XG firewall HTTP/HTTPS health checks for server load balancing rules
If you have multiple IIS servers behind an XG firewall and want to load balance them, and each IIS server hosts multiple web sites (each with specific IP bindings), then the XG's TCP check on port 80 or 443 cannot detect that a site is down when the web site is stopped or its associated app pool is stopped, so it cannot remove that site from the load balancing pool.
This is because IIS still responds to requests (with a 400/404 when the site is stopped, or with a 503 when the site's app pool is stopped), so the XG receives a SYN-ACK to its SYN check. "netstat -ano" shows that the IIS server still listens on the stopped site's IP (if that IP was added with "netsh http add iplisten ipaddress=" alongside the other sites' IPs, replacing the default listen on all addresses, 0.0.0.0) as long as the other sites are still enabled. IIS stops listening only when all web sites are stopped.
This IIS behavior renders the XG's TCP checks useless: the XG keeps forwarding requests to a site that is down.
The Sophos UTM has HTTP/HTTPS host checks, which help somewhat, but the XG only has TCP and ICMP checks.
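The failure mode above, shown side by side with a per-site HTTP check, as an added example (not code from the original post or from Sophos): a small local server stands in for IIS, accepting every connection but answering 404 for a "stopped site" Host header and 503 for a "stopped app pool" Host header. The host names and the emulated responses are constructed assumptions; the point is that the TCP check reports all three sites healthy while the HTTP check flags the two stopped ones.

```python
import socket
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for IIS (host names are assumptions): every connection
# is accepted, but a stopped site returns 404 and a stopped app pool 503.
SITE_STATE = {
    "healthy.example": 200,
    "stopped-site.example": 404,
    "stopped-pool.example": 503,
}

class FakeIIS(BaseHTTPRequestHandler):
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        self.send_response(SITE_STATE.get(host, 400))  # unknown binding -> 400
        self.end_headers()
    def log_message(self, *args):  # silence request logging
        pass

def tcp_check(ip, port, timeout=2.0):
    """What the XG's TCP check sees: a completed handshake counts as healthy."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def http_check(ip, port, site_host, path="/", timeout=2.0):
    """Per-site HTTP check: request the site's Host header from the backend IP
    and accept only 2xx/3xx, so 400/404 (site stopped) and 503 (pool stopped)
    mark the site down."""
    conn = HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": site_host})
        return 200 <= conn.getresponse().status < 400
    except OSError:
        return False
    finally:
        conn.close()

def run_checks():
    """Run both checks against the emulated IIS; returns {site: (tcp, http)}."""
    server = HTTPServer(("127.0.0.1", 0), FakeIIS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    ip, port = server.server_address
    try:
        return {s: (tcp_check(ip, port), http_check(ip, port, s)) for s in SITE_STATE}
    finally:
        server.shutdown()
```

Against real IIS, point http_check at each backend's IP with the Host header of the site being balanced; a check that omits the Host header only exercises the default binding.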