Liveness detection

6.4.0

Liveness detection can force the service insertion datapath not to use a specific VM until its service manager has updated the VM configuration. This can be required when a new FortiGate-VM is deployed and should not reply to liveness detection queries or forward any traffic until it has received the required configuration from the service manager, or while that VM is under maintenance. The service insertion platform instead uses an already configured VM if one is available.

NSX-T 2.5 and later versions support this feature. See VMware NSX-T documentation.

When configuring a service from FortiManager to VMware NSX-T, the option to enable or disable liveness detection is available. By default, liveness detection is disabled.

To configure NSX-T service with liveness detection:
  1. Create a service chain and profile in VMware NSX-T as described in Add Service Profile and Add Service Chain. When creating the service chain, in the Failure Policy field, set Allow to redirect traffic to the destination VM when the service VM fails.
  2. Add a service chain and configure liveness detection in FortiManager:
    1. Go to Policy & Objects > Object Configurations > Endpoint/Identity.
    2. Select the NSX-T connector, then click Configure.
    3. Click Add to add a new service chain.
    4. From the Device dropdown list, select the required VM or FortiGate.
    5. Ensure that Enable Liveness Detection is set to ON. It is enabled by default.
    6. Configure other fields as required.
    7. Click OK.
  3. In FortiManager, verify that liveness detection is enabled:
    1. Go to Policy & Objects > Object Configurations > Endpoint/Identity.
    2. Select the added NSX-T service, then click Configure.
    3. Select a service, then click Configure. FortiManager displays a list of all service chains with a Liveness Detection column.
    Note: Liveness detection is a global setting for a FortiGate instance. If enabled, it applies across all VDOMs in the FortiGate.

  4. Import the device settings to the FortiGate:
    1. In FortiManager, go to Device Manager.
    2. Select the FortiGate to apply the newly created policy to.
    3. Run the install wizard to import the changed device settings.
