How to Configure Security Policies to Allow Service Health Check
The firewall periodically sends probe packets to learn the health status of the real server and schedules services based on the health status. The firewall supports TCP, HTTP, HTTPS, DNS, RADIUS, and ICMP probe packets.
In earlier versions, you must configure security policies for service health check. Starting with USG6000/USG9500 V500R005C10, the firewall does not perform the security policy check when sending probe packets. No security policy needs to be configured for the USG6000E.
In a probe packet, the source IP address is the IP address of the outbound interface, the destination IP address is the IP address of the real server, the source security zone is Local, and the destination security zone is the security zone where the real server resides.
If the probe packet is a TCP, HTTP, HTTPS, DNS, or RADIUS packet, you can manually specify the destination port of the probe packet. If no destination port is specified, the firewall probes the service port configured for the real server. If the service port of the real server is not configured, the firewall probes the service port of the virtual server. Therefore, configure the security policy so that it matches the destination port that results from the SLB service configuration.
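
The following added example (not part of the original document or of the product) derives, for versions that still require a policy, the match conditions each probe needs from an SLB configuration, applying the port precedence described above. The function names, field names, addresses, and zone `dmz` are constructed for illustration, a single outbound interface is assumed for all real servers, and the UDP mapping for DNS and RADIUS probes is an assumption to confirm for your deployment.

```python
# Added example: derive the security-policy match conditions that SLB
# health-check probes need. All names and sample values are constructed.
from typing import NamedTuple, Optional

# Probe type -> protocol the policy must match. HTTP/HTTPS run over TCP;
# UDP for DNS and RADIUS is an assumption, confirm it for your deployment.
TRANSPORT = {"tcp": "tcp", "http": "tcp", "https": "tcp",
             "dns": "udp", "radius": "udp", "icmp": "icmp"}

class RealServer(NamedTuple):
    ip: str
    zone: str                    # security zone where the real server resides
    port: Optional[int] = None   # service port configured for the real server

def resolve_probe_port(probe_type, manual_port, rserver, vserver_port):
    """Destination port of the probe, in the precedence the page describes."""
    if probe_type == "icmp":
        return None  # ICMP probes carry no port
    # 1. manually specified port, 2. real server port, 3. virtual server port
    for candidate in (manual_port, rserver.port, vserver_port):
        if candidate is not None:
            return candidate
    raise ValueError(f"no destination port resolvable for {rserver.ip}")

def required_rules(probe_type, out_if_ip, rservers, vserver_port, manual_port=None):
    """One permit rule per real server: Local zone -> the real server's zone."""
    rules = []
    for rs in rservers:
        rules.append({
            "source_zone": "local",
            "destination_zone": rs.zone,
            "source_address": out_if_ip,   # IP address of the outbound interface
            "destination_address": rs.ip,
            "protocol": TRANSPORT[probe_type],
            "destination_port": resolve_probe_port(
                probe_type, manual_port, rs, vserver_port),
            "action": "permit",
        })
    return rules

if __name__ == "__main__":
    # Constructed sample: one real server with its own port, one without.
    servers = [RealServer("10.1.1.10", "dmz", 8080), RealServer("10.1.1.11", "dmz")]
    for rule in required_rules("http", "10.1.1.1", servers, vserver_port=80):
        print(rule)
```

Each returned dictionary corresponds to one security policy rule; restricting the destination address and port to the resolved values keeps the Local-to-server-zone policy no broader than the probes require.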