FortiGate
akamath
Staff
Article Id 198246
Description
Health checks support several protocols and protocol-specific options.

This article describes these options.

Scope
For version 6.4.2.

Solution
The health check protocols include the following.

1) To use UDP-echo and TCP-echo as health checks.
config system sdwan
    set status enable
    config health-check
        edit "h4_udp1"
            set protocol udp-echo
            set port 7
            set server <server>
        next
        edit "h4_tcp1"
            set protocol tcp-echo
            set port 7
            set server <server>
        next
        edit "h6_udp1"
            set addr-mode ipv6
            set server "2032::12"
            set protocol udp-echo
            set port 7
        next
    end
end

2) To use TCP Open (SYN/SYN-ACK) and TCP Close (FIN/FIN-ACK) to verify connections.
config system sdwan
    set status enable
    config health-check
        edit "h4_tcpconnect1"
            set protocol tcp-connect
            set port 443
            set quality-measured-method {half-open | half-close}
            set server <server>
        next
        edit "h6_tcpconnect1"
            set addr-mode ipv6
            set server "2032::13"
            set protocol tcp-connect
            set port 444
            set quality-measured-method {half-open | half-close}
        next
    end
end

3) To use active or passive mode FTP to verify connections.
config system sdwan
    set status enable
    config health-check
        edit "h4_ftp1"
            set protocol ftp
            set port 21
            set user "root"
            set password ***********
            set ftp-mode {passive | port}
            set ftp-file "1.txt"
            set server <server>
        next
        edit "h6_ftp1"
            set addr-mode ipv6
            set server "2032::11"
            set protocol ftp
            set port 21
            set user "root"
            set password ***********
            set ftp-mode {passive | port}
            set ftp-file "2.txt"
        next
    end
end

4) To use DNS as a health check, and define the IP address that the response has to match.
config system sdwan
    set status enable
    config health-check
        edit "h4_dns1"
            set protocol dns
            set dns-request-domain "ip41.forti2.com"
            set dns-match-ip 1.1.1.1
        next
        edit "h6_dns1"
            set addr-mode ipv6
            set server "2000::15.1.1.4"
            set protocol dns
            set port 53
            set dns-request-domain "ip61.xxx.com"
        next
    end
end
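
An added example, not part of the original article or of Fortinet's tooling: a small offline audit that parses the health-check entries from a saved configuration and checks each one against the protocol-specific options shown above. The names `parse_health_checks`, `audit`, `EXPECTED`, `ENUMS` and `SAMPLE` are hypothetical, the per-protocol baseline is an assumption drawn from this article's examples, and the flag on FTP probes that log in as root is a hygiene rule added here (FTP sends credentials in cleartext).

```python
import shlex

# Per-protocol options from the article; an assumed baseline, not a FortiOS schema.
EXPECTED = {
    "udp-echo": {"port", "server"}, "tcp-echo": {"port", "server"},
    "tcp-connect": {"port", "server", "quality-measured-method"},
    "ftp": {"port", "server", "user", "password", "ftp-mode", "ftp-file"},
    "dns": {"dns-request-domain"}}
ENUMS = {"quality-measured-method": {"half-open", "half-close"},
         "ftp-mode": {"passive", "port"}}

def parse_health_checks(text):  # -> {entry name: {option: value}}
    checks, stack, current = {}, [], None
    for raw in text.splitlines():
        tok = shlex.split(raw.strip().lstrip("# ")) or [""]
        if tok[0] == "config":
            stack.append(tok[-1])
        elif tok[0] == "end" and stack:
            stack.pop()
        elif tok[0] == "edit" and stack[-1:] == ["health-check"]:
            current = checks.setdefault(tok[1], {})
        elif tok[0] == "next":
            current = None
        elif tok[0] == "set" and current is not None and len(tok) > 2:
            current[tok[1]] = " ".join(tok[2:])
    return checks

def audit(checks):  # -> sorted (entry, finding) pairs
    out = []
    for name, o in checks.items():
        want = EXPECTED.get(o.get("protocol"), set())
        out += [(name, f"missing {k}") for k in want - set(o)]
        out += [(name, f"bad {k}: {o[k]}")
                for k, ok in ENUMS.items() if k in o and o[k] not in ok]
        if o.get("protocol") == "ftp" and o.get("user") == "root":  # added hygiene rule
            out.append((name, "probe logs in as root over cleartext FTP"))
    return sorted(out)

# Constructed sample with deliberate mistakes.
SAMPLE = """config health-check
    edit "h4_tcpconnect1"
        set protocol tcp-connect
        set quality-measured-method half-opn
    next
    edit "h4_ftp1"
        set protocol ftp
        set user "root"
        set ftp-mode passive
    next
end"""
```

Calling `audit(parse_health_checks(SAMPLE))` returns the findings for the two constructed entries; entries outside `config health-check`, such as SD-WAN members, are ignored by the parser.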
