server-policy health

Use this command to configure server health checks.

Tests for server responsiveness (called “server health checks” in the web UI) poll web servers that are members of a server pool to determine their availability before forwarding traffic. Server health checks can use TCP, HTTP/HTTPS, ICMP ECHO_REQUEST (ping), TCP SSL, or TCP half-open.

The FortiWeb appliance polls the server at the frequency set in the timeout <seconds_int> option. If the appliance does not receive a reply within the timeout period, and you have configured the health check to retry, it attempts a health check again; otherwise, the server is deemed unresponsive. The FortiWeb appliance reacts to unresponsive servers by disabling traffic to that server until it becomes responsive.

If a back-end server will be unavailable for a long period, such as when a server is undergoing hardware repair, it is experiencing extended downtime, or when you have removed a server from the server pool, you can improve the performance of your FortiWeb appliance by disabling the back-end server, rather than allowing the server health check to continue to check for responsiveness. For details, see server-policy server-pool.

To apply server health checks, select them in a server pool configuration. For details, see server-policy server-pool.

To use this command, your administrator account’s access control profile requires either w or rw permission to the traroutegrp area. For details, see Permissions.

Syntax

config server-policy health

edit "<health-check_name>"

set trigger-policy "<trigger-policy_name>"

set relationship {and |or}

set group-id <int>

set role {master | slave | standalone}

configure health-list

edit <entry_index>

set type {icmp | tcp | HTTP | tcp-ssl | tcp-half-open}

set timeout <seconds_int>

set url-path "<request_str>"

set method {get | head | post}

set match-type {response-code | match-content | all}

set response-code {response-code_int}

set match-content "<match-content_str>"

