config load-balance profile
Use this command to configure virtual server profiles. A profile is a configuration object that defines how you want the FortiADC virtual server to handle traffic for specific protocols. Virtual server profiles determine settings used in network communication on the client-FortiADC segment, in contrast to real server profiles, which determine the settings used in network communication on the FortiADC-real server segment.
The Application Profile Usage table describes the usage by application profile type, including the compatible virtual server types, load-balancing methods, persistence methods, and content routing types.
Application Profile Usage
| Profile | Usage | VS Type | LB Methods | Persistence |
|---|---|---|---|---|
|
FTP |
Use with FTP servers. |
Layer 7, Layer 4, Layer 2 |
Layer 7: Round Robin, Least Connections Layer 4: Same as Layer 7, plus Fastest Response, Dynamic Load Layer 2: Same as Layer 7 |
Source Address, Source Address Hash |
|
HTTP |
Use for standard, unsecured web server traffic. |
Layer 7, Layer 2 |
Layer 7: Round Robin, Least Connections, URI Hash, Full URI Hash, Host Hash, Host Domain Hash, Dynamic Load Layer 2: Same as Layer 7, plus Destination IP Hash |
Source Address, Source Address Hash, Source Address-Port Hash, HTTP Header Hash, HTTP Request Hash, Cookie Hash, Persistent Cookie, Insert Cookie, Embedded Cookie, Rewrite Cookie, Passive Cookie |
|
HTTPS |
Use for secured web server traffic when offloading TLS/SSL from the backend servers. You must import the backend server certificates into FortiADC and select them in the HTTPS profile. |
Layer 7, Layer 2 |
Same as HTTP |
Same as HTTP, plus SSL Session ID |
|
TURBO HTTP |
Use for unsecured HTTP traffic that does not require advanced features like caching, compression, content rewriting, rate limiting, Geo IP blocking, or source NAT. The profile can be used with content routes and destination NAT, but the HTTP request must be in the first data packet. This profile enables packet-based forwarding that reduces network latency and system CPU usage. However, packet-based forwarding for HTTP is advisable only when you do not anticipate dropped packets or out-of-order packets. |
Layer 7 |
Round Robin, Least Connections, Fastest Response |
Source Address |
|
RADIUS |
Use with RADIUS servers. |
Layer 7 |
Round Robin |
RADIUS attribute |
|
RDP |
Use with Windows Terminal Service(remote desktop protocol). |
Layer 7 |
Round Robin, Least Connections |
Source Address, Source Address Hash, Source Address-Port Hash, RDP Cookie |
|
SIP
|
Use with applications that use session initiation protocol (SIP), such as VoIP, instant messaging, and video. |
Layer 7 |
Round Robin, URI Hash, Full URI Hash |
Source Address, Source Address Hash, Source Address-Port Hash, SIP Call ID |
|
TCP |
Use for other TCP protocols. |
Layer 4, Layer 2 |
Layer 4: Round Robin, Least Connections, Fastest Response, Dynamic Load Layer 2: Round Robin, Least Connections, Fastest Response, Destination IP Hash, Dynamic Load |
Source Address, Source Address Hash |
|
TCPS |
Use for secured TCP when offloading TLS/SSL from the backend servers. Like the HTTPS profile, you must import the backend server certificates into FortiADC and select them in the TCPS profile. |
Layer 7, Layer 2 |
Layer 7: Round Robin, Least Connections, Dynamic Load Layer 2: Round Robin, Least Connections, Destination IP Hash, Dynamic Load |
Source Address, Source Address Hash, Source Address-Port Hash, SSL Session ID |
|
UDP |
Use with UDP servers. |
Layer 4, Layer 2
|
Layer 4: Round Robin, Least Connections, Fastest Response, Dynamic Load Layer 2: Same as Layer 4, plus Destination IP Hash |
Source Address, Source Address Hash
|
|
IP |
Combines with Layer 2 TCP/UDP/HTTP virtual server to balance the rest of the IP packets passed through FortiADC. When running the IP protocol 0 VS, the traffic always tries to match none protocol 0 VS first. |
Layer 2
|
Round Robin, Dynamic Load
|
Source Address, Source Address Hash
|
|
DNS |
Use with DNS servers. |
Layer 7 |
Round Robin, Least Connections |
Not supported yet. |
|
SMTP |
Use with SMTP servers. |
Layer 7 |
Round Robin, Least Connections |
Source Address, Source Address Hash |
|
RTMP |
A TCP-based protocol used for streaming audio, video, and data over the Internet |
Layer 7 |
Round Robin, Least Connection |
Source Address, Source Address Hash
|
|
ISO8583 |
Use with ISO8583 servers |
Layer 7 |
Round Robin |
N/A |
|
RTSP |
A network control protocol used for establishing and controlling media sessions between end points |
Layer 7 |
Round Robin, Least Connection |
Source Address, Source Address Hash |
|
MySQL |
MySQL network protocol stack (i.e., MySQL-Proxy) which parses and builds MySQL protocol packets |
Layer 7
|
Round Robin, Least Connection
|
N/A |
|
DIAMETER |
A successor to RADIUS, DIAMETER is the next-generation Authentication, Authorization and Accounting (AAA) protocol widely used in IMS and LTE. | Layer 7 |
Round Robin |
Source Address. DIAMETER Session ID (default) |
|
MSSQL |
MSSQL network protocol stack, which parses and builds MSSQL protocol packets |
Layer 7 |
Least connection |
N/A |
|
EXPLICIT_HTTP |
A simple explicit/forward HTTP proxy mode. In this mode, you don’t need to add backend real server pool. The destination IP address of the downstream is specified by the URL or Host field of the client request. |
Layer 7 |
N/A |
N/A |
|
L7 TCP |
Use for other TCP protocols. |
Layer 7 |
Layer 7: Round Robin, Least Connections |
Source Address, Source Address Hash |
|
L7 UDP |
Use with UDP servers. |
Layer 7 |
Layer 7: Round Robin, Least Connections |
Source Address, Source Address Hash |
The Predefine Profiles table lists the default values of each predefined profile. All values in the predefined profiles are view-only, and cannot be modified. You can select predefined profiles in the virtual server configuration, or you can create user-defined profiles to include configuration objects such as certificates, caching settings, compression options, and IP reputation.
