config system health-check
Use this command to create health check configuration objects.
In server load balancing deployments, the system uses health checks to poll the members of the real server pool to test whether an application is available. You can also configure additional health checks to poll related servers, and you can include results for both in the health check rule. For example, you can configure an HTTP health check test and a RADIUS health check test. In a web application that requires user authentication, the web server is deemed available only if the web server and the related RADIUS server pass the health check.
In link load balancing deployments, the health check can poll either the ISP link group member itself or a “beacon” server that is deployed on the other side of the ISP link. A beacon is an IP address that must be reachable in order for the link to be deemed available. A beacon can be any IP address, such as a main office, core router, or virtual server at another data center.
If a pool member fails a health check and retries also fail, it is deemed unavailable. The ADC does not send it connections until it is deemed available.
|
If you expect a backend server is going to be unavailable for a long period, such as when it is undergoing hardware repair, it is experiencing extended down time, or when you have removed it from the server farm, you can improve the performance of the FortiADC system by setting the status of the pool member to Disabled, rather than allowing the system to continue to attempt health checks. |
Table 21 describes the predefined health checks. You can get started with these or create custom objects.
| Predefined | Description |
|---|---|
|
LB_HLTHCK_HTTP |
Sends a HEAD request to the server port 80. Expects the server to return an HTTP 200. |
|
LB_HLTHCK_HTTPS |
Sends a HEAD request to the server port 443. Expects the server to return an HTTP 200. |
|
LB_HLTHCK_ICMP |
Pings the server. |
|
LB_HLTHCK_TCP_ECHO |
Sends a TCP echo to server port 7. Expects the server to respond with the corresponding TCP echo. |
Before you begin:
- You must have a good understanding of TCP/IP and knowledge of the services running on your backend servers.
- You must know the IP address, port, and configuration details for the applications running on backend servers. For some application protocol checks, you must specify user credentials.
- You must have read-write permission for load balancing settings.
After you have configured a health check, you can select it in the server load balacing real server configuration or in the link-load-balancing gateway link configuration.
Syntax
config system health-check
edit <name>
set type {diameter | dns | ftp | http | https | icmp | imap4 | l2-detection | ldap | ldaps | mssql | mysql | oracle | pop3 | radacct | radius | rtsp | script | sip | sip-tcp | smtp | snmp | snmp-custom | ssh | tcp | tcp-echo | tcphalf | tcpssl | udp}
set dest-addr-type {ipv4 | ipv6 | fqdn}
set dest-addr <ipv4 or ipv6>
set fqdn <fqdn>
set hostname <string>
set interval <integer>
set retry <integer>
set timeout <integer>
set up-retry <integer>
set port <integer>
set method-type {http_get | http_head}
set send-string <string>
set receive-string <string>
set status-code <integer>
set match-type {match_all | match_status | match_string}
set http-connect {local_connect | no_connect | remote_connect}
set http-version {http_1.0 | http_1.1}
set additional-string <additional string for http header content>
set remote-host <string>
set remote-port <integer>
set addr-type {ipv4 | ipv6}
set domain-name <string>
set host-addr <class_ip>
set nas-ip <string>
set username <username>
set password <password>
set password-type {user-password | chap-password}
set secret-key <string>
set sip-request-type {register|options}
set folder <string>
set file <string>
set passive {enable|disable}
set agent-type {UCD|WIN2000}
set community <string>
set cpu <integer>
set disk <integer>
set mem <integer>
set version {v1|v2c}
config snmp-custom
edit <name>
set oid <string>
set value-type {ASN_COUNTER | ASN_INTEGER | ASN_OCTET_STR | ASN_UINTEGER}
set compare-type {equal | greater | less }
set counter-value <integer>
set name <string>
set weight <integer>
next
set origin-host <string>
set origin-realm <string>
set vendor-id <integer>
set product-name <string>
set host-ip-addr <class_ip>
set host-ip6-addr <class_ip>
set auth-appid <integer>
set acct-appid <integer>
set connect-data-type {connect_string | service_name | sid}
set service_name <string>
set sid <string>
set connect-string <string>
set oracle-send-string <string>
set oracle-receive-string <string>
set script {<datasource> | CURL_HTTP_CODE | ICMP | PORT_STATUS }
set attribute <string>
set baseDN <string>
set bindDN <string>
set filter <string>
set database <string>
set mssql-send-string <string>
set mssql-receive-string <string>
set verify-host-cert {enable | disable}
set ca <datasource>
next
end
| Settings | Guidelines |
|---|---|
|
General |
|
|
<name> |
Configuration name. No spaces or special characters. After you initially save the configuration, you cannot edit the name. |
|
type |
Specify the health check type. After you have specified the type, the CLI commands are constrained to the ones that are applicable to the specified type, not all of the settings described in this table.
