Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiWeb 7.2.2 CLI Reference
    7.2.2
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0

    system ha-aa-server-policy-hlck

    system ha-aa-server-policy-hlck

    To check whether the server policies are running properly on the HA cluster, you can configure server policy heath check. The configurations are synchronized to all members in the cluster. The system sends an HTTP or HTTPS request, and waits for a response that matches the values required by the health check rule. A timeout indicates that the connection between the HA cluster member and the back-end server is not available. The system then generates event logs. The primary node will not distribute traffic to this HA member until the connection is recovered.

    Server policy health check is only available if the operation mode is Reverse Proxy, and the HA mode is Active-Active-Standard.

    You should first enable the HA Health Check option on the HA tab in System > High Availability > Settings, or enable it through the command config system ha, then configure a health check on the HA Health Check tab.

    FortiWeb only supports checking the health of server policies in the root administrative domain.

    To use this command, your administrator account’s access control profile must have rw or w permission to the sysgrp area. For details, see Permissions.

    Syntax

    config system ha-aa-server-policy-hlck

    edit "<health-check_id>"

    set HTTPS {enable | disable}

    set client-cert <client-certificate-name>

    set relationship {and | or}

    config health-list

    edit <entry_index>

    set time-out <seconds_int>

    set retry-times <retries_int>

    set interval <seconds_int>

    set url-path "<request_str>"

    set method {get | head | post}

    set match-type {response-code | match-content | all}

    set response-code {response-code_int}

    set match-content "<match-content_str>"

    next

    end

    next

    end

    Variable Description Default

    "<health-check_id"

    Enter the ID of the server policy health check. The maximum length is 63 characters.

    To display the list of existing server health checks, enter:

    edit ?

    		No default.
    HTTPS {enable | disable} Enable to use the HTTPS protocol for the health check connections with the back-end server. The systems uses HTTP protocol if this option is disabled.nd you can configure the client certificate for the connection.
    client-cert <client-certificate-name> If HTTPS is enabled, you can specify a Client Certificate for the connection. This is optional.
    The Client Certificate is imported on GUI in System > Certificates > Local or by CLI command config system certificate local.

    relationship {and |or}
    • andFortiWeb considers the server to be responsive when it passes all the tests in the list.
    • orFortiWeb considers the server to be responsive when it passes at least one of the tests in the list.
    		 and

    <entry_index>

    		 Enter the index number of the individual rule in the table. The valid range is 1–16. No default.

    timeout <seconds_int>

    		 Enter the number of seconds which must pass after the server health check to indicate a failed health check. The valid range is 1–10 .

    3

    retry-times <retries_int>

    		Enter the number of times, if any, a failed health check will be retried before the server is determined to be unresponsive. The valid range is 1–10.

    3

    interval <seconds_int>

    		Enter the number of seconds between each server health check. The valid range is from 1–10. 10

    url-path "<request_str>"

    Enter the URL, such as /index.html, that FortiWeb uses in the HTTP/HTTPS request to verify the responsiveness of the server.

    If the web server successfully returns this URL, and its content matches the expression specified by match-content, FortiWeb considers it to be responsive.

    		 No default.

    method {get | head | post}

    Specify whether the health check uses the HEAD, GET, or POST method.

    		get

    match-type {response-code | match-content | all}

    • response-code—If the web server successfully returns the URL specified by url-path and the code specified by response-code, FortiWeb considers the server to be responsive.
    • match-content—If the web server successfully returns the URL specified by url-path and its content matches the match-content value, FortiWeb considers the server to be responsive.
    • all—If the web server successfully returns the URL specified by url-path and its content matches the match-content value, and the code specified by response-code, FortiWeb considers the server to be responsive.

    match-content

    response-code {response-code_int}

    Enter the response code that you require the server to return to confirm that it is available, if match-type is response-code or all.

    		200

    match-content "<match-content_str>"

    Enter a regular expression that matches the content that must be present in the HTTP reply to indicate proper server connectivity, if match-type is match-content or all.

    		 No default.

    Example

    This example configures a server policy health check that periodically requests the main page of the website, /index. If FortiWeb can't receive responses containing the required page (which contains the word “About”) every 10 seconds (the default), and the check fails at least three times in a row, FortiWeb considers the connection between itself and the server being broken. The primary node will then stop distributing traffic to this HA member until the connection is recovered.

    config config system ha-aa-server-policy-hlck

    edit "status_check1"

    set trigger-policy "notification-servers1"

    configure health-list

    edit 1

    set type HTTP

    set retry-times 3

    set url-path "/index"

    set method get

    set match-type match-content

    set regular About

    next

    end

    Previous
    Next

    system ha-aa-server-policy-hlck

    system ha-aa-server-policy-hlck

    To check whether the server policies are running properly on the HA cluster, you can configure server policy heath check. The configurations are synchronized to all members in the cluster. The system sends an HTTP or HTTPS request, and waits for a response that matches the values required by the health check rule. A timeout indicates that the connection between the HA cluster member and the back-end server is not available. The system then generates event logs. The primary node will not distribute traffic to this HA member until the connection is recovered.

