
CLI Reference

config load-balance profile

Use this command to configure virtual server profiles. A profile is a configuration object that defines how you want the FortiADC virtual server to handle traffic for specific protocols. Virtual server profiles determine settings used in network communication on the client-FortiADC segment, in contrast to real server profiles, which determine the settings used in network communication on the FortiADC-real server segment.

The Application Profile Usage table describes the usage by application profile type, including the compatible virtual server types, load-balancing methods, persistence methods, and content routing types.

Application Profile Usage

Columns: Profile, Usage, VS Type, LB Methods, Persistence

FTP
  Usage: Use with FTP servers.
  VS Type: Layer 7, Layer 4
  LB Methods: Layer 7: Round Robin, Least Connections; Layer 4: Same as Layer 7, plus Fastest Response, Dynamic Load
  Persistence: Layer 7: Source Address, Source Address Hash; Layer 4: Same as Layer 7, plus Source Address-Port Hash

HTTP
  Usage: Use for standard, unsecured web server traffic.
  VS Type: Layer 7, Layer 2
  LB Methods: Layer 7: Round Robin, Least Connections, URI Hash, Full URI Hash, Host Hash, Host Domain Hash, Dynamic Load; Layer 2: Same as Layer 7, plus Destination IP Hash
  Persistence: Source Address, Source Address Hash, Source Address-Port Hash, HTTP Header Hash, HTTP Request Hash, Cookie Hash, Persistent Cookie, Insert Cookie, Embedded Cookie, Rewrite Cookie, Passive Cookie

HTTPS
  Usage: Use for secured web server traffic when offloading TLS/SSL from the backend servers. You must import the backend server certificates into FortiADC and select them in the HTTPS profile.
  VS Type: Layer 7, Layer 2
  LB Methods: Same as HTTP
  Persistence: Same as HTTP, plus SSL Session ID

TURBO HTTP
  Usage: Use for unsecured HTTP traffic that does not require advanced features like caching, compression, content rewriting, rate limiting, Geo IP blocking, or source NAT. The profile can be used with content routes and destination NAT, but the HTTP request must be in the first data packet. This profile enables packet-based forwarding that reduces network latency and system CPU usage. However, packet-based forwarding for HTTP is advisable only when you do not anticipate dropped packets or out-of-order packets.
  VS Type: Layer 7
  LB Methods: Round Robin, Least Connections, Fastest Response
  Persistence: Source Address

RADIUS
  Usage: Use with RADIUS servers.
  VS Type: Layer 7
  LB Methods: Round Robin
  Persistence: RADIUS attribute

RDP
  Usage: Use with Windows Terminal Services (Remote Desktop Protocol).
  VS Type: Layer 7
  LB Methods: Round Robin, Least Connections
  Persistence: Source Address, Source Address Hash, Source Address-Port Hash, RDP Cookie

SIP
  Usage: Use with applications that use the Session Initiation Protocol (SIP), such as VoIP, instant messaging, and video.
  VS Type: Layer 7
  LB Methods: Round Robin, URI Hash, Full URI Hash
  Persistence: Source Address, Source Address Hash, Source Address-Port Hash, SIP Call ID

TCP
  Usage: Use for other TCP protocols.
  VS Type: Layer 4, Layer 2
  LB Methods: Layer 4: Round Robin, Least Connections, Fastest Response, Dynamic Load; Layer 2: Round Robin, Least Connections, Fastest Response, Destination IP Hash, Dynamic Load
  Persistence: Source Address, Source Address Hash, Source Address-Port Hash

TCPS
  Usage: Use for secured TCP when offloading TLS/SSL from the backend servers. Like the HTTPS profile, you must import the backend server certificates into FortiADC and select them in the TCPS profile.
  VS Type: Layer 7, Layer 2
  LB Methods: Layer 7: Round Robin, Least Connections, Dynamic Load; Layer 2: Round Robin, Least Connections, Destination IP Hash, Dynamic Load
  Persistence: Source Address, Source Address Hash, Source Address-Port Hash, SSL Session ID