Predefined Profiles
| Profile | Defaults |
|---|---|
|
LB_PROF_DIAMETER |
Origin Host—Blank Origin Realm—Blank Vendor ID—0 Product Name—Blank Idle Timeout—300 (seconds) (Note: This refers to the built-in session ID persistence timeout.) Server Close Propagation—OFF (Note: This means that the connection on the client side stays open when the server closes any connection on its side.) Client SSL—Off |
|
LB_PROF_TCP |
Timeout TCP Session—100 Timeout TCP Session after FIN—100 IP Reputation—Disabled Geo IP block list—None Geo IP Allowlist—None |
|
LB_PROF_UDP |
Timeout UDP Session—100 IP Reputation—Disabled Stateless—Disabled Geo IP block list—None Geo IP Allowlist—None |
|
LB_PROF_HTTP |
Client Timeout—50 Server Timeout—50 Connect Timeout—5 Queue Timeout—5 HTTP Request Timeout—50 HTTP Keepalive Timeout—50 Client Address—Disabled X-Forwarded-For—Disabled X-Forwarded-For Header—Blank IP Reputation—Disabled HTTP Mode—Keep Alive Compression—None. Decompression—None Caching—None Geo IP Block List—None Geo IP Allowlist—None Geo IP Redirect URL—http:// HTTP Send Timeout—5 HTTP2—None |
|
LB_PROF_HTTP_SERVERCLOSE |
Client Timeout—50 Server Timeout—50 Connect Timeout—5 Queue Timeout—5 HTTP Request Timeout—50 HTTP Keepalive Timeout—50 Buffer Pool—Enabled Client Address—Disabled X-Forwarded-For—Disabled X-Forwarded-For Header—None IP Reputation—Disabled HTTP Mode—Server Close Customized SSL Ciphers Flag—Disabled Compression—None Decompression—None Caching—None Geo IP Block List—None Geo IP Allowlist—None Geo IP Redirect URL—http:// HTTP Send Timeout—0 HTTP2—None |
|
LB_PROF_TURBOHTTP |
Timeout TCP Session—100 Timeout TCP Session after FIN—100 IP Reputation—Disabled Geo IP Block List—None Geo IP Allowlist—None |
|
LB_PROF_FTP |
Timeout TCP Session—100 Timeout TCP Session after FIN—100 IP Reputation—Disabled Geo IP Block List—None Geo IP Allowlist—None Client Address—Off Security Mode—None |
|
LB_PROF_RADIUS |
Client Address—Off Source Port—Off Dynamic Auth—Disable RADIUS Session—300 Geo IP Block List—None Geo IP Allowlist—None |
|
LB_PROF_SIP |
SIP Max Size—65535 Server Keepalive Timeout—30 Server Keepalive—Enabled Client Keepalive—Disabled Client Protocol—UDP Server Protocol—None Failed Client Type—Drop Failed Server Type—Drop Insert Client IP—Disabled Geo IP Block List—None Geo IP Allowlist—None Client Address—Off Media Address—0.0.0.0 |
|
LB_PROF_RDP |
Client Timeout—50 Server Timeout—50 Connect Timeout—5 Queue Timeout—5 Source Address—Disabled IP Reputation—Disabled Geo IP Block List—None Geo IP Allowlist—None |
|
LB_PROF_IP |
IP Reputation—Disabled Geo IP Block List—None Geo IP Allowlist—None Timeout IP Session—100 |
|
LB_PROF_DNS |
Client Address—Off DNS Cache Flag—Enabled DNS Cache Ageout Time—3600 DNS Cache Size—10 DNS Cache Entry Size—512 DNS Cache Response Type—All Records DNS Malform Query Action—Drop DNA Max Query Length—512 DNS Authentication Flag—Disabled |
|
LB_PROF_TCPS |
Client Timeout—50 Server Timeout—50 Connect Timeout—5 Queue Timeout—5 Client Address—Disabled IP Reputation—Disabled Geo IP block list—None |
|
LB_PROF_HTTPS |
Client Timeout—50 Server Timeout—50 Connect Timeout—5 Queue Timeout—5 HTTP Request Timeout—50 HTTP Keepalive Timeout—50 Client Address—Disabled X-Forwarded-For—Disabled X-Forwarded-For Header—None IP Reputation—Disabled HTTP Mode—Keep Alive SSL Proxy Mode—Disabled Compression—None Decompression—None Caching—None Geo IP Block List—None Geo IP Allowlist—None Geo IP Redirect URL—http:// HTTP Send Timeout—0 HTTP2—None |
|
LB_PROF_HTTPS_SERVERCLOSE |
Client Timeout—50 Server Timeout—50 Connect Timeout—5 Queue Timeout—5 HTTP Request Timeout—50 HTTP Keepalive Timeout—50 Client Address—Disabled X-Forwarded-For—Disabled X-Forwarded-For Header—None IP Reputation—Disabled HTTP Mode—Server Close Compression—None Decompression—None Caching—None Geo IP Block List—None Geo IP Allowlist—None Geo IP Redirect URL—http:// HTTP Send Timeout—0 HTTP2—None |
|
LB_PROF_SMTP |
Starttls Active Mode—require Forbidden Command—expn, turn, vrfy Local Certificate Group—LOCAL_CERT_GROUP Client Address—Disable Forbidden Command Status—Enable Domain Name—default.com Geo IP Block List—None Geo IP Allowlist—None |
|
LB_PROF_RTSP |
Max Header Size—Default is 4096. Valid values range from 2048 to 65536. Client Address—Disabled by default. When enabled, FortiADC will use the client address to connect to the server pool. |
|
LB_PROF_RTMP |
Client Address—Disabled by default. When enabled, FortiADC will use the client address to connect to the server pool. |
|
LB_PROF_HTTP2_H2 |
