server-policy health

Use this command to configure server health checks.

Tests for server responsiveness (called “server health checks” in the web UI) poll web servers that are members of a server pool to determine their availability before forwarding traffic. Server health checks can use TCP, HTTP/HTTPS, ICMP ECHO_REQUEST (ping), TCP SSL, or TCP half-open.

The FortiWeb appliance polls the server at the frequency set in the interval <seconds_int> option. If the appliance does not receive a reply within the timeout period, and you have configured the health check to retry, it attempts a health check again; otherwise, the server is deemed unresponsive. The FortiWeb appliance reacts to unresponsive servers by disabling traffic to that server until it becomes responsive.

If a back-end server will be unavailable for a long period, such as when it is undergoing hardware repair, is experiencing extended downtime, or has been removed from the server pool, you can improve the performance of your FortiWeb appliance by disabling the back-end server rather than allowing the server health check to keep polling it. For details, see server-policy server-pool.

To apply server health checks, select them in a server pool configuration. For details, see server-policy server-pool.

To use this command, your administrator account’s access control profile requires either w or rw permission to the traroutegrp area. For details, see Permissions.

Syntax

    config server-policy health
    edit "<health-check_name>"
    set trigger-policy "<trigger-policy_name>"
    set relationship {and | or}
    configure health-list
    edit <entry_index>
    set type {icmp | tcp | http | https | tcp-ssl | tcp-half-open}
    set timeout <seconds_int>
    set retry-times <retries_int>
    set interval <seconds_int>
    set url-path "<request_str>"
    set method {get | head | post}
    set host "<host_str>"
    set match-type {response-code | match-content | all}
    set response-code {response-code_int}
    set match-content "<match-content_str>"
    next
    end

Variable Description Default

"<health-check_name>"

Enter the name of the server health check. The maximum length is 63 characters.

To display the list of existing server health checks, enter:

edit ?

No default.

trigger-policy "<trigger-policy_name>"

Enter the name of the trigger to apply when the health check detects a failed server (see log trigger-policy). The maximum length is 63 characters.

To display the list of existing trigger policies, enter:

set trigger ?

No default.

relationship {and | or}

  • and—FortiWeb considers the server to be responsive when it passes all the tests in the list.
  • or—FortiWeb considers the server to be responsive when it passes at least one of the tests in the list.

Default: and

<entry_index>

Enter the index number of the individual rule in the table. The valid range is 1–16. No default.

type {icmp | tcp | http | https | tcp-ssl | tcp-half-open}

Select either:

  • icmp—Send ICMP type 8 (ECHO_REQUEST) and listen for either ICMP type 0 (ECHO_RESPONSE) indicating responsiveness, or timeout indicating that the host is not responsive.
  • tcp—Send TCP SYN and listen for either TCP SYN ACK indicating responsiveness, or timeout indicating that the host is not responsive.
  • http—Send an HTTP request and listen for the code specified by response-code, the page content specified by match-content, or both the code and the content, or timeout indicating that the host is not responsive.

    Apply to server pool members only if the SSL setting for the member is disabled.
  • https—Send an HTTPS request and listen for the code specified by response-code, the page content specified by match-content, or both the code and the content, or timeout indicating that the host is not responsive.

    Apply to server pool members only if the SSL setting for the member is enabled.
  • tcp-ssl—Send an HTTPS request. FortiWeb considers the host to be responsive if the SSL handshake is successful, and closes the connection once the handshake is complete. This type of health check requires fewer resources than http or https.

    Apply to server pool members only if the SSL setting for the member is enabled.
  • tcp-half-open—Send TCP SYN and listen for either TCP SYN ACK indicating responsiveness, or timeout indicating that the host is not responsive. If the response is SYN ACK, send TCP RST to terminate the connection. This type of health check requires fewer resources from the pool member than tcp.

Default: ping

timeout <seconds_int>

Enter the number of seconds that FortiWeb waits for a reply to a server health check before it counts the check as failed. The valid range is 1–10.

Default: 3

retry-times <retries_int>

Enter the number of times, if any, a failed health check will be retried before the server is determined to be unresponsive. The valid range is 1–10.

Default: 3

interval <seconds_int>

Enter the number of seconds between each server health check. The valid range is 1–10.

Default: 10

url-path "<request_str>"

Enter the URL, such as /index.html, that FortiWeb uses in the HTTP/HTTPS request to verify the responsiveness of the server.

If the web server successfully returns this URL, and its content matches the expression specified by match-content, FortiWeb considers it to be responsive.

Available when type is http or https.

No default.

method {get | head | post}

Specify whether the health check uses the HEAD, GET, or POST method.

Available when type is http or https.

Default: get

host "<host_str>"

Optionally, enter the HTTP host header name of a specific host.

This is useful if the pool member hosts multiple websites (virtual hosting environment).

Available when type is http or https.

No default.

match-type {response-code | match-content | all}

  • response-code—If the web server successfully returns the URL specified by url-path and the code specified by response-code, FortiWeb considers the server to be responsive.
  • match-content—If the web server successfully returns the URL specified by url-path and its content matches the match-content value, FortiWeb considers the server to be responsive.
  • all—If the web server successfully returns the URL specified by url-path and its content matches the match-content value, and the code specified by response-code, FortiWeb considers the server to be responsive.

Available when type is http or https.

Default: match-content

response-code {response-code_int}

Enter the response code that you require the server to return to confirm that it is available, if match-type is response-code or all.

Available when type is http or https.

Default: 200

match-content "<match-content_str>"

Enter a regular expression that matches the content that must be present in the HTTP reply to indicate proper server connectivity, if match-type is match-content or all.

Available when type is http or https.

No default.
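
The ranges and type-dependent options in the table above can be checked before a configuration is pasted into the appliance. The following Python sketch is an added example, not Fortinet code: the function name lint_health_check and the sample configuration are constructed for illustration, and it flags only what this page documents (value ranges, option values, HTTP-only options, and a missing match-content expression).

```python
# Ranges and option values copied from the variable table on this page.
RANGES = {"timeout": (1, 10), "retry-times": (1, 10), "interval": (1, 10)}
ENUMS = {"relationship": {"and", "or"}, "method": {"get", "head", "post"},
         "type": {"icmp", "tcp", "http", "https", "tcp-ssl", "tcp-half-open"},
         "match-type": {"response-code", "match-content", "all"}}
HTTP_ONLY = {"url-path", "method", "host", "match-type", "response-code", "match-content"}
KNOWN = set(RANGES) | set(ENUMS) | HTTP_ONLY | {"trigger-policy"}

def lint_health_check(text):
    """Return findings for one pasted `config server-policy health` block."""
    findings, entries, in_list = [], [], False
    for line in text.splitlines():
        cmd, _, args = " ".join(line.split()).partition(" ")
        if cmd == "edit" and in_list:
            if not (args.isdigit() and 1 <= int(args) <= 16):
                findings.append(f"entry index {args} outside 1-16")
            entries.append({"index": args})
        elif cmd == "set":
            key, _, val = args.partition(" ")
            val = val.strip('"')
            if key not in KNOWN:
                findings.append(f"unknown option '{key}'")
            elif key in RANGES:
                lo, hi = RANGES[key]
                if not (val.isdigit() and lo <= int(val) <= hi):
                    findings.append(f"{key} {val} outside {lo}-{hi}")
            elif key in ENUMS and val not in ENUMS[key]:
                findings.append(f"{key} '{val}' is not a documented value")
            if entries:
                entries[-1][key] = val
        elif args == "health-list":  # the `configure health-list` line
            in_list = True
    for e in entries:
        if e.get("type") in ("http", "https"):
            # match-type defaults to match-content; match-content has no default.
            if e.get("match-type", "match-content") != "response-code" and "match-content" not in e:
                findings.append(f"entry {e['index']}: match-content regex is not set")
        elif "type" in e:
            for key in sorted(HTTP_ONLY.intersection(e)):
                findings.append(f"entry {e['index']}: {key} only applies to http/https")
    return findings

# Constructed sample with deliberate mistakes (not taken from the page).
SAMPLE = "\n".join([
    'config server-policy health', 'edit "status_check2"', 'configure health-list',
    'edit 1', 'set type tcp-half-open', 'set timeout 30', 'set url-path "/health"', 'next',
    'edit 2', 'set type https', 'set match-type all', 'set regular About', 'next', 'end'])
if __name__ == "__main__": print(*lint_health_check(SAMPLE), sep="\n")
```
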

Example

This example configures a server health check that periodically requests the main page of the website, /index. If a physical server does not successfully return that page (which contains the word “About”) every 10 seconds (the default), and fails the check at least three times in a row, FortiWeb considers it unresponsive and forwards subsequent HTTP requests to other physical servers in the server farm.

    config server-policy health
    edit "status_check1"
    set trigger-policy "notification-servers1"
    configure health-list
    edit 1
    set type http
    set retry-times 3
    set url-path "/index"
    set method get
    set match-type match-content
    set match-content "About"
    next
    end
