|
There are three types of health checks used.
- Active Monitoring.
- Passive Monitoring.
- Prefer Passive Monitoring.
- Active Monitoring: In this type, active probes are used to check whether the link is up and running. In this method a server is set up in the other end and different types of Probes are used to contact the remote end server. This is the most common monitoring method.
Below are the different types of probes used in this setup:
| Ping |
TCP echo/ UDP echo |
TCP Connect |
TWAMP |
Application Specific Protocols Eg.http |
|
config health-check
edit "Ping"
set detect-mode active
set server "8.8.8.8" "1.1.1.1"
set detect-mode active
set protocol ping
set members 1 2
|
config health-check
edit "Echo"
set detect-mode active
set server "1.1.1.1" "2.2.2.2"
set protocol [tcp-echo | udp-echo]
set port 7 (default)
set members 1 2
|
config health-check
edit "TCPconnect"
set detect-mode active
set server "100.100.2.20"
set protocol tcp-connect
set port 22
set quality-measured-method [half-open | half-open]
|
config health-check
edit "TWAMPclient"
set detect-mode active
set server "100.65.10.3"
set protocol twamp
set port 862
set security-mode [ authentication | none]
set password password
|
config health-check
edit"something.com"
set detect-mode active
set server "something.com"
set protocol http
set http-get "/"
set http-agent "Chrome/ Safari/Explore"
Set http-match "success"
set member 1 2
|
| |
|
|
TWAMP server:
config system probe-response
set port 862
set mode twamp
set security-mode [authentication | none]
set password password
Config system interface
edit port 1
set allowaccess probe response
|
|
- Passive Monitoring: In passive monitoring, there will be no probes used to monitor the link, instead it uses network traffic to decide the performance of the link. TCP traffic is used to measure packet loss, jitter, and latency. RTT of TCP is used for latency calculation and TCP header information is used for jitter and packet loss calculation. Passive monitoring is considered more accurate than active monitoring as it uses real traffic. The other disadvantage is it does not detect dead members. Also, hardware acceleration is disabled on traffic subjected to passive monitoring:
config system sdwan
config health-check
edit " passive"
set detect-mode passive
set member 3 4
config firewall policy
edit 10
set passive-wan-health-measurement enable
Per-application passive monitoring can be done as below, Upon configuring the above, it is possible to use below for per-application passive monitoring:
config system sdwan
config service
edit 1
set name " microsoft"
set src 'all"
set internet-service enable
set internet-service app-ctrl xxxxx yyyyy <----- Application signature ID can get from Security Profiles -> Application signatures.
set health-check passive <----- Name of the above health check.
set priority member 1 4
set passive-measurement enable
end
- Prefer Passive monitoring: This uses both active and passive monitoring. It will use passive monitoring and if there is no traffic on the link for 3 minutes (this value is hard-coded). It will switch to active monitoring. If TCP traffic is monitored on the link it will switch back to passive monitoring. This will also result in disabling auto-asic-offload on the respective Firewall policies.
config system sdwan
config health-check
edit "prefer-passive"
set server "10.10.10.1"
set protocol ping
set detect-mode prefer-passive
set members 4
next
end
end
In the example above, passive monitoring is preferred. FortiGate starts pinging 10.10.10.1 only after no TCP traffic has been seen through member 4 for three minutes.
As with passive monitoring, it is necessary to enable 'passive-wan-health-measurement' on the firewall rules that accept traffic for the monitoring member.
|