Client Timeout—50 Server Timeout—50 Connect Timeout—5 Queue Timeout—5 HTTP Send Timeout—0 HTTP Request Timeout—50 HTTP Keepalive Timeout—50 Client Address—Disabled X-Forwarded-For—Disabled IP Reputation—Disabled HTTP Mode—Keep Alive Compression—None Decompression—None HTTP2—LB_HTTP2_PROFILE_DEFAULT Caching—None Geo IP Block List—None Geo IP Allow list—None Geo IP Redirect URL—http:// Tune Buffer Size—17418 Max HTTP Headers—200 Response Half Closed Connection—Disabled |
|
LB_PROF_HTTP2_H2C |
Client Timeout—50 Server Timeout—50 Connect Timeout—5 Queue Timeout—5 HTTP Send Timeout—0 HTTP Request Timeout—50 HTTP Keepalive Timeout—50 Client Address—Disabled X-Forwarded-For—Disabled IP Reputation—Disabled HTTP Mode—Keep Alive Compression—None Decompression—None HTTP2—LB_HTTP2_PROFILE_DEFAULT Caching—None Geo IP Block List—None Geo IP Allowlist—None Geo IP Redirect URL—http:// Tune Buffer Size—17418 Max HTTP Headers—200 Response Half Closed Connection--Disabled |
|
LB_PROF_ISO8583 |
Timeout TCP Session—100 Message Encode Type—ASCII Length Indicator Type—binary Length Indicator Shift—0 Length Indicator Size—2 Optional Header Length—2 Optional Trailer Hex—None Geo IP Block List—None Geo IP Allowlist—None |
|
LB_PROF_EXPLICIT_HTTP |
Client Timeout—50 Server Timeout—50 Connect Timeout—50 Queue Timeout—50 HTTP Send Timeout—0 HTTP Request Timeout—50 HTTP Keepalive Timeout—50 Client Address—Disabled X-Forwarded-For—Disabled X-Forwarded-For Header—None IP Reputation—Disabled HTTP Mode—Keep Alive Decompression—None Geo IP Block List—None Geo IP Allowlist—None Geo IP Redirect URL—http:// Tune Buffer Size—8030 Max HTTP Headers—100 Response Half Closed Connection—Disabled |
|
LB_PROF_L7_TCP |
Timeout TCP Session—100 IP Reputation—Disabled Geo IP Block List—None Geo IP Allowlist—None |
|
LB_PROF_L7_UDP |
Timeout UDP Session—100 IP Reputation—Disabled Geo IP Block List—None Geo IP Allowlist—None |
Before you begin:
- You must have already created configuration objects for certificates, caching, and compression if you want the profile to use them.
- You must have read-write permission for load balance settings.
Syntax
config load-balance profile
edit <name>
set type {diameter | dns | explicit_http | ftp | http | turbohttp | https | ip | iso8583 | l7-tcp | l7-udp | mssql | mysql | radius | rdp | rtmp | rtsp | sip | smtp | tcp | tcps | udp}
set timeout_tcp_session <integer>
set timeout_tcp_session_after_FIN <integer>
set timeout-radius-session <integer>
set timeout_udp_session <integer>
set buffer-pool {enable|disable}
set caching <datasource>
set cache-response-type {single-answer | round-robin}
set client-address {enable|disable}
set client-timeout <integer>
set compression <datasource>
set connect-timeout <integer>
set http-keepalive-timeout <integer>
set http-mode {KeepAlive|OnceOnly|ServerClose}
set http-request-timeout <integer>
set http-x-forwarded-for {enable|disable}
set http-x-forwarded-for-header <string>
set queue-timeout <integer>
set server-timeout <integer>
set tune-bufsize <integer>
set tune-maxrewrite <integer>
set ip-reputation {enable|disable}
set geoip-list <datasource>
set allowlist <datasource>
set security-mode {none|explicit|implicit}
set geoip-redirect <string>
set client-keepalive {enable|disable}
set client-protocol {tcp|udp}
set failed-client {drop|send}
set failed-client-str <string>
set failed-server {drop|send}
set failed-server-str <string>
set max-size <integer>
set server-keepalive {enable|disable}
set server-keepalive-timeout <integer>
set server-protocol {tcp|udp}
set sip-insert-client-ip {enable|disable}
set media-addr <ip address>
set dynamic-auth {enable|disable}
set dynamic-auth-port <integer>
config client-request-header-erase
edit <No.>
set type {all|first}
set string <string>
next
end
config client-request-header-insert
edit <No.>
set type {append-always | append-if-not-exist | insert-always insert-if-not-exist}
set string <string>
next
end
config client-response-header-erase
edit <No.>
set type {all|first}
set string <string>
next
end
config client-response-header-insert
edit <No.>
set type {append-always | append-if-not-exist | insert-always insert-if-not-exist}
set string <string>
next
end
config server-request-header-erase
edit <No.>
set type {all|first}
set string <string>
next
end
config server-request-header-insert
edit <No.>
set type {append-always | append-if-not-exist | insert-always insert-if-not-exist}
set string <string>
next
end
config server-response-header-erase
edit <No.>
set type {all|first}
set string <string>
next
end
config server-response-header-insert
edit <No.>
set type {append-always | append-if-not-exist | insert-always insert-if-not-exist}
set string <string>
next
end
next
end
The following commands are used to invoke the "LB_PROF_DNS" profile in Layer-7 virtual servers.
