Allow Gateway Load Balancer Health Checks

The AWS or Azure GWLB requires appliances to answer a health check properly. The GWLB will only send traffic to appliances that are considered healthy. You must configure the threat defense virtual to respond to an SSH, HTTP, or HTTPS health check.

Configure one of the following methods.

Procedure

Step 1

Configure SSH. See Configure Secure Shell.

Allow SSH on the outside interface from the GWLB IP address. The GWLB attempts to open an SSH connection to the threat defense virtual, and the threat defense virtual's login prompt is taken as proof of health; no credentials are exchanged. An SSH login attempt times out after 1 minute, so you must configure a health check interval on the GWLB that is longer than this timeout.

Step 2

Configure HTTP(S) Redirection Using Static Interface NAT with Port Translation.

You can configure the threat defense virtual to redirect health checks to a metadata HTTP(S) server. For HTTP(S) health checks, the HTTP(S) server must reply to the GWLB with a status code in the range 200 to 399. Because the threat defense virtual limits the number of simultaneous management connections, you may choose to offload the health check to an external server instead of answering it on the device itself.

Static interface NAT with port translation lets you redirect a connection arriving on a given port (such as port 80) to a different IP address. For example, an HTTP packet from the GWLB addressed to the threat defense virtual outside interface is translated so that its source appears to be the threat defense virtual outside interface and its destination is the HTTP server. The threat defense virtual then forwards the packet to the mapped destination address. The HTTP server responds to the threat defense virtual outside interface, and the threat defense virtual forwards the response back to the GWLB. Because the access rule is evaluated against the real (untranslated) destination, you need an access rule that allows traffic from the GWLB to the HTTP server.

  1. Permit HTTP(S) traffic on the outside interface from the GWLB network in an access rule. See Access Control Rules.

  2. For HTTP(S), translate the source GWLB IP address to the threat defense virtual outside interface IP address; then translate the destination from the outside interface IP address to the HTTP(S) server IP address. See Configure Static Manual NAT.
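The following is an added example, not configuration from this guide, showing what the two methods above look like in ASA-style running-config on the threat defense virtual (the form you would see with show running-config after creating the equivalent objects and rules in the management center). The GWLB subnet 10.0.1.0/24, the health-check server 10.0.2.10, and all object and access-list names are assumed placeholders; the management center generates its own names for the access control policy.

```cisco
! Added example (not from the Cisco guide). Addresses and names are assumed.
!
! --- Method 1: SSH health check ---
! Permit SSH on the outside interface from the GWLB subnet only. The login
! prompt is the health signal, so no account is needed for the GWLB; the
! GWLB health-check interval must exceed the 1-minute SSH login timeout.
ssh 10.0.1.0 255.255.255.0 outside
!
! --- Method 2: HTTP health check redirected with static manual (twice) NAT ---
object network GWLB-HC-NET
 subnet 10.0.1.0 255.255.255.0
object network HEALTH-HTTP-SERVER
 host 10.0.2.10
object service HEALTH-HTTP
 service tcp destination eq 80
!
! Real source (GWLB subnet)            -> mapped source: outside interface IP
! Mapped destination (outside iface IP) -> real destination: health server
! The same service object on both sides restricts the rule to TCP/80 without
! changing the port; the packet enters and leaves on the outside interface,
! hence (outside,outside).
nat (outside,outside) source static GWLB-HC-NET interface destination static interface HEALTH-HTTP-SERVER service HEALTH-HTTP HEALTH-HTTP
!
! Access rule: the ACL is matched on the real (untranslated) destination,
! so permit the GWLB subnet to the health server on port 80, not to the
! outside interface address.
access-list OUTSIDE_IN extended permit tcp object GWLB-HC-NET object HEALTH-HTTP-SERVER eq www
access-group OUTSIDE_IN in interface outside
```

Keep the source in both the NAT rule and the access rule limited to the GWLB subnet rather than any; the health-check path is an unauthenticated entry point to the server behind the firewall, and the server should answer only the health URI with a 200-399 status. Verify the translation with show xlate or show nat detail while the GWLB is probing, and confirm in the GWLB console that the target is reported healthy before sending production traffic through the appliance.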