Load balancing diagnose commands

You can also use the following diagnose commands to view status information for load balancing virtual servers and real servers:

diagnose firewall vip realserver {down | flush | healthcheck | list | up}

diagnose firewall vip virtual-server {filter | log | real-server | session | stats}

For example, the following command lists and displays status information for all real servers:

diagnose firewall vip virtual-server real-server

vd root/0 vs vs/2 addr 10.31.101.30:80 status 1/1

conn: max 0 active 0 attempts 0 success 0 drop 0 fail 0

vd root/0 vs vs/2 addr 10.31.101.20:80 status 1/1

conn: max 0 active 0 attempts 0 success 0 drop 0 fail 0

Many of the diagnostic commands involve retrieving information about one or more virtual servers. To control which servers are queried you can define a filter:

diagnose firewall vip virtual-server filter <filter_str>

Where <filter_str> can be:

  • clear erase the current filter
  • dst the destination address range to filter by
  • dst-port the destination port range to filter by
  • list display the current filter
  • name the vip name to filter by
  • negate negate the specified filter parameter
  • src the source address range to filter by
  • src-port the source port range to filter by
  • vd index of virtual domain. -1 matches all

The default filter is empty so no filtering is done.

Logging Diagnostics

The logging diagnostics provide information about two separate features:

diagnose firewall vip virtual-server log {console | filter}

Where

  • console {disable | enable} enables or disables displaying the event log messages generated by virtual server traffic on the console to simplify debugging.
  • filter sets a filter for the virtual server debug log.

The filter option controls which entries the virtual server daemon logs to the console when diagnose debug application vs level is non-zero. The filtering can be done on source, destination, virtual-server name, virtual domain, and so on:

diagnose firewall vip virtual-server log filter <filter_str>

Where <filter_str> can be

  • clear erase the current filter
  • dst the destination address range to filter by
  • dst-port the destination port range to filter by
  • list display the current filter
  • name the virtual-server name to filter by
  • negate negate the specified filter parameter
  • src the source address range to filter by
  • src-port the source port range to filter by
  • vd index of virtual domain. -1 matches all

The default filter is empty so no filtering is done.

Real server diagnostics

Enter the following command to list all the real servers:

diag firewall vip virtual-server real-server list

In the following example there is only one virtual server, called slb, and it has two real servers:

diag firewall vip virtual-server real-server

vd root/0 vs slb/2 addr 172.16.67.191:80 status 1/1

conn: max 10 active 0 attempts 0 success 0 drop 0 fail 0 http: available 0 total 0

vd root/0 vs slb/2 addr 172.16.67.192:80 status 1/1

conn: max 10 active 1 attempts 4 success 4 drop 0 fail 0 http: available 1 total 1

The status indicates the administrative and operational status of the real server.

  • max indicates that the real server will only allow 10 concurrent connections.
  • active is the number of current connections to the server.
  • attempts is the total number of connections attempted.
  • success is the total number of connections that were successful.
  • drop is the total number of connections that were dropped because the active count hit max.
  • fail is the total number of connections that failed to complete due to some internal problem (for example, lack of memory).

If the virtual server has HTTP multiplexing enabled, the http section indicates how many established connections to the real server are available to service an HTTP request, and also the total number of such connections.
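The real-server output shown above (both the vs example near the top and the slb example here) is easy to read for two servers but tedious to review for a large pool, so the usual move is to paste it into a script that parses each two-line entry and flags servers whose status is not 1/1 or whose drop and fail counters are climbing. The parser below is an added example, not FortiOS code or the handbook's own; it assumes the two-line format shown on the page (a "vd ... status a/b" line followed by a "conn: ..." line, with an optional "http: available N total N" suffix when HTTP multiplexing is enabled), reads status "a/b" as administrative/operational in that order (an assumption based on the page's wording), and embeds the page's slb output plus one constructed third entry that shows an unhealthy server.

```python
"""Parse 'diagnose firewall vip virtual-server real-server' output and flag
unhealthy real servers.

Added example, not FortiOS code. Assumptions: the two-line-per-server format
shown on the page; status 'a/b' is read as administrative/operational in that
order (assumption); the input is the command output only, without the echoed
command line.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Header line, e.g. "vd root/0 vs slb/2 addr 172.16.67.191:80 status 1/1"
HEADER_RE = re.compile(
    r"^vd (?P<vdom>\S+)/(?P<vdidx>\d+) vs (?P<vs>\S+)/(?P<vsidx>\d+) "
    r"addr (?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+) status (?P<admin>\d+)/(?P<oper>\d+)$"
)
# Counter line; the "http:" part is only present with HTTP multiplexing enabled.
CONN_RE = re.compile(
    r"^conn: max (?P<max>\d+) active (?P<active>\d+) attempts (?P<attempts>\d+) "
    r"success (?P<success>\d+) drop (?P<drop>\d+) fail (?P<fail>\d+)"
    r"(?: http: available (?P<http_avail>\d+) total (?P<http_total>\d+))?$"
)


@dataclass
class RealServer:
    vdom: str
    vs: str
    ip: str
    port: int
    admin: int          # first half of "status a/b" (assumed administrative)
    oper: int           # second half of "status a/b" (assumed operational)
    max_conn: int       # "max": concurrent connection limit for this real server
    active: int
    attempts: int
    success: int
    drop: int           # dropped because active hit max
    fail: int           # failed for an internal reason (e.g. lack of memory)
    http_avail: Optional[int]   # None when HTTP multiplexing is off
    http_total: Optional[int]


def parse_real_servers(text: str) -> List[RealServer]:
    """Turn the CLI output into a list of RealServer records."""
    servers: List[RealServer] = []
    pending = None  # header fields waiting for their "conn:" line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = CONN_RE.match(line)
        if m is None or pending is None:
            raise ValueError(f"unexpected line: {line!r}")
        c = m.groupdict()
        servers.append(RealServer(
            vdom=pending["vdom"], vs=pending["vs"], ip=pending["ip"],
            port=int(pending["port"]), admin=int(pending["admin"]), oper=int(pending["oper"]),
            max_conn=int(c["max"]), active=int(c["active"]), attempts=int(c["attempts"]),
            success=int(c["success"]), drop=int(c["drop"]), fail=int(c["fail"]),
            http_avail=int(c["http_avail"]) if c["http_avail"] is not None else None,
            http_total=int(c["http_total"]) if c["http_total"] is not None else None,
        ))
        pending = None
    return servers


def flag_issues(servers: List[RealServer]) -> List[str]:
    """Return one human-readable finding per condition worth a closer look."""
    findings: List[str] = []
    for s in servers:
        tag = f"{s.vs} {s.ip}:{s.port}"
        if s.admin != 1 or s.oper != 1:
            findings.append(f"{tag}: status {s.admin}/{s.oper} (not 1/1)")
        if s.drop:
            findings.append(f"{tag}: {s.drop} connections dropped at max {s.max_conn}")
        if s.fail:
            findings.append(f"{tag}: {s.fail} connections failed internally")
        if s.max_conn and s.active >= s.max_conn:
            findings.append(f"{tag}: at connection limit ({s.active}/{s.max_conn})")
    return findings


# The page's slb output, plus a constructed third server (172.16.67.193) that
# is operationally down, saturated, and accumulating drops and failures.
SAMPLE_OUTPUT = """\
vd root/0 vs slb/2 addr 172.16.67.191:80 status 1/1
conn: max 10 active 0 attempts 0 success 0 drop 0 fail 0 http: available 0 total 0
vd root/0 vs slb/2 addr 172.16.67.192:80 status 1/1
conn: max 10 active 1 attempts 4 success 4 drop 0 fail 0 http: available 1 total 1
vd root/0 vs slb/2 addr 172.16.67.193:80 status 1/0
conn: max 10 active 10 attempts 57 success 40 drop 12 fail 5
"""

if __name__ == "__main__":
    for finding in flag_issues(parse_real_servers(SAMPLE_OUTPUT)):
        print(finding)
```

Run against the page's own two-server output the script prints nothing, which is the point: a clean pool is silent, and any line it does print names the real server and the counter that moved. Feeding it periodic captures and diffing the counters (drop and fail are cumulative totals) is more useful than a single snapshot.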

This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