config load-balance profile
edit "dns"
set type dns
set cache-response-type {all-records | round-robin}
set caching {enable|disable}
set client-address {enable|disable}
set malform-query-action {drop|forward}
set max-cache-age <integer>
set max-cache-entry-size <integer>
set max-cache-size <integer>
set max-query-length <integer>
set redirect-to-tcp-port {enable|disable}
next
end
config load-balance virtual-server
edit "vs1"
set load-balance-profile LB_PROF_DNS
next
end
The following commands are used to invoke the "LB_PROF_IP" profile in Layer-2 virtual servers. When the profile of a Layer-2 virtual server is set to "LB_PROF_IP", you must specify the protocol numbers the virtual server can accept.
config load-balance profile
edit "ip"
set type ip
set timeout-ip-session <integer>
set ip-reputation {enable|disable}
set geoip-list <string>
set allowlist <string>
next
end
config load-balance virtual-server
edit "LB_PROF_IP"
set type l2-load-balance
set load-balance-profile LB_PROF_IP
set protocol-numbers <value> protocol range "A-B" or single protocol number "A"
next
end
The following commands are used to configure MySQL load-balancing:
config load-balance profile
edit "mysql"
set type mysql
set mysql-mode {single-primary|sharding}
next
end
The following commands are used to create a new MySQL profile (basic configuration):
config load-balance profile
edit <name>
config mysql-user-password
edit <id>
set username <username>
set password <password>
next
end
next
end
The following commands are used to configure a MySQL profile in basic single-primary mode:
config load-balance profile
edit <name>
config mysql-rule
edit <rule id>
set type [primary| secondary]
set database <database name> <database name> ...
set user <user name> <user name> ...
set table <table name> <table name> ...
set client-ip <client ip> <client ip> ...
set sql <sql statement> <sql statement> ...
next
end
next
end
The following commands are used to configure a MySQL profile in data-sharding mode:
config load-balance profile
edit <name>
set mysql-mode sharding
config mysql-sharding
edit <id>
set type range
set table <table name>
set key <column name>
set group <group id>:<range> <group id>:<range> ... # such as set groups 0:0-999 1:1000-9999
next
edit <id>
set type hash
set database <database name>
set table <table name>
set key <column name>
set group <group id> <group id>
next
end
next
end
The following commands are used to configure MySQL profile-specific pool members:
config load-balance pool
edit <pool name>
config pool_member
edit 1
set mysql-group-id <group id> #for Data Sharding
set mysql-read-only enable #for secondary
next
end
next
end
The following commands are used to create an RTSP profile:
config load-balance profile
edit "RTSP"
set type rtsp
set max-header-size <size>
set client-address <enable/disable>
next
The following commands are used to configure an RTMP profile:
config load-balance profile
edit "RTMP"
set type rtmp
set client-address <enable/disable>
next
The following commands are used to configure a diameter proxy_mode profile:
config load-balance profile
edit "diameter_proxy"
set type diameter
set origin-host <string>
set origin-realm <string>
set client-ssl {enable|disable}
set vendor-id <integer>
set product-name <string>
set idle-timeout <integer>
set server-close-propagation <enable/disable>
next
end
The following commands are used to configure a diameter relay_mode profile:
config load-balance profile
edit "diameter_proxy"
set type diameter
set idle-timeout <integer>
set server-close-propagation <enable/disable>
next
end
The following commands are used to configure an explicit HTTP profile:
config load-balance profile
edit <name>
set type explicit_http
set caching <string>
set client-address {enable|disable}
set client-timeout <integer>
set connect-timeout <integer>
set decompression <string>
set geoip-list <string>
set geoip-redirect <string>
set http-keepalive-timeout <integer>
set http-request-timeout <integer>
set http-send-timeout <integer>
set http-x-forwarded-for {enable|disable}
set http-x-forwarded-for-header <string>
set ip-reputation {enable|disable}
set max-http-headers {enable|disable}
set queue-timeout <integer>
set response-half-closed-request {enable|disable}
set server-timeout <integer>
set tune-bufsize <integer>
set tune-maxrewrite {enable|disable}
set allowlist <string>
next
end
|
type |
Specify the profile type. After you have specified the type, the CLI commands are constrained to the ones that are applicable to the specified type, not all of the settings described in this table. |
|
set type tcp |
|
|
timeout_tcp_session |
Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400. |
|
timeout_tcp_session_after_FIN |
Client-side connection timeout. The default is 100 seconds. The valid range is 1 to 86,400. |
|
ip-reputation |
Enable to apply the FortiGuard IP reputation service. |
|
geoip-list |
Select a Geo IP block list configuration object. |
|
allowlist |
Select an allowlist configuration object. |
|
set type ip |
|
|
ip-reputation |
Enable to apply the FortiGuard IP reputation service. |
|
geoip-list |
Select a Geo IP block list configuration object. |
|
allowlist |
Select an allowlist configuration object. |
|
timeout-ip-session |
Client-side session timeout. The default is 100 seconds. The valid range is 1 to 86,400. |
|
set type dns |
|
|
client-address |
Enable/disable to use the original client IP address as the source address when connecting to the real server. |
|
caching |
Enable/disable the cache for the DNS virtual server. |
|
max-cache-age |
Specify the cache age-out time (in seconds). The default is 3,600. The valid range is 0 to 65,535. |
|
max-cache-size |
Specify the maximum cache size (in Megabytes). The default is 10. The valid range is 1 to 100. |
|
max-cache-entry-size |
Specify the maximum cache entry size. The default is 512. The valid range is 256 to 4,096. |
|
cache-response-type |
Select either of the following cache response types:
|
