FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
msolanki
Staff
Staff
Article Id 250184
Description

This article describes how to enable FortiGate to probe traffic on the Azure or AWS load balancer.

Scope FortiGate.
Solution

In the Azure or AWS load balancer, if the FortiGate-VM probe is enabled, the Azure or AWS load balancer sends out a probe to a TCP/UDP port to verify if the VM is up and running.

In the FortiGate, a specific probe config is activated on TCP/8008.

 

To probe detect in Azure or AWS load balancer, FortiGate needs to configure the below step via CLI:

 

config system probe-response

    set port 8008

    set http-probe-value "OK"

    set mode http-probe

end

 

config system interface

    edit "2"

        set ip 10.10.10.10 255.255.255.0

        set allowaccess probe-response  <-- This will only allow probe-response. If other access is required, include it in this command. Alternatively, use command < append allowaccess probe-response > to append existing settings.

        set device-identification enable

        set role wan

        set snmp-index 16

    next

end

 

config firewall local-in-policy

    edit 1

        set uuid 80d9ad84-c99c-51ed-3072-b327f1deb659

        set intf "port2"

        set srcaddr "all"

        set dstaddr "all"

        set action accept

        set service "TCP_8008

    next

end

 

A sample config of Azure or AWS load balancer.

 

Note that if the devices are configured in Active-Passive mode, it is expected that the secondary firewall will not respond to Load balancer probes.

 

Additional Notes:

The probe-response feature is currently supported only for IPv4 and is not available for IPv6, both in Cloud environments (for example: Azure, AWS) and on physical devices.

As a result, it is not possible to monitor traffic when an Azure or AWS load balancer is configured for IPv6, nor can the monitoring of Fortinet devices using IPv6 probes be performed.

 

config system interface
    config ipv6
        set ip6-allowaccess?
ping PING access.
https HTTPS access.
ssh SSH access.
snmp SNMP access.
http HTTP access.
telnet TELNET access.
fgfm FortiManager access.
fabric Fabric access.