UDP
  Usage: Use with UDP servers.
  VS Type: Layer 4, Layer 2
  LB Methods: Layer 4: Round Robin, Least Connections, Fastest Response, Dynamic Load; Layer 2: Same as Layer 4, plus Destination IP Hash
  Persistence: Source Address, Source Address Hash, Source Address-Port Hash

IP
  Usage: Combines with a Layer 2 TCP/UDP/HTTP virtual server to balance the remaining IP packets that pass through FortiADC. When an IP (protocol 0) virtual server is running, traffic always tries to match a non-protocol-0 virtual server first.
  VS Type: Layer 2
  LB Methods: Round Robin, Dynamic Load
  Persistence: Source Address, Source Address Hash, Source Address-Port Hash

DNS
  Usage: Use with DNS servers.
  VS Type: Layer 7
  LB Methods: Round Robin, Least Connections
  Persistence: Not supported yet.

SMTP
  Usage: Use with SMTP servers.
  VS Type: Layer 7
  LB Methods: Round Robin, Least Connections
  Persistence: Source Address, Source Address Hash

RTMP
  Usage: A TCP-based protocol used for streaming audio, video, and data over the Internet.
  VS Type: Layer 7
  LB Methods: Round Robin, Least Connections
  Persistence: Source Address, Source Address Hash

ISO8583
  Usage: Use with ISO8583 servers.
  VS Type: Layer 7
  LB Methods: Round Robin
  Persistence: N/A

RTSP
  Usage: A network control protocol used for establishing and controlling media sessions between endpoints.
  VS Type: Layer 7
  LB Methods: Round Robin, Least Connections
  Persistence: Source Address, Source Address Hash

MySQL
  Usage: MySQL network protocol stack (i.e., MySQL-Proxy), which parses and builds MySQL protocol packets.
  VS Type: Layer 7
  LB Methods: Round Robin, Least Connections
  Persistence: N/A

DIAMETER
  Usage: A successor to RADIUS, DIAMETER is the next-generation Authentication, Authorization and Accounting (AAA) protocol widely used in IMS and LTE.
  VS Type: Layer 7
  LB Methods: Round Robin
  Persistence: Source Address, DIAMETER Session ID (default)

MSSQL
  Usage: MSSQL network protocol stack, which parses and builds MSSQL protocol packets.
  VS Type: Layer 7
  LB Methods: Least Connections
  Persistence: N/A

EXPLICIT_HTTP
  Usage: A simple explicit/forward HTTP proxy mode. In this mode, you do not need to add a backend real server pool. The destination IP address of the downstream is specified by the URL or Host field of the client request.
  VS Type: Layer 7
  LB Methods: N/A
  Persistence: N/A

L7 TCP
  Usage: Use for other TCP protocols.
  VS Type: Layer 7
  LB Methods: Round Robin, Least Connections
  Persistence: Source Address, Source Address Hash

L7 UDP
  Usage: Use with UDP servers.
  VS Type: Layer 7
  LB Methods: Round Robin, Least Connections
  Persistence: Source Address, Source Address Hash

The Predefined Profiles table lists the default values of each predefined profile. All values in the predefined profiles are view-only, and cannot be modified. You can select predefined profiles in the virtual server configuration, or you can create user-defined profiles to include configuration objects such as certificates, caching settings, compression options, and IP reputation.

Predefined Profiles

Profile Defaults

LB_PROF_DIAMETER

Origin Host—Blank

Origin Realm—Blank

Vendor ID—0

Product Name—Blank

Idle Timeout—300 (seconds) (Note: This refers to the built-in session ID persistence timeout.)

Server Close Propagation—OFF (Note: This means that the connection on the client side stays open when the server closes any connection on its side.)

