
Proactively set up and run Health Checks before passing traffic for a doubtful application


Article ID: 253725


Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

The customer removed a certain application from production in the past and currently does not feel comfortable putting the same equipment 100% active again without a health check of it.

The customer would have to proactively set up and run Health Checks on ProxySG.

Environment

Release :

Resolution

We have shared the guidance in the Tech. Article with the URL below, to set up and run the requested health checks on the appliance.

https://knowledge.broadcom.com/external/article/165591/configuring-icap-health-checks.html

To view Health Checks, use the following URLs:

https://<ProxySG_IP_address>:8082/health_check/view (to list all health check configurations)
https://<ProxySG_IP_address>:8082/health_check/statistics (to view statistics for active Health Checks)

Note: Please open the above health check URLs before and after adding the reported application. This will help confirm the impact the application has on the current working state of the appliance. If there is no negative impact, you may monitor the same for some time, and if a well-performing state is maintained, you may go ahead with re-introducing the application into production. It is always recommended to run all of the tests in the test environment, validating the performance, before going live in PROD.

Having run the same in the lab environment, we have the output below for the two URLs. This is just a sample, and you should expect to see a lot more coming from a bigger test/PROD environment.

Health Check Configuration

Health Check Status

  Status check target: None

Authentication

  auth.symcdemos
    Authentication realm: symcdemos
      Type of test: Authentication   Enable state: Enabled
      E-Mail Notifications:     Use default
      Event Log Notifications:  Use default
      SNMP Notifications:       Use default
      Monitoring Notifications: Use default
      Limits: Use default

Authentication

  auth.symcdemos.local
    Authentication domain: symcdemos.local
      Type of test: Authentication   Enable state: Enabled
      E-Mail Notifications:     Use default
      Event Log Notifications:  Use default
      SNMP Notifications:       Use default
      Monitoring Notifications: Use default
      Limits: Use default

DNS Server

  dns.10.0.0.1
    DNS Server: 10.0.0.1
      Type of test: DNS Server   Enable state: Enabled
      E-Mail Notifications:     Use default
      Event Log Notifications:  Use default
      SNMP Notifications:       Use default
      Monitoring Notifications: Use default
      Limits: Use default
      Hostname: Use default: www.bluecoat.com

DNS Server

  dns.10.0.0.10
    DNS Server: 10.0.0.10
      Type of test: DNS Server   Enable state: Enabled
      E-Mail Notifications:     Use default
      Event Log Notifications:  Use default
      SNMP Notifications:       Use default
      Monitoring Notifications: Use default
      Limits: Use default
      Hostname: Use default: www.bluecoat.com

Content analysis services

  icap.contentanalysis_respmod
    ICAP service:contentanalysis_respmod
      Type of test: ICAP   Enable state: Enabled
      E-Mail Notifications:     Use default
      Event Log Notifications:  Use default
      SNMP Notifications:       Use default
      Monitoring Notifications: Use default
      Limits: Use default

Isolation

  iso.server
    Isolation: 
      Type of test: TCP   Enable state: Disabled: Healthy
      E-Mail Notifications:     Use default
      Event Log Notifications:  Use default
      SNMP Notifications:       Use default
      Monitoring Notifications: Use default
      Limits: Use default

Default Configuration Settings
  E-Mail Notifications:     
      Change to healthy:   disabled   Change to sick:      disabled
      Report for all IPs:  disabled
  Event Log Notifications:  
      Change to healthy:   disabled   Event log as severe: disabled
      Change to sick:      disabled   Event log as severe: enabled
      Report for all IPs:  disabled
  SNMP Notifications:       
      Change to healthy:   disabled   Change to sick:      disabled
      Report for all IPs:  disabled
  Monitoring Notifications: 
      Severity: Warning
  Limits: 
      Healthy interval:        10 seconds   Sick interval:   10 seconds
      Healthy threshold:       1      Sick threshold:  1
      Response time threshold: disabled   Failure trigger: disabled

 

Health Check Statistics
Authentication
  auth.symcdemos
    Enabled   OK   UP
    Last status: Success.
    Successes (total): 1849   (last): Sat, 05 Nov 2022 20:36:44 GMT   (consecutive): 1849
    Failures  (total): 0   (last): Never   (consecutive): 0   (external): 0
    Last response time: 0 ms   Average response time: 0 ms
    Minimum response time: 0 ms   Maximum response time: 0 ms
Authentication
  auth.symcdemos.local
    Enabled   OK   UP
    Last status: Success.
    Successes (total): 1849   (last): Sat, 05 Nov 2022 20:36:44 GMT   (consecutive): 1849
    Failures  (total): 0   (last): Never   (consecutive): 0   (external): 0
    Last response time: 51 ms   Average response time: 48 ms
    Minimum response time: 42 ms   Maximum response time: 51 ms
DNS Server
  dns.10.0.0.1
    Enabled   OK   UP
    Last status: Success.
    Successes (total): 1849   (last): Sat, 05 Nov 2022 20:36:50 GMT   (consecutive): 1849
    Failures  (total): 0   (last): Never   (consecutive): 0   (external): 0
    Last response time: 1 ms   Average response time: 3 ms
    Minimum response time: 1 ms   Maximum response time: 24 ms
DNS Server
  dns.10.0.0.10
    Enabled   OK   UP
    Last status: Success.
    Successes (total): 1849   (last): Sat, 05 Nov 2022 20:36:50 GMT   (consecutive): 1849
    Failures  (total): 0   (last): Never   (consecutive): 0   (external): 0
    Last response time: 0 ms   Average response time: 3 ms
    Minimum response time: 0 ms   Maximum response time: 23 ms
Content analysis services
  icap.contentanalysis_respmod
    Enabled   OK   UP
    Last status: Success.
    Successes (total): 1834   (last): Sat, 05 Nov 2022 20:36:46 GMT   (consecutive): 1834
    Failures  (total): 9   (last): Sat, 05 Nov 2022 15:29:34 GMT   (consecutive): 0   (external): 0
    Last response time: 14 ms   Average response time: 18 ms
    Minimum response time: 3 ms   Maximum response time: 9600 ms
Isolation
  iso.server
    Domain name: isolation-jump.prod.fire.glass   DNS status: success
      Disabled: Healthy   Last health was: Unknown   UP
      IP address: 35.201.102.245           Disabled: Healthy   Last health was: Unknown   UP
        Last status: Success.
        Successes (total): 0   (last): Never   (consecutive): 0
        Failures  (total): 0   (last): Never   (consecutive): 0   (external): 0
        Last response time: 0 ms   Average response time: 0 ms
        Minimum response time: 0 ms   Maximum response time: 0 ms
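
The before/after comparison recommended in the note above can be scripted. This is an added example, not Broadcom code and not part of the original article: it parses two saved copies of the /health_check/statistics output and lists the checks that got worse. The check-name pattern (lowercase type prefix, a dot, then the target), the `slow_factor` threshold of 2x and the sample snapshots are assumptions constructed for illustration.

```python
import re
NAME = re.compile(r"\s*([a-z]+\.\S+)\s*$")   # e.g. dns.10.0.0.1 (assumed naming scheme)
STATE = re.compile(r"\s*((?:Enabled|Disabled).*?)\s*$")
FAILS = re.compile(r"Failures\s+\(total\):\s*(\d+)")
AVG = re.compile(r"Average response time:\s*(\d+) ms")

def parse_stats(text):
    """Return {check_name: {"state", "failures", "avg_ms"}} from a statistics page."""
    checks, cur = {}, {"state": ""}  # dummy record absorbs lines before the first check
    for line in text.splitlines():
        if m := NAME.match(line):
            cur = checks.setdefault(m.group(1), {"state": None, "failures": 0, "avg_ms": 0})
        elif cur["state"] is None and (m := STATE.match(line)):
            cur["state"] = " ".join(m.group(1).split())  # first state line, whitespace collapsed
        elif m := FAILS.search(line):
            cur["failures"] = int(m.group(1))
        elif m := AVG.search(line):
            cur["avg_ms"] = int(m.group(1))
    return checks

def regressions(before, after, slow_factor=2.0):
    """List (check, reason) pairs where the 'after' snapshot is worse than 'before'."""
    found = [(n, "check missing after change") for n in sorted(before.keys() - after.keys())]
    for name in sorted(before.keys() & after.keys()):
        b, a = before[name], after[name]
        if a["state"] != b["state"]:
            found.append((name, f"state {b['state']!r} -> {a['state']!r}"))
        if a["failures"] > b["failures"]:
            found.append((name, f"{a['failures'] - b['failures']} new failures"))
        if b["avg_ms"] and a["avg_ms"] > slow_factor * b["avg_ms"]:
            found.append((name, f"avg response {b['avg_ms']} -> {a['avg_ms']} ms"))
    return found

# Constructed snapshots in the layout of the statistics sample above (lines trimmed).
BEFORE = """\
DNS Server
  dns.10.0.0.1
    Enabled   OK   UP
    Failures  (total): 0   (last): Never   (consecutive): 0   (external): 0
    Last response time: 1 ms   Average response time: 3 ms
Content analysis services
  icap.contentanalysis_respmod
    Enabled   OK   UP
    Failures  (total): 9   (last): Sat, 05 Nov 2022 15:29:34 GMT   (consecutive): 0   (external): 0
    Last response time: 14 ms   Average response time: 18 ms
"""
AFTER = BEFORE.replace("(total): 9", "(total): 14").replace("time: 18 ms", "time: 95 ms")
print(regressions(parse_stats(BEFORE), parse_stats(AFTER)))
```

An empty result means no check changed state, gained failures, or slowed beyond the threshold between the two snapshots.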

For the possible Health Check tests on ProxySG, please refer to the details in the Tech. doc. with the URL below.

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/proxysg/7-3/introduction/verifying-service-health-and-status/health-check-tests.html

Alternatively, the customer may run the CLI command below, on the ProxySG appliance, export the entire output to clipboard, and upload the same to the ticket, for checks.

# (config health-check) view Health Check Configuration