Technical data

Additional Firewall Configurations
May 31, 2012 © 2012 Brocade Communications Systems, Inc. A - 5
Enabling Layer 4 Path Health Checks for FWLB
By default, the ServerIron performs Layer 3 health checks of firewall paths, but does not perform Layer 4 health checks of the paths. You can configure the ServerIrons in an FWLB configuration to use Layer 4 health checks instead of Layer 3 health checks for firewall paths. When you configure a Layer 4 health check, the Layer 3 (ICMP) health check, which is used by default, is disabled.
NOTE: The Layer 4 health check applies only to firewall paths. The ServerIron always uses a Layer 3 (ICMP) health check to test the path to the router.
When you configure a Layer 4 health check for firewall paths, the ServerIron sends Layer 4 health checks and also responds at Layer 4 to health checks from the ServerIron at the other end of the firewall path.
To configure a Layer 4 health check, specify the protocol (TCP or UDP). Optionally, you also can specify the port.
UDP – The ServerIron sends and listens for path health check packets on the port you specify. If you do not specify a port, the ServerIron uses port 7777 by default. The port number is used as both the source and destination UDP port number in the health check packets.
TCP – The ServerIron listens for path health check packets on the port you specify, but sends them using a randomly generated port number. If you do not specify a port, the ServerIron uses port 999 as the destination port by default.
NOTE: You must configure the same Layer 4 health check parameters on all the ServerIrons in the FWLB configuration. Otherwise, the paths will fail the health checks.
To configure a Layer 4 health check for firewall paths, enter a command such as the following at the firewall group configuration level:
ServerIron(config-tc-2)# fw-health-check udp
The command in this example enables Layer 4 health checks on UDP port 7777. This ServerIron sends firewall path health checks to UDP port 7777 and listens for health checks on UDP port 7777.
Syntax: [no] fw-health-check udp | tcp [<tcp/udp-portnum> <num>]
The <tcp/udp-portnum> parameter specifies the TCP or UDP port and can be a number in one of the following ranges:
For TCP, from 1 – 65535
For UDP, from 1 – 1032 or 2033 – 65535
NOTE: Do not use a number from 1033 – 2032 for UDP. Port numbers in this range are not supported for FWLB UDP health checks.
The <num> parameter specifies the maximum number of retries and can be a number from 8 – 31. The default is 3.
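The constraints above (per-protocol port ranges, the unsupported UDP range, the default ports, and the requirement that every ServerIron in the group use identical parameters) are easy to get wrong across several devices. The following configuration audit is an added example, not Brocade code or output; it parses fw-health-check lines from constructed config excerpts and reports violations and member mismatches.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Defaults and constraints as stated for ServerIron FWLB Layer 4 path health checks.
DEFAULT_PORT = {"udp": 7777, "tcp": 999}
UDP_UNSUPPORTED = range(1033, 2033)   # UDP 1033-2032 is not supported

# "fw-health-check udp | tcp [<port> <retries>]"; a leading "no" never matches, so a
# "no fw-health-check ..." line correctly reads as "no Layer 4 check configured".
_FWHC = re.compile(r"^\s*fw-health-check\s+(udp|tcp)(?:\s+(\d+))?(?:\s+(\d+))?\s*$", re.M)

@dataclass(frozen=True)
class HealthCheck:
    proto: str
    port: int
    retries: Optional[int]   # <num>; None when the CLI default applies

def parse_fw_health_check(config: str) -> Optional[HealthCheck]:
    """Return the L4 path health check in a firewall-group config, or None if only L3 ICMP is used."""
    m = _FWHC.search(config)
    if not m:
        return None
    proto, port, retries = m.group(1), m.group(2), m.group(3)
    return HealthCheck(proto, int(port) if port else DEFAULT_PORT[proto],
                       int(retries) if retries else None)

def validate_port(hc: HealthCheck) -> list[str]:
    """Apply the per-protocol port ranges: TCP 1-65535, UDP 1-1032 or 2033-65535."""
    if not 1 <= hc.port <= 65535:
        return [f"{hc.proto} port {hc.port} is outside 1-65535"]
    if hc.proto == "udp" and hc.port in UDP_UNSUPPORTED:
        return [f"udp port {hc.port} is in the unsupported range 1033-2032"]
    return []

def audit_fwlb_group(configs: dict[str, str]) -> list[str]:
    """Flag bad ports and any disagreement between group members; mismatched
    parameters make the firewall paths fail their health checks."""
    parsed = {name: parse_fw_health_check(cfg) for name, cfg in configs.items()}
    findings = [f"{name}: {p}" for name, hc in parsed.items() if hc
                for p in validate_port(hc)]
    if len(set(parsed.values())) > 1:
        findings.append("mismatch: " + ", ".join(f"{n}={hc}" for n, hc in parsed.items()))
    return findings

# Constructed sample excerpts (not from the document) for two ServerIrons in one FWLB group.
SAMPLE_CONFIGS = {
    "SI-A": "fw-health-check udp\n",
    "SI-B": "fw-health-check udp 1500\n",
}

if __name__ == "__main__":
    for line in audit_fwlb_group(SAMPLE_CONFIGS):
        print(line)
```

Feed it the firewall-group section of each ServerIron's running configuration; an empty result means the ports are valid and all members agree.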
Disabling Layer 4 Path Health Checks on Individual Firewalls and Application Ports
To disable the Layer 4 health check for an individual application on an individual firewall, enter a command such as the following at the firewall configuration level of the CLI:
ServerIron(config-rs-FW1)# port http no-health-check
The command in this example disables Layer 4 health checks for port HTTP on firewall FW1.
Syntax: [no] no-health-check