|
malform-query-action |
Select either of the following reactions for the malformed requests:
|
|
max-query-length |
Specify the maximum query length. The default is 512. The valid range is 256 to 4,096. |
|
redirect-to-tcp-port |
Enable/disable to authenticate client by redirecting UDP query to TCP. |
|
set type udp |
|
|
stateless |
Enable to apply the UDP stateless function. |
|
timeout_udp_session |
Client-side session timeout. The default is 100 seconds. The valid range is 1 to 86,400. |
|
ip-reputation |
Enable to apply the FortiGuard IP reputation service. |
|
geoip-list |
Select a Geo IP block list configuration object. |
|
allowlist |
Select an allowlist configuration object. |
|
set type rtsp |
|
|
max-header-size |
Specify the maximum size of RTSP packets, which can range from 16 to 65, 536. |
|
client-address |
Enable/disable to use the original client IP address as the source address when connecting to the real server. |
|
set type rtmp |
|
|
client-address |
Enable/disable to use the original client IP address as the source address when connecting to the real server. |
|
set type ftp |
|
|
timeout_tcp_session |
Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400. |
|
timeout_tcp_session_after_FIN |
Client-side connection timeout. The default is 100 seconds. The valid range is 1 to 86,400. |
|
ip-reputation |
Enable to apply the FortiGuard IP reputation service. |
|
geoip-list |
Specify a Geo IP block list configuration object. |
|
allowlist |
Specify a Geo IP allowlist configuration object. |
|
security-mode |
Select either of the following:
|
|
set type http and set type https |
|
|
tune-bufsize |
Specify the buffer size for a session when buffer-pool is enabled. Specify lower values to allow more sessions to coexist in the same amount of RAM, and higher values for traffic with larger HTTP body content. The default is 8,030 bytes. The valid range is 128 to 2,147,483,647. Note: The tune-bufsize factors into the total allowable size for an HTTP request. The default maximum length of an HTTP request is calculated as tune-bufsize <integer> - tune-maxrewrite <integer>. For example, tune-bufsize 8030 - tune-maxrewrite 1024 = 7006 bytes is the maximum for the HTTP request. |
|
caching |
Specify the name of the caching configuration object. |
|
client-address |
Use the original client IP address as the source address in the connection to the real server. |
|
client-timeout |
Client-side TCP connection timeout. The default is 50 seconds. The valid range is from 1 to 3,600. |
|
compression |
Specify a compression configuration object. |
|
connect-timeout |
Multiplexed server-side TCP connection timeout. Usually less than the client-side timeout. The default is 5 seconds. The valid range is 1 to 3,600. |
|
http-keepalive-timeout |
The default is 50 seconds. The valid range is 1 to 3,600. |
|
http-mode |
|
|
http-request-timeout |
Client-side HTTP request timeout. The default is 50 seconds. The valid range is 1 to 3,600. |
|
http-x-forwarded-for |
Enable this option to append the client IP address found in IP layer packets to the HTTP header, for example, The default header name is |
|
http-x-forwarded-for-header |
Specify a custom name for the HTTP header which carries the client IP address. Do not include the 'X-' prefix. Examples: Forwarded-For, Real-IP, or True-IP. |
|
queue-timeout |
Specifies how long connection requests to a backend server remain in a queue if the server has reached its maximum number of connections. If the timeout period expires before the client can connect, FortiADC drops the connection and sends a 503 error to the client. The default is 5 seconds. The valid range is 1 to 3,600. |
|
server-timeout |
Server-side IP session timeout. The default is 50 seconds. The valid range is 1 to 3,600. |
|
tune-maxrewrite |
Specify the buffer space reserved for content rewriting. The default is 1,024 bytes. The valid range is 128 to 2,147,483,647. Note: The tune-maxrewrite factors into the total allowable size for an HTTP request. The default maximum length of an HTTP request is calculated as tune-bufsize <integer> - tune-maxrewrite <integer>. For example, tune-bufsize 8030 - tune-maxrewrite 1024 = 7006 bytes is the maximum for the HTTP request. |
|
ip-reputation |
Enable to apply the FortiGuard IP reputation service. |
|
geoip-list |
Specify a Geo IP block list configuration object. |
|
geoip-redirect |
For HTTP/HTTPS, if you have configured a Geo IP redirect action, specify a redirect URL. |
|
allowlist |
Specify a Geo IP allowlist configuration object. |
|
http2-profile |
Specify an HTTP2 profile configuration object. |
|
set type radius |
|
|
timeout-radius-session |
The default is 300 seconds. The valid range is 1 to 3,600. |
|
dynamic-auth |
Enable/disable RADIUS dynamic authorization (CoA, Disconnect messages). |
|
dynamic-auth-port |
Dynamic auth port. |
|
client-address |
Enable/disable the use of a client IP as the source IP to connect to the real server. |
|
geoip-list |
Specify a Geo IP block list configuration object. |
|
allowlist |
Specify a Geo IP allowlist configuration object. |
| set type rdp | |
|
client-timeout |
Client-side TCP connection timeout. The default is 50 seconds. The valid range is 1 to 3,600. |
|
server-timeout |
Server-side IP session timeout. The default is 50 seconds. The valid range is 1 to 3,600. |
|
connect-timeout |
Multiplexed server-side TCP connection timeout. Usually less than the client-side timeout. The default is 5 seconds. The valid range is 1 to 3,600. |
|
queue-timeout |
Specifies how long connection requests to a backend server remain in a queue if the server has reached its maximum number of connections. If the timeout period expires before the client can connect, FortiADC drops the connection and sends a 503 error to the client. The default is 5 seconds. The valid range is 1 to 3,600. |
|
client-address |
Use the original client IP address as the source address in the connection to the real server. |
|