    Server policy health check is only available if the operation mode is Reverse Proxy, and the HA mode is Active-Active-Standard.

    You should first enable the HA Health Check option on the HA tab in System > High Availability > Settings, or enable it through the command config system ha, then configure a health check on the HA Health Check tab.

    FortiWeb only supports checking the health of server policies in the root administrative domain.

    To use this command, your administrator account’s access control profile must have rw or w permission to the sysgrp area. For details, see Permissions.

    Syntax

    config system ha-aa-server-policy-hlck

    edit "<health-check_id>"

    set HTTPS {enable | disable}

    set client-cert <client-certificate-name>

    set relationship {and | or}

    config health-list

    edit <entry_index>

    set time-out <seconds_int>

    set retry-times <retries_int>

    set interval <seconds_int>

    set url-path "<request_str>"

    set method {get | head | post}

    set match-type {response-code | match-content | all}

    set response-code {response-code_int}

    set match-content "<match-content_str>"

    next

    end

    next

    end

    Variable Description Default

    "<health-check_id"

    Enter the ID of the server policy health check. The maximum length is 63 characters.

    To display the list of existing server health checks, enter:

    edit ?

    		No default.
    HTTPS {enable | disable} Enable to use the HTTPS protocol for the health check connections with the back-end server. The systems uses HTTP protocol if this option is disabled.nd you can configure the client certificate for the connection.
    client-cert <client-certificate-name> If HTTPS is enabled, you can specify a Client Certificate for the connection. This is optional.
    The Client Certificate is imported on GUI in System > Certificates > Local or by CLI command config system certificate local.

    relationship {and |or}
    • andFortiWeb considers the server to be responsive when it passes all the tests in the list.
    • orFortiWeb considers the server to be responsive when it passes at least one of the tests in the list.
    		 and

    <entry_index>

    		 Enter the index number of the individual rule in the table. The valid range is 1–16. No default.

    timeout <seconds_int>

    		 Enter the number of seconds which must pass after the server health check to indicate a failed health check. The valid range is 1–10 .

    3

    retry-times <retries_int>

    		Enter the number of times, if any, a failed health check will be retried before the server is determined to be unresponsive. The valid range is 1–10.

    3

    interval <seconds_int>

    		Enter the number of seconds between each server health check. The valid range is from 1–10. 10

    url-path "<request_str>"

    Enter the URL, such as /index.html, that FortiWeb uses in the HTTP/HTTPS request to verify the responsiveness of the server.

    If the web server successfully returns this URL, and its content matches the expression specified by match-content, FortiWeb considers it to be responsive.

    		 No default.

    method {get | head | post}

    Specify whether the health check uses the HEAD, GET, or POST method.

    		get

    match-type {response-code | match-content | all}

    • response-code—If the web server successfully returns the URL specified by url-path and the code specified by response-code, FortiWeb considers the server to be responsive.
    • match-content—If the web server successfully returns the URL specified by url-path and its content matches the match-content value, FortiWeb considers the server to be responsive.
    • all—If the web server successfully returns the URL specified by url-path and its content matches the match-content value, and the code specified by response-code, FortiWeb considers the server to be responsive.

    match-content

    response-code {response-code_int}

    Enter the response code that you require the server to return to confirm that it is available, if match-type is response-code or all.

    		200

    match-content "<match-content_str>"

    Enter a regular expression that matches the content that must be present in the HTTP reply to indicate proper server connectivity, if match-type is match-content or all.

    		 No default.

    Example

    This example configures a server policy health check that periodically requests the main page of the website, /index. If FortiWeb can't receive responses containing the required page (which contains the word “About”) every 10 seconds (the default), and the check fails at least three times in a row, FortiWeb considers the connection between itself and the server being broken. The primary node will then stop distributing traffic to this HA member until the connection is recovered.

    config config system ha-aa-server-policy-hlck

    edit "status_check1"

    set trigger-policy "notification-servers1"

    configure health-list

    edit 1

    set type HTTP

    set retry-times 3

    set url-path "/index"

    set method get

    set match-type match-content

    set regular About

    next

    end

    Previous
    Next