|
|
dest-addr-type |
Specify the destination address type.
Note: For the LDAP or LDAPS health check types, if Verify Host Certificate is enabled, the destination address type must match the CN in the LDAP/S server certificate as either IP address or FQDN. For example, if the CN in the LDAP/S server certificate is FQDN, then the destination address in the health check configuration must be FQDN as well. |
|
dest-addr |
The dest-addr option is available if dest-addr-type is ipv4 or ipv6. Optional. If no destination IP address is specified, the real server health check is sent to the real server IP address and the gateway link health check is sent to the ISP link IP address. If you are creating rules that test related servers or a test to a “beacon” server, specify the destination IP address. If testing an HTTP proxy, specify the proxy address, not the remote server address. |
|
fqdn |
The fqdn option is available if dest-addr-type is fqdn. Specify the destination FQDN (Fully Qualified Domain Name). |
|
hostname |
For HTTP or HTTPS health checks, you can specify the hostname (FQDN) instead of the destination IP address. This is useful in VM environments where multiple applications have the same IP address. |
|
interval |
Seconds between each health check. Should be more than the timeout to prevent overlapping health checks. The default is 10. |
|
retry |
Attempts to retry the health check to confirm availability. The default is 1. |
|
timeout |
Seconds to wait for a reply before assuming that the health check has failed. The default is 5. |
|
up-retry |
Attempts to retry the health check to confirm availability. The default is 1. |
| ICMP | |
|
No specific options |
Simple ping to test connectivity. |
| TCP / TCP Half Open / TCP SSL / UDP | |
|
port |
Listening port number of the backend server. Usually HTTP is 80, FTP is 21, DNS is 53, POP3 is 110, IMAP4 is 143, RADIUS is 1812, and SNMP is 161 or 162. |
|
HTTP/HTTPS |
|
|
port |
Listening port number of the backend server. Usually HTTP is 80. If testing an HTTP proxy server, specify the proxy port. |
|
method-type |
HTTP method for the test traffic:
|
|
send-string |
The request URL, such as /contact.php. |
|
receive-string |
A string expected in return when the HTTP GET request is successful. |
|
status-code |
The health check sends an HTTP request to the server. Specify the HTTP status code in the server reply that indicates a successful test. Typically, you use status code 200 (OK). Other status codes indicate errors. |
|
match-type |
What determines a failed health check?
