config load-balance profile
Use this command to configure virtual server profiles. A profile is a configuration object that defines how you want the FortiADC virtual server to handle traffic for specific protocols. Virtual server profiles determine settings used in network communication on the client-FortiADC segment, in contrast to real server profiles, which determine the settings used in network communication on the FortiADC-real server segment.
Table 10 describes usage for each profile type, including compatible virtual server types, load balancing methods, and persistence methods.
Profile | Usage | VS Type | LB Methods | Persistence |
---|---|---|---|---|
FTP | Use with FTP servers. Note: The setting | Layer 7, 4, 2 | Round Robin, Least Connections, Fastest Response | Source Address, Source Address Hash |
HTTP | Use for standard, unsecured web server traffic. | Layer 7, Layer 2 | Layer 7: Round Robin, Least Connections, URI Hash, Full URI Hash, Host Hash, Host Domain Hash; Layer 2: same as Layer 7, plus Destination IP Hash | Source Address, Source Address Hash, Source Address-Port Hash, HTTP Header Hash, HTTP Request Hash, Cookie Hash, Persistent Cookie, Insert Cookie, Embedded Cookie, Rewrite Cookie |
HTTPS | Use for secured web server traffic when offloading TLS/SSL from the backend servers. You must import the backend server certificates into FortiADC and select them in the HTTPS profile. | Layer 7, Layer 2 | Same as HTTP | Same as HTTP, plus SSL Session ID |
HTTP Turbo | Use for unsecured HTTP traffic that does not require advanced features such as caching, compression, content rewriting, rate limiting, Geo IP blocking, or source NAT. The profile can be used with content routes and destination NAT, but the HTTP request must be in the first data packet. This profile enables packet-based forwarding, which reduces network latency and system CPU usage. However, packet-based forwarding for HTTP is advisable only when you do not anticipate dropped or out-of-order packets. | Layer 7 | Round Robin, Least Connections, Fastest Response | Source Address |
RADIUS | Use with RADIUS servers. | Layer 7 | Round Robin | RADIUS attribute |
RDP | Use with Windows Terminal Server (remote desktop protocol). | Layer 7 | Round Robin, Least Connections | Source Address, Source Address Hash, Source Address-Port Hash, RDP Cookie |
SIP | Use with applications that use session initiation protocol (SIP), such as VoIP, instant messaging, and video. | Layer 7 | Round Robin, URI Hash, Full URI Hash | Source Address, Source Address Hash, Source Address-Port Hash, SIP Call ID |
TCP | Use for other TCP protocols. | Layer 4, Layer 2 | Layer 4: Round Robin, Least Connections, Fastest Response; Layer 2: Round Robin, Least Connections, Fastest Response, Destination IP Hash | Source Address, Source Address Hash |
TCPS | Use for secured TCP when offloading TLS/SSL from the backend servers. As with the HTTPS profile, you must import the backend server certificates into FortiADC and select them in the TCPS profile. | Layer 7, Layer 2 | Layer 7: Round Robin, Least Connections; Layer 2: Round Robin, Least Connections, Destination IP Hash | Source Address, Source Address Hash, Source Address-Port Hash, SSL Session ID |
UDP | Use for other UDP protocols. | Layer 4, Layer 2 | Layer 4: Round Robin, Least Connections, Fastest Response; Layer 2: Round Robin, Least Connections, Fastest Response, Destination IP Hash | Source Address, Source Address Hash |
DNS | Use with DNS servers. | Layer 7 | Round Robin, Least Connections | Not supported |
IP | Combines with a Layer 2 TCP/UDP/HTTP virtual server to balance the remaining IP packets that pass through FortiADC. When IP (protocol 0) virtual servers are running, traffic is always matched against the non-protocol-0 virtual servers first. | Layer 2 | Round Robin only | Source Address, Source Address Hash |
DIAMETER | Use with Diameter servers. | Layer 7 | Round Robin only | Source Address |
MySQL | Use with the MySQL service to load-balance MySQL requests among the MySQL servers. It has two working modes: "single-primary" and "sharding-data". Creating a MySQL profile also adds the MySQL-type health check. | Layer 7 | Round Robin, Least Connections | Not supported |
RTMP | Use to configure RTMP profiles. | Layer 7 | Round Robin, Least Connections | Source Address, Source Address Hash |
RTSP | Use to configure RTSP profiles. | Layer 7 | Round Robin, Least Connections | Source Address, Source Address Hash |
SMTP | Use with SMTP servers. | Layer 7 | Round Robin, Least Connections | Source Address, Source Address Hash |
EXPLICIT_HTTP | A simple explicit/forward HTTP proxy mode. In this mode you do not need to add a backend real server pool; the destination IP address of the downstream connection is taken from the URL or Host field of the client request. | Layer 7 | N/A | N/A |
L7 TCP | Use for other TCP protocols. | Layer 7 | Round Robin, Least Connections | Source Address, Source Address Hash |
L7 UDP | Use with UDP servers. | Layer 7 | Round Robin, Least Connections | Source Address, Source Address Hash |
Table 11 provides a summary of the predefined profiles. You can select predefined profiles in the virtual server configuration, or you can create user-defined profiles, especially to include configuration objects such as certificates, caching settings, compression options, and IP reputation.
Profile | Defaults |
---|---|
LB_PROF_TCP | Session Timeout: 100 seconds; Session Timeout after FIN: 100 seconds; IP Reputation: disabled; Geo IP block list: none |
LB_PROF_UDP | Session Timeout: 100 seconds; IP Reputation: disabled; Geo IP block list: none |
LB_PROF_HTTP | Client Timeout: 50 seconds; Server Timeout: 50 seconds; Connect Timeout: 5 seconds; Queue Timeout: 5 seconds; HTTP Request Timeout: 50 seconds; HTTP Keepalive Timeout: 50 seconds; Buffer Pool: enabled; Source Address: disabled; X-Forwarded-For: disabled; HTTP Mode: ServerClose; Compression: none; Caching: none; IP Reputation: disabled; Geo IP block list: none |
LB_PROF_TURBOHTTP | Session Timeout: 100 seconds; Session Timeout after FIN: 100 seconds; IP Reputation: disabled |
LB_PROF_FTP | Session Timeout: 100 seconds; Session Timeout after FIN: 100 seconds; IP Reputation: disabled; Geo IP block list: none; Source Address: disabled |
LB_PROF_RADIUS | Session Timeout: 300 seconds; Dynamic Auth: disabled |
LB_PROF_RDP | Client Timeout: 50 seconds; Server Timeout: 50 seconds; Connect Timeout: 5 seconds; Queue Timeout: 5 seconds; Buffer Pool: enabled; Source Address: disabled; IP Reputation: disabled; Geo IP block list: none |
LB_PROF_SIP | SIP Max Size: 65535 bytes; Server Keepalive: enabled; Server Keepalive Timeout: 30 seconds; Client Keepalive: disabled; Client Protocol: UDP; Server Protocol: unset; Failed Client Type: Drop; Failed Server Type: Drop; Insert Client IP: disabled; Source Address: disabled; Media Address: 0.0.0.0 |
LB_PROF_TCPS | Client Timeout: 50 seconds; Server Timeout: 50 seconds; Connect Timeout: 5 seconds; Queue Timeout: 5 seconds; Buffer Pool: enabled; Source Address: disabled; IP Reputation: disabled; Geo IP block list: none; SSL Ciphers: none; Allow SSL Versions: SSLv3, TLSv1.0, TLSv1.1, TLSv1.2; Client SNI Required: disabled; Certificate Group: LOCAL_CERT_GROUP |
LB_PROF_HTTPS | Client Timeout: 50 seconds; Server Timeout: 50 seconds; Connect Timeout: 5 seconds; Queue Timeout: 5 seconds; HTTP Request Timeout: 50 seconds; HTTP Keepalive Timeout: 50 seconds; Buffer Pool: enabled; Source Address: disabled; X-Forwarded-For: disabled; HTTP Mode: ServerClose; Compression: none; Caching: none; IP Reputation: disabled; Geo IP block list: none; SSL Ciphers: none; Allow SSL Versions: SSLv3, TLSv1.0, TLSv1.1, TLSv1.2; Client SNI Required: disabled; Certificate Group: LOCAL_CERT_GROUP |
LB_PROF_DNS | DNS Cache Flag: Enabled; DNS Cache Ageout Time: 3600; DNS Cache Size: 10; DNS Cache Entry Size: 512; DNS Cache Response Type: All Records; DNS Malform Query Action: Drop; DNS Max Query Length: 512; DNS Authentication Flag: Disabled |
LB_PROF_IP | IP Reputation: Disabled; Customized SSL Ciphers Flag: Disabled; Geo IP Block List: None; Geo IP allowlist: None; Timeout IP Session: 100 |
LB_PROF_RTSP | Max-header-size: 4096; Client-address: Disable |
LB_PROF_RTMP | Client-address: Disable |
LB_PROF_HTTP2_H2C | HTTP/HTTP2 profile: LB_HTTP2_PROFILE_DEFAULT |
LB_PROF_HTTP2_H2 | HTTP/HTTP2 profile: LB_HTTP2_PROFILE_DEFAULT |
LB_PROF_DIAMETER | server-close-propagation: Disable; Idle-timeout: 300 |
LB_PROF_SMTP | Starttls Active Mode: Required; Customized SSL Ciphers Flag: Disabled; SSL Ciphers: shows all available SSL ciphers, with the default ones selected; Allow SSL Versions: SSLv3, TLSv1.0, TLSv1.1, TLSv1.2; Forbidden Command: expn, turn, vrfy; Local Certificate Group: LOCAL_CERT_GROUP |
LB_PROF_EXPLICIT_HTTP | Client Timeout: 50; Server Timeout: 50; Connect Timeout: 5; Queue Timeout: 5; HTTP Send Timeout: 5; HTTP Request Timeout: 50; HTTP Keepalive Timeout: 50; Client Address: Disabled; X-Forwarded-For: Disabled; X-Forwarded-For Header: None; IP Reputation: Disabled; HTTP Mode: Keep Alive; SSL Proxy Mode: Disabled; Customized SSL Ciphers Flag: Disabled; Client SNI Required: Disabled; Decompression: None; Geo IP Block List: None; Geo IP Allowlist: None; Geo IP Redirect URL: http://; Tune Buffer Size: 8030; Max HTTP Headers: 100; Response Half Closed Connection: Disabled |
LB_PROF_L7_TCP | Timeout TCP Session: 100; IP Reputation: Disabled |
LB_PROF_L7_UDP | Timeout UDP Session: 100; IP Reputation: Disabled |
Before you begin:
- You must have already created configuration objects for certificates, caching, and compression if you want the profile to use them.
- You must have read-write permission for load balance settings.
Syntax
config load-balance profile
edit <name>
set type {ftp | http | https | radius | rdp | sip | tcp | tcps | turbohttp | udp | diameter | explicit_http | L7tcp | L7udp}
set timeout_tcp_session <integer>
set timeout_tcp_session_after_FIN <integer>
set timeout-radius-session <integer>
set timeout_udp_session <integer>
set buffer-pool {enable|disable}
set caching <datasource>
set cache-response-type {single-answer | round-robin}
set client-address {enable|disable}
set client-timeout <integer>
set compression <datasource>
set connect-timeout <integer>
set http-keepalive-timeout <integer>
set http-mode {KeepAlive|OnceOnly|ServerClose}
set http-request-timeout <integer>
set http-x-forwarded-for {enable|disable}
set http-x-forwarded-for-header <string>
set queue-timeout <integer>
set server-timeout <integer>
set tune-bufsize <integer>
set tune-maxrewrite <integer>
set ip-reputation {enable|disable}
set geoip-list <datasource>
set allowlist <datasource>
set geoip-redirect <string>
set client-keepalive {enable|disable}
set client-protocol {tcp|udp}
set failed-client {drop|send}
set failed-client-str <string>
set failed-server {drop|send}
set failed-server-str <string>
set max-size <integer>
set server-keepalive {enable|disable}
set server-keepalive-timeout <integer>
set server-protocol {tcp|udp}
set sip-insert-client-ip {enable|disable}
set media-addr <ip address>
set dynamic-auth {enable|disable}
set dynamic-auth-port <integer>
config client-request-header-erase
edit <No.>
set type {all|first}
set string <string>
next
end
config client-request-header-insert
edit <No.>
set type {append-always | append-if-not-exist | insert-always | insert-if-not-exist}
set string <string>
next
end
config client-response-header-erase
edit <No.>
set type {all|first}
set string <string>
next
end
config client-response-header-insert
edit <No.>
set type {append-always | append-if-not-exist | insert-always | insert-if-not-exist}
set string <string>
next
end
config server-request-header-erase
edit <No.>
set type {all|first}
set string <string>
next
end
config server-request-header-insert
edit <No.>
set type {append-always | append-if-not-exist | insert-always | insert-if-not-exist}
set string <string>
next
end
config server-response-header-erase
edit <No.>
set type {all|first}
set string <string>
next
end
config server-response-header-insert
edit <No.>
set type {append-always | append-if-not-exist | insert-always | insert-if-not-exist}
set string <string>
next
end
next
end
The following commands are used to invoke the "LB_PROF_DNS" profile in Layer-7 virtual servers.
config load-balance profile
edit "dns"
set caching {enable|disable}
set malform-query-action {drop|forward}
set max-cache-age <integer>
set max-cache-entry-size <integer>
set max-cache-size <integer>
set max-query-length <integer>
set redirect-to-tcp-port {enable|disable}
next
end
config load-balance virtual-server
edit "vs1"
set load-balance-profile LB_PROF_DNS
next
end
The following commands are used to invoke the "LB_PROF_IP" profile in Layer-2 virtual servers. When the profile of a Layer-2 virtual server is set to "LB_PROF_IP", you must specify the protocol numbers the virtual server can accept.
config load-balance profile
edit "ip"
set type ip
set timeout-ip-session <integer>
set ip-reputation {enable|disable}
set geoip-list <string>
set allowlist <string>
next
end
config load-balance virtual-server
edit "LB_PROF_IP"
set type l2-load-balance
set load-balance-profile LB_PROF_IP
set protocol-numbers <value>   # a protocol range "A-B" or a single protocol number "A"
next
end
The following commands are used to configure MySQL load-balancing:
config system health-check
edit <health-check name>
set type mysql
set user <user name>
set password <password>
set dest-addr <ip addr>
set port <port>
next
end
The following commands are used to create a new MySQL profile (basic configuration):
config load-balance profile
edit <name>
config mysql-user-password
edit <id>
set username <username>
set password <password>
next
end
next
end
The following commands are used to configure a MySQL profile in basic single-primary mode:
config load-balance profile
edit <name>
config mysql-rule
edit <rule id>
set type {primary | secondary}
set database <database name> <database name> ...
set user <user name> <user name> ...
set table <table name> <table name> ...
set client-ip <client ip> <client ip> ...
set sql <sql statement> <sql statement> ...
next
end
next
end
The following commands are used to configure a MySQL profile in data-sharding mode:
config load-balance profile
edit <name>
set mysql-mode sharding
config mysql-sharding
edit <id>
set type range
set table <table name>
set key <column name>
set group <group id>:<range> <group id>:<range> ... # such as set groups 0:0-999 1:1000-9999
next
edit <id>
set type hash
set database <database name>
set table <table name>
set key <column name>
set group <group id> <group id>
next
end
next
end
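As an added worked example (not FortiADC code), the following parses the `<group id>:<range>` list from a `set type range` sharding rule and resolves the group for a sharding key; what FortiADC does with a key that falls outside every range is not stated on this page, so the function returns None and leaves that decision to the caller.

```python
"""Parse 'set group <group id>:<range> ...' from a range-type mysql-sharding rule and
route a sharding key to its pool-member group (added example, not FortiADC code)."""
from typing import List, Optional, Tuple

Group = Tuple[int, int, int]  # (group id, range low, range high), bounds inclusive


def parse_range_groups(spec: str) -> List[Group]:
    """'0:0-999 1:1000-9999' -> [(0, 0, 999), (1, 1000, 9999)].
    Rejects malformed tokens, empty ranges and overlapping ranges, because an
    overlap would make the routing decision ambiguous."""
    groups: List[Group] = []
    for token in spec.split():
        gid_text, _, rng = token.partition(":")
        lo_text, _, hi_text = rng.partition("-")
        if not (gid_text and lo_text and hi_text):
            raise ValueError(f"malformed group spec {token!r}")
        gid, lo, hi = int(gid_text), int(lo_text), int(hi_text)
        if lo > hi:
            raise ValueError(f"empty range in {token!r}")
        groups.append((gid, lo, hi))
    groups.sort(key=lambda g: g[1])
    for (_, _, prev_hi), (gid, lo, _) in zip(groups, groups[1:]):
        if lo <= prev_hi:
            raise ValueError(f"range of group {gid} overlaps the previous range")
    return groups


def group_for_key(groups: List[Group], key: int) -> Optional[int]:
    """Group id whose range contains the key, or None when no range covers it
    (assumption: the caller decides how to treat uncovered keys)."""
    for gid, lo, hi in groups:
        if lo <= key <= hi:
            return gid
    return None
```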
The following commands are used to configure MySQL profile-specific pool members:
config load-balance pool
edit <pool name>
config pool_member
edit 1
set mysql-group-id <group id> #for Data Sharding
set mysql-read-only enable #for secondary
next
end
next
end
The following commands are used to create an RTSP profile:
config load-balance profile
edit "RTSP"
set type rtsp
set max-header-size <size>
set client-address <enable/disable>
next
end
The following commands are used to configure an RTMP profile:
config load-balance profile
edit "RTMP"
set type rtmp
set client-address <enable/disable>
next
end
The following commands are used to configure a Diameter proxy-mode profile:
config load-balance profile
edit "diameter_proxy"
set type diameter
set identity <string>
set realm <string>
set vendor-id <integer>
set product-name <string>
set idle-timeout <integer>
set server-close-propagation <enable/disable>
next
end
The following commands are used to configure a Diameter relay-mode profile:
config load-balance profile
edit "diameter_proxy"
set type diameter
set idle-timeout <integer>
set server-close-propagation <enable/disable>
next
end
The following commands are used to configure an explicit HTTP profile:
config load-balance profile
edit <name>
set type explicit_http
set buffer-pool {enable|disable}
set caching <string>
set client-address {enable|disable}
set client-timeout <integer>
set connect-timeout <integer>
set decompression <string>
set geoip-list <string>
set geoip-redirect <string>
set http-keepalive-timeout <integer>
set http-request-timeout <integer>
set http-send-timeout <integer>
set http-x-forwarded-for {enable|disable}
set http-x-forwarded-for-header <string>
set ip-reputation {enable|disable}
set max-http-headers <integer>
set queue-timeout <integer>
set response-half-closed-request {enable|disable}
set server-timeout <integer>
set tune-bufsize <integer>
set tune-maxrewrite <integer>
set allowlist <string>
next
end
Parameter | Description |
---|---|
type | Specify the profile type. After you have specified the type, the CLI commands are constrained to the ones that apply to that type, not all of the settings described in this table. |
IP | |
geoip-list | Specify the Geo IP block list. |
ip-reputation | Specify the IP Reputation. |
timeout-ip-session | Specify the timeout of the IP session. |
allowlist | Specify the Geo IP allowlist. |
RTSP | |
max-header-size | Specify the maximum size of RTSP packets, which can range from 16 to 65,536. |
client-address | Enable/disable the use of the client IP as the source IP to connect to the real server. |
RTMP | |
client-address | Enable/disable the use of the client IP as the source IP to connect to the real server. |
DNS | |
caching | Enable or disable the cache for the DNS virtual server. |
malform-query-action | Specify the action taken on malformed requests. |
max-cache-age | Specify the cache age-out time (in seconds). |
max-cache-entry-size | Specify the maximum cache entry size. |
max-cache-size | Specify the maximum cache size (in megabytes). |
max-query-length | Specify the maximum query length. |
redirect-to-tcp-port | Enable or disable TCP authentication. |
FTP | |
timeout_tcp_session | Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400. |
timeout_tcp_session_after_FIN | Client-side connection timeout. The default is 100 seconds. The valid range is 1 to 86,400. |
ip-reputation | Enable to apply the FortiGuard IP reputation service. |
geoip-list | Specify a Geo IP block list configuration object. |
allowlist | Specify a Geo IP allowlist configuration object. |
client-address | Use the original IP address as the source address in the connection to the real server. |
Parameter | Description |
---|---|
HTTP | |
buffer-pool | Enable to use buffering. |
tune-bufsize | Specify the buffer size for a session when buffer-pool is enabled. Specify lower values to allow more sessions to coexist in the same amount of RAM, and higher values for traffic with larger HTTP body content. The default is 8,030 bytes. The valid range is 128 to 2,147,483,647. Note: tune-bufsize factors into the total allowable size of an HTTP request. The maximum length of an HTTP request is calculated as tune-bufsize minus tune-maxrewrite; for example, with tune-bufsize 8030 and tune-maxrewrite 1024, the maximum HTTP request is 8030 - 1024 = 7006 bytes. |
caching | Specify the name of the caching configuration object. |
client-address | Use the original client IP address as the source address in the connection to the real server. |
client-timeout | Client-side TCP connection timeout. The default is 50 seconds. The valid range is 1 to 3,600. |
compression | Specify a compression configuration object. |
connect-timeout | Multiplexed server-side TCP connection timeout. Usually less than the client-side timeout. The default is 5 seconds. The valid range is 1 to 3,600. |
http-keepalive-timeout | The default is 50 seconds. The valid range is 1 to 3,600. |
http-mode | |
http-request-timeout | Client-side HTTP request timeout. The default is 50 seconds. The valid range is 1 to 3,600. |
http-x-forwarded-for | Enable this option to append the client IP address found in IP layer packets to the HTTP header, for example, The default header name is |
http-x-forwarded-for-header | Specify a custom name for the HTTP header that carries the client IP address. Do not include the 'X-' prefix. Examples: Forwarded-For, Real-IP, or True-IP. |
queue-timeout | Specifies how long connection requests to a backend server remain in a queue if the server has reached its maximum number of connections. If the timeout expires before the client can connect, FortiADC drops the connection and sends a 503 error to the client. The default is 5 seconds. The valid range is 1 to 3,600. |
server-timeout | Server-side IP session timeout. The default is 50 seconds. The valid range is 1 to 3,600. |
tune-maxrewrite | Specify the buffer space reserved for content rewriting. The default is 1,024 bytes. The valid range is 128 to 2,147,483,647. Note: tune-maxrewrite factors into the total allowable size of an HTTP request. The maximum length of an HTTP request is calculated as tune-bufsize minus tune-maxrewrite; for example, with tune-bufsize 8030 and tune-maxrewrite 1024, the maximum HTTP request is 8030 - 1024 = 7006 bytes. |
ip-reputation | Enable to apply the FortiGuard IP reputation service. |
geoip-list | Specify a Geo IP block list configuration object. |
geoip-redirect | For HTTP/HTTPS, if you have configured a Geo IP redirect action, specify the redirect URL. |
allowlist | Specify a Geo IP allowlist configuration object. |
http2-profile | Specify an HTTP2 profile configuration object. |
HTTPS (same as HTTP, plus the following) | |
allow-ssl-versions | You have the following options: We recommend retaining the default list. If necessary, you can specify a space-separated list of SSL versions you want to support for this profile. |
cert-verify | Specify a certificate validation policy. |
client-sni-required | Require clients to use the TLS server name indication (SNI) extension to include the server hostname in the TLS client hello message. The FortiADC system can then select the appropriate local server certificate to present to the client. |
local-cert-group | A configuration group that includes the certificates this virtual server presents to SSL/TLS clients. This should be the backend servers' certificate, NOT the appliance's GUI web server certificate. |
forward-client-certificate | Enable/disable. If enabled, FortiADC sends the whole client certificate, BASE64-encoded, in the specified HTTP header, which is either X-Client-Cert or a user-defined header. |
forward-client-certificate-header | The default is X-Client-Cert, but you can customize it using this command. |
ssl-ciphers | Ciphers are listed from strongest to weakest: ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-RC4-SHA ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA ECDHE-RSA-RC4-SHA RC4-SHA RC4-MD5 ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA eNULL. We recommend retaining the default list. If necessary, you can specify a different space-separated list of supported ciphers. |
ssl-customize-ciphers-flag | Enable/disable use of user-specified cipher suites. |
ssl-customized-ciphers | If the customize cipher flag is enabled, specify a colon-separated, ordered list of cipher suites. An empty string is allowed. If empty, the default cipher suite list is used. |
ssl-proxy | Enable/disable SSL forward proxy. |
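The predefined HTTPS and TCPS profiles allow SSLv3 and TLSv1.0/1.1 by default, and the cipher list includes RC4, single DES and eNULL suites, so a profile that never sets allow-ssl-versions or ssl-ciphers inherits those. The following added example (not FortiADC code; the spelling of the version values in the sample is assumed) parses a `config load-balance profile` dump, reports profiles whose TLS settings still permit legacy versions or ciphers, and applies the tune-bufsize minus tune-maxrewrite request-size formula from the HTTP section above.

```python
"""Audit FortiADC 'config load-balance profile' text for legacy TLS settings and the
tune-bufsize - tune-maxrewrite request limit (added example, not FortiADC code)."""
import shlex
from typing import Dict, List

# Defaults as listed for the predefined HTTPS/TCPS/HTTP profiles on this page.
DEFAULT_SSL_VERSIONS = ["sslv3", "tlsv1.0", "tlsv1.1", "tlsv1.2"]
DEFAULT_TUNE_BUFSIZE = 8030
DEFAULT_TUNE_MAXREWRITE = 1024
# Versions and cipher families a TLS-offloading virtual server should no longer accept.
WEAK_VERSIONS = {"sslv3", "tlsv1.0", "tlsv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES-CBC", "MD5", "eNULL")
TLS_PROFILE_TYPES = {"https", "tcps"}
HTTP_PROFILE_TYPES = {"http", "https", "explicit_http"}

# Constructed sample in FortiADC CLI syntax (value spelling for allow-ssl-versions is
# assumed; the checks compare case-insensitively).
SAMPLE_CONFIG = """
config load-balance profile
    edit "web_tls_legacy"
        set type https
        set allow-ssl-versions sslv3 tlsv1.0 tlsv1.1 tlsv1.2
        set ssl-ciphers ECDHE-RSA-AES256-GCM-SHA384 RC4-SHA
        config client-request-header-insert
            edit 1
                set type insert-if-not-exist
                set string "X-Forwarded-Proto: https"
            next
        end
    next
    edit "web_tls_modern"
        set type https
        set allow-ssl-versions tlsv1.2
    next
    edit "db_tcps"
        set type tcps
    next
    edit "api_http"
        set type http
        set tune-bufsize 4096
        set tune-maxrewrite 4096
    next
end
"""


def parse_profiles(config_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {profile name: {setting: values}} for each 'edit' under
    'config load-balance profile'. Nested tables (config ... end) are tracked by
    depth so their 'set' lines are not mistaken for profile settings."""
    profiles: Dict[str, Dict[str, List[str]]] = {}
    depth, in_profile_cfg, current = 0, False, None
    for raw in config_text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        cmd = words[0]
        if cmd == "config":
            depth += 1
            if depth == 1 and words[1:] == ["load-balance", "profile"]:
                in_profile_cfg = True
        elif cmd == "end":
            depth -= 1
            if depth == 0:
                in_profile_cfg = False
        elif in_profile_cfg and depth == 1:
            if cmd == "edit":
                current = words[1]
                profiles[current] = {}
            elif cmd == "set" and current is not None:
                profiles[current][words[1]] = words[2:]
            elif cmd == "next":
                current = None
    return profiles


def max_http_request_size(attrs: Dict[str, List[str]]) -> int:
    """tune-bufsize minus tune-maxrewrite; with the page's defaults, 8030 - 1024 = 7006."""
    bufsize = int(attrs.get("tune-bufsize", [DEFAULT_TUNE_BUFSIZE])[0])
    maxrewrite = int(attrs.get("tune-maxrewrite", [DEFAULT_TUNE_MAXREWRITE])[0])
    return bufsize - maxrewrite


def audit_profile(name: str, attrs: Dict[str, List[str]]) -> List[str]:
    findings = []
    ptype = attrs.get("type", [""])[0].lower()
    if ptype in TLS_PROFILE_TYPES:
        origin = "explicit" if "allow-ssl-versions" in attrs else "default"  # unset = legacy default
        versions = [v.lower() for v in attrs.get("allow-ssl-versions", DEFAULT_SSL_VERSIONS)]
        weak = sorted(WEAK_VERSIONS.intersection(versions))
        if weak:
            findings.append(f"{name}: {origin} allow-ssl-versions permits {', '.join(weak)}")
        for cipher in attrs.get("ssl-ciphers", []):
            if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
                findings.append(f"{name}: weak cipher {cipher} in ssl-ciphers")
    if ptype in HTTP_PROFILE_TYPES and max_http_request_size(attrs) <= 0:
        findings.append(f"{name}: tune-maxrewrite >= tune-bufsize leaves no room for requests")
    return findings


def audit_config(config_text: str) -> Dict[str, List[str]]:
    return {name: audit_profile(name, attrs)
            for name, attrs in parse_profiles(config_text).items()}
```

Run `audit_config(SAMPLE_CONFIG)` to get a findings list per profile; `db_tcps` is flagged even though it sets nothing, because the inherited default still allows SSLv3.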
Parameter | Description |
---|---|
RADIUS | |
timeout-radius-session | The default is 300 seconds. The valid range is 1 to 3,600. |
dynamic-auth | Enable/disable RADIUS dynamic authorization (CoA and Disconnect messages). |
dynamic-auth-port | Dynamic authorization port. |
RDP | |
buffer-pool | Enable to use buffering. |
tune-bufsize | Specify the buffer size for a session when buffer-pool is enabled. Specify lower values to allow more sessions to coexist in the same amount of RAM, and higher values for traffic with larger HTTP body content. The default is 8,030 bytes. The valid range is 128 to 2,147,483,647. |
client-address | Use the original client IP address as the source address in the connection to the real server. |
ip-reputation | Enable to apply the FortiGuard IP reputation service. |
geoip-list | Specify a Geo IP block list configuration object. |
allowlist | Specify a Geo IP allowlist configuration object. |
TCP | |
timeout_tcp_session | Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400. |
timeout_tcp_session_after_FIN | Client-side connection timeout. The default is 100 seconds. The valid range is 1 to 86,400. |
ip-reputation | Enable to apply the FortiGuard IP reputation service. |
geoip-list | Specify a Geo IP block list configuration object. |
allowlist | Specify a Geo IP allowlist configuration object. |
TCPS | |
buffer-pool | Enable to use buffering. |
tune-bufsize | Specify the buffer size for a session when buffer-pool is enabled. Specify lower values to allow more sessions to coexist in the same amount of RAM, and higher values for traffic with larger HTTP body content. The default is 8,030 bytes. The valid range is 128 to 2,147,483,647. |
client-timeout | Client-side TCP connection timeout. The default is 50 seconds. The valid range is 1 to 3,600. |
server-timeout | Server-side IP session timeout. The default is 50 seconds. The valid range is 1 to 3,600. |
connect-timeout | Multiplexed server-side TCP connection timeout. Usually less than the client-side timeout. The default is 5 seconds. The valid range is 1 to 3,600. |
TurboHTTP | |
timeout_tcp_session | Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400. |
timeout_tcp_session_after_FIN | Client-side connection timeout. The default is 100 seconds. The valid range is 1 to 86,400. |
ip-reputation | Enable to apply the FortiGuard IP reputation service. |
UDP | |
timeout_udp_session | Client-side session timeout. The default is 100 seconds. The valid range is 1 to 86,400. |
ip-reputation | Enable to apply the FortiGuard IP reputation service. |
geoip-list | Specify a Geo IP block list configuration object. |
allowlist | Specify a Geo IP allowlist configuration object. |
SIP | |
client-keepalive | Enable/disable a keepalive period for new client-side requests. Supports CRLF ping-pong for TCP connections. Disabled by default. |
client-address | Use the original client IP address as the source address in the connection to the real server. |
media-addr | Change the media address in the SIP payload to the specified address. The default is 0.0.0.0. |
client-protocol | Client-side transport protocol: |
failed-client | Action when the SIP client cannot be reached: |
fail-client-str | Message string. Use double quotation marks for strings with spaces. |
failed-server | Action when the SIP server cannot be reached: |
fail-server-str | Message string. Use double quotation marks for strings with spaces. For example: |
max-size | Maximum message size. The default is 65535 bytes. The valid range is 1-65535. |
server-keepalive | Enable/disable a keepalive period for new server-side requests. Supports CRLF ping-pong for TCP connections. Enabled by default. |
server-keepalive-timeout | Maximum wait for a new server-side request to appear. The default is 30 seconds. The valid range is 5-300. |
server-protocol | Server-side transport protocol. The default is "unset", so the client-side protocol determines the server-side protocol. |
sip-insert-client-ip | Enable/disable inserting the client source IP address into the X-Forwarded-For header of the SIP request. |
Parameter | Description |
---|---|
Explicit HTTP | |
buffer-pool | Enable the buffer pool to accelerate processing. |
caching | Name of the caching configuration object. |
client-address | Use the client address as the source address when connecting to the pool. |
client-timeout | The maximum inactivity time on the client side. |
connect-timeout | The maximum time to wait for a connection attempt to a server to succeed. |
decompression | Name of the decompression configuration object. |
geoip-list | The Geo IP block list. |
geoip-redirect | Redirect URL for Geo IP. |
http-keepalive-timeout | The maximum time to wait for a new HTTP request to appear. |
http-request-timeout | The maximum time to wait for a complete HTTP request. |
http-send-timeout | The timeout (in seconds) for sending out all the buffered HTTP data. |
http-x-forwarded-for | Insert an X-Forwarded-For header into the request. |
http-x-forwarded-for-header | Change the X-Forwarded-For header name. |
ip-reputation | Enable the IP Reputation service. |
max-http-headers | Maximum number of HTTP headers. Note: if you raise this limit, requests may fail to parse because of the buffer size limit. |
queue-timeout | The maximum time to wait in the queue for a connection slot to become free. |
response-half-closed-request | If enabled, FortiADC continues serving the request on a half-closed connection until the response completes. |
server-timeout | The maximum inactivity time on the server side. |
tune-bufsize | Specify the buffer size for a session when buffer-pool is enabled. Specify lower values to allow more sessions to coexist in the same amount of RAM, and higher values for traffic with larger HTTP body content. The default is 8,030 bytes. The valid range is 128 to 2,147,483,647. Note: tune-bufsize factors into the total allowable size of an HTTP request. The maximum length of an HTTP request is calculated as tune-bufsize minus tune-maxrewrite; for example, with tune-bufsize 8030 and tune-maxrewrite 1024, the maximum HTTP request is 8030 - 1024 = 7006 bytes. |
tune-maxrewrite | Specify the buffer space reserved for content rewriting. The default is 1,024 bytes. The valid range is 128 to 2,147,483,647. Note: tune-maxrewrite factors into the total allowable size of an HTTP request. The maximum length of an HTTP request is calculated as tune-bufsize minus tune-maxrewrite; for example, with tune-bufsize 8030 and tune-maxrewrite 1024, the maximum HTTP request is 8030 - 1024 = 7006 bytes. |
allowlist | The Geo IP allowlist. |
config client-request-header-erase | Configuration to erase headers from client requests. Table setting. Maximum 4 members. |
type | |
string | Header to be erased. |
config client-request-header-insert | Configuration to insert headers into client requests. Table setting. Maximum 4 members. |
type | |
string | The header:value pair to be inserted. |
config client-response-header-erase | Configuration to erase headers from client responses. Table setting. Maximum 4 members. |
type | |
string | Header to be erased. |
config client-response-header-insert | Configuration to insert headers into client responses. Table setting. Maximum 4 members. |
type | |
string | The header:value pair to be inserted. |
config server-request-header-erase | Configuration to erase headers from server requests. Table setting. Maximum 4 members. |
type | |
string | Header to be erased. |
config server-request-header-insert | Configuration to insert headers into server requests. Table setting. Maximum 4 members. |
type | |
string | The header:value pair to be inserted. |
config server-response-header-erase | Configuration to erase headers from server responses. Table setting. Maximum 4 members. |
type | |
string | Header to be erased. |
config server-response-header-insert | Configuration to insert headers into server responses. Table setting. Maximum 4 members. |
type | |
string | The header:value pair to be inserted. |
Diameter | |
Identity | Sets the value of Diameter AVP 264 (Origin-Host). This AVP can be a character string and specifies the identity of the originating host for Diameter messages. ADC replaces the Origin-Host AVP in client requests with the setting value before forwarding them to the real server, and replaces the Origin-Host AVP in server responses with the setting value before forwarding them to the client. Specify the identity in the following format: vs.realm. The host is a string unique to the client. The realm is the Diameter realm, specified by the Realm option (described below). If Identity is left empty, ADC does not change the Origin-Host value in client requests or server responses when it forwards them. The default is an empty value. |
Realm | Sets the value of Diameter AVP 296 (Origin-Realm). This AVP can be a character string and specifies the Diameter realm from which Diameter messages, including requests, originate. ADC replaces the Origin-Realm AVP in client requests with the setting value before forwarding them to the real server, and replaces the Origin-Realm AVP in server responses with the setting value before forwarding them to the client. If Realm is left empty, ADC does not change the Origin-Realm value in client requests or server responses when it forwards them. The default is an empty value. |
product-name | Sets the value of Diameter AVP 269 (Product-Name). This AVP can be a character string and specifies the product; for example, "fortiadc". ADC replaces the Product-Name AVP in client requests with the setting value before forwarding them to the real server, and replaces the Product-Name AVP in server responses with the setting value before forwarding them to the client. If product-name is left empty, ADC does not change the Product-Name value in client requests or server responses when it forwards them. The default is an empty value. |
Vendor-id | Sets the value of Diameter AVP 266 (Vendor-Id). This AVP can be a character string and specifies the vendor; for example, "156". ADC replaces the Vendor-Id AVP in client requests with the setting value before forwarding them to the real server, and replaces the Vendor-Id AVP in server responses with the setting value before forwarding them to the client. If Vendor-id is set to 0, ADC does not change the Vendor-Id value in client requests or server responses when it forwards them. The default is 0. The valid range is 0-4294967295. |
Idle-timeout | By default, when different requests carry the same session_id AVP and the interval between them is less than idle-timeout, ADC dispatches them to the same real server. The default is 300 seconds. The valid range is 1-86400. When this parameter is set, ADC acts in proxy mode. |
server-close-propagation | When Diameter traffic is forwarded with server-close-propagation enabled and one of the servers resets the connection or sends a DPR (Disconnect-Peer-Request) to ADC, ADC closes the connections with the client and the other servers at the same time. When server-close-propagation is disabled and one of the servers resets the connection or sends a DPR to ADC, ADC forwards the client's requests to the other servers instead. Disabled by default. |
Example
The following example shows the list of predefined profiles:
FortiADC-VM # get load-balance profile
== [ LB_PROF_TCP ]
== [ LB_PROF_UDP ]
== [ LB_PROF_HTTP ]
== [ LB_PROF_TURBOHTTP ]
== [ LB_PROF_FTP ]
== [ LB_PROF_RADIUS ]
== [ LB_PROF_SIP ]
== [ LB_PROF_TCPS ]
== [ LB_PROF_HTTPS ]
== [ LB_PROF_HTTP2_H2C]
== [ LB_PROF_HTTP2_H2 ]
== [ LB_PROF_SMTP ]
== [ LB_PROF_RTSP ]
== [ LB_PROF_RTMP ]
== [ LB_PROF_DIAMETER ]
== [ LB_PROF_IP ]
== [ LB_PROF_RDP ]
== [ LB_PROF_HTTP_SERVERCLOSE ]
== [ LB_PROF_HTTPS-SERVERCLOSE ]
== [ LB_PROF_DNS ]
The following example shows the details of the predefined HTTPS profile:
FortiADC-VM (profile) # get load-balance profile LB_PROF_HTTPS
type : https
tune-bufsize : 8030
tune-maxrewrite : 1024
client-timeout : 50
server-timeout : 50
connect-timeout : 5
queue-timeout : 5
http-request-timeout : 50
http-keepalive-timeout : 50
buffer-pool : enable
client-address : disable
http-x-forwarded-for : disable
http-x-forwarded-for-header :
http-mode : ServerClose
compression :
caching :
ip-reputation : disable
geoip-list :
allowlist :
geoip-redirect : http://
The following example creates a user-defined SIP profile:
FortiADC-VM # config load-balance profile
FortiADC-VM (profile) # edit sip-profile
Add new entry 'sip-profile' for node 1643
FortiADC-VM (sip-profile) # set type sip
FortiADC-VM (sip-profile) # get
type : sip
max-size : 65535
server-keepalive-timeout : 30
server-keepalive : enable
client-keepalive : disable
client-protocol : udp
server-protocol :
sip-insert-client-ip : disable
failed-client : drop
failed-server : drop
FortiADC-VM (sip-profile) # set timeout 120
FortiADC-VM (sip-profile) # set max-size 2048
FortiADC-VM (sip-profile) # set server-keepalive-timeout 180
FortiADC-VM (sip-profile) # set failed-server send
FortiADC-VM (sip-profile) # set fail-server-str "404 Not Found"
FortiADC-VM (sip-profile) # config ?
client-request-header-erase erase header from client request
client-request-header-insert insert header into client request
client-response-header-erase erase header from client response
client-response-header-insert insert header into client response
server-request-header-erase erase header from server request
server-request-header-insert insert header into server request
server-response-header-erase erase header from server response
server-response-header-insert insert header into server response
FortiADC-VM (sip-profile) # config client-request-header-insert
FortiADC-VM (client-request~h) # edit 1
Add new entry '1' for node 4554
FortiADC-VM (1) # set type insert-if-not-exist
FortiADC-VM (1) # set string "Via: SIP/2.0/UDP 1.1.1.100:5060"
FortiADC-VM (1) # end
FortiADC-VM (sip-profile) # end
FortiADC-VM #
The following example creates a DNS profile:
config load-balance profile
edit "dns"
set type dns
set malform-query-action drop
set redirect-to-tcp-port disable
set caching enable
set max-query-length 512
set max-cache-age 3600
set max-cache-entry-size 512
set max-cache-size 10
next
end
config load-balance virtual-server
edit "vs1"
set load-balance-profile dns
next
end
The following example creates an IP profile:
config load-balance profile
edit "ip"
set type ip
set timeout-ip-session 100
next
end
config load-balance virtual-server
edit "vs2"
set type l2-load-balance
set protocol-numbers 0 1
set load-balance-profile ip
next
end
The following example creates a MySQL profile:
config system health-check
edit mysql
set type mysql
set user root
set password fortinet
set port 3306
next
end
config load-balance real-server
edit "rs1"
set ip 192.168.1.1
next
end
config load-balance pool
edit "pool_mysql"
set health-check-ctrl enable
set health-check-list icmp
set real-server-ssl-profile NONE
config pool_member
edit 1
set pool_member_cookie rs1
set real-server rs1
next
end
next
end
config load-balance virtual-server
edit "mysql"
set type l7-load-balance
set interface port2
set ip 10.1.1.1
set port 3306
set load-balance-profile mysql
set load-balance-method LB_METHOD_ROUND_ROBIN
set load-balance-pool pool_mysql
next
end
The following example creates an RTSP profile:
config load-balance profile
edit "RTSP"
set type rtsp
set max-header-size 2048
set client-address enable
next
end
The following example creates an RTMP profile:
config load-balance profile
edit "RTMP"
set type rtmp
set client-address enable
next
end