CLI Reference

system ha-aa-server-policy-hlck


To check whether the server policies are running properly on the HA cluster, you can configure a server policy health check. The configuration is synchronized to all members in the cluster. The system sends an HTTP or HTTPS request and waits for a response that matches the values required by the health check rule. A timeout indicates that the connection between the HA cluster member and the back-end server is not available. The system then generates event logs. The primary node will not distribute traffic to this HA member until the connection is recovered.

Server policy health check is only available if the operation mode is Reverse Proxy, and the HA mode is Active-Active-Standard.

You should first enable the HA Health Check option on the HA tab in System > High Availability > Settings, or enable it through the command config system ha, then configure a health check on the HA Health Check tab.

FortiWeb only supports checking the health of server policies in the root administrative domain.

To use this command, your administrator account’s access control profile must have rw or w permission to the sysgrp area. For details, see Permissions.

Syntax

    config system ha-aa-server-policy-hlck
      edit "<health-check_id>"
        set HTTPS {enable | disable}
        set client-cert <client-certificate-name>
        set relationship {and | or}
        config health-list
          edit <entry_index>
            set time-out <seconds_int>
            set retry-times <retries_int>
            set interval <seconds_int>
            set url-path "<request_str>"
            set method {get | head | post}
            set match-type {response-code | match-content | all}
            set response-code {response-code_int}
            set match-content "<match-content_str>"
          next
        end
      next
    end

Variable, Description, Default

"<health-check_id>"

Enter the ID of the server policy health check. The maximum length is 63 characters.

To display the list of existing server health checks, enter:

    edit ?

Default: No default.

HTTPS {enable | disable}

Enable to use the HTTPS protocol for the health check connections with the back-end server; you can then configure the client certificate for the connection. The system uses the HTTP protocol if this option is disabled.

client-cert <client-certificate-name>

If HTTPS is enabled, you can specify a Client Certificate for the connection. This is optional.

The Client Certificate is imported in the GUI in System > Certificates > Local or with the CLI command config system certificate local.

relationship {and | or}

  • and: FortiWeb considers the server to be responsive when it passes all the tests in the list.
  • or: FortiWeb considers the server to be responsive when it passes at least one of the tests in the list.

Default: and

<entry_index>

Enter the index number of the individual rule in the table. The valid range is 1–16.

Default: No default.

time-out <seconds_int>

Enter the number of seconds which must pass after the server health check to indicate a failed health check. The valid range is 1–10.

Default: 3

retry-times <retries_int>

Enter the number of times, if any, a failed health check will be retried before the server is determined to be unresponsive. The valid range is 1–10.

Default: 3

interval <seconds_int>

Enter the number of seconds between each server health check. The valid range is 1–10.

Default: 10

url-path "<request_str>"

Enter the URL, such as /index.html, that FortiWeb uses in the HTTP/HTTPS request to verify the responsiveness of the server.

If the web server successfully returns this URL, and its content matches the expression specified by match-content, FortiWeb considers it to be responsive.

Default: No default.

method {get | head | post}

Specify whether the health check uses the HEAD, GET, or POST method.

Default: get

match-type {response-code | match-content | all}

  • response-code—If the web server successfully returns the URL specified by url-path and the code specified by response-code, FortiWeb considers the server to be responsive.
  • match-content—If the web server successfully returns the URL specified by url-path and its content matches the match-content value, FortiWeb considers the server to be responsive.
  • all—If the web server successfully returns the URL specified by url-path and its content matches the match-content value, and the code specified by response-code, FortiWeb considers the server to be responsive.

Default: match-content

response-code {response-code_int}

Enter the response code that you require the server to return to confirm that it is available, if match-type is response-code or all.

Default: 200

match-content "<match-content_str>"

Enter a regular expression that matches the content that must be present in the HTTP reply to indicate proper server connectivity, if match-type is match-content or all.

Default: No default.

Example

This example configures a server policy health check that periodically requests the main page of the website, /index. The check runs every 10 seconds (the default) and expects a response containing the required page, which contains the word “About”. If the check fails at least three times in a row, FortiWeb considers the connection between itself and the server to be broken. The primary node will then stop distributing traffic to this HA member until the connection is recovered.

    config system ha-aa-server-policy-hlck
      edit "status_check1"
        set HTTPS disable
        config health-list
          edit 1
            set retry-times 3
            set url-path "/index"
            set method get
            set match-type match-content
            set match-content "About"
          next
        end
      next
    end
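
How the match-type and relationship settings combine, as an added Python model that is not FortiWeb code and not part of the original reference. The class and function names are hypothetical, the sample replies are constructed, and the retry handling assumes a rule fails once retry-times probes in a row fail, as the example above describes.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:                       # one health-list entry (fields mirror the CLI)
    match_type: str = "match-content"   # response-code | match-content | all
    response_code: int = 200
    match_content: str = ""             # regular expression
    retry_times: int = 3

@dataclass
class Reply:                      # constructed back-end reply
    status: Optional[int]         # None models a timed-out request
    body: str = ""

def probe_ok(rule: Rule, reply: Reply) -> bool:
    """Apply the rule's match-type to a single reply."""
    if reply.status is None:
        return False
    code_ok = reply.status == rule.response_code
    body_ok = re.search(rule.match_content, reply.body) is not None
    if rule.match_type == "response-code":
        return code_ok
    if rule.match_type == "match-content":
        return body_ok
    return code_ok and body_ok    # match-type all

def rule_passes(rule: Rule, replies: list) -> bool:
    """Assumption: a rule fails once retry_times probes in a row fail."""
    return any(probe_ok(rule, r) for r in replies[: rule.retry_times])

def member_responsive(relationship: str, rules: list, replies: list) -> bool:
    """Combine per-rule results: 'and' needs all rules, 'or' needs one."""
    results = [rule_passes(rule, replies) for rule in rules]
    return all(results) if relationship == "and" else any(results)

# Constructed sample replies, not captured traffic.
HEALTHY = Reply(200, "<a href='/about'>About</a>")
MAINTENANCE = Reply(200, "<h1>Down for maintenance</h1>")
ERROR_PAGE = Reply(500, "About this error")
TIMEOUT = Reply(None)

CODE_ONLY = Rule(match_type="response-code")
CONTENT_ONLY = Rule(match_type="match-content", match_content="About")
BOTH = Rule(match_type="all", match_content="About")

if __name__ == "__main__":
    for name, reply in [("maintenance", MAINTENANCE), ("error", ERROR_PAGE)]:
        print(name, [probe_ok(r, reply) for r in (CODE_ONLY, CONTENT_ONLY, BOTH)])
```

In this model a 200 maintenance page passes a response-code rule and a 500 page containing "About" passes a match-content rule; only match-type all rejects both.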