Not applicable when using HTTP HEAD. HTTP HEAD requests test status code only. |
|
http-connect |
If the real server pool members are HTTP proxy servers, specify an HTTP CONNECT option:
See the FortiADC Deployment Guide for FortiCache for an example that uses this health check. |
|
http-version |
Specify the version of HTTP |
|
additional-string |
attach some string to HTTP header content |
|
remote-host |
If you use HTTP CONNECT to test proxy servers, specify the remote server IP address. |
|
remote-port |
If you use HTTP CONNECT to test proxy servers, specify the remote server port. |
|
DNS |
|
|
addr-type |
IPv4 or IPv6 |
|
domain-name |
The FQDN, such as www.example.com, to use in the DNS A/AAAA record health check. |
|
host-addr |
IP address that matches the FQDN, indicating a successful DNS health check. |
|
RADIUS / RADIUS Accounting |
|
|
port |
Listening port number of the backend server. Usually RADIUS is 1812 and RADIUS accounting is 1813. |
|
nas-ip |
NAS IP address. |
|
username |
User name of an account on the backend server. |
|
password |
The corresponding password. |
|
password-type |
|
|
secret-key |
The secret set on the backend server. |
| SIP / SIP TCP | |
|
sip-request-type |
Specify the SIP request type to be used for health checks:
|
|
status-code |
The expected response code. If not set, response code 200 is expected. Specify 0 if any reply should indicate the server is available. |
|
SMTP |
|
|
port |
Listening port number of the backend server. Usually SMTP is 25. |
|
domain-name |
The FQDN, such as www.example.com, to use in the SMTP health check. |
|
POP3 |
|
|
port |
Listening port number of the backend server. Usually POP3 is 110. |
|
username |
User name of an account on the backend server. |
|
password |
The corresponding password. |
|
IMAP4 |
|
|
port |
Listening port number of the backend server. Usually IMAP4 is 143. |
|
username |
User name of an account on the backend server. |
|
password |
The corresponding password. |
|
folder |
Specify a mail folder name. The default is INBOX. |
|
FTP |
|
|
port |
Listening port number of the backend server. Usually FTP is 21. |
|
username |
User name of an account on the backend server. |
|
password |
The corresponding password. |
|
file |
Specify a file that exists on the backend server. Path is relative to the initial login path. If the file does not exist or is not accessible, the health check fails. |
|
passive |
Select this option if the backend server uses passive FTP. |
|
SNMP |
|
|
port |
Listening port number of the backend server. Usually SNMP is 161. |
|
agent-type |
UCD or Windows 2000 |
|
community |
Must match the SNMP community string set on the backend server. If this does not match, all SNMP health checks fail. |
|
cpu |
Maximum normal CPU usage. If overburdened, the health check fails. |
|
disk |
Maximum normal disk usage. If the disk is too full, the health check fails. |
|
mem |
Maximum normal RAM usage. If overburdened, the health check fails. |
|
version |
SNMP v1 or v2c. |
| SNMP Custom | |
|
port |
Listening port number of the backend server. Usually SNMP is 161 or 162. |
|
community |
Must match the SNMP community string set on the backend server. If this does not match, all SNMP health checks fail. |
|
version |
SNMP v1 or v2c. |
|
config snmp-custom |
|
|
oid |
String specifying the OID to query. |
|
value-type |
Abstract syntax notation (ASN) value type:
|
|
compare-type |
The default option is less. |
|
counter-value |
Specify the value for the evaluation. The range is 1-2147483647. |
|
name |
Specify the SNMP custom name. |
|
weight |
Specify the SNMP custom weight. |
|
SSH |
|
|
port |
Listening port number of the backend server. Usually SSH is 22. |
|
username |
Username for test login. |
|
password |
Corresponding password. |
|
L2 Detection |
|
|
No specific options |
Link Layer health checker. Sends ARP (IPv4) or NDP (IPv6) packets to test whether a physically connected system is available. |
| MySQL | |
username
|
Specify the user name of the MySQL database. |
password
|
Specify the password corresponding to the MySQL database user name. |
dest-addr
|
