlapping health checks. The default is 10.

retry

Attempts to retry the health check to confirm availability. The default is 1.

timeout

Seconds to wait for a reply before assuming that the health check has failed. The default is 5.

up-retry

Attempts to retry the health check to confirm availability. The default is 1.

ICMP

No specific options

Simple ping to test connectivity.

TCP / TCP Half Open / TCL SSL / UDP

port

Listening port number of the backend server. Usually HTTP is 80, FTP is 21, DNS is 53, POP3 is 110, IMAP4 is 143, RADIUS is 1812, and SNMP is 161 or 162.

HTTP/HTTPS

port

Listening port number of the backend server. Usually HTTP is 80. If testing an HTTP proxy server, specify the proxy port.

method-type

HTTP method for the test traffic:

  • HTTP GET—Send an HTTP GET request to the server. A response to an HTTP GET request includes HTTP headers and HTTP body.
  • HTTP HEAD—Send an HTTP HEAD request. A response to an HTTP HEAD request includes HTTP headers only.

send-string

The request URL, such as /contact.php.

receive-string

A string expected in return when the HTTP GET request is successful.

status-code

The health check sends an HTTP request to the server. Specify the HTTP status code in the server reply that indicates a successful test. Typically, you use status code 200 (OK). Other status codes indicate errors.

match-type

What determines a failed health check?

  • Match String
  • Match Status
  • Match All (match both string and status)

Not applicable when using HTTP HEAD. HTTP HEAD requests test status code only.

http-connect

If the real server pool members are HTTP proxy servers, specify an HTTP CONNECT option:

  • local_connect—Use HTTP CONNECT to test the tunnel connection through the proxy to the remote server. The member is deemed available if the request returns status code 200 (OK).
  • remote_connect—Use HTTP CONNECT to test both the proxy server response and remote server application availability. If you select this option, you can configure an HTTP request within the tunnel. For example, you can configure an HTTP GET/HEAD request to the specified URL and the expected response.
  • no_connect—Do not use the HTTP CONNECT method. This option is the default. The HTTP CONNECT option is useful to test the availability of proxy servers only.

See the FortiADC Deployment Guide for FortiCache for an example that uses this health check.

http-version

Specify the version of HTTP

additional-string

attach some string to HTTP header content

remote-host

If you use HTTP CONNECT to test proxy servers, specify the remote server IP address.

remote-port

If you use HTTP CONNECT to test proxy servers, specify the remote server port.

DNS

addr-type

IPv4 or IPv6

domain-name

The FQDN, such as www.example.com, to use in the DNS A/AAAA record health check.

host-addr

IP address that matches the FQDN, indicating a successful DNS health check.

RADIUS / RADIUS Accounting

port

Listening port number of the backend server. Usually RADIUS is 1812 and RADIUS accounting is 1813.

nas-ip

NAS IP address.

username

User name of an account on the backend server.

password

The corresponding password.

password-type

  • User—If the backend server does not use CHAP, select this option.
  • CHAP—If the backend server uses CHAP and does not require a secret key, select this option.

secret-key

The secret set on the backend server.

SIP / SIP-TCP

sip-request-type

Specify the SIP request type to be used for health checks:

  • register
  • options

status-code

The expected response code. If not set, response code 200 is expected. Specify 0 if any reply should indicate the server is available.

SMTP

port

Listening port number of the backend server. Usually SMTP is 25.

domain-name

The FQDN, such as www.example.com, to use in the SMTP health check.

POP3

port

Listening port number of the backend server. Usually POP3 is 110.

username

User name of an account on the backend server.

password

The corresponding password.

IMAP4

port

Listening port number of the backend server. Usually IMAP4 is 143.

username

User name of an account on the backend server.

password

The corresponding password.

folder

Specify a mail folder name. The default is INBOX.

FTP

port

Listening port number of the backend server. Usually FTP is 21.

username

User name of an account on the backend server.

password

The corresponding password.

file

Specify a file that exists on the backend server. Path is relative to the initial login path. If the file does not exist or is not accessible, the health check fails.

passive

Select this option if the backend server uses passive FTP.

SNMP

port

Listening port number of the backend server. Usually SNMP is 161.

agent-type

UCD or Windows 2000

community

Must match the SNMP community string set on the backend server. If this does not match, all SNMP health checks fail.

cpu

Maximum normal CPU usage. If overburdened, the health check fails.

disk

Maximum normal disk usage. If the disk is too full, the health check fails.

mem

Maximum normal RAM usage. If overburdened, the health check fails.

version

SNMP v1 or v2c.

SNMP-Custom

oid

String specifying the OID to query.

value-type

Abstract syntax notation (ASN) value type:

  • ASN_COUNTER
  • ASN_INTEGER
  • ASN_OBJECT_ID
  • ASN_OCTET_STR
  • ASN_UINTEGER

compare-type

  • equal
  • greater
  • less

counter-value

Specify the value for the evaluation.

SSH

port

Listening port number of the backend server. Usually SSH is 22.

username

Username for test login.

password

Corresponding password.

L2 Detection

No specific options

Link Layer health checker. Sends ARP (IPv4) or NDP (IPv6) packets to test whether a physically connected system is available.

