FortiGate
akamath
Staff
Article Id 198246

Description

 

This article describes the advanced options for SD-WAN health checks: the probe protocols that can be used and the protocol-specific settings for each.

Scope

 
FortiGate v6.4.2.


Solution

 

The health check protocol can be any of the following; each protocol has its own options.

 

  1. To use UDP-echo and TCP-echo as health checks:

config system sdwan
    set status enable
    config health-check
        edit "h4_udp1"
            set protocol udp-echo
            set port 7
            set server <server>
        next
        edit "h4_tcp1"
            set protocol tcp-echo
            set port 7
            set server <server>
        next
        edit "h6_udp1"
            set addr-mode ipv6
            set server "2032::12"
            set protocol udp-echo
            set port 7
        next
    end
end

 

  2. To use TCP Open (SYN/SYN-ACK) and TCP Close (FIN/FIN-ACK) to verify connections:

config system sdwan
    set status enable
    config health-check
        edit "h4_tcpconnect1"
            set protocol tcp-connect
            set port 443
            set quality-measured-method {half-open | half-close}
            set server <server>
        next
        edit "h6_tcpconnect1"
            set addr-mode ipv6
            set server "2032::13"
            set protocol tcp-connect
            set port 444
            set quality-measured-method {half-open | half-close}
        next
    end
end

 

TCP connect works by opening TCP connections to the configured servers on a port that can be set manually. Because the probe only watches the packets exchanged during connection setup and tear-down, it can test reachability of any TCP application on the target server without speaking the application protocol. Set quality-measured-method to half-open or half-close based on environment needs:

  • half-open: measure the round trip between SYN and SYN-ACK (connection setup).
  • half-close: measure the round trip between FIN and FIN-ACK (connection tear-down).
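The following script, added here as an illustration and not part of the article or FortiOS, shows what the udp-echo, tcp-echo and tcp-connect probes above actually test from a user-space point of view: an echo probe only passes when the exact bytes it sent come back, and a tcp-connect probe measures the setup phase (half-open) and the tear-down phase (half-close) separately. It reproduces the handshake timing with ordinary sockets, so the numbers are an approximation of what the FortiGate measures at packet level; run_self_test() starts throwaway loopback echo servers (a constructed fixture) so everything runs offline, including a corrupted echo and a closed port to show the failure cases.

```python
import os
import socket
import threading
import time

# Constructed probe payload; the random tail lets the checker tell a real echo
# from a cached or canned reply.
ECHO_PAYLOAD = b"sdwan-hc-" + os.urandom(8).hex().encode()


def _family(server):
    return socket.AF_INET6 if ":" in server else socket.AF_INET


def udp_echo_probe(server, port=7, timeout=2.0, payload=ECHO_PAYLOAD):
    """udp-echo: send payload to the echo port (RFC 862, port 7) and require the same
    bytes back. Returns round-trip time in ms, or None on timeout or a wrong reply."""
    with socket.socket(_family(server), socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.monotonic()
        try:
            s.sendto(payload, (server, port))
            data, _ = s.recvfrom(4096)
        except OSError:
            return None
        rtt_ms = (time.monotonic() - start) * 1000.0
    return rtt_ms if data == payload else None


def tcp_echo_probe(server, port=7, timeout=2.0, payload=ECHO_PAYLOAD):
    """tcp-echo: connect, send payload, require an identical echo before the timeout."""
    start = time.monotonic()
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(payload)
            received = b""
            while len(received) < len(payload):
                chunk = s.recv(4096)
                if not chunk:  # peer closed early: failed probe
                    break
                received += chunk
    except OSError:
        return None
    return (time.monotonic() - start) * 1000.0 if received == payload else None


def tcp_connect_probe(server, port, timeout=2.0):
    """tcp-connect: half_open_ms is the time until connect() returns, i.e. until the
    SYN-ACK arrived; half_close_ms is the time from our FIN (shutdown) until the peer
    finishes and closes. Returns None when the port is unreachable or refuses."""
    s = socket.socket(_family(server), socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        t0 = time.monotonic()
        s.connect((server, port))
        half_open_ms = (time.monotonic() - t0) * 1000.0
        t1 = time.monotonic()
        s.shutdown(socket.SHUT_WR)  # send FIN, keep the read side open
        while s.recv(4096):         # drain until the peer's FIN (EOF)
            pass
        half_close_ms = (time.monotonic() - t1) * 1000.0
    except OSError:
        return None
    finally:
        s.close()
    return {"half_open_ms": half_open_ms, "half_close_ms": half_close_ms}


def _serve_tcp_echo(listener, connections, corrupt=False):
    """Loopback echo server (constructed fixture); corrupt=True answers with reversed bytes."""
    for _ in range(connections):
        conn, _ = listener.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data[::-1] if corrupt else data)
    listener.close()


def _serve_udp_echo(sock):
    data, addr = sock.recvfrom(4096)
    sock.sendto(data, addr)
    sock.close()


def run_self_test():
    """Run every probe against throwaway loopback servers and return the results."""
    good = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    good.bind(("127.0.0.1", 0)); good.listen(2)
    bad = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    bad.bind(("127.0.0.1", 0)); bad.listen(1)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    closed = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    closed.bind(("127.0.0.1", 0))
    good_port, bad_port = good.getsockname()[1], bad.getsockname()[1]
    udp_port, closed_port = udp.getsockname()[1], closed.getsockname()[1]
    closed.close()  # nothing listens on closed_port any more
    for target, args in ((_serve_tcp_echo, (good, 2)), (_serve_tcp_echo, (bad, 1, True)),
                         (_serve_udp_echo, (udp,))):
        threading.Thread(target=target, args=args, daemon=True).start()
    return {
        "tcp_echo_ms": tcp_echo_probe("127.0.0.1", good_port),
        "udp_echo_ms": udp_echo_probe("127.0.0.1", udp_port),
        "tcp_connect": tcp_connect_probe("127.0.0.1", good_port),
        "corrupt_echo": tcp_echo_probe("127.0.0.1", bad_port),   # expected None
        "closed_port": tcp_connect_probe("127.0.0.1", closed_port, timeout=1.0),  # expected None
    }


if __name__ == "__main__":
    print(run_self_test())
```

The corrupted-echo case is why an echo probe should compare the payload rather than just wait for any reply: a middlebox that answers on port 7 with arbitrary data would otherwise mark a dead path as healthy.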

 

  3. To use active or passive mode FTP to verify connections:

config system sdwan
    set status enable
    config health-check
        edit "h4_ftp1"
            set protocol ftp
            set port 21
            set user "root"
            set password ***********
            set ftp-mode {passive | port}
            set ftp-file "1.txt"
            set server <server>
        next
        edit "h6_ftp1"
            set addr-mode ipv6
            set server "2032::11"
            set protocol ftp
            set port 21
            set user "root"
            set password ***********
            set ftp-mode {passive | port}
            set ftp-file "2.txt"
        next
    end
end

 

  4. To use DNS as a health check and define the IP address that the response has to match:

config system sdwan
    set status enable
    config health-check
        edit "h4_dns1"
            set protocol dns
            set dns-request-domain "ip41.forti2.com"
            set dns-match-ip 1.1.1.1
        next
        edit "h6_dns1"
            set addr-mode ipv6
            set server "2000::15.1.1.4"
            set protocol dns
            set port 53
            set dns-request-domain "ip61.xxx.com"
        next
    end
end
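To make the dns-match-ip option concrete, here is a minimal DNS health probe written for this article (example code, not FortiOS or Fortinet code). It builds an A or AAAA query for dns-request-domain, sends it to the health-check server, and parses the reply with the standard library only, checking the transaction ID, the QR bit and the RCODE before looking at the answers. With a match address the probe passes only when that address appears among the returned records, which is the documented purpose of dns-match-ip; without one, this example treats any well-formed, successful reply as a pass, an assumption since the article does not state the exact rule. build_response() is a constructed fixture that fakes a reply so the parser can be exercised offline.

```python
import ipaddress
import os
import socket
import struct


def build_query(domain, qid, qtype=1):
    """Encode a single-question DNS query (qtype 1 = A, 28 = AAAA) with RD set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(buf, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + n


def parse_answers(response, expected_id):
    """Return the A/AAAA addresses in a reply; raise ValueError on a bad or failed reply."""
    if len(response) < 12:
        raise ValueError("truncated header")
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    if rid != expected_id:
        raise ValueError("transaction id mismatch")  # stray or spoofed reply
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = _skip_name(response, off) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(response, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        rdata = response[off:off + rdlen]
        off += rdlen
        if rclass == 1 and rtype in (1, 28) and len(rdata) in (4, 16):
            addrs.append(str(ipaddress.ip_address(rdata)))
    return addrs


def evaluate_reply(reply, qid, match_ip=None):
    """dns-match-ip rule: with a match address, it must be among the answers."""
    try:
        addrs = parse_answers(reply, qid)
    except (ValueError, IndexError, struct.error):
        return False
    if match_ip is None:
        return True  # assumption: any successful reply passes when no match IP is set
    return ipaddress.ip_address(match_ip) in {ipaddress.ip_address(a) for a in addrs}


def dns_health_check(server, domain, match_ip=None, port=53, timeout=2.0):
    """Send the query over UDP and return True when the reply satisfies the check."""
    qid = int.from_bytes(os.urandom(2), "big")
    qtype = 28 if match_ip and ":" in match_ip else 1
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(domain, qid, qtype), (server, port))
            reply, _ = s.recvfrom(4096)
        except OSError:
            return False
    return evaluate_reply(reply, qid, match_ip)


def build_response(query, addrs, rcode=0):
    """Constructed fixture: wrap a query into a reply carrying the given addresses."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    rrs = b""
    for a in addrs:
        packed = ipaddress.ip_address(a).packed
        rtype = 1 if len(packed) == 4 else 28
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(packed)) + packed
    return header + query[12:] + rrs
```

The transaction-ID check matters for a health probe as much as for a resolver: without it, a late reply to an earlier probe, or an unsolicited packet, could be counted as a successful answer for the current one.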

 

For more information on the SD-WAN CLI commands, refer to the FortiOS CLI reference.