Support Forum
nbctcp
New Contributor III

probe-response

In FortiGate VM64 (version from October 2014), on port1 and port2,

it has PROBE-RESPONSE.

 

QUESTIONS:

1. Is PROBE-RESPONSE for checking SYN attacks?

2. If yes, does that mean I should set it on the WAN port instead of the LAN port, because attacks mostly come from the internet?

 

 

tq

 

 

1 Solution
Jeff_FTNT
Staff

"probe-response" is like the "Cisco IOS IP SLAs" feature.

If you set up the FGT with the CLI:

config sys probe-response
set mode http-probe/twamp
end

Enable allowaccess for "probe-response" on the interface; it will respond to requests from other remote FGTs, so a remote FGT can use it as a link-monitor or reachability detect. Thanks.


nbctcp
New Contributor III

Back to my questions,

because they are related to network reliability.

 

QUESTIONS

1. If I have 2 WAN links:

Do you think I need to use port1 and port2 as my WAN links, because only on those ports can I turn on probe link?

Another reason is that reliability is usually related to the WAN link. LAN links are almost always reliable compared to WAN links.

 

2. In what situation do I need to turn on probe-response?

Do you think it is useful when a branch FG uses ISP2 while HQ uses ISP1?

Do you think I need to turn it on all the time?

 

3. After I do

config sys probe-response

set mode http-probe

end

what else do I need to do to verify that probe-response works?

 

tq

 

Jeff_FTNT wrote:

"probe-response" is like the "Cisco IOS IP SLAs" feature.

If you set up the FGT with the CLI: config sys probe-response / set mode http-probe/twamp / end

Enable allowaccess for "probe-response" on the interface; it will respond to requests from other remote FGTs, so a remote FGT can use it as a link-monitor or reachability detect. Thanks.

scheehan_FTNT

Hi,

 

- You need to configure the web server info:

config system server-probe
    edit 1
        set server "X.X.X.X"
        set srcintf "port1"
        set protocol http-get
        set url www.mywebserver.com
    next
end

- You can verify with the diag command below:

# diag sys server-probe status all

 

 

Jeff_FTNT
Staff

Mostly you do not need to enable "PROBE-RESPONSE" on the FGT. It supports HTTP/TWAMP light only.

If you need HTTP failure detection on the FGT, you may point the detect server at a public web server.

TWAMP only supports "light mode". Thanks.
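To make the "TWAMP light" mode above concrete, here is an added example (my own code, not Fortinet's) of the exchange a probe-response reflector and a remote link-monitor sender carry out: the sender emits UDP test packets with an NTP timestamp, the reflector stamps the receive time and echoes the sender fields back, and the sender derives round-trip time minus the reflector's processing time. The packet layouts follow RFC 5357 (section 4.1.2 for the sender, 4.2.1 for the reflector, unauthenticated mode); the loopback address, OS-chosen port and three-packet count are assumptions for the demo only.

```python
"""TWAMP-Light probe exchange (added example, not Fortinet code).

Sender/reflector layouts per RFC 5357 sections 4.1.2 and 4.2.1, unauthenticated
mode. Runs both ends on localhost so it works offline; the port is OS-assigned.
"""
import socket
import struct
import threading
import time

NTP_EPOCH_OFFSET = 2208988800        # seconds from 1900-01-01 to 1970-01-01
SYNCED_ERR_ESTIMATE = 0x8001         # S=1 (clock synchronized), scale 0, multiplier 1

# Sender test packet: seq(4) | NTP timestamp(8) | error estimate(2) | padding
SENDER_FMT = "!IIIH"
SENDER_HDR = struct.calcsize(SENDER_FMT)          # 14 bytes
# Reflector reply: seq(4) | ts(8) | err(2) | MBZ(2) | receive ts(8) |
#   sender seq(4) | sender ts(8) | sender err(2) | MBZ(2) | sender TTL(1) | padding
REFLECT_FMT = "!IIIHHIIIIIHHB"
REFLECT_HDR = struct.calcsize(REFLECT_FMT)        # 41 bytes


def ntp_now():
    """Wall clock as a 64-bit NTP timestamp (seconds, fraction)."""
    t = time.time()
    secs = int(t)
    return secs + NTP_EPOCH_OFFSET, int((t - secs) * (1 << 32))


def ntp_to_unix(secs, frac):
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def build_sender_packet(seq):
    """Sender pads to the reflector's 41-byte minimum so both directions match in size."""
    hdr = struct.pack(SENDER_FMT, seq, *ntp_now(), SYNCED_ERR_ESTIMATE)
    return hdr + b"\x00" * (REFLECT_HDR - SENDER_HDR)


def reflect(packet, reflector_seq, sender_ttl=255):
    """Reflector side: stamp receive time, echo the sender's seq/timestamp, keep size."""
    if len(packet) < SENDER_HDR:
        raise ValueError("short TWAMP test packet")
    rx_secs, rx_frac = ntp_now()
    s_seq, s_secs, s_frac, s_err = struct.unpack(SENDER_FMT, packet[:SENDER_HDR])
    tx_secs, tx_frac = ntp_now()
    reply = struct.pack(REFLECT_FMT, reflector_seq, tx_secs, tx_frac,
                        SYNCED_ERR_ESTIMATE, 0, rx_secs, rx_frac,
                        s_seq, s_secs, s_frac, s_err, 0, sender_ttl)
    return reply + b"\x00" * max(0, len(packet) - REFLECT_HDR)


def parse_reply(data):
    """Decode a reflector reply into a dict; raises ValueError if truncated."""
    if len(data) < REFLECT_HDR:
        raise ValueError("short TWAMP reply")
    f = struct.unpack(REFLECT_FMT, data[:REFLECT_HDR])
    return {
        "seq": f[0],
        "tx_time": ntp_to_unix(f[1], f[2]),
        "rx_time": ntp_to_unix(f[5], f[6]),
        "sender_seq": f[7],
        "sender_time": ntp_to_unix(f[8], f[9]),
        "sender_ttl": f[12],
    }


def run_reflector(sock, count):
    """The probe-response side: reflect `count` packets, then return."""
    for i in range(count):
        data, peer = sock.recvfrom(2048)
        sock.sendto(reflect(data, i), peer)


def measure(reflector_addr, count=3, timeout=1.0):
    """The link-monitor side: list of (seq, rtt_seconds); rtt is None when lost."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    results = []
    try:
        for seq in range(count):
            t0 = time.time()
            s.sendto(build_sender_packet(seq), reflector_addr)
            try:
                data, _ = s.recvfrom(2048)
            except socket.timeout:
                results.append((seq, None))          # lost probe
                continue
            t1 = time.time()
            r = parse_reply(data)
            if r["sender_seq"] != seq:
                results.append((seq, None))          # stale or foreign reply
                continue
            # subtract reflector processing time (tx - rx) to get two-way network delay
            results.append((seq, (t1 - t0) - (r["tx_time"] - r["rx_time"])))
    finally:
        s.close()
    return results


def demo():
    r = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    r.bind(("127.0.0.1", 0))                         # assumed: loopback, OS-chosen port
    th = threading.Thread(target=run_reflector, args=(r, 3), daemon=True)
    th.start()
    res = measure(r.getsockname(), 3)
    th.join(2)
    r.close()
    return res


if __name__ == "__main__":
    for seq, rtt in demo():
        print("seq %d: %s" % (seq, "lost" if rtt is None else "%.3f ms" % (rtt * 1000)))
```

The reflector never initiates anything and only answers a packet it received, which is why the thread above treats it as harmless on a LAN port but pointless on a WAN port unless a known remote FortiGate is meant to measure against it.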

 

nbctcp
New Contributor III

Based on your reply, it is better to detect a public web server.

Let's say I have a scenario like this:

HQ:

- 2x web servers NATted behind a FortiGate, with public IPs and the same DNS name in round robin

 

BRANCH:

- set

WAN1 port:

config system server-probe
    edit 1
        set server "X.X.X.X"
        set srcintf "port1"
        set protocol http-get
        set url www.mywebserver.com
    next
end

 

QUESTIONS:

1. If the branch FG detects the link to the web server is down, will it reroute its traffic to the other web server IP?

2. F5 can detect based on the response.

Let's say the web service is not down, but the connection from the web server to its database is down, which means the service is down too.

Can FG detect a failure based on the response, not based on ping or port alive?

 

Jeff_FTNT wrote:

Mostly you do not need to enable "PROBE-RESPONSE" on the FGT. It supports HTTP/TWAMP light only.

If you need HTTP failure detection on the FGT, you may point the detect server at a public web server.

TWAMP only supports "light mode". Thanks.

 

Jeff_FTNT
Staff

"server-probe" is mostly for detecting outbound traffic. For example, if the FGT has two ISP connections and one of the ISPs is dead, "server-probe" can detect it and the FGT will send traffic to the other ISP.

 

For your new case, multiple web servers behind the FGT, you may try setting up a "Load Balance VIP", which has its own "Health Check". It will load balance across the multiple web servers, and if the "health check" finds one web server is down, it can detect it.

Below is a simple example:

config firewall vip
    edit "test"
        set type server-load-balance
        set extip 192.168.70.200
        set extintf "port9"
        set server-type http
        set monitor "loadbalancevip"
        set extport 80
        config realservers
            edit 1
                set ip 1.1.1.1
                set port 80
            next
        end
    next
end

config firewall ldb-monitor
    edit "loadbalancevip"
        set type ping
        set timeout 3
        set retry 4
    next
end

 

Thanks
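The ping monitor in the example above answers nbctcp's first question but not the second: a ping or a TCP port check says the host is up, not that the application is. The added example below (my own code, not FortiGate's) emulates an http-get probe with a timeout and a retry count like the ldb-monitor above, and shows three levels of check on the same backend: connect succeeds, HTTP status matches, and the body contains a marker the application only emits when it can reach its database. The local test application, its paths (`/`, `/dbdown`, `/maint`) and the `OK` marker are constructed for this example; `pick_server` is the "reroute to the other web server IP" decision from the thread.

```python
"""Response-aware HTTP health check with retry (added example, not FortiGate code).

Emulates a server-probe / ldb-monitor of type http-get and shows why a port or
status check alone can miss an application whose database is down.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def http_fetch(host, port, path, timeout):
    """One HTTP GET; returns (status, body). Raises OSError on connect/timeout."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def probe(host, port, path="/", expect_status=200, expect_body=None,
          timeout=3.0, retries=4, fetch=http_fetch):
    """Mark the target down only after `retries` consecutive failures.

    expect_body=None  -> any answer with expect_status counts as up (port/HTTP check).
    expect_body=b"OK" -> body must contain the marker, so an app answering 200
                         with an error page is still down.
    Returns (state, reason, attempts).
    """
    reason = ""
    for attempt in range(1, retries + 1):
        try:
            status, body = fetch(host, port, path, timeout)
        except OSError as exc:
            reason = "connect/timeout: %s" % exc.__class__.__name__
            continue
        if status != expect_status:
            reason = "status %d != %d" % (status, expect_status)
            continue
        if expect_body is not None and expect_body not in body:
            reason = "body lacks %r" % expect_body
            continue
        return "up", "ok", attempt
    return "down", reason, retries


def pick_server(servers, **probe_kw):
    """First (host, port) that passes the probe, else None: the failover decision."""
    for host, port in servers:
        state, _, _ = probe(host, port, **probe_kw)
        if state == "up":
            return host, port
    return None


class DemoApp(BaseHTTPRequestHandler):
    """Constructed backend: / healthy, /dbdown answers 200 but reports a DB failure, /maint is 503."""

    def do_GET(self):
        if self.path == "/dbdown":
            status, body = 200, b"ERROR: database unavailable"
        elif self.path == "/maint":
            status, body = 503, b"maintenance"
        else:
            status, body = 200, b"OK: orders=42"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo():
    srv = HTTPServer(("127.0.0.1", 0), DemoApp)      # assumed: loopback, OS-chosen port
    port = srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return {
            "healthy":          probe("127.0.0.1", port, "/", expect_body=b"OK"),
            "dbdown_portcheck": probe("127.0.0.1", port, "/dbdown"),                  # looks up
            "dbdown_bodycheck": probe("127.0.0.1", port, "/dbdown", expect_body=b"OK"),  # caught
            "maint":            probe("127.0.0.1", port, "/maint", expect_body=b"OK"),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, (state, reason, attempts) in demo().items():
        print("%-18s %-4s after %d attempt(s): %s" % (name, state, attempts, reason))
```

Whichever device does the probing, the operational point is the same: choose a probe URL whose success response depends on the backend you actually care about, and make the health page fail closed (non-200, or a different body) when that backend is unreachable.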