MSSQL

port

if not configured, use port of real server pool/member

username

Specify the username of the MSSQL database

password

Specify the password of the MSSQL database

database

Specify the name of the MSSQL database. Length range: 0 to 128 characters.

mssql-send-string

Send a string (command) to the MSSQL server

mssql-receive-string

The string you expect to receive

row

The row in which the send string (command) takes effect

column

The column in which the send string (command) takes effect

MySQL
username Specify the user name of the MySQL database.
password Specify the password corresponding to the MySQL database user name.
dest-addr Specify the IP address of the MySQL database server.
port Listening port number of the backend server.
Oracle
port Listening port number of the OracleDB server
username Specify the database username
password Specify the database password
connect-type

Select either of the following:

  • Service name
  • SID
  • Connect string

Setting these configurations depends on the configuration of the server.

service_name When you select a Service name, use this to specify the Service name
sid When you select an SID, use this to specify the SID
connect-string When you select a service name, use this to specify connect string
oracle-send-string Send a string (command) to OracleDb server
oracle-receive-string The string we expect to receive
row The row in which the send string (command) takes effect
column The column in which the send string (command) takes effect
Script
port Specify the port that is used by the script
script Specify the script we create or pre-define

In SLB deployments, a health check port configuration specifying port 0 acts as a wildcard.The port for health check traffic is imputed from the real server pool member.

In LLB and GLB deployments, specifying port 0 is invalid because there is no associated configuration to impute a proper port. If your health check port configuration specifies port 0, you will not be able to use it in an LLB or GLB configuration.

Example

The following is an example of an HTTP health check for HTTP proxy servers:

FortiADC-VM # config system health-check

FortiADC-VM (health-check) # edit HTTP-CONNECT-TEST

Add new entry 'HTTP-CONNECT-TEST' for node 2763

FortiADC-VM (HTTP-CONNECT-T~S) # set type http

FortiADC-VM (HTTP-CONNECT-T~S) # set http-connect remote_connect

FortiADC-VM (HTTP-CONNECT-T~S) # get

type : http

interval : 10

timeout : 5

retry : 1

up-retry : 1

port : 0

dest-addr-type : ipv4

dest-addr : 0.0.0.0

method-type : http_head

send-string : /

status-code : 200

http-connect : remote_connect

remote-host :

remote-port : 0

FortiADC-VM (HTTP-CONNECT-T~S) # set remote-host 10.1.1.1

FortiADC-VM (HTTP-CONNECT-T~S) # set remote-port 113

FortiADC-VM (HTTP-CONNECT-T~S) # set send-string /myapp/index.html

FortiADC-VM (HTTP-CONNECT-T~S) # end

FortiADC-VM #

The following is an example of a SIP health check:

FortiADC-VM # config system health-check

FortiADC-VM (health-check) # edit sip-health-check

Add new entry 'sip-health-check' for node 2763

FortiADC-VM (sip-health-check) # set type sip

FortiADC-VM (sip-health-check) # get

type : sip

interval : 10

timeout : 5

retry : 1

up-retry : 1

port : 0

dest-addr-type : ipv4

dest-addr : 0.0.0.0

status-code : 200

sip-request-type : register

FortiADC-VM (sip-health-check) # set interval 15

FortiADC-VM (sip-health-check) # set retry 2

FortiADC-VM (sip-health-check) # set timeout 3

FortiADC-VM (sip-health-check) # set status-code 403

FortiADC-VM (sip-health-check) # end

The following is an example of an SNMP health check for a server running the UCD agent:

FortiADC-VM # config system health-check

FortiADC-VM (health-check) # edit lb-health-check

Add new entry 'lb-health-check' for node 2763

FortiADC-VM (lb-health-check) # set type snmp

FortiADC-VM (lb-health-check) # get

type : snmp

interval : 10

timeout : 5

retry : 1

up-retry : 1

port : 0

dest-addr-type : ipv4

dest-addr : 0.0.0.0

cpu : 96

mem : 96

disk : 96

agent-type : UCD

community :

version : v1

FortiADC-VM (lb-health-check) # set community company-string

FortiADC-VM (lb-health-check) # set port 161

FortiADC-VM (lb-health-check) # set cpu 50

FortiADC-VM (lb-health-check) # set mem 50

FortiADC-VM (lb-health-check) # set disk 50

FortiADC-VM (lb-health-check) # set version v2c

FortiADC-VM (lb-health-check) # get

type : snmp

interval : 10

timeout : 5

retry : 1

up-retry : 1

port : 161

dest-addr-type : ipv4

dest-addr : 0.0.0.0

cpu : 50

mem : 50

disk : 50

agent-type : UCD

community : company-string

version : v2c

FortiADC-VM (lb-health-check) # end

The following example configures a custom SNMP health check for a server that does not support the UCD or Windows 2000 agent type.

FortiADC-VM # config system health-check

FortiADC-VM (health-check) # edit snmp-linux

Add new entry 'snmp-linux' for node 2763

FortiADC-VM (snmp-linux) # set type snmp-custom

FortiADC-VM (snmp-linux) # get

type : snmp-custom

interval : 10

timeout : 5

retry : 1

up-retry : 1

port : 0

dest-addr-type : ipv4

dest-addr : 0.0.0.0

community :

version : v1

oid :

value-type :

FortiADC-VM (snmp-linux) # set version v2c

FortiADC-VM (snmp-linux) # set oid ".1.3.6.1.4.1.2021.10.1.3.1"

FortiADC-VM (snmp-linux) # set value-type ASN_INTEGER

FortiADC-VM (snmp-linux) # set compare-type greater

FortiADC-VM (snmp-linux) # set counter-value 80

FortiADC-VM (snmp-linux) # end

FortiADC-VM #