Client SSL—Off

LB_PROF_TCP

Timeout TCP Session—100

Timeout TCP Session after FIN—100

IP Reputation—Disabled

Geo IP block list—None

Geo IP Allowlist—None

LB_PROF_UDP

Timeout UDP Session—100

IP Reputation—Disabled

Stateless—Disabled

Geo IP block list—None

Geo IP Allowlist—None

LB_PROF_HTTP

Client Timeout—50

Server Timeout—50

Connect Timeout—5

Queue Timeout—5

HTTP Request Timeout—50

HTTP Keepalive Timeout—50

Client Address—Disabled

X-Forwarded-For—Disabled

X-Forwarded-For Header—Blank

IP Reputation—Disabled

HTTP Mode—Keep Alive

Compression—None

Decompression—None

Caching—None

Geo IP Block List—None

Geo IP Allowlist—None

Geo IP Redirect URL—http://

HTTP Send Timeout—5

HTTP2—None

LB_PROF_HTTP_SERVERCLOSE

Client Timeout—50

Server Timeout—50

Connect Timeout—5

Queue Timeout—5

HTTP Request Timeout—50

HTTP Keepalive Timeout—50

Buffer Pool—Enabled

Client Address—Disabled

X-Forwarded-For—Disabled

X-Forwarded-For Header—None

IP Reputation—Disabled

HTTP Mode—Server Close

Customized SSL Ciphers Flag—Disabled

Compression—None

Decompression—None

Caching—None

Geo IP Block List—None

Geo IP Allowlist—None

Geo IP Redirect URL—http://

HTTP Send Timeout—0

HTTP2—None

LB_PROF_TURBOHTTP

Timeout TCP Session—100

Timeout TCP Session after FIN—100

IP Reputation—Disabled

Geo IP Block List—None

Geo IP Allowlist—None

LB_PROF_FTP

Timeout TCP Session—100

Timeout TCP Session after FIN—100

IP Reputation—Disabled

Geo IP Block List—None

Geo IP Allowlist—None

Client Address—Off

Security Mode—None

LB_PROF_RADIUS

Client Address—Off

Source Port—Off

Dynamic Auth—Disable

RADIUS Session—300

Geo IP Block List—None

Geo IP Allowlist—None

LB_PROF_SIP

SIP Max Size—65535

Server Keepalive Timeout—30

Server Keepalive—Enabled

Client Keepalive—Disabled

Client Protocol—UDP

Server Protocol—None

Failed Client Type—Drop

Failed Server Type—Drop

Insert Client IP—Disabled

Geo IP Block List—None

Geo IP Allowlist—None

Client Address—Off

Media Address—0.0.0.0

LB_PROF_RDP

Client Timeout—50

Server Timeout—50

Connect Timeout—5

Queue Timeout—5

Source Address—Disabled

IP Reputation—Disabled

Geo IP Block List—None

Geo IP Allowlist—None

LB_PROF_IP

IP Reputation—Disabled

Geo IP Block List—None

Geo IP Allowlist—None

Timeout IP Session—100

LB_PROF_DNS

Client Address—Off

DNS Cache Flag—Enabled

DNS Cache Ageout Time—3600

DNS Cache Size—10

DNS Cache Entry Size—512

DNS Cache Response Type—All Records

DNS Malform Query Action—Drop

DNS Max Query Length—512

DNS Authentication Flag—Disabled

LB_PROF_TCPS

Client Timeout—50

Server Timeout—50

Connect Timeout—5

Queue Timeout—5

Client Address—Disabled

IP Reputation—Disabled

Geo IP block list—None

LB_PROF_HTTPS

Client Timeout—50

Server Timeout—50

Connect Timeout—5

Queue Timeout—5

HTTP Request Timeout—50

HTTP Keepalive Timeout—50

Client Address—Disabled

X-Forwarded-For—Disabled

X-Forwarded-For Header—None

