CLI Reference

config load-balance persistence

Use this command to configure persistence rules.

Persistence rules identify traffic that should not be load balanced, but instead forwarded to the same backend server that has seen requests from that source before. Typically, you configure persistence rules to support server transactions that depend on an established client-server session, like e-commerce transactions or SIP voice calls.

The system maintains persistence session tables to map client traffic to backend servers based on the session attribute specified by the persistence rule.

The persistence table is evaluated before load balancing rules. If the packets received by the ADC match an entry in the persistence session table, the packets are forwarded to the server that established the connection, and load balancing rules are not applicable.

Most persistence rule types have a timeout. When the time elapsed since the system last received a request matching a persistence table entry exceeds the timeout, that entry is no longer used to forward the request. Instead, the system selects a server again using the load balancing method specified in the virtual server configuration. Hash-based rule types have no separate timeout setting; the server mapping follows from the hash itself. For the other types, you can specify the timeout.

Table 9 describes the predefined persistence rules. You can get started with these commonly used persistence methods or create custom objects.

Predefined persistence rules

Predefined                      Description

LB_PERSIS_SIP                   Persistence based on source IP address or subnet.
LB_PERSIS_CONSISTENT_SIP        Persistence based on a hash of the source IP address.
LB_PERSIS_HASH_SRC_ADDR_PORT    Persistence based on a hash that includes source IP address and port.
LB_PERSIS_HASH_COOKIE           Persistence based on a hash of a session cookie provided by the backend server.
LB_PERSIS_RDP_COOKIE            Persistence based on the RDP cookie sent by RDP clients in the initial connection request.
LB_PERSIS_SSL_SESS_ID           Persistence based on the SSL session ID.
LB_PERSIS_SIP_CALL_ID           Persistence based on the SIP call ID.

Before you begin:

  • You must have a good understanding and knowledge of the applications that require persistent sessions and the methods that can be used to identify application sessions.
  • You must have read-write permission for load balancing settings.

After you have configured a persistence rule, you can select it in the virtual server configuration.

Syntax

config load-balance persistence

edit <name>

set type {consistent-hash-ip | embedded-cookie | hash-cookie | hash-http-header | hash-http-request | hash-source-address-port | insert-cookie | persistent-cookie | radius-attribute | rdp-cookie | rewrite-cookie | sip-call-id | source-address | ssl-session-id}

set timeout <integer>

set keyword <string>

set match-across-servers {enable|disable}

set ipv4-maskbits <integer>

set ipv6-maskbits <integer>

set override-connection-limit {enable|disable}

set radius-attribute-relation {AND|OR}

config radius-attribute

edit <No.>

set type {1-user-name | 4-nas-ip-address | 5-nas-port | 6-service-type | 7-framed-protocol | 8-framed-ip-address | 9-framed-ip-netmask | 12-framed-mtu | 13-framed-compression | 14-login-ip-host | 19-callback-number | 24-state | 26-vendor-specific | 30-called-station-id | 31-calling-station-id | 32-nas-identifier | 33-proxy-state | 34-login-lat-service | 35-login-lat-node | 36-login-lat-group | 60-chap-challenge | 61-nas-port-type | 62-port-limit | 63-login-lat-port}

set vendor-id <integer>

set vendor-type <integer>

next

end

next

end

type

Specify the persistence type:

  • consistent-hash-ip: Persistence is based on a hash of the IP address of the client making the initial request.
  • embedded-cookie: Persistence is based on the cookie provided in the backend server response.
  • hash-cookie: Persistence is based on a hash of the cookie provided by the backend server.
  • hash-http-header: Persistence is based on a hash of the value of the specified header found in the initial client request.
  • hash-http-request:
  • hash-source-address-port: Persistence is based on a hash of the source IP address and port of the initial client request.
  • insert-cookie: Persistence is based on a cookie inserted by the FortiADC system.
  • persistent-cookie: Persistence is based on the cookie provided in the backend server response.
  • radius-attribute: Persistence is based on one or more specified RADIUS attributes.
  • rewrite-cookie: Persistence is based on the cookie provided in the backend server response, but the system rewrites the cookie.
  • rdp-cookie: Persistence is based on the RDP cookie sent by RDP clients in the initial connection request.
  • sip-call-id: Persistence is based on the SIP call ID.
  • source-address: Persistence is based on the source IP address.
  • ssl-session-id: Persistence is based on the SSL session ID.

After you have specified the type, the CLI offers only the settings that apply to that type, not all of the settings described below.

timeout

Timeout for an inactive persistence session table entry. The default is 300 seconds. The valid range is 1-86,400.

When the time elapsed since the system last received a request matching the table entry exceeds the timeout, that entry is no longer used to forward the request. Instead, the system selects a server again using the load balancing method specified in the virtual server configuration.

keyword

The HTTP header name or cookie name that the rule uses to identify the session (applies to the header-based and cookie-based persistence types).
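The following is an added configuration example, not taken from the original page, showing two HTTP-based rules built from the syntax above. The rule names, the cookie name FADC_SRV and the header name X-Api-Key are assumed values chosen for illustration. Note that the hash-http-header rule carries no timeout: as described above, hash-based types have no separate timeout setting, so the CLI would not offer one.

```text
config load-balance persistence
    edit "persis-app-cookie"
        set type insert-cookie
        set keyword "FADC_SRV"
        set timeout 1800
    next
    edit "persis-api-key-hdr"
        set type hash-http-header
        set keyword "X-Api-Key"
    next
end
```

Two practitioner notes. First, set the insert-cookie timeout to roughly the application's own session lifetime; a much longer value keeps stale entries pinned to a server that may since have been drained. Second, the value hashed by hash-http-header is supplied by the client, so any client can choose header values that hash to a particular backend; use it for headers the application already trusts as a session identifier, not as a load-distribution control.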

match-across-servers

An option for radius-attribute and source-address persistence methods. Enable so clients continue to access the same backend server through different virtual servers for the duration of a session.

ipv4-maskbits

Number of bits in the subnet mask that defines the network segment to which the persistence rule applies. Clients whose source addresses fall within the same masked segment share one persistence table entry.

For example, if ipv4-maskbits is set to 24 and backend server A has responded to a client with source IP 192.168.1.100, then subsequent requests from any client in 192.168.1.0/24 are also forwarded to server A until the entry times out.
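The following is an added configuration example, not from the original page, contrasting a per-host source-address rule with a per-subnet one. The rule names are assumed; the mask values are the ones discussed in this section plus a /64 for IPv6, which is an illustrative choice.

```text
config load-balance persistence
    edit "persis-src-host"
        set type source-address
        set timeout 600
        set ipv4-maskbits 32
        set ipv6-maskbits 128
    next
    edit "persis-src-branch"
        set type source-address
        set timeout 600
        set ipv4-maskbits 24
        set ipv6-maskbits 64
        set match-across-servers enable
    next
end
```

With persis-src-host, each client address gets its own entry; with persis-src-branch, the first client seen from a /24 (or an IPv6 /64) decides the backend for every other client in that segment for the next 600 seconds of activity. A wide mask therefore concentrates whole networks on one server and weakens load distribution, and even a /32 pins every client behind a shared NAT address to the same backend. The match-across-servers setting on the second rule keeps that subnet on the same backend even when its traffic arrives through a different virtual server.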

ipv6-maskbits

Number of bits in the IPv6 prefix that defines the network segment to which the persistence rule applies. Clients whose source addresses fall within the same prefix share one persistence table entry.

override-connection-limit

An option for radius-attribute only. Disabled by default.

If the real server connection limit is reached and this option is enabled, the new connection will neither persist to the new server nor go to another node.

radius-attribute-relation

An option for radius-attribute only. Specifies how multiple configured RADIUS attributes are combined.

AND—All of the specified RADIUS attributes must match the entry in the hash table for the session to be treated as persistent.

OR—If the first RADIUS attribute is present in the request, it is looked up in the hash table for persistence. If it is not present, the remaining RADIUS attributes are searched in sequence.

config radius-attribute

type

The RADIUS attribute (attribute number and name) to use as the persistence input.

vendor-id

An option for RADIUS attribute type 26-vendor-specific only. Specifies the vendor ID. 0 means the entire attribute is used as the persistence input.

vendor-type

An option for RADIUS attribute type 26-vendor-specific only. Specifies the vendor type within that vendor ID. 0 means the entire attribute is used as the persistence input.
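The following is an added configuration example, not from the original page, showing a radius-attribute rule with three attributes combined by OR and a vendor-specific sub-attribute. The rule name is assumed. Vendor ID 10415 is the IANA enterprise number of 3GPP and vendor type 1 is the 3GPP-IMSI sub-attribute; they are used here only as a realistic illustration of the vendor-id and vendor-type settings.

```text
config load-balance persistence
    edit "persis-radius-subscriber"
        set type radius-attribute
        set timeout 3600
        set radius-attribute-relation OR
        config radius-attribute
            edit 1
                set type 31-calling-station-id
            next
            edit 2
                set type 1-user-name
            next
            edit 3
                set type 26-vendor-specific
                set vendor-id 10415
                set vendor-type 1
            next
        end
    next
end
```

With OR, entry 1 (Calling-Station-Id) is consulted first; a request that lacks it falls through to User-Name, then to the 3GPP-IMSI sub-attribute. Order the entries from the most stable identifier to the least, because the first attribute present decides the lookup. Setting vendor-id and vendor-type to 0 instead would hash the whole Vendor-Specific attribute, so any change in another sub-attribute of the same vendor would break persistence for that subscriber.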
