kmak
Staff
October 18, 2024

Technical Tip: How to configure Health Check Monitoring policy for FortiAnalyzer as the backend real server of a Virtual Server

Description: This article describes the health check configuration for FortiAnalyzer as the backend real server of a Virtual Server.
Scope: FortiADC.
Solution

Prerequisites:

  • FortiAnalyzer is a real server pool member of FortiADC.
  • FortiAnalyzer version v7.4.2 or above.

 

Explanations and Configurations:

  1. In some cases, FortiAnalyzer is proxied through FortiADC, and the FortiAnalyzer IP is configured as the Real Server Pool of a Virtual Server in FortiADC. In this setup, the default HTTPS health check monitoring of FortiADC fails to connect and check the HTTPS health status of the FortiAnalyzer.

  2. In FortiAnalyzer version 7.4.x and above, the list of SSL ciphers supported for the HTTPS protocol has been further restricted. The supported ciphers are shown in the screenshot.

  3. FortiADC's default HTTPS monitoring policy does not include the SSL cipher list that is supported by FortiADC, which causes the HTTPS connection error.

  4. In the FortiADC health check policy dedicated to FortiAnalyzer, enable the two ciphers 'ECDHE-RSA-AES256-GCM-SHA384' and 'ECDHE-RSA-AES128-GCM-SHA256'. Deselect the unsupported TLS protocol and the other SSL cipher lists, since they are no longer required. It is also important to make sure the Status Code is '301'.

  5. Update the FortiAnalyzer Real Server Pool Health Check List settings to use the dedicated health check monitoring policy for FortiAnalyzer.

  6. After the health check list is configured, the FortiADC Health Check Event log should show an event identifying the FortiAnalyzer Real Server Pool member as UP.
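The check described in the steps above can be reproduced from a management host to confirm that FortiAnalyzer completes a handshake with only those two ciphers and answers with 301. This is an added example, not Fortinet code or part of the original article; the TLS 1.2 cap, port 443, the request path `/`, and the hostname are assumptions.

```python
import http.client
import ssl

# The two ciphers the article enables in the dedicated health check policy.
FAZ_MONITOR_CIPHERS = ("ECDHE-RSA-AES256-GCM-SHA384",
                       "ECDHE-RSA-AES128-GCM-SHA256")
EXPECTED_STATUS = 301  # Status Code set in the health check policy


def build_monitor_context(ciphers=FAZ_MONITOR_CIPHERS, cafile=None):
    """TLS client context that offers only the given cipher suites."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Both suites are TLS 1.2 suites. Capping at TLS 1.2 (assumption) stops
    # OpenSSL from also offering TLS 1.3 suites, which set_ciphers() does
    # not control.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(ciphers))
    if cafile is None:
        # Reachability probe only (assumption): without a CA file the
        # certificate is not validated, so identity is not checked.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe(host, port=443, path="/", expected=EXPECTED_STATUS, timeout=5.0,
          cafile=None):
    """Send one HTTPS GET with the restricted ciphers and report the result."""
    result = {"healthy": False, "status": None, "cipher": None, "error": None}
    ctx = build_monitor_context(cafile=cafile)
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", path)  # http.client never follows redirects
        result["cipher"] = conn.sock.cipher()[0]  # suite actually negotiated
        resp = conn.getresponse()
        result["status"] = resp.status
        result["healthy"] = resp.status == expected
    except (OSError, http.client.HTTPException) as exc:
        # ssl.SSLError (an OSError) here is the cipher/protocol mismatch case.
        result["error"] = f"{type(exc).__name__}: {exc}"
    finally:
        conn.close()
    return result


if __name__ == "__main__":
    print(probe("faz.example.internal"))  # placeholder hostname
```

A result with `error` starting `SSLError` points to a cipher or protocol mismatch, while a populated `status` other than 301 points to the Status Code setting.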

 

Related document:

Configuring health checks