|
In the Azure or AWS load balancer, if the FortiGate-VM probe is enabled, the Azure or AWS load balancer sends out a probe to a TCP/UDP port to verify if the VM is up and running.
In the FortiGate, a specific probe config is activated on TCP/8008.
To probe detect in Azure or AWS load balancer, FortiGate needs to configure the below step via CLI:
config system probe-response
set port 8008
set http-probe-value "OK"
set mode http-probe
end
config system interface
edit "2"
set ip 10.10.10.10 255.255.255.0
set allowaccess probe-response <-- This will only allow probe-response. If other access is required, include it in this command. Alternatively, use command < append allowaccess probe-response > to append existing settings.
set device-identification enable
set role wan
set snmp-index 16
next
end
config firewall local-in-policy
edit 1
set uuid 80d9ad84-c99c-51ed-3072-b327f1deb659
set intf "port2"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "TCP_8008
next
end
A sample config of Azure or AWS load balancer.
Note that if the devices are configured in Active-Passive mode, it is expected that the secondary firewall will not respond to Load balancer probes.
Additional Notes:
The probe-response feature is currently supported only for IPv4 and is not available for IPv6, both in Cloud environments (for example: Azure, AWS) and on physical devices.
As a result, it is not possible to monitor traffic when an Azure or AWS load balancer is configured for IPv6, nor can the monitoring of Fortinet devices using IPv6 probes be performed.
config system interface
config ipv6
set ip6-allowaccess?
ping PING access.
https HTTPS access.
ssh SSH access.
snmp SNMP access.
http HTTP access.
telnet TELNET access.
fgfm FortiManager access.
fabric Fabric access.
|
