system ha-aa-server-policy-hlck
To check whether the server policies are running properly on the HA cluster, you can configure server policy heath check. The configurations are synchronized to all members in the cluster. The system sends an HTTP or HTTPS request, and waits for a response that matches the values required by the health check rule. A timeout indicates that the connection between the HA cluster member and the back-end server is not available. The system then generates event logs. The master node will not distribute traffic to this HA member until the connection is recovered.
Server policy health check is only available if the operation mode is Reverse Proxy, and the HA mode is Active-Active-Standard.
You should first enable the HA Health Check option on the HA tab in System > High Availability > Settings, or enable it through the command config system ha
, then configure a health check on the HA Health Check tab.
FortiWeb only supports checking the health of server policies in the root administrative domain.
To use this command, your administrator account’s access control profile must have rw
or w
permission to the sysgrp
area. For details, see Permissions.
Syntax
config system ha-aa-server-policy-hlck
edit "<health-check_id>"
set HTTPS {enable | disable}
set client-cert <client-certificate-name>
set relationship {and | or}
config health-list
edit <entry_index>
set time-out <seconds_int>
set retry-times <retries_int>
set interval <seconds_int>
set url-path "<request_str>"
set method {get | head | post}
set match-type {response-code | match-content | all}
set response-code {response-code_int}
set match-content "<match-content_str>"
next
end
next
end
Variable | Description | Default |
Enter the ID of the server policy health check. The maximum length is 63 characters. To display the list of existing server health checks, enter:
|
No default. | |
HTTPS {enable | disable}
|
Enable to use the HTTPS protocol for the health check connections with the back-end server. The systems uses HTTP protocol if this option is disabled.nd you can configure the client certificate for the connection. | |
client-cert <client-certificate-name>
|
If HTTPS is enabled, you can specify a Client Certificate for the connection. This is optional. The Client Certificate is imported on GUI in System > Certificates > Local or by CLI command config system certificate local . |
|
relationship {and |or} |
|
and
|
<entry_index> |
Enter the index number of the individual rule in the table. The valid range is 1–16. | No default. |
timeout <seconds_int> |
Enter the number of seconds which must pass after the server health check to indicate a failed health check. The valid range is 1–10 . |
|
retry-times <retries_int> |
Enter the number of times, if any, a failed health check will be retried before the server is determined to be unresponsive. The valid range is 1–10. |
|
interval <seconds_int> |
Enter the number of seconds between each server health check. The valid range is from 1–10. |
10
|
url-path "<request_str>" |
Enter the URL, such as If the web server successfully returns this URL, and its content matches the expression specified by |
No default. |
method {get | head | post} |
Specify whether the health check uses the HEAD, GET, or POST method. |
get
|
match-type {response-code | match-content | all} |
|
|
response-code {response-code_int} |
Enter the response code that you require the server to return to confirm that it is available, if |
200
|
match-content "<match-content_str>" |
Enter a regular expression that matches the content that must be present in the HTTP reply to indicate proper server connectivity, if |
No default. |
Example
This example configures a server policy health check that periodically requests the main page of the website, /index
. If FortiWeb can't receive responses containing the required page (which contains the word “About”) every 10 seconds (the default), and the check fails at least three times in a row, FortiWeb considers the connection between itself and the server being broken. The master node will then stop distributing traffic to this HA member until the connection is recovered.
config config system ha-aa-server-policy-hlck
edit "status_check1"
set trigger-policy "notification-servers1"
configure health-list
edit 1
set type http
set retry-times 3
set url-path "/index"
set method get
set match-type match-content
set regular About
next
end