Specify the IP address of the MySQL database server. |
port
|
Listening port number of the backend server. |
|
Diameter |
|
|
origin-host |
Specify the FortiADC appliance that originates the Diameter message. The value is in FQDN format and used to uniquely identify a Diameter node for duplicate connection and routing loop detection. Note: Some Diameter servers do not accept multiple connections from the same origin host. If you set the origin host the same as the origin host (Identity) of the Diameter load-balance profile and use the health check and Diameter load balance profile in the same virtual server, the health check or the Diameter load-balance profile may run into certain undefined problems. |
|
origin-realm |
Specify the realm of the FortiADC appliance that originates the Diameter message. The value is in FQDN format. |
|
vendor-id |
Specify the type Unsigned32 vendor ID which contains the IANA "SMI Network Management Private Enterprise Codes" value assigned to the vendor of a Diameter application. The default is 12356. |
|
product-name |
Specify the type UTF8String product name which contains the vendor assigned name for the product. |
|
host-ip-addr |
Specify the type IPv4 address used to inform a Diameter peer of the sender's IP address when the destination address type is IPv4. The default is blank, meaning that it is the address of the FortiADC's outgoing interface. |
|
host-ip6-addr |
Specify the type IPv6 address used to inform a Diameter peer of the sender's IP address when the destination address type is IPv6. The default is blank, meaning that it is the address of the FortiADC's outgoing interface. |
|
auth-appid |
Specify the type Unsigned32 authentication application ID used to advertise support of the authentication and authorization portion of an application. This filed is optional; the default is 0 (zero). |
|
acct-appid |
Specify the type Unsigned32 accounting application ID used to advertise support of the accounting portion of an application. This field is optional; the default is 0 (zero). |
| Oracle | |
port
|
Listening port number of the OracleDB server |
username
|
Specify the database username |
password
|
Specify the database password |
connect-data-type
|
Select either of the following:
Setting these configurations depends on the configuration of the server. |
service_name
|
When you select a Service name, use this to specify the Service name. |
sid
|
When you select an SID, use this to specify the SID. |
connect-string
|
When you select a service name, use this to specify connect string. |
oracle-send-string
|
Send a string (command) to OracleDb server. |
oracle-receive-string
|
The string we expect to receive. |
row
|
The row in which the send string (command) takes effect. |
column
|
The column in which the send string (command) takes effect. |
| Script | |
port
|
Specify the port that is used by the script. |
script
|
Specify the script we create or pre-define. Predefined scripts:
|
| LDAP | |
|
port |
Port Listening port number of the backend server. Usually LDAP is 389. |
|
password |
The corresponding password. |
|
attribute |
Attributes for the LDAP health check object. |
|
baseDN |
The distinguished name where a LDAP server will search from. |
|
bindDN |
The distinguished name used to bind to a LDAP server. |
|
filter |
Criteria to use in selecting results. |
| MSSQL | |
|
port |
Specify the listening port number of the MSSQL server. Valid values range from 0 to 65535. |
|
username |
Specify the database user name. (Optional) |
|
password |
Specify the database password, if applicable. |
|
database |
Specify the name of the MSSQL database. |
|
mssql-send-string |
Specify the MSSQL send string. |
|
mssql-receive-string |
Specify the MSSQL receive string. |
|
row |
The row in which the send string (command) takes effect. |
|
column |
The column in which the send string (command) takes effect. |
|
LDAPS |
|
|
port |
Port Listening port number of the backend server. The default port is 636 for LDAPS. |
|
password |
The corresponding password. |
|
bindDN |
The distinguished name used to bind to a LDAPS server. |
|
baseDN |