ip-reputation |
Enable to apply the FortiGuard IP reputation service. |
|
geoip-list |
Specify a Geo IP block list configuration object. |
|
allowlist |
Specify a Geo IP allowlist configuration object. |
|
set type tcps |
|
|
client-timeout |
Client-side TCP connection timeout. The default is 50 seconds. The valid range is 1 to 3,600. |
|
server-timeout |
Server-side IP session timeout. The default is 50 seconds. The valid range is 1 to 3,600. |
|
connect-timeout |
Multiplexed server-side TCP connection timeout. Usually less than the client-side timeout. The default is 5 seconds. The valid range is 1 to 3,600. |
|
queue-timeout |
Specifies how long connection requests to a backend server remain in a queue if the server has reached its maximum number of connections. If the timeout period expires before the client can connect, FortiADC drops the connection and sends a 503 error to the client. The default is 5 seconds. The valid range is 1 to 3,600. |
|
client-address |
Use the original client IP address as the source address in the connection to the real server. |
|
ip-reputation |
Enable to apply the FortiGuard IP reputation service. |
|
geoip-list |
Specify a Geo IP block list configuration object. |
|
allowlist |
Specify a Geo IP allowlist configuration object. |
|
set type turbohttp |
|
|
timeout_tcp_session |
Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400. |
|
timeout_tcp_session_after_FIN |
Client-side connection timeout. The default is 100 seconds. The valid range is 1 to 86,400. |
|
ip-reputation |
Enable to apply the FortiGuard IP reputation service. |
|
geoip-list |
Specify a Geo IP block list configuration object. |
|
allowlist |
Specify a Geo IP allowlist configuration object. |
| set type sip | |
|
client-keepalive |
Enable/disable a keepalive period for new client-side requests. Supports CRLF ping-pong for TCP connections. Disabled by default. |
client-address
|
Use the original client IP address as the source address in the connection to the real server. |
media-addr
|
Change the media address of SIP payload to specified address. 0.0.0.0 is default. |
|
client-protocol |
Client-side transport protocol:
|
|
failed-client |
Action when the SIP client cannot be reached:
|
|
fail-client-str |
Message string. Use double-quotation marks for strings with spaces. |
|
failed-server |
Action when the SIP server cannot be reached:
|
|
fail-server-str |
Message string. Use double-quotation marks for strings with spaces. For example:
|
|
max-size |
Maximum message size. The default is 65535 bytes. The valid range is 1-65535. |
|
server-keepalive |
Enable/disable a keepalive period for new server-side requests. Supports CRLF ping-pong for TCP connections. Enabled by default. |
|
server-keepalive-timeout |
Maximum wait for a new server-side request to appear. The default is 30 seconds. The valid range is 5-300. |
|
server-protocol |
Server-side transport protocol.
Default is "unset", so the client-side protocol determines the server-side protocol. |
|
sip-insert-client-ip |
Enable/disable option to insert the client source IP address into the X-Forwarded-For header of the SIP request. |
|
set type explicit_http |
|
|
caching |
Caching name. |
|
client-address |
Use client address to connect to pool. |
|
client-timeout |
The maximum inactivity time on the client side. |
|
connect-timeout |
The maximum time to wait for a connection attempt to a server to succeed. |
|
decompression |
The decompression name. |
|
geoip-list |
The geography IP block list. |
|
geoip-redirect |
Redirect URL for IP geography. |
|
http-keepalive-timeout |
The maximum allowed time to wait for a new HTTP request to appear. |
|
http-request-timeout |
The maximum allowed time to wait for a complete HTTP request. |
|
http-send-timeout |
The timeout (in seconds) of HTTP send out all the buffered data. |
|
http-x-forwarded-for |
Insert X-Forwarded-For header to request. |
|
http-x-forwarded-for-header |
Change X-Forwarded-For header name. |
|
ip-reputation |
Use IP Reputation |
|
max-http-headers |
Max HTTP headers limit. Note: If enlarge this limit, you may meet parse failure because the buffer size limit. |
|
queue-timeout |
The maximum time to wait in the queue for a connection slot to be free. |
|
response-half-closed-request |
If enabled, FortiADC will continue serving the request in half closed connection until the response completes. |
|
server-timeout |
The maximum inactivity time on the server side. |
|
tune-bufsize |
Specify the buffer size for a session when buffer-pool is enabled. Specify lower values to allow more sessions to coexist in the same amount of RAM, and higher values for traffic with larger HTTP body content. The default is 8,030 bytes. The valid range is 128 to 2,147,483,647. Note: The tune-bufsize factors into the total allowable size for an HTTP request. The default maximum length of an HTTP request is calculated as tune-bufsize <integer> - tune-maxrewrite <integer>. For example, tune-bufsize 8030 - tune-maxrewrite 1024 = 7006 bytes is the maximum for the HTTP request. |
|
tune-maxrewrite |
Specify the buffer space reserved for content rewriting. The default is 1,024 bytes. The valid range is 128 to 2,147,483,647. Note: The tune-maxrewrite factors into the total allowable size for an HTTP request. The default maximum length of an HTTP request is calculated as tune-bufsize <integer> - tune-maxrewrite <integer>. For example, tune-bufsize 8030 - tune-maxrewrite 1024 = 7006 bytes is the maximum for the HTTP request. |
|
allowlist |
The geography IP allowlist. |
| config client-request-header-erase | Configuration to erase headers from client requests. Table setting. Maximum 4 members. |
|
type |
|
|
string |
Header to be erased. |
| config client-request-header-insert | Configuration to insert headers into client requests. Table setting. Maximum 4 members. |
|
type |
|
|
string |
The header:value pair to be inserted. |