end

Variable	Description	Default
"<health-check_name>"	Enter the name of the server health check. The maximum length is 63 characters. To display the list of existing server health checks, enter: `edit ?`	No default.
trigger-policy "<trigger-policy_name>"	Enter the name of the trigger to apply when the health check detects a failed server (see log trigger-policy). The maximum length is 63 characters. To display the list of existing trigger policies, enter: `set trigger ?`	No default.
relationship {and \|or}	`and`—FortiWeb considers the server to be responsive when it passes all the tests in the list. `or`—FortiWeb considers the server to be responsive when it passes at least one of the tests in the list.	`and`
group-id <int>	`group-id` is used together with `role {master \| slave}`. FortiWeb performs health check on the server pool which has referenced a "master" health check, then synchronize the result to all the server pools which have referenced the "slave" health check of the same group-id. This can avoid unnecessary health checks in certain cases such as when different server pools sharing the same IP address. This option is not available if the role is standalone.	No default.
role {master \| slave \| standalone}	If you want the health check result to be shared across multiple server pools, then specify whether this health check is a master or a slave. This is used together with the above command `group-id <int>`. If the health check result is not to be shared, then choose `standalone`.	standalone
<entry_index>	Enter the index number of the individual rule in the table. The valid range is 1–16.	No default.
type {icmp \| tcp \| HTTP \| tcp-ssl \| tcp-half-open}	Select either: `icmp`—Send ICMP type 8 (`ECHO_REQUEST`) and listen for either ICMP type 0 (`ECHO_RESPONSE`) indicating responsiveness, or timeout indicating that the host is not responsive. `tcp`—Send TCP `SYN` and listen for either TCP `SYN ACK` indicating responsiveness, or timeout indicating that the host is not responsive. `HTTP`—Send an HTTP request and listen for the code specified by `response-code`, the page content specified by `match-content`, or both the code and the content, or timeout indicating that the host is not responsive. Apply to server pool members only if the SSL setting for the member is disabled. `tcp-ssl`—Send a TCP SSL request. FortiWeb considers the host to be responsive if the SSL handshake is successful, and closes the connection once the handshake is complete. This type of health check requires fewer resources than `HTTP` or `HTTPS`. Apply to server pool members only if the SSL setting for the member is enabled. `tcp-half-open`—Send TCP `SYN` and listen for either TCP `SYN ACK` indicating responsiveness, or timeout indicating that the host is not responsive. If the response is `SYN ACK`, send TCP `RST` to terminate the connection. This type of health check requires fewer resources from the pool member than `tcp`.	`ping`
timeout <seconds_int> retry-times <retries_int> interval <seconds_int>	`timeout <seconds_int>`: The maximum duration (in seconds) FortiWeb will wait for a response from a back-end server during a health check. If the server does not respond within this time frame, the health check is considered failed. The valid range is 1–30 . `retry-times <retries_int>`: The number of consecutive retries FortiWeb will perform—each with the configured timeout—if no response is received from the server. The server is marked down only after all retries fail. The valid range is 1 - 10. `interval <seconds_int>`: The frequency (in seconds) at which FortiWeb performs health checks on the back-end server. The valid range is from 1 - 300. The diagram illustrates how FortiWeb’s health check mechanism uses `timeout`, `retry-times`, and `interval`. In this example: Each health check (HC) begins and, if no response is received, performs up to two retries (retry-times = 2), with each retry waiting up to the configured `timeout` duration. Health checks can run concurrently—starting a new health check does not cancel or override an existing one that is still active. As shown in the diagram, HC2 begins while the second retry of HC1 is still in progress. Best Practice Strategy We recommend setting the interval so that the next health check begins when the last retry of the current health check is underway, as shown in the diagram above. Example If: timeout = 3 seconds retry-times = 2 Then, the recommended interval is between 6 and 9 seconds. This ensures: Minimal overlap between health check cycles. Efficient use of CPU and memory by reducing unnecessary concurrency. Faster failover or recovery detection without redundant checks. Special Notice for Public Cloud Deployments If FortiWeb and your back-end resources are hosted on public cloud platforms, be aware that network latency is typically higher compared to on-premises environments. As a result, the default timeout value of 3 seconds may be too short for receiving a response from the server. We recommend configuring a longer `timeout` and `interval` based on the observed network conditions in your environment to ensure reliable health check results.	timeout : `3` retry-times: 3 interval:10
url-path "<request_str>"	Enter the URL, such as `/index.html`, that FortiWeb uses in the HTTP/HTTPS request to verify the responsiveness of the server. If the web server successfully returns this URL, and its content matches the expression specified by `match-content`, FortiWeb considers it to be responsive. Available when type {icmp \| tcp \| HTTP \| tcp-ssl \| tcp-half-open} is `HTTP` or `HTTPS`.	No default.
method {get \| head \| post}	Specify whether the health check uses the HEAD, GET, or POST method. Available when type {icmp \| tcp \| HTTP \| tcp-ssl \| tcp-half-open} is `HTTP` or `HTTPS`.	`get`
match-type {response-code \| match-content \| all}	response-code—If the web server successfully returns the URL specified by `url-path` and the code specified by `response-code`, FortiWeb considers the server to be responsive. `match-content`—If the web server successfully returns the URL specified by `url-path` and its content matches the `match-content` value, FortiWeb considers the server to be responsive. `all`—If the web server successfully returns the URL specified by `url-path` and its content matches the `match-content` value, and the code specified by `response-code`, FortiWeb considers the server to be responsive. Available when type {icmp \| tcp \| HTTP \| tcp-ssl \| tcp-half-open} is `HTTP` or `HTTPS`.	`match-content`
response-code {response-code_int}	Enter the response code that you require the server to return to confirm that it is available, if `match-type` is `response-code` or `all`. Available when type {icmp \| tcp \| HTTP \| tcp-ssl \| tcp-half-open} is `HTTP` or `HTTPS`.	`200`
match-content "<match-content_str>"	Enter a regular expression that matches the content that must be present in the HTTP reply to indicate proper server connectivity, if `match-type` is `match-content` or `all`. Available when type {icmp \| tcp \| HTTP \| tcp-ssl \| tcp-half-open} is `HTTP` or `HTTPS`.	No default.

Example

This example configures a server health check that periodically requests the main page of the website, /index. If a physical server does not successfully return that page (which contains the word “About”) every 10 seconds (the default), and fails the check at least three times in a row, FortiWeb considers it unresponsive and forwards subsequent HTTP requests to other physical servers in the server farm.

config server-policy health

edit "status_check1"

set trigger-policy "notification-servers1"

configure health-list

edit 1

set type HTTP

set retry-times 3

set url-path "/index"

set method get

set match-type match-content

set regular About

end