I have an AWS external Alb which forwards external traffic to a pair of fortinets. There are a no of websites hosted on this load balancer each redirecting via a diff port. to these fortinets. Each target group of lb is sending a probe on 8008 to fortinets.I created a new target group with similar probe but the lb health check for it is inconsistent and keeps on failing and randomly coming up..due to these fluctuations my externally published url is getting affected and is accessible intermittently...do I need to add anything else in fortigates to enable the new target group probe ? Pls assist
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi lostboy10,
Thank you for reaching out. that sounds like a routing problem and those probes are intermittently not received by the firewalls. I would recommend checking the routes advertising the subnets for the probes destination addresses on AWS. You can verify this first by running sniffer packet capture on the 2 firewalls simultaneously assuming there is no active-passive cluster here:
- sniffer command: diag sniffer packet any "host x.x.x.x and port 8008" 4 0 l
- packet capture from gui on 7.2 fortios or higher: "network>diagnostics"
You can also check routing on the firewalls:
get router info routing-table all
get router info routing-table details x.x.x.x
If traffic is inconsistently coming in to the fortigate, this is incoming traffic which means there is a need to verify on aws routing, security groups, ACL rules, etc.
If the traffic is coming in with no issues put reply is inconsistent then we would have to troubleshoot the firewall itself checking resource usage such as memory and cpu, session count, traffic logs among other steps.
Thank you,
saleha
A simple test to isolate this on the firewall, run a packet capture for these probes, for example:
diag sniffer packet any "port 8008" 4 0 l (you can also add a specific host IP in the filter)
Keep it running until you see probes were lost. Stop the packet capture and load it in notepad.
Count the occurences of " in " and " out ". If the numbers match, the probes are lost before reaching Fortigate
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.