Symantec Privileged Access Management

Some customers use external load balancers rather than use PAM's load balancer functionality.  When a cluster member becomes unavailable, either functionally or administratively, the external load balancer needs some way to know this, in order to avoid directing users to a device that is not available to them.  With 2.8.2 a health check was introduced.  The load balancer can add /health.php to the url for a specific PAM instance, for example https://<your ip address>/health.php.  A health PAM instance will return 200 OK.  Initally, there was no way to inform the load balancer that the PAM instance was in Maintenance Mode, administratively unavailable.  With 3.1.1 the health check was enhanced, with 503 returned when PAM under the following conditions:

• The node is in maintenance mode
• The appliance's local PA database is inactive
• A secondary site node's PA database is inactive
• A secondary site node's access database is inactive

This should enable you to prevent your users from being sent, by your external load balancer, to a cluster member that is not available.

@ voged01 ,  We have a F5 LB in our setup, LB team is unable to setup the health monitor, They are asking for Send and Receive String, Would it be possible for you to share that, please.

We have CA PAM version 2.8.4.1

Thanks Ralf, Let me try this and see if it works.

This is the exact String which needs to be added to make the health check work, Hope this helps our fellow co

SEND      : HEAD /health.php HTTP/1.1\\r\\nHost:\\r\\n\\r\\n

RECEIVE :HTTP/1.(0|1) 200 OK