Fortinet Document Library

Configuring Application profiles

An application profile is a configuration object that defines how you want the FortiADC virtual server to handle traffic for specific protocols.

The Application profile usage table describes usage by application profile type, including compatible virtual server types, load balancing methods, persistence methods, and content route types.

Application profile usage

Profile: FTP
Usage: Use with FTP servers.
VS Type: Layer 4
LB Methods: Round Robin, Least Connections, Fastest Response
Persistence: Source Address, Source Address Hash

Profile: HTTP
Usage: Use for standard, unsecured web server traffic.
VS Type: Layer 7, Layer 2
LB Methods: Layer 7: Round Robin, Least Connections, URI Hash, Full URI Hash, Host Hash, Host Domain Hash, Dynamic Load. Layer 2: same as Layer 7, plus Destination IP Hash.
Persistence: Source Address, Source Address Hash, Source Address-Port Hash, HTTP Header Hash, HTTP Request Hash, Cookie Hash, Persistent Cookie, Insert Cookie, Embedded Cookie, Rewrite Cookie, Passive Cookie

Profile: HTTPS
Usage: Use for secured web server traffic when offloading TLS/SSL from the backend servers. You must import the backend server certificates into FortiADC and select them in the HTTPS profile.
VS Type: Layer 7, Layer 2
LB Methods: Same as HTTP
Persistence: Same as HTTP, plus SSL Session ID

Profile: TURBO HTTP
Usage: Use for unsecured HTTP traffic that does not require advanced features like caching, compression, content rewriting, rate limiting, Geo IP blocking, or source NAT. The profile can be used with content routes and destination NAT, but the HTTP request must be in the first data packet.
This profile enables packet-based forwarding that reduces network latency and system CPU usage. However, packet-based forwarding for HTTP is advisable only when you do not anticipate dropped packets or out-of-order packets.
VS Type: Layer 7
LB Methods: Round Robin, Least Connections, Fastest Response
Persistence: Source Address

Profile: RADIUS
Usage: Use with RADIUS servers.
VS Type: Layer 7
LB Methods: Round Robin
Persistence: RADIUS attribute

Profile: RDP
Usage: Use with Windows Terminal Service (remote desktop protocol).
VS Type: Layer 7
LB Methods: Round Robin, Least Connections
Persistence: Source Address, Source Address Hash, Source Address-Port Hash, RDP Cookie

Profile: SIP
Usage: Use with applications that use session initiation protocol (SIP), such as VoIP, instant messaging, and video.
VS Type: Layer 7
LB Methods: Round Robin, URI Hash, Full URI Hash
Persistence: Source Address, Source Address Hash, Source Address-Port Hash, SIP Call ID

Profile: TCP
Usage: Use for other TCP protocols.
VS Type: Layer 4, Layer 2
LB Methods: Layer 4: Round Robin, Least Connections, Fastest Response. Layer 2: Round Robin, Least Connections, Fastest Response, Destination IP Hash.
Persistence: Source Address, Source Address Hash

Profile: TCPS
Usage: Use for secured TCP when offloading TLS/SSL from the backend servers. Like the HTTPS profile, you must import the backend server certificates into FortiADC and select them in the TCPS profile.
VS Type: Layer 7, Layer 2
LB Methods: Layer 7: Round Robin, Least Connections. Layer 2: Round Robin, Least Connections, Destination IP Hash.
Persistence: Source Address, Source Address Hash, Source Address-Port Hash, SSL Session ID

Profile: UDP
Usage: Use with UDP servers.
VS Type: Layer 4, Layer 2
LB Methods: Layer 4: Round Robin, Least Connections, Fastest Response, Dynamic Load. Layer 2: same as Layer 4, plus Destination IP Hash.
Persistence: Source Address, Source Address Hash

Profile: IP
Usage: Combines with a Layer 2 TCP/UDP/HTTP virtual server to balance the remaining IP packets passed through FortiADC. When an IP protocol 0 VS is running, traffic always tries to match a non-protocol-0 VS first.
VS Type: Layer 2
LB Methods: Round Robin only.
Persistence: Source Address, Source Address Hash

Profile: DNS
Usage: Use with DNS servers.
VS Type: Layer 7
LB Methods: Round Robin, Least Connections
Persistence: Not supported yet.

Profile: SMTP
Usage: Use with SMTP servers.
VS Type: Layer 7
LB Methods: Round Robin, Least Connections
Persistence: Source Address, Source Address Hash

Profile: RTMP
Usage: A TCP-based protocol used for streaming audio, video, and data over the Internet.
VS Type: Layer 7
LB Methods: Round Robin, Least Connection
Persistence: Source Address, Source Address Hash

Profile: RTSP
Usage: A network control protocol used for establishing and controlling media sessions between end points.
VS Type: Layer 7
LB Methods: Round Robin, Least Connection
Persistence: Source Address, Source Address Hash

Profile: MySQL
Usage: MySQL network protocol stack (i.e., MySQL-Proxy) which parses and builds MySQL protocol packets.
VS Type: Layer 7
LB Methods: Round Robin, Least Connection
Persistence: N/A

Profile: DIAMETER
Usage: A successor to RADIUS, DIAMETER is the next-generation Authentication, Authorization and Accounting (AAA) protocol widely used in IMS and LTE.
VS Type: Layer 7
LB Methods: Round Robin
Persistence: Source Address, DIAMETER Session ID (default)

The Predefined profiles table shows the default values of the predefined profiles. All values in the predefined profiles are view-only and cannot be modified. You can select predefined profiles in the virtual server configuration, or you can create user-defined profiles, especially to include configuration objects like certificates, caching settings, compression options, and IP reputation.

Predefined profiles

Profile Defaults

LB_PROF_DIAMETER

Identity—Blank

Realm—Blank

Vendor ID—Blank

Product Name—Blank

Idle Timeout—300 (seconds) (Note: This refers to the built-in session ID persistence timeout.)

Server Close Propagation—OFF (Note: This means that the connection on the client side stays open when the server closes any connection on its side.)

LB_PROF_TCP

Timeout TCP Session—100

Timeout TCP Session after FIN—100

IP Reputation—Disabled

Customized SSL Ciphers Flag—Disabled

Geo IP block list—None

Geo IP Whitelist—None

LB_PROF_UDP

Timeout UDP Session—100

IP Reputation—Disabled

Stateless—Disabled

Customized SSL Ciphers Flag—Disabled

Geo IP block list—None

Geo IP Whitelist—None

LB_PROF_HTTP

Client Timeout—50

Server Timeout—50

Connect Timeout—5

Queue Timeout—5

HTTP Request Timeout—50

HTTP Keepalive Timeout—50

Buffer Pool—Enabled

Source Address—Disabled

X-Forwarded-For—Disabled

X-Forwarded-For Header—Blank

IP Reputation—Disabled

HTTP Mode—Keep Alive

Customized SSL Ciphers Flag—Disabled

Compression—None

Decompression—None

Caching—None

Geo IP Block List—None

Geo IP Whitelist—None

Geo IP Redirect URL—http://

LB_PROF_HTTP_SERVERCLOSE

Client Timeout—50

Server Timeout—50

Connect Timeout—5

Queue Timeout—5

HTTP Request Timeout—50

HTTP Keepalive Timeout—50

Buffer Pool—Enabled

Source Address—Disabled

X-Forwarded-For—Disabled

X-Forwarded-For Header—None

IP Reputation—Disabled

HTTP Mode—Server Close

Customized SSL Ciphers Flag—Disabled

Compression—None

Decompression—None

Caching—None

Geo IP Block List—None

Geo IP Whitelist—None

Geo IP Redirect URL—http://

LB_PROF_TURBOHTTP

Timeout TCP Session—100

Timeout TCP Session after FIN—100

IP Reputation—Disabled

Customized SSL Ciphers Flag—Disabled

Geo IP Block List—None

Geo IP Whitelist—None

LB_PROF_FTP

Timeout TCP Session—100

Timeout TCP Session after FIN—100

IP Reputation—Disabled

Customized SSL Ciphers Flag—Disabled

Geo IP Block List—None

Geo IP Whitelist—None

Source Address—Off

LB_PROF_RADIUS

Dynamic Auth—Disable

Session Timeout—300

LB_PROF_SIP

SIP Max Size—65535

Server Keepalive Timeout—30

Server Keepalive—Enabled

Client Keepalive—Disabled

Client Protocol—UDP

Server Protocol—None

Failed Client Type—Drop

Failed Server Type—Drop

Insert Client IP—Disabled

Customized SSL Ciphers Flag—Disabled

Geo IP Block List—None

Geo IP Whitelist—None

Source Address—Off

Media Address—0.0.0.0

LB_PROF_RDP

Client Timeout—50

Server Timeout—50

Connect Timeout—5

Queue Timeout—5

Buffer Pool—Enabled

Source Address—Disabled

IP Reputation—Disabled

Customized SSL Ciphers Flag—Disabled

Geo IP Block List—None

Geo IP Whitelist—None

LB_PROF_IP

IP Reputation—Disabled

Customized SSL Ciphers Flag—Disabled

Geo IP Block List—None

Geo IP Whitelist—None

Timeout IP Session—100

LB_PROF_DNS

DNS Cache Flag—Enabled

DNS Cache Ageout Time—3600

DNS Cache Size—10

DNS Cache Entry Size—512

DNS Cache Response Type—All Records

DNS Malform Query Action—Drop

DNS Max Query Length—512

DNS Authentication Flag—Disabled

LB_PROF_TCPS

Client Timeout—50

Server Timeout—50

Connect Timeout—5

Queue Timeout—5

Buffer Pool—Enabled

Source Address—Disabled

IP Reputation—Disabled

Dynamic Auth—Disabled

Customized SSL Ciphers Flag—Disabled

Client SNI Required—Disabled

Geo IP block list—None

Certificate Group—LOCAL_CERT_GROUP

Certificate Verify—None

LB_PROF_HTTPS

Client Timeout—50

Server Timeout—50

Connect Timeout—5

Queue Timeout—5

HTTP Request Timeout—50

HTTP Keepalive Timeout—50

Buffer Pool—Enabled

Source Address—Disabled

X-Forwarded-For—Disabled

X-Forwarded-For Header—None

IP Reputation—Disabled

HTTP Mode—Keep Alive

SSL Proxy Mode—Disabled

Customized SSL Ciphers Flag—Disabled

Client SNI Required—Disabled

Compression—None

Decompression—None

Caching—None

Geo IP Block List—None

Geo IP Whitelist—None

Geo IP Redirect URL—http://

Certificate Group—LOCAL_CERT_GROUP

Certificate Verify—None

LB_PROF_HTTPS_SERVERCLOSE

Client Timeout—50

Server Timeout—50

Connect Timeout—5

Queue Timeout—5

HTTP Request Timeout—50

HTTP Keepalive Timeout—50

Buffer Pool—Enabled

Source Address—Disabled

X-Forwarded-For—Disabled

X-Forwarded-For Header—None

IP Reputation—Disabled

HTTP Mode—Server Close

SSL Proxy Mode—Disabled

Customized SSL Ciphers Flag—Disabled

SSL Cipher—Shows all available SSL ciphers, with the default ones selected

Allow SSL Versions—SSLv3, TLSv1.0, TLSv1.1, TLSv1.2

Client SNI Required—Disabled

Compression—None

Decompression—None

Caching—None

Geo IP Block List—None

Geo IP Whitelist—None

Geo IP Redirect URL—http://

Certificate Group—LOCAL_CERT_GROUP

Certificate Verify—None

LB_PROF_SMTP

Starttls Active Mode—require

Customized SSL Ciphers Flag—Disabled

SSL Ciphers—Shows all available SSL ciphers, with the default ones selected

Allow SSL Versions—SSLv3, TLSv1.0, TLSv1.1, TLSv1.2

Forbidden Command—expn, turn, vrfy

Local Certificate Group—LOCAL_CERT_GROUP

LB_PROF_RTSP

Max Header Size—Default is 4096. Valid values range from 2048 to 65536.

Source Address—Disabled by default. When enabled, FortiADC will use the client address to connect to the server pool.

LB_PROF_RTMP

Source Address—Disabled by default. When enabled, FortiADC will use the client address to connect to the server pool.

Before you begin:

  • You must have already created configuration objects for certificates, caching, and compression if you want the profile to use them.
  • You must have Read-Write permission for Load Balance settings.
To configure custom profiles:
  1. Go to Server Load Balance > Application Resources. Click the Application Profile tab.
  2. Click Create New to display the configuration editor.
  3. Give the profile a name, select a protocol type; then complete the configuration as described in Profile configuration guidelines.
  4. Save the configuration.

You can clone a predefined configuration object to help you get started with a user-defined configuration.

To clone a configuration object, click the clone icon that appears in the tools column on the configuration summary page.

Profile configuration guidelines

Type Profile Configuration Guidelines

TCP

Timeout TCP Session

Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400.

Timeout TCP Session after FIN

Client-side connection timeout. The default is 100 seconds. The valid range is 1 to 86,400.

IP Reputation

Enable to apply the FortiGuard IP reputation service. See Managing IP Reputation policy settings.

Geo IP Block List

Select a Geo IP block list configuration object. See Using the Geo IP block list.

Geo IP Whitelist

Select a whitelist configuration object. See Using the Geo IP whitelist.

IP

IP Reputation

Enable to apply the FortiGuard IP reputation service. See Managing IP Reputation policy settings.

Geo IP Block List

Select a Geo IP block list configuration object. See Using the Geo IP block list.

Geo IP Whitelist

Select a whitelist configuration object. See Using the Geo IP whitelist.

Timeout IP Session

Client-side session timeout. The default is 100 seconds. The valid range is 1 to 86,400.

DNS

Customized SSL Ciphers Flag

Enable or disable the Customized SSL Ciphers Flag.

Geo IP Block List

Select a Geo IP block list configuration object. See Using the Geo IP block list.

Geo IP Whitelist

Select a whitelist configuration object. See Using the Geo IP whitelist.

DNS Cache Flag

Enable or disable the DNS Cache Flag.

DNS Cache Ageout Time

Enter a value from 0 to 65,535. The default is 3,600.

DNS Cache Size

Enter a value from 1 to 100. The default is 10.

DNS Cache Entry Size

Enter a value from 256 to 4,096. The default is 512.

DNS Malform Query Action

Choose either of the following:

  • Drop
  • Forward

DNS Max Query Length

Enter a value from 256 to 4,096. The default is 512.

DNS Authentication Flag

Enable or disable DNS authentication flag.

Special Note

With the 4.8.1 release, FortiADC supports DNS zone transfer, i.e., DNS traffic over TCP from servers and server-oriented requests from inside the server cluster.

UDP

Stateless

Enable to apply UDP stateless function.

Timeout UDP Session

Client-side session timeout. The default is 100 seconds. The valid range is 1 to 86,400.

IP Reputation

Enable to apply the FortiGuard IP reputation service. See Managing IP Reputation policy settings.

Geo IP Block List

Select a Geo IP block list configuration object. See Using the Geo IP block list.

Geo IP Whitelist

Select a whitelist configuration object. See Using the Geo IP whitelist.

HTTP

Client Timeout

The time allowed for the client to send a complete HTTP request header after it connects to FortiADC. If this timeout expires, FortiADC sends a 408 response to the client and closes the client-side connection.

Server Timeout

The time allowed for the server to send a complete HTTP response header after FortiADC sends it a request. If this timeout expires, FortiADC closes the server-side connection, sends a 503 response to the client, and closes the client-side connection.

Connect Timeout

The time allowed for FortiADC to establish a TCP connection to the server, counted from the TCP SYN. If the connection is not established before this timeout expires, FortiADC drops the pending server-side connection, responds to the client with a 503, and closes the client-side connection.

Queue Timeout

The time a request may wait in the dispatch queue. When the load balancing method cannot dispatch a request to a server (for example, because the server's connection limit has been reached), the request is queued. If this timeout expires, the queued request is dropped and FortiADC responds to the client with a 503 and closes the client-side connection.

HTTP Send Timeout

The time allowed for FortiADC to send the response body (not including the header), counted from when the body transfer starts. If this timeout expires, FortiADC closes the connections on both sides.

HTTP Request Timeout

The time allowed for the client to send a complete request (both the HTTP header and the request body) after it connects to FortiADC. If this timeout expires, FortiADC sends a 408 response to the client and closes the client-side connection.

HTTP Keepalive Timeout

The time FortiADC waits for a new request after the previous transaction completes. This is an idle timeout: it applies only if the client sends nothing during the period. If it expires, FortiADC closes the client-side connection.

Source Address

Use the original client IP address as the source address when connecting to the real server.

X-Forwarded-For

Append the client IP address found in IP layer packets to the HTTP header that you have specified in the X-Forwarded-For Header setting. If there is no existing X-Forwarded-For header, the system creates it.

If you only enable http-x-forwarded-for and do not configure http-x-forwarded-for-header, the default is to add such a header: X-Forwarded-For: <client's ip>

X-Forwarded-For Header

Specify the HTTP header to which to write the client IP address. Typically, this is the X-Forwarded-For header, but it is customizable because you might support traffic that uses different headers for this. Examples: Forwarded-For, Real-IP, or True-IP.

If http-x-forwarded-for-header <string> is configured, the added header is: <string>: <client's ip>
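
The following added example (not FortiADC code) models the header behaviour the two settings above describe: the client IP seen at the IP layer is appended to the configured header, and the header is created when absent. It also shows the reading side, which is where the security consequence lives: because the proxy always appends, only the right-most value is the proxy's own, and a backend that reads the left-most value can be handed whatever the sender put there. The function names, the choice to append to the last matching line when the header is repeated, and the sample headers are assumptions made for this example.

```python
from __future__ import annotations

from typing import List, Optional, Tuple

# Ordered (name, value) pairs, the way headers sit on the wire.
Headers = List[Tuple[str, str]]


def proxy_append_client_ip(headers: Headers, client_ip: str,
                           header_name: str = "X-Forwarded-For") -> Headers:
    """Model of the X-Forwarded-For setting (hypothetical helper).

    The client IP taken from the IP layer is appended to the header named by
    the X-Forwarded-For Header setting (default X-Forwarded-For). If the
    request carries no such header, it is created as "<name>: <client ip>".
    Names compare case-insensitively, as HTTP requires. When the header is
    repeated, the value goes on the last line (an assumption), so that the
    proxy's entry is always the right-most one in the joined value.
    """
    last_match: Optional[int] = None
    for index, (name, _) in enumerate(headers):
        if name.lower() == header_name.lower():
            last_match = index
    out = list(headers)
    if last_match is None:
        out.append((header_name, client_ip))
    else:
        name, value = out[last_match]
        out[last_match] = (name, f"{value}, {client_ip}")
    return out


def backend_client_ip(headers: Headers,
                      header_name: str = "X-Forwarded-For") -> Optional[str]:
    """Backend-side helper (hypothetical): recover the IP the proxy appended.

    The right-most value is the only one the proxy produced. Everything to its
    left was already in the request when it reached the proxy and is therefore
    controlled by the sender, so it must not be used for access decisions.
    """
    values = [v for n, v in headers if n.lower() == header_name.lower()]
    if not values:
        return None
    # Repeated header lines are equivalent to one comma-joined value.
    joined = ", ".join(values)
    return joined.split(",")[-1].strip()


# Constructed request headers, as they might arrive at the virtual server.
SAMPLE_REQUEST: Headers = [
    ("Host", "www.example.com"),
    ("x-forwarded-for", "10.0.0.1"),    # sender-supplied, not trustworthy
    ("User-Agent", "example-client/1.0"),
]
SAMPLE_CLIENT_IP = "203.0.113.7"        # address observed at the IP layer


def run_example() -> str:
    """Push the sample through the proxy model and read it as the backend would."""
    forwarded = proxy_append_client_ip(SAMPLE_REQUEST, SAMPLE_CLIENT_IP)
    return backend_client_ip(forwarded) or ""


if __name__ == "__main__":
    print(proxy_append_client_ip(SAMPLE_REQUEST, SAMPLE_CLIENT_IP))
    print("client ip seen by backend:", run_example())
```

With Source Address disabled, the backend sees FortiADC's address at the TCP layer and this header is its only view of the client, so the backend's trust rule (right-most value, and only when the request arrived from the load balancer) matters as much as the profile setting itself.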

IP Reputation

Enable to apply the FortiGuard IP reputation service. See Managing IP Reputation policy settings.

HTTP Mode

  • Server Close—Close the connection to the real server after each HTTP transaction.
  • Once Only—An HTTP transaction can consist of multiple HTTP requests (separate requests for an HTML page and the images contained therein, for example). To improve performance, the "once only" flag instructs the FortiADC to evaluate only the first set of headers in a connection. Subsequent requests belonging to the connection are not load balanced, but sent to the same server as the first request.
  • Keep Alive—Do not close the connection to the real server after each HTTP transaction. Instead, keep the connection between FortiADC and the real server open until the client-side connection is closed. This option is required for applications like Microsoft SharePoint.

Compression

Select a compression configuration object. See Configuring compression rules.

Caching

Select a caching configuration object. See Using caching features.

Geo IP Block List

Select a Geo IP block list configuration object. See Using the Geo IP block list.

Geo IP Whitelist

Select a whitelist configuration object. See Using the Geo IP whitelist.

Geo IP Redirect URL

For HTTP, if you have configured a Geo IP redirect action, specify a redirect URL.

Tune Buffer Size

Adjust the value of the HTTP/HTTPS VS's connection buffer size.

  • For every session, there are two connection buffers.
  • The default size is 8030; editing it is not recommended. The setting is hidden in the Advance tab, and editing it displays a warning message.
  • Tuning this option is dangerous because it may reduce the number of concurrent sessions or cause other unpredictable problems.

Max HTTP Headers

Adjust the maximum number of headers that an HTTP/HTTPS VS processes for each request or response. A request or response with more headers than this limit is dropped and answered with a 400 error.

  • The default value is 100; editing it is not recommended. The setting is hidden in the Advance tab, and editing it displays a warning message.
  • Tuning this option is dangerous and may reduce the number of concurrent sessions or cause other unpredictable problems.

FTP

Timeout TCP Session

Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400.

Timeout TCP Session after FIN

Client-side connection timeout. The default is 100 seconds. The valid range is 1 to 86,400.

IP Reputation

Enable to apply the FortiGuard IP reputation service. See Managing IP Reputation policy settings.

Customized SSL Ciphers Flag

Enable or disable the Customized SSL Ciphers Flag.

Geo IP Block List

Select a Geo IP block list configuration object. See Using the Geo IP block list.

Geo IP Whitelist

Select a whitelist configuration object. See Using the Geo IP whitelist.

RADIUS

Timeout RADIUS Session

The default is 300 seconds. The valid range is 1 to 3,600.

Dynamic Auth

Enable or disable Dynamic Authorization for RADIUS Change of Authorization (CoA).

Dynamic Auth Port

Configures the UDP port for CoA requests. The default is 3799.

RDP

Client Timeout

Client-side TCP connection timeout. The default is 50 seconds. The valid range is 1 to 3,600.

Server Timeout

Server-side IP session timeout. The default is 50 seconds. The valid range is 1 to 3,600.

Connect Timeout

Multiplexed server-side TCP connection timeout. Usually less than the client-side timeout. The default is 5 seconds. The valid range is 1 to 3,600.

Queue Timeout

Specifies how long connection requests to a backend server remain in a queue if the server has reached its maximum number of connections. If the timeout period expires before the client can connect, FortiADC drops the connection and sends a 503 error to the client. The default is 5 seconds. The valid range is 1 to 3,600.

Buffer Pool

Enable or disable buffering.

Source Address

Use the original client IP address as the source address in the connection to the real server.

IP Reputation

Enable to apply the FortiGuard IP reputation service. See Managing IP Reputation policy settings.

Customized SSL Ciphers Flag

Enable or disable the Customized SSL Ciphers Flag.

Geo IP Block List

Select a Geo IP block list configuration object. See Using the Geo IP block list.

Geo IP Whitelist

Select a whitelist configuration object. See Using the Geo IP whitelist.

TCPS

Client Timeout

Client-side TCP connection timeout. The default is 50 seconds. The valid range is 1 to 3,600.

Server Timeout

Server-side IP session timeout. The default is 50 seconds. The valid range is 1 to 3,600.

Connect Timeout

Multiplexed server-side TCP connection timeout. Usually less than the client-side timeout. The default is 5 seconds. The valid range is 1 to 3,600.

Queue Timeout

Specifies how long connection requests to a backend server remain in a queue if the server has reached its maximum number of connections. If the timeout period expires before the client can connect, the system drops the connection and sends a 503 error to the client. The default is 5 seconds. The valid range is 1 to 3,600.

Buffer Pool

Enable or disable buffering.

Source Address

Use the original client IP address as the source address in the connection to the real server.

IP Reputation

Enable to apply the FortiGuard IP reputation service. See Managing IP Reputation policy settings.

Customized SSL Ciphers Flag

Enable or disable the use of user-specified cipher suites.

Customized SSL Ciphers

If the Customized SSL Ciphers Flag is enabled, specify a colon-separated, ordered list of cipher suites.

An empty string is allowed. If empty, the default cipher suite list is used.

SSL Ciphers

Ciphers are listed from strongest to weakest:

  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-ECDSA-AES256-SHA
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-ECDSA-DES-CBC3-SHA
  • ECDHE-ECDSA-RC4-SHA
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA
  • DHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES256-SHA256
  • DHE-RSA-AES256-SHA
  • AES256-GCM-SHA384
  • AES256-SHA256
  • AES256-SHA
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA
  • DHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES128-SHA256
  • DHE-RSA-AES128-SHA
  • AES128-GCM-SHA256
  • AES128-SHA256
  • AES128-SHA
  • ECDHE-RSA-RC4-SHA
  • RC4-SHA
  • RC4-MD5
  • ECDHE-RSA-DES-CBC3-SHA
  • EDH-RSA-DES-CBC3-SHA
  • DES-CBC3-SHA
  • eNULL

We recommend retaining the default list. If necessary, you can deselect the SSL ciphers that you do not want to support.

Allow SSL Versions

You have the following options:

  • SSLv2
  • SSLv3
  • TLSv1.0
  • TLSv1.1
  • TLSv1.2

We recommend retaining the default list. If necessary, you can deselect SSL versions you do not want to support.

Note: FortiADC does not support session reuse for SSLv2 at the client side. Instead, a new SSL session is started.
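
The page recommends keeping the default SSL Ciphers list and deselecting only what you do not want to support. The following added example, which is not FortiADC code, is an offline check a practitioner can run over a cipher selection and an Allow SSL Versions selection before committing a TCPS or HTTPS profile. It uses the cipher names exactly as they appear in the list above; the weakness criteria (RC4, 3DES, MD5, the eNULL alias, non-ephemeral key exchange, and the protocol versions deprecated by RFC 6176, RFC 7568 and RFC 8996) are general TLS knowledge, not statements about FortiADC behaviour, and the function names are assumptions made for this example.

```python
from __future__ import annotations

from typing import Dict, List

# The profile's default SSL Ciphers list, copied verbatim from the setting above.
FORTIADC_DEFAULT_CIPHERS: List[str] = [
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-ECDSA-AES256-SHA", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-ECDSA-DES-CBC3-SHA", "ECDHE-ECDSA-RC4-SHA",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA", "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES256-SHA256", "DHE-RSA-AES256-SHA",
    "AES256-GCM-SHA384", "AES256-SHA256", "AES256-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA", "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES128-SHA256", "DHE-RSA-AES128-SHA",
    "AES128-GCM-SHA256", "AES128-SHA256", "AES128-SHA",
    "ECDHE-RSA-RC4-SHA", "RC4-SHA", "RC4-MD5",
    "ECDHE-RSA-DES-CBC3-SHA", "EDH-RSA-DES-CBC3-SHA", "DES-CBC3-SHA",
    "eNULL",
]

# The Allow SSL Versions options, oldest first.
VERSION_OPTIONS: List[str] = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]

# Versions the IETF has deprecated: SSLv2 (RFC 6176), SSLv3 (RFC 7568),
# TLS 1.0 and TLS 1.1 (RFC 8996).
DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Prefixes that denote ephemeral (forward-secret) key exchange in OpenSSL names.
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def cipher_findings(name: str) -> List[str]:
    """Weaknesses of one OpenSSL-style cipher name; an empty list means none."""
    findings: List[str] = []
    if "NULL" in name:                 # the eNULL alias: no encryption at all
        return ["no encryption"]
    if "RC4" in name:
        findings.append("RC4 (prohibited by RFC 7465)")
    if "DES-CBC3" in name:
        findings.append("3DES, 64-bit blocks (Sweet32)")
    if name.endswith("-MD5"):
        findings.append("MD5-based MAC")
    if not name.startswith(PFS_PREFIXES):
        findings.append("static RSA key exchange, no forward secrecy")
    return findings


def audit_ciphers(selected: List[str]) -> Dict[str, List[str]]:
    """Map each selected cipher that has findings to them, in profile order."""
    report: Dict[str, List[str]] = {}
    for cipher in selected:
        findings = cipher_findings(cipher)
        if findings:
            report[cipher] = findings
    return report


def audit_versions(selected: List[str]) -> List[str]:
    """Selected protocol versions that are deprecated, oldest first."""
    return [v for v in VERSION_OPTIONS if v in selected and v in DEPRECATED_VERSIONS]


def hardened_selection(selected: List[str]) -> List[str]:
    """What remains of `selected` once every cipher with a finding is deselected."""
    return [c for c in selected if not cipher_findings(c)]


if __name__ == "__main__":
    for cipher, why in audit_ciphers(FORTIADC_DEFAULT_CIPHERS).items():
        print(f"consider deselecting {cipher}: {'; '.join(why)}")
    print("deprecated versions:", audit_versions(["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]))
    print("remaining:", hardened_selection(FORTIADC_DEFAULT_CIPHERS))
```

Run against the default list, the check leaves the eighteen ECDHE and DHE AES suites and flags the rest; whether any flagged entry must stay enabled is then a question of which clients the virtual server has to serve, which is exactly the trade-off the recommendation above leaves to you.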

Client SNI Required

Require clients to use the TLS server name indication (SNI) extension to include the server hostname in the TLS client hello message. Then, the FortiADC system can select the appropriate local server certificate to present to the client.

Geo IP Block List

Select a Geo IP block list configuration object. See Using the Geo IP block list.

Geo IP Whitelist

Select a whitelist configuration object. See Using the Geo IP whitelist.

Local Certificate Group

A configuration group that includes the certificates this virtual server presents to SSL/TLS clients. This should be the backend servers’ certificate, NOT the appliance’s GUI web server certificate. See Manage certificates.

Certificate Verify

Select a certificate validation policy. See Manage and validate certificates.

HTTPS

Same as HTTP, plus the certificate settings listed next.

See Chapter 17: SSL Transactions for an overview of HTTPS features.

SSL Proxy Mode

Enable or disable SSL forward proxy.

Customized SSL Ciphers Flag

Enable or disable use of user-specified cipher suites.

Customized SSL Ciphers

If the Customized SSL Ciphers Flag is enabled, specify a colon-separated, ordered list of cipher suites.

An empty string is allowed. If empty, the default cipher suite list is used.

SSL Ciphers

We recommend retaining the default list. If necessary, you can deselect ciphers you do not want to support.

Allow SSL Versions

We recommend retaining the default list. If necessary, you can deselect SSL versions you do not want to support.

Note: FortiADC does not support session reuse for SSLv2 at the client side. Instead, a new SSL session is started.

Client SNI Required

Require clients to use the TLS server name indication (SNI) extension to include the server hostname in the TLS client hello message. Then, the FortiADC system can select the appropriate local server certificate to present to the client.

Local Certificate Group

A configuration group that includes the certificates this virtual server presents to SSL/TLS clients. This should be the backend servers' certificate, NOT the appliance's GUI web server certificate. See Manage certificates.

Certificate Verify

Select a certificate validation policy. See Manage and validate certificates.

TURBO HTTP

Timeout TCP Session

Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400.

Timeout TCP Session after FIN

Client-side connection timeout. The default is 100 seconds. The valid range is from 1 to 86,400.

IP Reputation

Enable to apply the FortiGuard IP reputation service.

Customized SSL Ciphers Flag

Enable or disable the Customized SSL Ciphers Flag.

Geo IP Block List

Select a Geo IP block list configuration object. See Using the Geo IP block list.

Geo IP Whitelist

Select a whitelist configuration object. See Using the Geo IP whitelist.

SIP

SIP Max Size

Maximum message size. The default is 65,535 bytes. The valid range is from 1 to 65,535.

Server Keepalive Timeout

Maximum wait for a new server-side request to appear. The default is 30 seconds. The valid range is 5 to 300.

Server Keepalive

Enable/disable a keepalive period for new server-side requests. Supports CRLF ping-pong for TCP connections. Enabled by default.

Client Keepalive

Enable/disable a keepalive period for new client-side requests. Supports CRLF ping-pong for TCP connections. Disabled by default.

Client Protocol

Client-side transport protocol:

  • TCP
  • UDP (default)

Server Protocol

Server-side transport protocol.

  • TCP
  • UDP

Default is "unset", so the client-side protocol determines the server-side protocol.

Failed Client Type

Action when the SIP client cannot be reached:

  • Drop—Drop the connection.
  • Send—Drop the connection and send a message, for example, a status code and error message.

Failed Server Type

Action when the SIP server cannot be reached:

  • Drop—Drop the connection.
  • Send—Drop the connection and send a message, for example, a status code and error message.

Insert Client IP

Enable/disable option to insert the client source IP address into the X-Forwarded-For header of the SIP request.

Client-Request-Header-Insert (maximum 4 members)

Type

  • Insert If Not Exist—Insert before the first header only if the header is not already present.
  • Insert Always—Insert before the first header even if the header is already present.
  • Append If Not Exist—Append only if the header is not present.
  • Append Always—Append after the last header.

HeaderName:Value

The header:value pair to be inserted.

Client-Request-Header-Erase (maximum 4 members)

Type

  • All—Parse all headers for a match.
  • First—Parse the first header for a match.

HeaderName

Header to be erased.

Client-Response-Header-Insert (maximum 4 members)

Type

  • Insert If Not Exist—Insert before the first header only if the header is not already present.
  • Insert Always—Insert before the first header even if the header is already present.
  • Append If Not Exist—Append only if the header is not present.
  • Append Always—Append after the last header.

HeaderName:Value

The header:value pair to be inserted.

Client-Response-Header-Erase (maximum 4 members)

Type

  • All—Parse all headers for a match.
  • First—Parse the first header for a match.

HeaderName

Header to be erased.

Server-Request-Header-Insert (maximum 4 members)

Type

  • Insert If Not Exist—Insert before the first header only if the header is not already present.
  • Insert Always—Insert before the first header even if the header is already present.
  • Append If Not Exist—Append only if the header is not present.
  • Append Always—Append after the last header.

HeaderName:Value

The header:value pair to be inserted.

Server-Request-Header-Erase (maximum 4 members)

Type

  • All—Parse all headers for a match.
  • First—Parse the first header for a match.

HeaderName

Header to be erased.

Server-Response-Header-Insert (maximum 4 members)

Type

  • Insert If Not Exist—Insert before the first header only if the header is not already present.
  • Insert Always—Insert before the first header even if the header is already present.
  • Append If Not Exist—Append only if the header is not present.
  • Append Always—Append after the last header.

HeaderName:Value

The header:value pair to be inserted.

Server-Response-Header-Erase (maximum 4 members)

Type

  • All—Parse all headers for a match.
  • First—Parse the first header for a match.

HeaderName

Header to be erased.
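
The eight header lists above (client and server, request and response, insert and erase) share the same four insert types and two erase types. The following added example, which is not FortiADC code, models those semantics on a constructed SIP INVITE so the ordering effects are visible: "Insert" types place the header before the first existing header, "Append" types after the last, the "If Not Exist" variants are skipped when the name is already present, and erase "First" removes only the first match while "All" removes every match. The `SipMessage` class, the rule tuples, the four-member limit check and the sample headers (X-Debug, X-Internal, X-Tag) are assumptions made for this example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Tuple

MAX_MEMBERS = 4  # each rule list accepts at most 4 members
INSERT_TYPES = {"Insert If Not Exist", "Insert Always",
                "Append If Not Exist", "Append Always"}
ERASE_TYPES = {"All", "First"}


@dataclass
class SipMessage:
    """Start line plus ordered (name, value) headers; the body is carried as-is."""
    start_line: str
    headers: List[Tuple[str, str]] = field(default_factory=list)
    body: str = ""

    @classmethod
    def parse(cls, raw: str) -> "SipMessage":
        head, _, body = raw.partition("\r\n\r\n")
        lines = head.split("\r\n")
        headers: List[Tuple[str, str]] = []
        for line in lines[1:]:
            name, _, value = line.partition(":")   # first colon ends the name
            headers.append((name.strip(), value.strip()))
        return cls(lines[0], headers, body)

    def to_wire(self) -> str:
        lines = [self.start_line] + [f"{n}: {v}" for n, v in self.headers]
        return "\r\n".join(lines) + "\r\n\r\n" + self.body

    def has(self, name: str) -> bool:
        return any(n.lower() == name.lower() for n, _ in self.headers)

    def values(self, name: str) -> List[str]:
        return [v for n, v in self.headers if n.lower() == name.lower()]


def apply_insert_rules(msg: SipMessage, rules: List[Tuple[str, str]]) -> SipMessage:
    """Apply (Type, "HeaderName:Value") members in list order."""
    if len(rules) > MAX_MEMBERS:
        raise ValueError(f"at most {MAX_MEMBERS} insert members are allowed")
    for rule_type, member in rules:
        if rule_type not in INSERT_TYPES:
            raise ValueError(f"unknown insert type {rule_type!r}")
        name, _, value = member.partition(":")
        header = (name.strip(), value.strip())
        present = msg.has(header[0])
        if rule_type == "Insert Always" or (rule_type == "Insert If Not Exist" and not present):
            msg.headers.insert(0, header)       # before the first header
        elif rule_type == "Append Always" or (rule_type == "Append If Not Exist" and not present):
            msg.headers.append(header)          # after the last header
    return msg


def apply_erase_rules(msg: SipMessage, rules: List[Tuple[str, str]]) -> SipMessage:
    """Apply (Type, HeaderName) members in list order."""
    if len(rules) > MAX_MEMBERS:
        raise ValueError(f"at most {MAX_MEMBERS} erase members are allowed")
    for rule_type, name in rules:
        if rule_type not in ERASE_TYPES:
            raise ValueError(f"unknown erase type {rule_type!r}")
        if rule_type == "All":
            msg.headers = [(n, v) for n, v in msg.headers if n.lower() != name.lower()]
        else:  # "First": drop only the first matching header
            for index, (n, _) in enumerate(msg.headers):
                if n.lower() == name.lower():
                    del msg.headers[index]
                    break
    return msg


# Constructed INVITE; the X-Debug and X-Internal headers exist only for the demo.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Via: SIP/2.0/UDP 198.51.100.3:5060;branch=z9hG4bKnashds8\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "X-Debug: trace\r\n"
    "X-Debug: verbose\r\n"
    "X-Internal: lab\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# A Client-Request-Header-Insert list and a Client-Request-Header-Erase list.
CLIENT_REQUEST_INSERT = [
    ("Append If Not Exist", "X-Forwarded-For: 192.0.2.10"),  # absent, so appended
    ("Append If Not Exist", "Content-Length: 99"),           # present, so skipped
    ("Insert Always", "X-Tag: a"),                           # goes to the top
    ("Insert If Not Exist", "X-Tag: b"),                     # now present, skipped
]
CLIENT_REQUEST_ERASE = [("First", "X-Debug"), ("All", "X-Internal")]


def run_example() -> SipMessage:
    msg = SipMessage.parse(SAMPLE_INVITE)
    apply_insert_rules(msg, CLIENT_REQUEST_INSERT)
    return apply_erase_rules(msg, CLIENT_REQUEST_ERASE)


if __name__ == "__main__":
    print(run_example().to_wire())
```

The erase "All" case is the one to reach for when stripping internal or diagnostic headers before a request leaves the cluster, since "First" leaves later duplicates in place.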

SMTP

Starttls Active Mode

Select one of the following:

  • Allow—The client can either use or not use the STARTTLS command.
  • Require—The STARTTLS command must be used to encrypt the connection first.
  • None—The STARTTLS command is NOT supported.

Forbidden Command

Select any, all, or none of the commands (i.e., expn, turn, vrfy).

If selected, the command or commands will be rejected by FortiADC; otherwise, the command or commands will be accepted and forwarded to the back end.
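
The Starttls Active Mode and Forbidden Command settings above decide, per client command, whether FortiADC forwards, answers itself, or rejects. The following added example, which is not FortiADC code, is a decision model for those two settings walked through a constructed SMTP session. The mode names and the three forbiddable commands are those of the profile; the `SmtpProfilePolicy` class, the set of commands treated as acceptable before STARTTLS (EHLO, HELO, STARTTLS, NOOP, QUIT, following RFC 3207), and the specific reply codes are assumptions made for this example and do not describe what FortiADC sends on the wire.

```python
from __future__ import annotations

from typing import List, Tuple

STARTTLS_MODES = {"Allow", "Require", "None"}
FORBIDDABLE_COMMANDS = {"EXPN", "TURN", "VRFY"}
# Commands a client may legitimately send before STARTTLS completes (RFC 3207).
PRE_TLS_COMMANDS = {"EHLO", "HELO", "STARTTLS", "NOOP", "QUIT"}


class SmtpProfilePolicy:
    """Hypothetical decision model for Starttls Active Mode and Forbidden Command."""

    def __init__(self, starttls_active_mode: str, forbidden_commands: List[str]):
        if starttls_active_mode not in STARTTLS_MODES:
            raise ValueError(f"unknown Starttls Active Mode {starttls_active_mode!r}")
        forbidden = {c.upper() for c in forbidden_commands}
        unknown = forbidden - FORBIDDABLE_COMMANDS
        if unknown:
            raise ValueError(f"only expn, turn and vrfy can be forbidden, not {sorted(unknown)}")
        self.mode = starttls_active_mode
        self.forbidden = forbidden

    def decide(self, command_line: str, tls_active: bool) -> Tuple[str, str]:
        """Return (action, reply) for one client command line.

        action is "forward" (passed to the back end), "accept" (STARTTLS is
        handled at the load balancer) or "reject" (answered with `reply` and
        not forwarded). Reply codes are standard SMTP codes chosen for the
        example.
        """
        verb = command_line.strip().split(" ", 1)[0].upper()
        if verb in self.forbidden:
            return "reject", "502 5.5.1 Command not implemented"
        if verb == "STARTTLS":
            if self.mode == "None":
                return "reject", "502 5.5.1 STARTTLS not supported"
            if tls_active:
                return "reject", "503 5.5.1 TLS already active"
            return "accept", "220 2.0.0 Ready to start TLS"
        if self.mode == "Require" and not tls_active and verb not in PRE_TLS_COMMANDS:
            return "reject", "530 5.7.0 Must issue a STARTTLS command first"
        return "forward", ""


def run_session(policy: SmtpProfilePolicy, commands: List[str]) -> List[Tuple[str, str, str]]:
    """Walk a client session, tracking whether STARTTLS has completed."""
    tls_active = False
    log: List[Tuple[str, str, str]] = []
    for line in commands:
        action, reply = policy.decide(line, tls_active)
        if action == "accept":
            tls_active = True   # the TLS handshake would follow the 220 reply
        log.append((line, action, reply))
    return log


# Constructed session against a Require-mode profile that forbids all three commands.
SAMPLE_POLICY = SmtpProfilePolicy("Require", ["expn", "turn", "vrfy"])
SAMPLE_SESSION = [
    "EHLO client.example.net",
    "MAIL FROM:<alice@example.net>",   # too early: TLS not yet active
    "STARTTLS",
    "VRFY bob",                        # forbidden regardless of TLS
    "MAIL FROM:<alice@example.net>",
    "QUIT",
]


def run_sample_session() -> List[Tuple[str, str, str]]:
    return run_session(SAMPLE_POLICY, SAMPLE_SESSION)


if __name__ == "__main__":
    for line, action, reply in run_sample_session():
        print(f"{line:32} -> {action:8} {reply}")
```

Forbidding VRFY and EXPN removes the two commands that let an unauthenticated client enumerate valid mailboxes, which is why they are the ones the profile offers to reject; Require mode then keeps envelope and message data off the wire in clear text.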

Domain Name

Specify the domain name.

Local Certificate Group

Select the local certificate group. The default is LOCAL_CERT_GROUP.

Certificate Verify

Specify the certificate verify configuration object.

RTMP

Source Address

Enable to use the client address when connecting to the server pool.

RTSP

Max Header Size

Specify the maximum size of the RTSP header.

Source Address

Enable to use the client address when connecting to the server pool.

MySQL

Note: The system does not provide default MySQL profiles as it does with the other protocols.

Single Master

If selected, the profile will use the single-master mode. You will then need to specify and configure the master server and slave servers.

Sharding

If selected, the profile will use the sharding mode to load-balance MySQL traffic.

DIAMETER

FortiADC comes with a default load-balancing profile titled "LB_PROF_DIAMETER". If it is selected, FortiADC will not change Diameter packets except the host IP address AVP, which means that FortiADC functions as a relay agent.

Identity

Leave blank to keep relay behavior. If set, FortiADC rewrites the Origin-Host AVP of the Diameter packet to this value, so peers see FortiADC rather than the back-end server as the originator.

Realm

Leave blank to keep relay behavior. If set, FortiADC rewrites the Origin-Realm AVP of the Diameter packet to this value.

Vendor ID

Leave blank to keep relay behavior. If set, FortiADC rewrites the Vendor-Id AVP of the Diameter packet to this value.

Product Name

Leave blank to keep relay behavior. If set, FortiADC rewrites the Product-Name AVP of the Diameter packet to this value.

Idle Timeout

The default is 300 seconds. The valid range is 1 to 86,400. This is the timeout for the built-in Diameter Session ID persistence.

Server Close Propagation

OFF by default: when the server closes its side of the connection, the client-side connection stays open. When ON, FortiADC closes the client-side connection as well.
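The following is an added example, not FortiADC code: it parses Diameter AVPs as defined in RFC 6733 (AVP codes 264 Origin-Host, 296 Origin-Realm, 266 Vendor-Id, 269 Product-Name), returns the message byte-for-byte when Identity, Realm, Vendor ID and Product Name are all blank (the relay behavior described above), and otherwise rewrites the matching AVPs and recomputes the message length. The Host-IP-Address rewrite mentioned above is not modeled. The sample Capabilities-Exchange-Request and the host names in it are constructed.

```python
"""Diameter origin rewrite driven by the DIAMETER profile fields (added example, not FortiADC code)."""
import struct
from typing import List, Optional, Tuple

# AVP codes from RFC 6733
AVP_ORIGIN_HOST = 264
AVP_VENDOR_ID = 266
AVP_PRODUCT_NAME = 269
AVP_ORIGIN_REALM = 296
FLAG_V = 0x80      # vendor-specific AVP: 12-byte AVP header instead of 8
FLAG_M = 0x40      # mandatory bit
HEADER_LEN = 20    # fixed Diameter message header

Avp = Tuple[int, int, Optional[int], bytes]   # (code, flags, vendor_id, data)


def encode_avp(code: int, flags: int, vendor_id: Optional[int], data: bytes) -> bytes:
    """Encode one AVP, padded to 4 bytes; the V bit follows whether vendor_id is given."""
    flags = (flags | FLAG_V) if vendor_id is not None else (flags & ~FLAG_V)
    length = (12 if vendor_id is not None else 8) + len(data)
    out = struct.pack("!II", code, (flags << 24) | length)
    if vendor_id is not None:
        out += struct.pack("!I", vendor_id)
    return out + data + b"\x00" * (-len(data) % 4)


def decode_avps(payload: bytes) -> List[Avp]:
    """Parse every AVP in payload, rejecting truncated or out-of-bounds lengths."""
    avps, off = [], 0
    while off < len(payload):
        if len(payload) - off < 8:
            raise ValueError("truncated AVP header")
        code, word = struct.unpack_from("!II", payload, off)
        flags, length = word >> 24, word & 0xFFFFFF
        hdr = 12 if flags & FLAG_V else 8
        if length < hdr or off + length > len(payload):
            raise ValueError(f"bad AVP length {length} at offset {off}")
        vendor = struct.unpack_from("!I", payload, off + 8)[0] if flags & FLAG_V else None
        avps.append((code, flags, vendor, payload[off + hdr:off + length]))
        off += length + (-length % 4)
    return avps


def build_message(cmd_code: int, cmd_flags: int, app_id: int, hbh: int, e2e: int,
                  avps: List[Avp]) -> bytes:
    """Assemble a version-1 Diameter message from its header fields and AVP list."""
    body = b"".join(encode_avp(*a) for a in avps)
    return (struct.pack("!I", (1 << 24) | (HEADER_LEN + len(body)))
            + struct.pack("!I", (cmd_flags << 24) | cmd_code)
            + struct.pack("!III", app_id, hbh, e2e) + body)


def rewrite_origin(msg: bytes, identity: str = "", realm: str = "",
                   vendor_id: Optional[int] = None, product_name: str = "") -> bytes:
    """Apply the profile fields. A blank field leaves its AVP alone; all blank = relay."""
    version, length = msg[0], int.from_bytes(msg[1:4], "big")
    if version != 1 or length != len(msg) or length < HEADER_LEN:
        raise ValueError("not a well-formed Diameter message")
    new_data = {}
    if identity:
        new_data[AVP_ORIGIN_HOST] = identity.encode("ascii")
    if realm:
        new_data[AVP_ORIGIN_REALM] = realm.encode("ascii")
    if vendor_id is not None:
        new_data[AVP_VENDOR_ID] = struct.pack("!I", vendor_id)
    if product_name:
        new_data[AVP_PRODUCT_NAME] = product_name.encode("utf-8")
    if not new_data:
        return msg                                   # relay agent: forward unchanged
    avps = [(c, f, v, new_data.get(c, d)) for c, f, v, d in decode_avps(msg[HEADER_LEN:])]
    body = b"".join(encode_avp(*a) for a in avps)
    # Keep command flags/code, Application-ID, Hop-by-Hop and End-to-End IDs; fix the length.
    return struct.pack("!I", (1 << 24) | (HEADER_LEN + len(body))) + msg[4:HEADER_LEN] + body


def get_avp(msg: bytes, code: int) -> Optional[bytes]:
    """Return the data of the first AVP with this code, or None."""
    for c, _, _, data in decode_avps(msg[HEADER_LEN:]):
        if c == code:
            return data
    return None


# Constructed Capabilities-Exchange-Request (command code 257, R bit set).
SAMPLE_CER = build_message(257, 0x80, 0, 0x1001, 0x2001, [
    (AVP_ORIGIN_HOST, FLAG_M, None, b"hss1.example.net"),
    (AVP_ORIGIN_REALM, FLAG_M, None, b"example.net"),
    (AVP_VENDOR_ID, FLAG_M, None, struct.pack("!I", 0)),
    (AVP_PRODUCT_NAME, 0, None, b"ExampleHSS"),
])

if __name__ == "__main__":
    out = rewrite_origin(SAMPLE_CER, identity="fortiadc-1.example.net")
    print(get_avp(out, AVP_ORIGIN_HOST), get_avp(out, AVP_ORIGIN_REALM), len(SAMPLE_CER), len(out))
```

Setting only Identity changes Origin-Host and the message length while Origin-Realm, Vendor-Id and Product-Name pass through untouched, which is exactly the per-field behavior the table describes; the length check in rewrite_origin and the bounds checks in decode_avps are the minimum a proxy needs before it rewrites anything.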