The distinguished name where a LDAPS server will search from. |
|
filter |
Criteria to use in selecting results. |
|
attribute |
Attributes for the LDAPS health check object. |
|
verify-host-cert |
Enable to verify the LDAPS server certificate. This is disabled by default. |
|
ca |
The CA option is available if Verify Host Certificate is enabled. Specify the CA certificate. |
|
|
In SLB deployments, a health check port configuration specifying port 0 acts as a wildcard.The port for health check traffic is imputed from the real server pool member. In LLB and GLB deployments, specifying port 0 is invalid because there is no associated configuration to impute a proper port. If your health check port configuration specifies port 0, you will not be able to use it in an LLB or GLB configuration. |
Example
The following is an example of an HTTP health check for HTTP proxy servers:
FortiADC-VM # config system health-check
FortiADC-VM (health-check) # edit HTTP-CONNECT-TEST
Add new entry 'HTTP-CONNECT-TEST' for node 2763
FortiADC-VM (HTTP-CONNECT-T~S) # set type http
FortiADC-VM (HTTP-CONNECT-T~S) # set http-connect remote_connect
FortiADC-VM (HTTP-CONNECT-T~S) # get
type : http
interval : 10
timeout : 5
retry : 1
up-retry : 1
port : 0
dest-addr-type : ipv4
dest-addr : 0.0.0.0
method-type : http_head
send-string : /
status-code : 200
http-connect : remote_connect
remote-host :
remote-port : 0
FortiADC-VM (HTTP-CONNECT-T~S) # set remote-host 10.1.1.1
FortiADC-VM (HTTP-CONNECT-T~S) # set remote-port 113
FortiADC-VM (HTTP-CONNECT-T~S) # set send-string /myapp/index.html
FortiADC-VM (HTTP-CONNECT-T~S) # end
FortiADC-VM #
The following is an example of a SIP health check:
FortiADC-VM # config system health-check
FortiADC-VM (health-check) # edit sip-health-check
Add new entry 'sip-health-check' for node 2763
FortiADC-VM (sip-health-check) # set type sip
FortiADC-VM (sip-health-check) # get
type : sip
interval : 10
timeout : 5
retry : 1
up-retry : 1
port : 0
dest-addr-type : ipv4
dest-addr : 0.0.0.0
status-code : 200
sip-request-type : register
FortiADC-VM (sip-health-check) # set interval 15
FortiADC-VM (sip-health-check) # set retry 2
FortiADC-VM (sip-health-check) # set timeout 3
FortiADC-VM (sip-health-check) # set status-code 403
FortiADC-VM (sip-health-check) # end
The following is an example of an SNMP health check for a server running the UCD agent:
FortiADC-VM # config system health-check
FortiADC-VM (health-check) # edit lb-health-check
Add new entry 'lb-health-check' for node 2763
FortiADC-VM (lb-health-check) # set type snmp
FortiADC-VM (lb-health-check) # get
type : snmp
interval : 10
timeout : 5
retry : 1
up-retry : 1
port : 0
dest-addr-type : ipv4
dest-addr : 0.0.0.0
cpu : 96
mem : 96
disk : 96
agent-type : UCD
community :
version : v1
FortiADC-VM (lb-health-check) # set community company-string
FortiADC-VM (lb-health-check) # set port 161
FortiADC-VM (lb-health-check) # set cpu 50
FortiADC-VM (lb-health-check) # set mem 50
FortiADC-VM (lb-health-check) # set disk 50
FortiADC-VM (lb-health-check) # set version v2c
FortiADC-VM (lb-health-check) # get
type : snmp
interval : 10
timeout : 5
retry : 1
up-retry : 1
port : 161
dest-addr-type : ipv4
dest-addr : 0.0.0.0
cpu : 50
mem : 50
disk : 50
agent-type : UCD
community : company-string
version : v2c
FortiADC-VM (lb-health-check) # end
The following example configures a custom SNMP health check for a server that does not support the UCD or Windows 2000 agent type.
FortiADC-VM # config system health-check
FortiADC-VM (health-check) # edit snmp-linux
Add new entry 'snmp-linux' for node 2763
FortiADC-VM (snmp-linux) # set type snmp-custom
FortiADC-VM (snmp-linux) # get
type : snmp-custom
interval : 10
timeout : 5
retry : 1
up-retry : 1
port : 0
dest-addr-type : ipv4
dest-addr : 0.0.0.0
community :
version : v1
oid :
value-type :
FortiADC-VM (snmp-linux) # set version v2c
FortiADC-VM (snmp-linux) # set oid ".1.3.6.1.4.1.2021.10.1.3.1"
FortiADC-VM (snmp-linux) # set value-type ASN_INTEGER
FortiADC-VM (snmp-linux) # set compare-type greater
FortiADC-VM (snmp-linux) # set counter-value 80
FortiADC-VM (snmp-linux) # end
FortiADC-VM #