Configuring health checks

In server load balancing deployments, the system uses health checks to poll the members of the real server pool to test whether an application is available. You can also configure additional health checks to poll related servers, and you can include results for both in the health check rule. For example, you can configure an HTTP health check test and a RADIUS health check test. In a web application that requires user authentication, the web server is deemed available only if the web server and the related RADIUS server pass the health check.

In link load balancing deployments, the health check can poll either the ISP link group member itself or a “beacon” server that is deployed on the other side of the ISP link. A beacon is an IP address that must be reachable in order for the link to be deemed available. A beacon can be any IP address, such as a main office, core router, or virtual server at another data center.

If you expect a backend server is going to be unavailable for a long period, such as when it is undergoing hardware repair, it is experiencing extended down time, or when you have removed it from the server farm, you can improve the performance of the FortiADC system by setting the status of the pool member to Disabled, rather than allowing the system to continue to attempt health checks.

The predefined health checks are listed under Predefined health check configuration objects below. You can get started with these or create custom objects.

Predefined health check configuration objects

  • LB_HLTHCK_HTTP: Sends a HEAD request to the server port 80. Expects the server to return an HTTP 200.
  • LB_HLTHCK_HTTPS: Sends a HEAD request to the server port 443. Expects the server to return an HTTP 200.
  • LB_HLTHCK_ICMP: Pings the server.
  • LB_HLTHCK_TCP_ECHO: Sends a TCP echo to server port 7. Expects the server to respond with the corresponding TCP echo.

You can clone a predefined configuration object to help you get started with a user-defined configuration.

To clone a configuration object, click the clone icon that appears in the tools column on the configuration summary page.

Before you begin:
  • You must have a good understanding of TCP/IP and knowledge of the services running on your backend servers.
  • You must know the IP address, port, and configuration details for the applications running on backend servers. For some application protocol checks, you must specify user credentials.
  • You must have Read-Write permission for Load Balance settings.

After you have configured a health check, you can select it in the SLB server pool, LLB link group, or GLB server configuration.

To configure a health check:
  1. Go to Shared Resources > Health Check.
    The configuration page displays the Health Check tab.
  2. Click Create New to display the configuration editor.
  3. Enter a name for the Health Check configuration and select the Type. The Type option determines what parameters will need to be configured for that health check type.
  4. Parameter

    Guideline

    Name

    Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

    After you initially save the configuration, you cannot edit the name.

    Type

    Select one of the following health check types:

    • ICMP
    • TCP Echo
    • TCP
    • HTTP
    • HTTPS
    • DNS
    • RADIUS
    • SMTP
    • POP3
    • IMAP4
    • RADIUS Accounting
    • FTP
    • TCP Half Open Connection
    • TCP SSL
    • SNMP
    • SSH
    • L2 Detection
    • UDP
    • SIP
    • SIP TCP
    • SNMP Custom
    • RTSP
    • MySQL
    • Diameter
    • Script
    • Oracle
    • LDAP
    • MSSQL
    • LDAPS
  5. Configure the General settings that apply to all health check types.

    Parameter

    Guideline

    Destination Address Type

    • IPv4
    • IPv6
    • FQDN — destination FQDN type is only supported for LDAP and LDAPS health check types.

    Note:

    For the LDAP or LDAPS health check types, if Verify Host Certificate is enabled, the destination address type must match the CN in the LDAP/S server certificate as either IP address or FQDN.

    For example, if the CN in the LDAP/S server certificate is FQDN, then the destination address in the health check configuration must be FQDN as well.

    Destination Address

    The Destination Address option is available if Destination Address Type is IPv4 or IPv6.

    IP address to send health check traffic.

    In server load balancing deployments, if you do not specify an IP address, the real server IP address is used. You might configure IP address for a health check if you are configuring a combination of health checks to poll related servers.

    In link load balancing deployments, if you do not specify an IP address, the destination IP address is the address of the gateway. You can configure IP address if you want to test connectivity to a beacon on the other side of the gateway, or if you want to test whether service traffic is allowed to pass through the link.

    FQDN

    The FQDN option is available if Destination Address Type is FQDN.

    Specify the destination FQDN (Fully Qualified Domain Name).

    Hostname

    For HTTP or HTTPS health checks, you can specify the hostname (FQDN) instead of the destination IP address. This is useful in VM environments where multiple applications have the same IP address.

    Interval

    Seconds between each health check. Should be more than the timeout to prevent overlapping health checks. The default is 10.

    Timeout

    Seconds to wait for a reply before assuming that the health check has failed. The default is 5.

    Up Retry

    Attempts to retry the health check to see if a down server has become available. The default is 1.

    Down Retry

    Attempts to retry the health check to see if an up server has become unavailable. The default is 1.

  6. Configure the Specifics settings as required.
    Setting

    Guidelines

    ICMP

    No specific options

    Simple ping to test connectivity.

    TCP Echo

    No specific options

    Simple ping to test connectivity.

    TCP / TCP Half Open Connection / UDP

    Port

    Listening port number of the backend server. Usually HTTP is 80, FTP is 21, DNS is 53, POP3 is 110, IMAP4 is 143, RADIUS is 1812, and SNMP is 161.

    TCP SSL

    Port

    Listening port number of the backend server. Usually HTTP is 80, FTP is 21, DNS is 53, POP3 is 110, IMAP4 is 143, RADIUS is 1812, and SNMP is 161.

    SSL Ciphers

    Default selections are recommended.

    Local Cert

    For TCP SSL only. Click the down arrow and select a local SSL Health Check Client certificate from the list menu. The certificate titled "Factory" is the default certificate shipped with your FortiADC. The rest, if any, are the custom certificates that you have created.

    HTTP/HTTPS

    Port

    Listening port number of the backend server. Usually HTTP is 80. If testing an HTTP proxy server, specify the proxy port.

    SSL Ciphers

    For HTTPS only. Default selections are recommended.

    Local Cert

    For HTTPS only. See TCP / TCP Half Open Connection / TCP SSL / UDP above.

    Http-version

    Specify the HTTP version.

    Additional-string

    String to attach to the HTTP header content.

    HTTP CONNECT

    If the real server pool members are HTTP proxy servers, specify an HTTP CONNECT option:

    • Local CONNECT—Use HTTP CONNECT to test the tunnel connection through the proxy to the remote server. The member is deemed available if the request returns status code 200 (OK).
    • Remote CONNECT—Use HTTP CONNECT to test both the proxy server response and remote server application availability. If you select this option, you can configure an HTTP request within the tunnel. For example, you can configure an HTTP GET/HEAD request to the specified URL and the expected response.
    • No CONNECT—Do not use the HTTP CONNECT method. This option is the default. The HTTP CONNECT option is useful to test the availability of proxy servers only.

    See the FortiADC Deployment Guide for FortiCache for an example that uses this health check.

    Remote Host

    If you use HTTP CONNECT to test proxy servers, specify the remote server IP address.

    Remote Port

    If you use HTTP CONNECT to test proxy servers, specify the remote server port.

    Method Type

    HTTP method for the test traffic:

    • HTTP GET—Send an HTTP GET request to the server. A response to an HTTP GET request includes HTTP headers and HTTP body.
    • HTTP HEAD—Send an HTTP HEAD request. A response to an HTTP HEAD request includes HTTP headers only.

    Send String

    The request URL, such as /contact.php.

    Receive String

    A string expected in return when the HTTP GET request is successful.

    Status Code

    The health check sends an HTTP request to the server. Specify the HTTP status code in the server reply that indicates a successful test. Typically, you use status code 200 (OK). Other status codes indicate errors.

    Match Type

    What determines a failed health check?

    • Match String
    • Match Status
    • Match All (match both string and status)

    Not applicable when using HTTP HEAD. HTTP HEAD requests test status code only.

    DNS

    Domain Name

    The FQDN, such as www.example.com, to use in the DNS A/AAAA record health check.

    Address Type

    • IPv4
    • IPv6

    Host Address

    IP address that matches the FQDN, indicating a successful health check.

    RADIUS / RADIUS Accounting

    Port

    Listening port number of the backend server. Usually RADIUS is 1812 and RADIUS accounting is 1813.

    Username

    User name of an account on the backend server.

    Password

    The corresponding password.

    Password Type

    • User—If the backend server does not use CHAP, select this option.
    • CHAP—If the backend server uses CHAP and does not require a secret key, select this option.

    Secret Key

    The secret set on the backend server.

    NAS IP Address

    NAS IP address RADIUS attribute (if the RADIUS server requires this attribute to make a connection).

    SIP / SIP TCP

    Port

    Specify the port number. Valid values range from 0 to 65535.

    SIP Request Type

    Specify the SIP request type to be used for health checks:

    • SIP Options
    • SIP Register

    Status Code

    The expected response code. If not set, response code 200 is expected. Specify 0 if any reply should indicate the server is available.

    SMTP

    Port

    Listening port number of the backend server. Usually SMTP is 25.

    Domain Name

    The FQDN, such as www.example.com, to use in the SMTP HELO request used for health checks.

    If the response is OK (250), the server is considered up. If there is an error response (501) or no response at all, the server is considered down.

    POP3

    Port

    Listening port number of the backend server. Usually POP3 is 110.

    Username

    User name of an account on the backend server.

    Password

    The corresponding password.

    IMAP4

    Port

    Listening port number of the backend server. Usually IMAP4 is 143.

    Username

    User name of an account on the backend server.

    Password

    The corresponding password.

    Folder

    Select an email mailbox to use in the health check. If the mailbox does not exist or is not accessible, the health check fails. The default is INBOX.

    FTP

    Port

    Listening port number of the backend server. Usually FTP is 21.

    User name

    User name of an account on the backend server.

    Password

    The corresponding password.

    File

    Specify a file that exists on the backend server. Path is relative to the initial login path. If the file does not exist or is not accessible, the health check fails.

    Passive

    Select this option if the backend server uses passive FTP.

    SNMP

    Port

    Listening port number of the backend server. Usually SNMP is 161 or 162.

    CPU

    Maximum normal CPU usage. If overburdened, the health check fails.

    Memory

    Maximum normal RAM usage. If overburdened, the health check fails.

    Disk

    Maximum normal disk usage. If the disk is too full, the health check fails.

    Agent type

    • UCD
    • Windows 2000

    Community

    Must match the SNMP community string set on the backend server. If this does not match, all SNMP health checks fail.

    Version

    SNMP v1 or v2c.

    CPU Weight

    100

    Memory Weight

    100

    Disk Weight

    100

    SNMP Custom

    Port

    Listening port number of the backend server. Usually SNMP is 161 or 162.

    Community

    Must match the SNMP community string set on the backend server. If this does not match, all SNMP health checks fail.

    Version

    SNMP v1 or v2c.

    SNMP Custom List

    OID

    String specifying the OID to query

    Value Type

    Abstract syntax notation (ASN) value type:

    • ASN_INTEGER
    • ASN_OCTET_STR
    • ASN_OBJECT_ID
    • ASN_COUNTER
    • ASN_UINTEGER

    SNMP Counter

    Specify the value for the evaluation. The range is 1-2147483647.

    SNMP Compare

    • Equal
    • Less
    • Greater

    Less is the default option.

    Name

    Specify the SNMP custom name.

    Weight

    Specify the SNMP custom weight.

    SSH

    Port

    Listening port number of the backend server. Usually SSH is 22.

    Username

    Username for test login.

    Password

    Corresponding password.

    L2 Detection

    No specific options

    Link Layer health checker. Sends ARP (IPv4) or NDP (IPv6) packets to test whether a physically connected system is available.

    RTSP

    Port

    Specify the listening port number. Valid values range from 0 to 65535.

    RTSP Method Type

    RTSP Options

    Status Code

    200

    MySQL

    Port

    Specify the listening port number of the MySQL server. Valid values range from 0 to 65535.

    Username

    Specify the database user name. (Optional)

    Password

    Specify the database password, if applicable.

    MySQL Server Type

    Select either of the following:

    • Primary (Default)
    • Secondary

    Diameter

    Origin Host

    Specify the FortiADC appliance that originates the Diameter message. The value is in FQDN format and used to uniquely identify a Diameter node for duplicate connection and routing loop detection.

    Note: Some Diameter servers do not accept multiple connections from the same origin host. If you set the origin host the same as the origin host (Identity) of the Diameter load-balance profile and use the health check and Diameter load balance profile in the same virtual server, the health check or the Diameter load-balance profile may run into certain undefined problems.

    Origin Realm

    Specify the realm of the FortiADC appliance that originates the Diameter message. The value is in FQDN format.

    Vendor ID

    Specify the type Unsigned32 vendor ID which contains the IANA "SMI Network Management Private Enterprise Codes" value assigned to the vendor of a Diameter application. The default is 12356.

    Product Name

    Specify the type UTF8String product name which contains the vendor assigned name for the product.

    Host IPv4 Address

    Specify the type IPv4 address used to inform a Diameter peer of the sender's IP address when the destination address type is IPv4. The default is blank, meaning that it is the address of the FortiADC's outgoing interface.

    Host IPv6 Address

    Specify the type IPv6 address used to inform a Diameter peer of the sender's IP address when the destination address type is IPv6. The default is blank, meaning that it is the address of the FortiADC's outgoing interface.

    Auth Application ID

    Specify the type Unsigned32 authentication application ID used to advertise support of the authentication and authorization portion of an application. This field is optional; the default is 0 (zero).

    Acct Application ID

    Specify the type Unsigned32 accounting application ID used to advertise support of the accounting portion of an application. This field is optional; the default is 0 (zero).

    Oracle

    Note: In 5.1.0, the Oracle DB health check is supported only on hardware models.

    Port

    Listening port number of the OracleDB server.

    Username

    Specify the database username.

    Password

    Specify the database password.

    Connect type

    Select one of the following:

    • Service name
    • SID
    • Connect string

    Service name

    Use this to specify the service name.

    SID

    Use this to specify the SID.

    Connect String

    Use this to specify the connect string.

    Oracle-send-string

    The string (command) to send to the OracleDB server.

    Oracle-receive-string

    The string expected in the response from the OracleDB server.

    Row

    The row in which the send string (command) takes effect.

    Column

    The column in which the send string (command) takes effect.

    Script

    Port

    Specify the port that the script uses.

    Script

    Specify the script, either one you have created or a predefined one.

    LDAP

    Port

    Listening port number of the backend server. Usually LDAP is 389.

    Password

    The corresponding password.

    Attribute

    Attributes for the LDAP health check object.

    BaseDN

    The distinguished name where an LDAP server will search from.

    BindDN

    The distinguished name used to bind to an LDAP server.

    Filter

    Criteria to use in selecting results.

    MSSQL

    Port

    Specify the listening port number of the MSSQL server. Valid values range from 0 to 65535.

    Username

    Specify the database user name. (Optional)

    Password

    Specify the database password, if applicable.

    Database

    Specify the name of the MSSQL database.

    MSSQL Send String

    Specify the MSSQL send string.

    MSSQL Receive String

    Specify the MSSQL receive string.

    Row

    The row in which the send string (command) takes effect.

    Column

    The column in which the send string (command) takes effect.

    LDAPS

    Port

    Listening port number of the backend server. The default port is 636 for LDAPS.

    Password

    The corresponding password.

    Bind DN

    The distinguished name used to bind to an LDAPS server.

    Base DN

    The distinguished name where an LDAPS server will search from.

    Filter

    Criteria to use in selecting results.

    Attribute

    Attributes for the LDAPS health check object.

    Verify Host Certificate

    Enable to verify the LDAPS server certificate. This is disabled by default.

    CA

    The CA option is available if Verify Host Certificate is enabled.

    Specify the CA certificate.

  7. Click Save.
    After the Health Check configuration is saved, you can select it in the SLB server pool, LLB link group, or GLB server configuration.
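The HTTP Match Type and the Up Retry / Down Retry settings above, as an added Python sketch that is not Fortinet code. The `HttpCheck` class and both functions are hypothetical, the responses are constructed, and the retry handling is an assumed reading of the guideline text: a member changes state after that many consecutive contrary results.

```python
from dataclasses import dataclass


@dataclass
class HttpCheck:
    method: str = "HEAD"         # "GET" or "HEAD"
    status_code: int = 200       # Status Code expected from the server
    receive_string: str = ""     # Receive String expected in the body
    match_type: str = "status"   # "string", "status" or "all"
    up_retry: int = 1            # page default
    down_retry: int = 1          # page default


def probe_passes(check, status, body):
    """Apply Match Type to one response. HEAD requests test status code only."""
    status_ok = status == check.status_code
    if check.method == "HEAD":
        return status_ok
    string_ok = check.receive_string in body
    if check.match_type == "string":
        return string_ok
    if check.match_type == "status":
        return status_ok
    return status_ok and string_ok   # Match All


def track_member(check, responses, up=True):
    """Replay (status, body) responses; None models a timeout.

    Returns the member state (True = available) after each probe.
    Assumption: the state flips after down_retry consecutive failures
    (when up) or up_retry consecutive successes (when down).
    """
    states, streak = [], 0
    for resp in responses:
        ok = resp is not None and probe_passes(check, *resp)
        if ok == up:
            streak = 0               # result agrees with the current state
        else:
            streak += 1
            needed = check.down_retry if up else check.up_retry
            if streak >= needed:
                up, streak = ok, 0
        states.append(up)
    return states


# Constructed sample: the backend keeps answering 200 but serves a
# maintenance page for two probes, then one probe times out.
SAMPLE = [
    (200, "status: OK"),
    (200, "maintenance page"),
    (200, "maintenance page"),
    None,
    (200, "status: OK"),
    (200, "status: OK"),
]

if __name__ == "__main__":
    for match in ("status", "all"):
        chk = HttpCheck(method="GET", receive_string="OK", match_type=match,
                        up_retry=2, down_retry=2)
        print(match, track_member(chk, SAMPLE))
```

With Match Status the member stays in rotation while it serves the maintenance page; Match All takes it out after the second bad body.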

In SLB deployments, a health check port configuration specifying port 0 acts as a wildcard. The port for health check traffic is imputed from the real server pool member.

In LLB and GLB deployments, specifying port 0 is invalid because there is no associated configuration to impute a proper port. If your health check port configuration specifies port 0, you will not be able to use it in an LLB or GLB configuration.
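A pre-deployment check of the constraints stated on this page (name characters, Interval versus Timeout, FQDN destinations, port 0, and the LDAP/S certificate CN rule), as an added Python example that is not part of the FortiADC product. The dictionary keys, the `lint_health_check` function and the sample values are hypothetical; `server_cert_cn` is assumed to be supplied by the operator from the server certificate.

```python
import ipaddress
import re

NAME_RE = re.compile(r"[A-Za-z0-9_-]+")   # valid name characters, no spaces
FQDN_DEST_TYPES = {"LDAP", "LDAPS"}       # only these accept an FQDN destination


def _kind(value):
    """Classify a certificate CN as 'IP' or 'FQDN'."""
    try:
        ipaddress.ip_address(value)
        return "IP"
    except ValueError:
        return "FQDN"


def lint_health_check(hc, deployment):
    """Return (field, message) findings for one health check used in SLB, LLB or GLB."""
    findings = []
    if not NAME_RE.fullmatch(hc.get("name", "")):
        findings.append(("name", "valid characters are A-Z, a-z, 0-9, _ and -"))

    # Page defaults: Interval 10 seconds, Timeout 5 seconds.
    if hc.get("interval", 10) <= hc.get("timeout", 5):
        findings.append(("interval", "should be more than timeout to prevent overlapping checks"))

    # Assumption: a config without an explicit destination type is treated as IPv4.
    dest_type = hc.get("dest_addr_type", "IPv4")
    if dest_type == "FQDN" and hc["type"] not in FQDN_DEST_TYPES:
        findings.append(("dest_addr_type", "FQDN is only supported for LDAP and LDAPS"))

    # Port 0 is imputed from the pool member in SLB; LLB and GLB have nothing to impute from.
    if hc.get("port") == 0 and deployment in ("LLB", "GLB"):
        findings.append(("port", "port 0 is a wildcard in SLB only; invalid in " + deployment))

    if hc["type"] in FQDN_DEST_TYPES and hc.get("verify_host_cert", False):
        # Destination address type must match the CN as either IP address or FQDN.
        dest_kind = "FQDN" if dest_type == "FQDN" else "IP"
        if _kind(hc.get("server_cert_cn", "")) != dest_kind:
            findings.append(("dest_addr_type", "must match the CN type in the server certificate"))
    elif hc["type"] == "LDAPS":
        findings.append(("verify_host_cert", "disabled (the default): server certificate is not verified"))
    return findings


# Constructed sample configurations.
SAMPLES = [
    ({"name": "web_http", "type": "HTTP", "port": 0}, "SLB"),
    ({"name": "web_http", "type": "HTTP", "port": 0}, "LLB"),
    ({"name": "dir_ldaps", "type": "LDAPS", "port": 636, "dest_addr_type": "FQDN",
      "fqdn": "ldap.example.com", "verify_host_cert": True,
      "server_cert_cn": "192.0.2.10"}, "SLB"),
    ({"name": "dir_ldaps", "type": "LDAPS", "port": 636,
      "dest_addr_type": "IPv4"}, "SLB"),
]

if __name__ == "__main__":
    for cfg, mode in SAMPLES:
        print(cfg["name"], mode, lint_health_check(cfg, mode))
```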

Configuring health checks

In server load balancing deployments, the system uses health checks to poll the members of the real server pool to test whether an application is available. You can also configure additional health checks to poll related servers, and you can include results for both in the health check rule. For example, you can configure an HTTP health check test and a RADIUS health check test. In a web application that requires user authentication, the web server is deemed available only if the web server and the related RADIUS server pass the health check.

In link load balancing deployments, the health check can poll either the ISP link group member itself or a “beacon” server that is deployed on the other side of the ISP link. A beacon is an IP address that must be reachable in order for the link to be deemed available. A beacon can be any IP address, such as a main office, core router, or virtual server at another data center.

If you expect a backend server is going to be unavailable for a long period, such as when it is undergoing hardware repair, it is experiencing extended down time, or when you have removed it from the server farm, you can improve the performance of the FortiADC system by setting the status of the pool member to Disabled, rather than allowing the system to continue to attempt health checks.

Predefined health check configuration objects describes the predefined health checks. You can get started with these or create custom objects.

Predefined health check configuration objects

Predefined Description

LB_HLTHCK_HTTP

Sends a HEAD request to the server port 80. Expects the server to return an HTTP 200.

LB_HLTHCK_HTTPS

Sends a HEAD request to the server port 443. Expects the server to return an HTTP 200.

LB_HLTHCK_ICMP

Pings the server.

LB_HLTHCK_TCP_ECHO

Sends a TCP echo to server port 7. Expects the server to respond with the corresponding TCP echo.

You can clone a predefined configuration object to help you get started with a user-defined configuration.

To clone a configuration object, click the clone icon that appears in the tools column on the configuration summary page.

Before you begin:
  • You must have a good understanding of TCP/IP and knowledge of the services running on your backend servers.
  • You must know the IP address, port, and configuration details for the applications running on backend servers. For some application protocol checks, you must specify user credentials.
  • You must have Read-Write permission for Load Balance settings.

After you have configured a health check, you can select it in the SLB server pool, LLB link group, or GLB server configuration.

To configure a health check:
  1. Go to Shared Resources > Health Check.
    The configuration page displays the Health Check tab.
  2. Click Create New to display the configuration editor.
  3. Enter a name for the Health Check configuration and select the Type. The Type option determines what parameters will need to be configured for that health check type.
  4. Parameter

    Guideline

    Name

    Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

    After you initially save the configuration, you cannot edit the name.

    Type

    Select one of the following health check types:

    • ICMP
    • TCP Echo
    • TCP
    • HTTP
    • HTTPS
    • DNS
    • RADIUS
    • SMTP
    • POP3
    • IMAP4
    • RADIUS Accounting
    • FTP
    • TCP Half Open Connection
    • TCP SSL
    • SNMP
    • SSH
    • L2 Detection
    • UDP
    • SIP
    • SIP TCP
    • SNMP Custom
    • RTSP
    • MySQL
    • Diameter
    • Script
    • Oracle
    • LDAP
    • MSSQL
    • LDAPS
  5. Configure the General settings that apply to all health check types.

    Parameter

    Guideline

    Destination Address Type

    • IPv4
    • IPv6
    • FQDN — destination FQDN type is only supported for LDAP and LDAPS health check types.

    Note:

    For the LDAP or LDAPS health check types, if Verify Host Certificate is enabled, the destination address type must match the CN in the LDAP/S server certificate as either IP address or FQDN.

    For example, if the CN in the LDAP/S server certificate is FQDN, then the destination address in the health check configuration must be FQDN as well.

    Destination Address

    The Destination Address option is available if Destination Address Type is IPv4 or IPv6.

    IP address to send health check traffic.

    In server load balancing deployments, if you do not specify an IP address, the real server IP address is used. You might configure IP address for a health check if you are configuring a combination of health checks to poll related servers.

    In link load balancing deployments, if you do not specify an IP address, the destination IP address is the address of the gateway. You can configure IP address if you want to test connectivity to a beacon on the other side of the gateway, or if you want to test whether service traffic is allowed to pass through the link.

    FQDN

    The FQDN option is available if Destination Address Type is FQDN.

    Specify the destination FQDN (Fully Qualified Domain Name).

    Hostname

    For HTTP or HTTPS health checks, you can specify the hostname (FQDN) instead of the destination IP address. This is useful in VM environments where multiple applications have the same IP address.

    Interval

    Seconds between each health check. Should be more than the timeout to prevent overlapping health checks. The default is 10.

    Timeout

    Seconds to wait for a reply before assuming that the health check has failed. The default is 5.

    Up Retry

    Attempts to retry the health check to see if a down server has become available. The default is 1.

    Down Retry

    Attempts to retry the health check to see if an up server has become unavailable. The default is 1.

  6. Configure the Specifics settings as required.
    SettingGuidelines

    ICMP

    No specific options

    Simple ping to test connectivity.

    TCP Echo

    No specific options

    Simple ping to test connectivity.

    TCP / TCP Half Open Connection / UDP

    Port

    Listening port number of the backend server. Usually HTTP is 80, FTP is 21, DNS is 53, POP3 is 110, IMAP4 is 143, RADIUS is 1812, and SNMP is 161.

    TCP SSL

    Port

    Listening port number of the backend server. Usually HTTP is 80, FTP is 21, DNS is 53, POP3 is 110, IMAP4 is 143, RADIUS is 1812, and SNMP is 161.

    SSL Ciphers

    Default selections are recommended.

    Local Cert

    For TCP SSL only. Click the down arrow and select a local SSL Health Check Client certificate from the list menu. The certificate titled "Factory" is the default certificate shipped with your FortiADC. The rest, if any, are the custom certificates that you have created.

    HTTP/HTTPS

    Port

    Listening port number of the backend server. Usually HTTP is 80. If testing an HTTP proxy server, specify the proxy port.

    SSL Ciphers

    For HTTPS only. Default selections are recommended.

    Local Cert

    For HTTPS only. See TCP / TCP Half Open Connection / TCP SSL / UDP above.

    Http-version

    Specify the HTTP version

    Additional-string

    Attach some string to HTTP header content

    HTTP CONNECT

    If the real server pool members are HTTP proxy servers, specify an HTTP CONNECT option:

    • Local CONNECT—Use HTTP CONNECT to test the tunnel connection through the proxy to the remote server. The member is deemed available if the request returns status code 200 (OK).
    • Remote CONNECT—Use HTTP CONNECT to test both the proxy server response and remote server application availability. If you select this option, you can configure an HTTP request within the tunnel. For example, you can configure an HTTP GET/HEAD request to the specified URL and the expected response.
    • No CONNECT—Do not use the HTTP CONNECT method. This option is the default. The HTTP CONNECT option is useful to test the availability of proxy servers only.

    See the FortiADC Deployment Guide for FortiCache for an example that uses this health check.

    Remote Host

    If you use HTTP CONNECT to test proxy servers, specify the remote server IP address.

    Remote Port

    If you use HTTP CONNECT to test proxy servers, specify the remote server port.

    Method Type

    HTTP method for the test traffic:

    • HTTP GET—Send an HTTP GET request to the server. A response to an HTTP GET request includes HTTP headers and HTTP body.
    • HTTP HEAD—Send an HTTP HEAD request. A response to an HTTP HEAD request includes HTTP headers only.

    Send String

    The request URL, such as /contact.php.

    Receive String

    A string expected in return when the HTTP GET request is successful.

    Status Code

    The health check sends an HTTP request to the server. Specify the HTTP status code in the server reply that indicates a successful test. Typically, you use status code 200 (OK). Other status codes indicate errors.

    Match Type

    What determines a failed health check?

    • Match String
    • Match Status
    • Match All (match both string and status)

    Not applicable when using HTTP HEAD. HTTP HEAD requests test status code only.

    DNS

    Domain Name

    The FQDN, such as www.example.com, to use in the DNS A/AAAA record health check.

    Address Type

    • IPv4
    • IPv6

    Host Address

    IP address that matches the FQDN, indicating a successful health check.

    RADIUS / RADIUS Accounting

    Port

    Listening port number of the backend server. Usually RADIUS is 1812 and RADIUS accounting is 1813.

    Username

    User name of an account on the backend server.

    Password

    The corresponding password.

    Password Type

    • User—If the backend server does not use CHAP, select this option.
    • CHAP—If the backend server uses CHAP and does not require a secret key, select this option.

    Secret Key

    The secret set on the backend server.

    NAS IP Address

    NAS IP address RADIUS attribute (if the RADIUS server requires this attribute to make a connection).

    SIP / SIP TCP

    Port

    Specify the port number. Valid values range from 0 to 65535.

    SIP Request Type

    Specify the SIP request type to be used for health checks:

    • SIP Options
    • SIP Register

    Status Code

    The expected response code. If not set, response code 200 is expected. Specify 0 if any reply should indicate the server is available.

    SMTP

    Port

    Listening port number of the backend server. Usually SMTP is 25.

    Domain Name

    The FQDN, such as www.example.com, to use in the SMTP HELO request used for health checks.

    If the response is OK (250), the server is considered as up. If there is error response (501) or no response at all, the server is considered down.

    POP3

    Port

    Listening port number of the backend server. Usually POP3 is 110.

    Username

    User name of an account on the backend server.

    Password

    The corresponding password.

    IMAP4

    Port

    Listening port number of the backend server. Usually IMAP4 is 143.

    Username

    User name of an account on the backend server.

    Password

    The corresponding password.

    Folder

    Select an email mailbox to use in the health check. If the mailbox does not exist or is not accessible, the health check fails. The default is INBOX.

    FTP

    Port

    Listening port number of the backend server. Usually FTP is 21.

    User name

    User name of an account on the backend server.

    Password

    The corresponding password.

    File

    Specify a file that exists on the backend server. Path is relative to the initial login path. If the file does not exist or is not accessible, the health check fails.

    Passive

    Select this option if the backend server uses passive FTP.

    SNMP

    Port

    Listening port number of the backend server. Usually SNMP is 161 or 162.

    CPU

    Maximum normal CPU usage. If overburdened, the health check fails.

    Memory

    Maximum normal RAM usage. If overburdened, the health check fails.

    Disk

    Maximum normal disk usage. If the disk is too full, the health check fails.

    Agent type

    • UCD
    • Windows 2000

    Community

    Must match the SNMP community string set on the backend server. If this does not match, all SNMP health checks fail.

    Version

    SNMP v1 or v2c.

    CPU Weight

    100

    Memory Weight

    100

    Disk Weight

    100

    SNMP Custom

    Port

    Listening port number of the backend server. Usually SNMP is 161 or 162.

    Community

    Must match the SNMP community string set on the backend server. If this does not match, all SNMP health checks fail.

    Version

    SNMP v1 or v2c.

    SNMP Custom List

    OID

    String specifying the OID to query.

    Value Type

    Abstract syntax notation (ASN) value type:

    • ASN_INTEGER
    • ASN_OCTET_STR
    • ASN_OBJECT_ID
    • ASN_COUNTER
    • ASN_UINTEGER

    SNMP Counter

    Specify the value for the evaluation. The range is 1-2147483647.

    SNMP Compare

    • Equal
    • Less
    • Greater

    Less is the default option.

    Name

    Specify the SNMP custom name.

    Weight

    Specify the SNMP custom weight.

    SSH

    Port

    Listening port number of the backend server. Usually SSH is 22.

    Username

    Username for test login.

    Password

    Corresponding password.

    L2 Detection

    No specific options

    Link Layer health checker. Sends ARP (IPv4) or NDP (IPv6) packets to test whether a physically connected system is available.

    RTSP

    Port

    Specify the listening port number. Valid values range from 0 to 65535.

    RTSP Method Type

    RTSP Options

    Status Code

    200

    MySQL

    Port

    Specify the listening port number of the MySQL server. Valid values range from 0 to 65535.

    Username

    Specify the database user name. (Optional)

    Password

    Specify the database password, if applicable.

    MySQL Server Type

    Select either of the following:

    • Primary (Default)
    • Secondary

    Diameter

    Origin Host

    Specify the FortiADC appliance that originates the Diameter message. The value is in FQDN format and used to uniquely identify a Diameter node for duplicate connection and routing loop detection.

    Note: Some Diameter servers do not accept multiple connections from the same origin host. If you set the origin host the same as the origin host (Identity) of the Diameter load-balance profile and use the health check and Diameter load balance profile in the same virtual server, the health check or the Diameter load-balance profile may run into certain undefined problems.

    Origin Realm

    Specify the realm of the FortiADC appliance that originates the Diameter message. The value is in FQDN format.

    Vendor ID

    Specify the type Unsigned32 vendor ID which contains the IANA "SMI Network Management Private Enterprise Codes" value assigned to the vendor of a Diameter application. The default is 12356.

    Product Name

    Specify the type UTF8String product name which contains the vendor assigned name for the product.

    Host IPv4 Address

    Specify the type IPv4 address used to inform a Diameter peer of the sender's IP address when the destination address type is IPv4. The default is blank, meaning that it is the address of the FortiADC's outgoing interface.

    Host IPv6 Address

    Specify the type IPv6 address used to inform a Diameter peer of the sender's IP address when the destination address type is IPv6. The default is blank, meaning that it is the address of the FortiADC's outgoing interface.

    Auth Application ID

    Specify the type Unsigned32 authentication application ID used to advertise support of the authentication and authorization portion of an application. This field is optional; the default is 0 (zero).

    Acct Application ID

    Specify the type Unsigned32 accounting application ID used to advertise support of the accounting portion of an application. This field is optional; the default is 0 (zero).

    Oracle

    Note: In 5.1.0, the Oracle DB health check is supported only on hardware models.

    Port

    Listening port number of the OracleDB server.

    Username

    Specify the database username.

    Password

    Specify the database password.

    Connect type

    Select one of the following:

    • Service name
    • SID
    • Connect string

    Service name

    Use this to specify the service name.

    SID

    Use this to specify the SID.

    Connect String

    Use this to specify the connect string.

    Oracle-send-string

    Send a string (command) to the OracleDB server.

    Oracle-receive-string

    The string that the health check expects to receive in response.

    Row

    The row in which the send string (command) takes effect.

    Column

    The column in which the send string (command) takes effect.

    Script

    Port

    Specify the port that the script uses.

    Script

    Specify the script, either one you have created or a predefined one.

    LDAP

    Port

    Listening port number of the backend server. Usually LDAP is 389.

    Password

    The corresponding password.

    Attribute

    Attributes for the LDAP health check object.

    BaseDN

    The distinguished name where an LDAP server will search from.

    BindDN

    The distinguished name used to bind to an LDAP server.

    Filter

    Criteria to use in selecting results.

    MSSQL

    Port

    Specify the listening port number of the MSSQL server. Valid values range from 0 to 65535.

    Username

    Specify the database user name. (Optional)

    Password

    Specify the database password, if applicable.

    Database

    Specify the name of the MSSQL database.

    MSSQL Send String

    Specify the MSSQL send string.

    MSSQL Receive String

    Specify the MSSQL receive string.

    Row

    The row in which the send string (command) takes effect.

    Column

    The column in which the send string (command) takes effect.

    LDAPS

    Port

    Listening port number of the backend server. The default port is 636 for LDAPS.

    Password

    The corresponding password.

    Bind DN

    The distinguished name used to bind to an LDAPS server.

    Base DN

    The distinguished name where an LDAPS server will search from.

    Filter

    Criteria to use in selecting results.

    Attribute

    Attributes for the LDAPS health check object.

    Verify Host Certificate

    Enable to verify the LDAPS server certificate. This is disabled by default.

    CA

    The CA option is available if Verify Host Certificate is enabled.

    Specify the CA certificate.

  7. Click Save.
    After the Health Check configuration is saved, you can select it in the SLB server pool, LLB link group, or GLB server configuration.
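The SMTP entry in the table above decides up or down from the reply to a HELO carrying the configured domain name: 250 means up, while an error reply or no reply means down. The following Python sketch of that decision is an added example, not FortiADC code; the function names and the in-process stub backend are assumptions made so that it runs offline.

```python
import socket
import threading

def read_reply(stream):
    """Return the code of one SMTP reply ('NNN-' lines continue, 'NNN ' ends it)."""
    while True:
        line = stream.readline().decode("ascii", "replace").rstrip("\r\n")
        if not line:
            raise ConnectionError("peer closed or sent an empty line")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed SMTP reply: %r" % line)
        if line[3:4] != "-":
            return int(line[:3])

def helo_verdict(sock, domain):
    """Banner + HELO on a connected socket; True (up) only for a 250 reply."""
    with sock:
        if not domain or not domain.isascii() or any(c in domain for c in "\r\n "):
            raise ValueError("domain must be a bare FQDN")  # no injected SMTP commands
        try:
            stream = sock.makefile("rb")
            read_reply(stream)                  # greeting banner, not the verdict
            sock.sendall(("HELO %s\r\n" % domain).encode("ascii"))
            return read_reply(stream) == 250
        except (OSError, ValueError):           # timeout, reset, EOF, garbage: down
            return False

def smtp_helo_check(host, port, domain, timeout=3.0):
    """Connect to a backend and apply helo_verdict; a failed connect means down."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return False
    return helo_verdict(sock, domain)

def stub_backend(helo_reply, timeout=3.0):
    """Constructed in-process backend: returns the client end of a socket pair."""
    client, server = socket.socketpair()
    client.settimeout(timeout)
    def serve():
        with server:
            server.sendall(b"220 stub.example ESMTP\r\n")
            server.recv(1024)                   # consume the HELO line
            server.sendall(helo_reply)
    threading.Thread(target=serve, daemon=True).start()
    return client

if __name__ == "__main__":
    for reply in (b"250 stub.example\r\n", b"501 Syntax error\r\n", b""):
        print(reply, helo_verdict(stub_backend(reply), "www.example.com"))
```

A domain value containing CR, LF or a space is rejected as a configuration error rather than reported as a down server, so a bad setting is not mistaken for a backend outage.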

In SLB deployments, a health check port configuration specifying port 0 acts as a wildcard. The port for health check traffic is imputed from the real server pool member.

In LLB and GLB deployments, specifying port 0 is invalid because there is no associated configuration to impute a proper port. If your health check port configuration specifies port 0, you will not be able to use it in an LLB or GLB configuration.
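The port 0 rule above, together with the LDAPS Verify Host Certificate and CA settings from the table, can be checked before a health check is attached to a deployment. This audit is an added example, not FortiADC code; the dictionary layout, key names and sample objects are hypothetical and constructed for illustration, and treating a missing CA as a finding is an assumption.

```python
# Hypothetical record layout (not FortiADC syntax): one dict per health check.

def resolve_port(deployment, hc_port, member_port=None):
    """Port actually probed: in SLB, port 0 defers to the pool member's port."""
    if not 0 <= hc_port <= 65535:
        raise ValueError("port %d outside 0-65535" % hc_port)
    if hc_port != 0:
        return hc_port
    if deployment != "SLB":
        raise ValueError("port 0 is invalid in %s: no member port to impute" % deployment)
    if not member_port:
        raise ValueError("SLB wildcard needs a pool member port")
    return member_port

def audit(checks, attachments):
    """Return (check name, problem) pairs for attachments that cannot work or
    that send LDAPS bind credentials without verifying the server certificate."""
    findings = []
    for name, deployment, member_port in attachments:
        hc = checks[name]
        try:
            resolve_port(deployment, hc["port"], member_port)
        except ValueError as exc:
            findings.append((name, str(exc)))
        if hc["type"] == "LDAPS":
            if not hc.get("verify_host_cert", False):    # disabled by default
                findings.append((name, "LDAPS server certificate is not verified"))
            elif not hc.get("ca"):                       # assumption: CA is required
                findings.append((name, "verification enabled but no CA selected"))
    return findings

# Constructed sample objects and the deployments they are attached to.
CHECKS = {
    "hc-smtp": {"type": "SMTP", "port": 0},
    "hc-ldaps": {"type": "LDAPS", "port": 636},
    "hc-ldaps-ca": {"type": "LDAPS", "port": 636,
                    "verify_host_cert": True, "ca": "corp-ca"},
}
ATTACHMENTS = [
    ("hc-smtp", "SLB", 25),        # wildcard resolves to the member port
    ("hc-smtp", "LLB", None),      # same object is unusable here
    ("hc-ldaps", "SLB", 636),
    ("hc-ldaps-ca", "GLB", None),
]

if __name__ == "__main__":
    for name, problem in audit(CHECKS, ATTACHMENTS):
        print(name, "->", problem)
```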