| config client-response-header-erase | Configuration to erase headers from client responses. Table setting. Maximum 4 members. |
|
type |
|
|
string |
Header to be erased. |
| config client-response-header-insert | Configuration to insert headers into client responses. Table setting. Maximum 4 members. |
|
type |
|
|
string |
The header:value pair to be inserted. |
| config server-request-header-erase | Configuration to erase headers from server requests. Table setting. Maximum 4 members. |
|
type |
|
|
string |
Header to be erased. |
| config server-request-header-insert | Configuration to insert headers into server requests. Table setting. Maximum 4 members. |
|
type |
|
|
string |
The header:value pair to be inserted. |
| server-response-header-erase | Configuration to erase headers from server responses. Table setting. Maximum 4 members. |
|
type |
|
|
string |
Header to be erased. |
| server-response-header-insert | Configuration to insert headers into server responses. Table setting. Maximum 4 members. |
|
type |
|
|
string |
The header:value pair to be inserted. |
| set type diameter | |
|
origin-host |
Sets the value of Diameter AVP 264. This AVP can be a character string and specifies the identity of the originating host for Diameter messages. ADC will modify the origin-host avp on client request with the setting value, then transfer it to RS. ADC will modify the origin-host avp on server response with the setting value, then transfer it to the client. Specify the identity in the following format: vs.realm The host is a string unique to the client. The realm is the Diameter realm, specified by the Realm option (described below). If origin-host is set with an empty value (nothing), ADC will not change the value of the origin-host in the client or server when it transfers them. The default is empty value. |
|
origin-realm |
Sets the value of Diameter AVP 296. This AVP can be a character string and specifies the Diameter realm from which Diameter messages, including requests, are originated. ADC will modify the origin-realm avp on client request with the setting value, then transfer it to RS. ADC will modify the origin-realm avp on server response with the setting value, then transfer it to the client. If origin-realm is set with an empty value(nothing), ADC will not change the value of the origin-realm in the client or server when it transfers them. The default is empty value. |
|
product-name |
Sets the value of Diameter AVP 269. This AVP can be a character string and specifies the product; for example, “fortiadc”. ADC will modify the Product-Name avp on client request with the setting value, then transfer it to RS. ADC will modify the Product-Name avp on server response with the setting value, then transfer it to the client. If product-name is set with an empty value(nothing), ADC will not change the value of the origin-realm in the client or server when it transfers them. The default is empty value. |
|
Vendor-id |
Sets the value of Diameter AVP 266. This AVP can be a character string and specifies the vendor; for example, “156”. ADC will modify the vendor-id avp on client request with the setting value, then transfer it to RS. ADC will modify the vendor-id avp on server response with the setting value, then transfer it to the client. If vendor-ide is set to 0, ADC will not change the value of vendor-id in the client or server when it transfers them. The default is 0. The valid range is 0-4294967295. |
|
Idle-timeout |
Default, for different requests with the same session_id avp, if their interval is less than idle-timeout, ADC will dispatch them to the same RS. The default is 300 seconds. The valid range is 1-86400. When this parameter is set, ADC will act in proxy mode. |
|
server-close-propagation |
When transferring diameter traffic with server-close-propagation enabled, if one of the servers resets or sends DPR to ADC, ADC will close connection with the client and other servers at the same time. When transferring diameter traffic with server-close-propagation disabled, if one of the servers resets or sends DPR to ADC, ADC will transfer the requests from the client to the other servers. Disabled by default. |
|
set type iso8583 |
|
|
timeout_tcp_session |
Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400 seconds. |
|
msg-encode-type |
Specify the encode type for protocol message, default ASCII. |
|
length-indicator-type |
Specify the encode type of length indicator, default binary. |
|
length-indicator-shift |
Specify bytes to shift from the beginning of payload to read length value, range 0-32. |
|
length-indicator-size |
Specify total bytes reading to calculate length, range 0-8. |
|
opt-header-length |
Specify length of optional header before MTI, including the length-indicator, range 0-32. |
|
opt-trailer-hex |
Specify hex string of optional trailer, maximum length 16, i.e. 8 bytes in binary. |
|
geo-ip |
Select a Geo IP block list configuration object. |
|
allowlist |
Select an allowlist configuration object. |
|
set type mssql |
|
|
client-timeout |
This timeout is counted as the amount of time when the client did not send a complete request HTTP header to the FortiADC after the client connected to the FortiADC. If this timeout expires, FortiADC will send a 408 message to client and close the connection to the client. The default is 50 seconds. The valid range is 1 to 86,400 seconds. |
|
server-age |
Specify the maximum inactivity time for MS SQL server on the server side. The default is 600 seconds. The valid range is 1 to 86,400 seconds. |
|
server-max-size |
Specify the maximum connections that can connect to the MS SQL server on the server side. The default is 10,000. The valid range is 1 to 30,000. |
|
geo-ip |
Select a Geo IP block list configuration object. |
|
allowlist |
Select an allowlist configuration object. |
|
set type smtp |
|
|
client-address |
