Checking Firewall Health
Firewall Keep Alive
Aviatrix Controller checks the health of a firewall by pinging the firewall’s management IP address. You can check the firewall instance health by pinging its LAN interface from the connecting Aviatrix FireNet Gateway. This is an alternative approach which improves firewall failure detection time and accuracy.
The firewall instance LAN is pinged every five seconds with a ping time-out of 20 seconds. If the first ping times out, it immediately pings again. Two consecutive ping failures indicate that the firewall is in 'down' state, and it is detached from the FireNet Gateway pool. The ping function continues and once it detects that the firewall instance has come up (pings are successful), it is attached back to the FireNet Gateway pool.
With LAN interface pinging, the firewall instance fail over time is reduced.
As of Controller version 7.2.4820 the Keep Alive via Firewall Lan Interface option has been removed from the Controller UI and the action is performed automatically. |
Azure and GCP Firewall Health
Adding FireNet to a Transit gateway in Azure or GCP automatically creates Load Balancers in those clouds. HTTPS in these Load Balancers performs the firewall health check (not ping). You must disable ping in the interface management profile of your Azure or GCP firewalls.
For more information on load balancing between different firewalls, see Load Balancing Traffic Between Different Firewalls.
In Azure:
-
You can check the health probe status under Monitor > Metrics. See this article for more information.
-
The State column on the Gateway page in the Aviatrix Controller only reflects if the firewall is up or not. It does not reflect if the firewall is responding to health checks. You must check the health of the firewall in the Azure portal.
In GCP:
-
You can check the health status of the backend under Network services > Load balancing > Load balancer details. See this article for more information.
-
The State column on the Gateway page in the Aviatrix Controller reflects the health status of the firewall from the GCP load balancer.