FortiGate
vinodhini
Staff
Article Id 198774
Description
This article describes how to configure a DNS health check monitor for server load balancing.

Solution
A DNS health check monitor can be configured for server load balancing.
The monitor sends DNS queries as probes, over either TCP or UDP.

Each probe queries the configured request domain; the response is considered valid only if it resolves that domain to the configured match IP address.

The DNS health check monitor does not support IPv6.

Example:

In this example, a DNS health check monitor is created and used in a VIP.
The FortiGate sends the DNS request on UDP port 53 to the configured real servers every 30 seconds.
If the DNS response from a real server matches the DNS match IP address, then the real server is marked as 'Active'.
Otherwise, it is marked as 'Down'.


To configure the health check monitor:

1) Create a new DNS health check monitor.
# config firewall ldb-monitor
    edit "dns-monitor-1"
        set type dns
        set interval 30
        set port 53
        set src-ip 172.16.200.10
        set dns-request-domain "pc4.qa.fortinet.com"
        set dns-match-ip 172.16.200.44
    next
end
2) Apply the monitor to a virtual server.
# config firewall vip
    edit "test-vs-ip-1"
        set type server-load-balance
        set extip 10.1.100.153
        set extintf "wan2"
        set server-type ip
        set monitor "dns-monitor-1"
        set ldb-method round-robin
        # config realservers
            edit 1
                set ip 172.16.200.44
            next
            edit 2
                set ip 172.16.200.55
            next
        end
    next
end
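The following is an added example, not FortiGate code and not part of the original article: a small Python script that performs the same kind of probe the monitor above is configured for (a UDP DNS A query for the request domain, compared against the match IP) so that an operator can reproduce the check from a workstation when a real server unexpectedly shows as 'Down'. The query builder, the response parser and the build_response() helper (used to construct sample responses offline) are all assumptions of this example; the domain and IP addresses reused from the article are illustrative only. The interpretation that the match IP must appear among the A records in the answer section is this example's reading of the monitor's behaviour, as is the decision to treat a non-zero RCODE, a mismatched transaction ID, a truncated packet or a timeout as 'Down'.

```python
"""Stand-alone DNS A-record health probe mirroring the FortiGate ldb-monitor semantics.

Added example (assumed logic), not FortiGate's implementation.
"""
import ipaddress
import socket
import struct


def build_query(domain: str, txid: int = 0x1234) -> bytes:
    """Build a standard DNS query (RD=1) with one A/IN question for `domain`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at `offset`."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2  # compression pointer: two bytes, name ends here
        offset += 1 + length


def answer_a_records(response: bytes, txid: int) -> list:
    """Extract IPv4 addresses from the answer section; raise ValueError on malformed input."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid:
        raise ValueError("transaction ID mismatch")
    if flags & 0x000F != 0:
        return []  # RCODE != NOERROR (e.g. NXDOMAIN, SERVFAIL): no usable answers
    off = 12
    for _ in range(qdcount):
        off = _skip_name(response, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(response, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        rdata = response[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(rdata)))
    return ips


def health_state(response: bytes, txid: int, match_ip: str) -> str:
    """Map a raw response to the monitor's 'Active' / 'Down' verdict."""
    try:
        ips = answer_a_records(response, txid)
    except (ValueError, IndexError, struct.error):
        return "Down"  # malformed or foreign reply counts as a failed probe
    return "Active" if match_ip in ips else "Down"


def probe(server_ip: str, domain: str, match_ip: str, port: int = 53, timeout: float = 2.0) -> str:
    """Send one UDP probe to a real server, as the monitor does every `interval` seconds."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(domain, txid), (server_ip, port))
            data, _ = sock.recvfrom(512)
        except OSError:
            return "Down"  # timeout or ICMP unreachable: server is not answering
    return health_state(data, txid, match_ip)


def build_response(query: bytes, ips: list, rcode: int = 0) -> bytes:
    """Constructed sample response for offline use (not captured from a real server).

    Echoes the question and appends one A record per IP; 0xC00C points at the question name.
    """
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)
    answers = b"".join(
        b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
        for ip in ips
    )
    return header + query[12:] + answers


if __name__ == "__main__":
    # Offline walk-through using values from the article's example configuration.
    q = build_query("pc4.qa.fortinet.com")
    print(health_state(build_response(q, ["172.16.200.44"]), 0x1234, "172.16.200.44"))   # Active
    print(health_state(build_response(q, ["172.16.200.55"]), 0x1234, "172.16.200.44"))   # Down
    print(health_state(build_response(q, [], rcode=3), 0x1234, "172.16.200.44"))          # Down
```

Running probe("172.16.200.44", "pc4.qa.fortinet.com", "172.16.200.44") from a host that can reach the real server reproduces the monitor's verdict; a 'Down' result there, when the server answers correctly from elsewhere, usually points to a source-address or firewall-policy issue on the path rather than at the DNS service itself.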