Enable/disable to use the original client IP address as the source address when connecting to the real server. Note: When using the NAT Source Pool for SMTP VS, ensure the SMTP application profile is disabled for Client Address. When the SMTP is enabled for Client Address, it will use the original client IP address as the source address when connecting to the real server, which cannot be done when the NAT source pool is used at the same time. |
|
starttls-active-mode |
Select one of the following:
|
|
disable-command-status |
Enable/disable to forbid the command(s) selected in forbidden-command. |
|
disable-command |
Select any, all, or none of the commands (i.e., expn, turn, vrfy). If selected, the command or commands will be rejected by FortiADC; otherwise, the command or commands will be accepted and forwarded to the back end. |
|
geo-ip |
Select a Geo IP block list configuration object. |
|
allowlist |
Select an allowlist configuration object. |
|
domain-name |
Specify the domain name. |
|
set type mysql |
Note: The system does not provide default MyQSL profiles as it does with the other protocols. |
|
mysql-mode |
Select either of the following MySQL modes:
|
|
set type l7-tcp |
|
|
timeout_tcp_session |
Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400. |
|
ip-reputation |
Enable to apply the FortiGuard IP reputation service. |
|
geoip-list |
Select a Geo IP block list configuration object. |
|
allowlist |
Select an allowlist configuration object. |
|
set type l7-udp |
|
|
timeout_udp_session |
Client-side session timeout. The default is 100 seconds. The valid range is 1 to 86,400. |
|
ip-reputation |
Enable to apply the FortiGuard IP reputation service. |
|
geoip-list |
Select a Geo IP block list configuration object. |
|
allowlist |
Select an allowlist configuration object. |
Example
The following example shows the list of predefined profiles:
FortiADC-VM # get load-balance profile
== [ LB_PROF_TCP ]
== [ LB_PROF_UDP ]
== [ LB_PROF_HTTP ]
== [ LB_PROF_TURBOHTTP ]
== [ LB_PROF_FTP ]
== [ LB_PROF_RADIUS ]
== [ LB_PROF_SIP ]
== [ LB_PROF_TCPS ]
== [ LB_PROF_HTTPS ]
== [ LB_PROF_HTTP2_H2C]
== [ LB_PROF_HTTP2_H2 ]
== [ LB_PROF_SMTP ]
== [ LB_PROF_RTSP ]
== [ LB_PROF_RTMP ]
== [ LB_PROF_DIAMETER ]
== [ LB_PROF_IP ]
== [ LB_PROF_RDP ]
== [ LB_PROF_HTTP_SERVERCLOSE ]
== [ LB_PROF_HTTPS-SERVERCLOSE ]
== [ LB_PROF_DNS ]
The following example shows the details of the predefined HTTPS profile:
FortiADC-VM (profile) # get load-balance profile LB_PROF_HTTPS
type : https
tune-bufsize : 8030
tune-maxrewrite : 1024
client-timeout : 50
server-timeout : 50
connect-timeout : 5
queue-timeout : 5
http-request-timeout : 50
http-keepalive-timeout : 50
buffer-pool : enable
client-address : disable
http-x-forwarded-for : disable
http-x-forwarded-for-header :
http-mode : ServerClose
compression :
caching :
ip-reputation : disable
geoip-list :
allowlist :
geoip-redirect : http://
The following example creates a user-defined SIP profile:
FortiADC-VM # config load-balance profile
FortiADC-VM (profile) # edit sip-profile
Add new entry 'sip-profile' for node 1643
FortiADC-VM (sip-profile) # set type sip
FortiADC-VM (sip-profile) # get
type : sip
max-size : 65535
server-keepalive-timeout : 30
server-keepalive : enable
client-keepalive : disable
client-protocol : udp
server-protocol :
sip-insert-client-ip : disable
failed-client : drop
failed-server : drop
FortiADC-VM (sip-profile) # set timeout 120
FortiADC-VM (sip-profile) # set max-size 2048
FortiADC-VM (sip-profile) # set server-keepalive-timeout 180
FortiADC-VM (sip-profile) # set failed-server send
FortiADC-VM (sip-profile) # set fail-server-str "404 Not Found"
FortiADC-VM (sip-profile) # config ?
client-request-header-erase erase header from client request
client-request-header-insert insert header into client request
client-response-header-erase erase header from client response
client-response-header-insert insert header into client response
server-request-header-erase erase header from server request
server-request-header-insert insert header into server request
server-response-header-erase erase header from server response
server-response-header-insert insert header into server response
FortiADC-VM (sip-profile) # config client-request-header-insert
FortiADC-VM (client-request~h) # edit 1
Add new entry '1' for node 4554
FortiADC-VM (1) # set type insert-if-not-exist
FortiADC-VM (1) # set string "Via: SIP/2.0/UDP 1.1.1.100:5060"
FortiADC-VM (1) # end
FortiADC-VM (sip-profile) # end
FortiADC-VM #
The following example creates a DNS profile:
config load-balance profile
edit "dns"
set type dns
set malform-query-action drop
set redirect-to-tcp-port disable
set caching enable
set max-query-length 512
set max-cache-age 3600
set max-cache-entry-size 512
set max-cache-size 10
next
end
config load-balance virtual-server
edit "vs1"
set load-balance-profile dns
next
end
The following example creates an IP profile:
config load-balance profile
edit "ip"
set type ip
set timeout-ip-session 100
next
end
config load-balance virtual-server
edit "vs2"
set type l2-load-balance
set protocol-numbers 0 1
set load-balance-profile ip
next
end
The following example creates a MySQL profile:
config system health-check
edit mysql
set type mysql
set user root
set password fortinet
set port 3306
next
end
config load-balance real-server
edit "rs1"
set ip 192.168.1.1
next
end
config load-balance pool
edit "pool_mysql"
set health-check-ctrl enable
set health-check-list icmp
set real-server-ssl-profile NONE
config pool_member
edit 1
set pool_member_cookie rs1
set real-server rs1
next
end
next
end
config load-balance virtual-server
edit "mysql"
set type l7-load-balance
set interface port2
set ip 10.1.1.1
set port 3306
set load-balance-profile mysql
set load-balance-method LB_METHOD_ROUND_ROBIN
set load-balance-pool pool_mysql
next
end
The following example creates an RTSP profile:
config load-balance profile
edit "RTSP"
set type rtsp
set max-header-size 2048
set client-address enable
next
The following example creates an RTMP profile:
config load-balance profile
edit "RTMP"
set type rtmp
set client-address enable
next