In Fortigate VM64 ver October 2014 on port1 and port2.
It has PROBE-RESPONSE.
QUESTIONS:
1. Is PROBE-RESPONSE for checking sync attack?
2. If yes, that means I should set it as the WAN port instead of the LAN port, because attacks mostly come from the internet
tq
"probe-response" is like the "Cisco IOS IP SLAs" feature.
If you set up the FGT with CLI:
config sys probe-response
    set mode {http-probe | twamp}
end
Enable allowaccess for "probe-response" on the interface and it will respond to requests from other remote FGTs, so a remote FGT can use it for link-monitor or reachability detection. Thanks.
Back to my questions
Because it's related to network reliability
QUESTIONS
1. If I have 2 WAN links.
Do you think I need to use port1 and port2 as my WAN links, because only on those ports can I turn on probe link?
Another reason is that reliability is usually related to the WAN link. LAN links are mostly always reliable compared to WAN links.
2. In what situation do I need to turn on probe-response?
Do you think it's useful when a branch using FG is using ISP2 while HQ is using ISP1?
Do you think I need to turn it on all the time?
3. After I do
config sys probe-response
    set mode http-probe
end
What else do I need to do to verify that probe-response works?
tq
Jeff_FTNT wrote: "probe-response" is like the "Cisco IOS IP SLAs" feature.
If you set up the FGT with CLI:
config sys probe-response
    set mode {http-probe | twamp}
end
Enable allowaccess for "probe-response" on the interface and it will respond to requests from other remote FGTs, so a remote FGT can use it for link-monitor or reachability detection. Thanks.
Hi,
- You need to configure web server info
config system server-probe
    edit 1
        set server "X.X.X.X"
        set srcintf "port1"
        set protocol http-get
        set url www.mywebserver.com
    next
end
- You can verify with the diag command below
# diag sys server-probe status all
Mostly there is no need to enable "PROBE-RESPONSE" on the FGT. It supports http/twamp light only.
If you need HTTP failure detection on the FGT, you may point the detect server to a public web server.
TWAMP only supports "light mode". Thanks.
Based on your reply, it's better to detect a public web server
Let's say I have a scenario like this
HQ:
-2x web servers NATted behind FortiGate, with public IPs and the same DNS name in round robin
BRANCH:
-set
WAN1 port:
config system server-probe
    edit 1
        set server "X.X.X.X"
        set srcintf "port1"
        set protocol http-get
        set url www.mywebserver.com
    next
end
QUESTIONS:
1. If the branch FG detects link down to the web server, will it reroute its traffic to the other web server IP?
2. F5 can detect based on response.
Let's say the web service is not down, but the connection from the web server to its database is down, which is equal to the service being down too.
Can FG detect failure based on the response, not based on ping or port alive?
Jeff_FTNT wrote: Mostly there is no need to enable "PROBE-RESPONSE" on the FGT. It supports http/twamp light only.
If you need HTTP failure detection on the FGT, you may point the detect server to a public web server.
TWAMP only supports "light mode". Thanks.
"server-probe" is mostly for detecting outbound traffic. For example, if the FGT has two ISP connections and one of the ISPs is dead, "server-probe" can detect it and the FGT will send traffic to the other ISP.
For your new case, multiple web servers behind the FGT, you may try setting up a "Local Balance VIP", which has its own "Health Check". It will load balance across multiple web servers, and if the "health check" finds that one web server is down, it can detect it.
Below is a simple example:
config firewall ldb-monitor
    edit "loadbalancevip"
        set type ping
        set timeout 3
        set retry 4
    next
end
config firewall vip
    edit "test"
        set type server-load-balance
        set extip 192.168.70.200
        set extintf "port9"
        set server-type http
        set monitor "loadbalancevip"
        set extport 80
        config realservers
            edit 1
                set ip 1.1.1.1
                set port 80
            next
        end
    next
end
Thanks
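Following the reply above, an added example (not from the original thread or from Fortinet) of a load-balance health check that matches on response content instead of ping, which is the kind of check asked about earlier in the thread. It assumes each web server exposes a hypothetical /healthcheck page that returns the string DB_OK only when its database connection works; the monitor name web-content-check and the second real server address are placeholders as well.

```fortios
# Added example: '#' lines are annotations. The health page path and the
# match string are assumptions; the web servers must serve such a page.
config firewall ldb-monitor
    # Weak: only proves the host answers ICMP (the monitor from the post above)
    edit "loadbalancevip"
        set type ping
        set timeout 3
        set retry 4
    next
    # Stronger: fetch a page and require a string that the application
    # returns only when its database query succeeded
    edit "web-content-check"
        set type http
        set port 80
        set http-get "/healthcheck"
        set http-match "DB_OK"
        set interval 10
        set timeout 3
        set retry 4
    next
end
config firewall vip
    edit "test"
        set type server-load-balance
        set extip 192.168.70.200
        set extintf "port9"
        set server-type http
        # reference the content-matching monitor instead of the ping one
        set monitor "web-content-check"
        set extport 80
        config realservers
            edit 1
                set ip 1.1.1.1
                set port 80
            next
            edit 2
                # placeholder address for the second web server
                set ip 1.1.1.2
                set port 80
            next
        end
    next
end
```

With the ping monitor, a web server whose database link is broken still passes the check and keeps receiving traffic; with the HTTP monitor it fails the string match and is taken out of rotation.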