FortiGate
kcheng
Staff
Article Id 199183
Description

This article describes the monitoring of FortiGate using server probes. 

 

Server probes can be enabled on FortiGate interfaces so that a monitoring system can check the reachability and the response time of the FortiGate. One of the following probe response modes can be configured:

 

none: disable probe.

http-probe: HTTP probe.

twamp: Two-Way Active Measurement Protocol.

 

Once the target FortiGate is configured with server-probe on its interfaces, server probe monitoring can be configured on a third-party monitoring tool (using http-get) or with the Link Monitor feature available on a remote FortiGate.

Scope  
Solution

1) To configure HTTP probe on a FortiGate to respond to the server probe request, the user must first specify the server probe response mode on the FortiGate:

 

# config system probe-response

set mode http-probe

end

 

It is possible to set additional options, such as specifying a custom port other than port 80.

 

Refer to https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/655978/system-probe-response for more information.

 

2) Once the above has been configured, configure the interfaces that are required to respond to the server probe request:

 

# config system interface

edit <interface> 

set allowaccess probe-response  --> This allows only probe-response on the interface. If additional access such as https and ping is required, include the respective options in the same command

next

end

 

3) With the above settings, FortiGate will start to respond to server probe requests.

The following example uses another FortiGate to demonstrate HTTP server probe monitoring using the Link Monitor feature:

 

# config system link-monitor

edit Probe

set srcintf <interface>

set server <FortiGate_IP> --> configure the FortiGate IP that has the server probe response configured

set gateway-ip <Gateway_IP>

set protocol http

set port <port> --> replace this with the port number configured in the probe response section if a custom port is used. The default port is 80

next

end

 

To verify that the server probe is working, you may issue the following command if the link monitor is used to send the server probe request.

 

This command is to be issued on the local FortiGate where probe-response is configured:

diag sys server-probe response

 

The following screenshot shows the expected output of the above command:

 

Probe_response.png

 

On the remote FortiGate that has been configured with the link monitor feature, the following command will show the response of the server probe request:

 

# diag sys link-monitor status Probe <----- Probe is the name of the link monitor that was configured. Replace it with the name of the link monitor that you configured

 

The following screenshot shows the expected output of the above command:

 

link-monitor.png
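
The third-party (http-get) check mentioned in the description can be scripted as shown here. This is an added example, not Fortinet code: the function names, the failtime threshold and the optional expected-body check are assumptions, and the port passed in must match the one set under config system probe-response.

```python
import http.client
import sys
import time
import urllib.error
import urllib.request

# Ignore any system proxy so the probe measures the direct path to the interface.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def http_probe(host, port, timeout=2.0, expect=None):
    """One HTTP GET. Returns (ok, latency_ms, detail); latency_ms is None if no reply."""
    start = time.monotonic()
    try:
        with _OPENER.open(f"http://{host}:{port}/", timeout=timeout) as resp:
            body = resp.read(1024).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:      # a reply arrived, but it was an error status
        return False, (time.monotonic() - start) * 1000.0, f"HTTP {exc.code}"
    except (urllib.error.URLError, http.client.HTTPException, OSError) as exc:
        return False, None, f"no response: {exc}"
    latency_ms = (time.monotonic() - start) * 1000.0
    if expect is not None and expect not in body:   # expected body text is an assumption
        return False, latency_ms, "unexpected body"
    return True, latency_ms, "ok"

def monitor(host, port, count=5, interval=1.0, failtime=3, **probe_args):
    """Send `count` probes; report 'dead' after `failtime` consecutive failures."""
    latencies, streak, worst = [], 0, 0
    for i in range(count):
        ok, ms, _ = http_probe(host, port, **probe_args)
        if ok:
            latencies.append(ms)
            streak = 0
        else:
            streak += 1
            worst = max(worst, streak)
        if i < count - 1:
            time.sleep(interval)
    return {
        "state": "dead" if worst >= failtime else "alive",
        "loss_pct": 100.0 * (count - len(latencies)) / count,
        "avg_ms": sum(latencies) / len(latencies) if latencies else None,
    }

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: probe_check.py <FortiGate_IP> <port>")
    print(monitor(sys.argv[1], int(sys.argv[2])))
```

A "dead" result with 100% loss while the interface still answers ping usually means probe-response is missing from allowaccess on that interface or the port does not match.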
