server-policy health

Use this command to configure server health checks.

Tests for server responsiveness (called “server health checks” in the web UI) poll web servers that are members of a server pool to determine their availability before forwarding traffic. Server health checks can use TCP, HTTP/HTTPS, ICMP ECHO_REQUEST (ping), TCP SSL, or TCP half-open.

The FortiWeb appliance polls the server at the frequency set in the interval <seconds_int> option. If the appliance does not receive a reply within the timeout period, and you have configured the health check to retry, it attempts a health check again; otherwise, the server is deemed unresponsive. The FortiWeb appliance reacts to unresponsive servers by disabling traffic to that server until it becomes responsive.

If a back-end server will be unavailable for a long period, such as when a server is undergoing hardware repair, it is experiencing extended downtime, or when you have removed a server from the server pool, you can improve the performance of your FortiWeb appliance by disabling the back-end server, rather than allowing the server health check to continue to check for responsiveness. For details, see server-policy server-pool.

To apply server health checks, select them in a server pool configuration. For details, see server-policy server-pool.

To use this command, your administrator account’s access control profile requires either w or rw permission to the traroutegrp area. For details, see Permissions.

Syntax

config server-policy health

edit "<health-check_name>"

set trigger-policy "<trigger-policy_name>"

set relationship {and |or}

set group-id <int>

set role {master | slave | standalone}

configure health-list

edit <entry_index>

set type {icmp | tcp | HTTP | tcp-ssl | tcp-half-open}

set timeout <seconds_int>

set retry-times <retries_int>

set interval <seconds_int>

set url-path "<request_str>"

set method {get | head | post}

set match-type {response-code | match-content | all}

set response-code {response-code_int}

set match-content "<match-content_str>"

end

Variable	Description	Default
"<health-check_name>"	Enter the name of the server health check. The maximum length is 63 characters. To display the list of existing server health checks, enter: `edit ?`	No default.
trigger-policy "<trigger-policy_name>"	Enter the name of the trigger to apply when the health check detects a failed server (see log trigger-policy). The maximum length is 63 characters. To display the list of existing trigger policies, enter: `set trigger ?`	No default.
relationship {and \|or}	`and`—FortiWeb considers the server to be responsive when it passes all the tests in the list. `or`—FortiWeb considers the server to be responsive when it passes at least one of the tests in the list.	`and`
group-id <int>	`group-id` is used together with `role {master \| slave}`. FortiWeb performs health check on the server pool which has referenced a "master" health check, then synchronize the result to all the server pools which have referenced the "slave" health check of the same group-id. This can avoid unnecessary health checks in certain cases such as when different server pools sharing the same IP address. This option is not available if the role is standalone.	No default.
role {master \| slave \| standalone}	If you want the health check result to be shared across multiple server pools, then specify whether this health check is a master or a slave. This is used together with the above command `group-id <int>`. If the health check result is not to be shared, then choose `standalone`.	standalone
<entry_index>	Enter the index number of the individual rule in the table. The valid range is 1–16.	No default.
type {icmp \| tcp \| HTTP \| tcp-ssl \| tcp-half-open}	Select either: `icmp`—Send ICMP type 8 (`ECHO_REQUEST`) and listen for either ICMP type 0 (`ECHO_RESPONSE`) indicating responsiveness, or timeout indicating that the host is not responsive. `tcp`—Send TCP `SYN` and listen for either TCP `SYN ACK` indicating responsiveness, or timeout indicating that the host is not responsive. `HTTP`—Send an HTTP request and listen for the code specified by `response-code`, the page content specified by `match-content`, or both the code and the content, or timeout indicating that the host is not responsive. Apply to server pool members only if the SSL setting for the member is disabled. `tcp-ssl`—Send a TCP SSL request. FortiWeb considers the host to be responsive if the SSL handshake is successful, and closes the connection once the handshake is complete. This type of health check requires fewer resources than `HTTP` or `HTTPS`. Apply to server pool members only if the SSL setting for the member is enabled. `tcp-half-open`—Send TCP `SYN` and listen for either TCP `SYN ACK` indicating responsiveness, or timeout indicating that the host is not responsive. If the response is `SYN ACK`, send TCP `RST` to terminate the connection. This type of health check requires fewer resources from the pool member than `tcp`.	`ping`
timeout <seconds_int>	Enter the number of seconds which must pass after the server health check to indicate a failed health check. The valid range is 1–10 . For instance, if this value is set to 5, and FortiWeb hasn't received a response from a server within 5 seconds after sending a health check request, FortiWeb will consider the server unhealthy, and its status will be marked as OFF. Please note that this value should be smaller than the value of `interval <seconds_int>`. If it is not, there's a risk that FortiWeb will send another health check request before receiving a response from the previous one, potentially causing the health check process to loop indefinitely.	`3`
retry-times <retries_int>	Enter the number of times, if any, a failed health check will be retried before the server is determined to be unresponsive. The valid range is 1–10.	`3`
interval <seconds_int>	Enter the number of seconds between each server health check. The valid range is from 1–10. Please note that this value should be larger than the value of `timeout <seconds_int>`. Refer to the description of `timeout <seconds_int>` to understand the rationale behind this requirement.	`10`
url-path "<request_str>"	Enter the URL, such as `/index.html`, that FortiWeb uses in the HTTP/HTTPS request to verify the responsiveness of the server. If the web server successfully returns this URL, and its content matches the expression specified by `match-content`, FortiWeb considers it to be responsive. Available when type {icmp \| tcp \| HTTP \| tcp-ssl \| tcp-half-open} is `HTTP` or `HTTPS`.	No default.
method {get \| head \| post}	Specify whether the health check uses the HEAD, GET, or POST method. Available when type {icmp \| tcp \| HTTP \| tcp-ssl \| tcp-half-open} is `HTTP` or `HTTPS`.	`get`
match-type {response-code \| match-content \| all}	response-code—If the web server successfully returns the URL specified by `url-path` and the code specified by `response-code`, FortiWeb considers the server to be responsive. `match-content`—If the web server successfully returns the URL specified by `url-path` and its content matches the `match-content` value, FortiWeb considers the server to be responsive. `all`—If the web server successfully returns the URL specified by `url-path` and its content matches the `match-content` value, and the code specified by `response-code`, FortiWeb considers the server to be responsive. Available when type {icmp \| tcp \| HTTP \| tcp-ssl \| tcp-half-open} is `HTTP` or `HTTPS`.	`match-content`
response-code {response-code_int}	Enter the response code that you require the server to return to confirm that it is available, if `match-type` is `response-code` or `all`. Available when type {icmp \| tcp \| HTTP \| tcp-ssl \| tcp-half-open} is `HTTP` or `HTTPS`.	`200`
match-content "<match-content_str>"	Enter a regular expression that matches the content that must be present in the HTTP reply to indicate proper server connectivity, if `match-type` is `match-content` or `all`. Available when type {icmp \| tcp \| HTTP \| tcp-ssl \| tcp-half-open} is `HTTP` or `HTTPS`.	No default.

Example

This example configures a server health check that periodically requests the main page of the website, /index. If a physical server does not successfully return that page (which contains the word “About”) every 10 seconds (the default), and fails the check at least three times in a row, FortiWeb considers it unresponsive and forwards subsequent HTTP requests to other physical servers in the server farm.

config server-policy health

edit "status_check1"

set trigger-policy "notification-servers1"

configure health-list

edit 1

set type HTTP

set retry-times 3

set url-path "/index"

set method get

set match-type match-content

set regular About

end