IP Reputation—Disabled

HTTP Mode—Keep Alive

SSL Proxy Mode—Disabled

Compression—None

Decompression—None

Caching—None

Geo IP Block List—None

Geo IP Allowlist—None

Geo IP Redirect URL—http://

HTTP Send Timeout—0

HTTP2—None

LB_PROF_HTTPS_SERVERCLOSE

Client Timeout—50

Server Timeout—50

Connect Timeout—5

Queue Timeout—5

HTTP Request Timeout—50

HTTP Keepalive Timeout—50

Client Address—Disabled

X-Forwarded-For—Disabled

X-Forwarded-For Header—None

IP Reputation—Disabled

HTTP Mode—Server Close

Compression—None

Decompression—None

Caching—None

Geo IP Block List—None

Geo IP Allowlist—None

Geo IP Redirect URL—http://

HTTP Send Timeout—0

HTTP2—None

LB_PROF_SMTP

Starttls Active Mode—require

Forbidden Command—expn, turn, vrfy

Local Certificate Group—LOCAL_CERT_GROUP

Client Address—Disable

Forbidden Command Status—Enable

Domain Name—default.com

Geo IP Block List—None

Geo IP Allowlist—None

LB_PROF_RTSP

Max Header Size—Default is 4096. Valid values range from 2048 to 65536.

Client Address—Disabled by default. When enabled, FortiADC will use the client address to connect to the server pool.

LB_PROF_RTMP

Client Address—Disabled by default. When enabled, FortiADC will use the client address to connect to the server pool.

LB_PROF_HTTP2_H2

Client Timeout—50

Server Timeout—50

Connect Timeout—5

Queue Timeout—5

HTTP Send Timeout—0

HTTP Request Timeout—50

HTTP Keepalive Timeout—50

Client Address—Disabled

X-Forwarded-For—Disabled

IP Reputation—Disabled

HTTP Mode—Keep Alive

Compression—None

Decompression—None

HTTP2—LB_HTTP2_PROFILE_DEFAULT

Caching—None

Geo IP Block List—None

Geo IP Allowlist—None

Geo IP Redirect URL—http://

Tune Buffer Size—17418

Max HTTP Headers—200

Response Half Closed Connection—Disabled

LB_PROF_HTTP2_H2C

Client Timeout—50

Server Timeout—50

Connect Timeout—5

Queue Timeout—5

HTTP Send Timeout—0

HTTP Request Timeout—50

HTTP Keepalive Timeout—50

Client Address—Disabled

X-Forwarded-For—Disabled

IP Reputation—Disabled

HTTP Mode—Keep Alive

Compression—None

Decompression—None

HTTP2—LB_HTTP2_PROFILE_DEFAULT

Caching—None

Geo IP Block List—None

Geo IP Allowlist—None

Geo IP Redirect URL—http://

Tune Buffer Size—17418

Max HTTP Headers—200

Response Half Closed Connection—Disabled

LB_PROF_HTTP3

Client Timeout—50

Server Timeout—50

Connect Timeout—5

Queue Timeout—5

HTTP Request Timeout—50

HTTP Keepalive Timeout—50

X-Forwarded-For—Disabled

HTTP Mode—Keep Alive

HTTP3—LB_HTTP3_PROFILE_DEFAULT

Tune Buffer Size—32768

Max HTTP Headers—200

LB_PROF_ISO8583

Timeout TCP Session—100

Message Encode Type—ASCII

Length Indicator Type—binary

Length Indicator Shift—0

Length Indicator Size—2

Optional Header Length—2

Optional Trailer Hex—None

Geo IP Block List—None

Geo IP Allowlist—None

LB_PROF_EXPLICIT_HTTP

Client Timeout—50

Server Timeout—50

Connect Timeout—50

Queue Timeout—50

HTTP Send Timeout—0

HTTP Request Timeout—50

HTTP Keepalive Timeout—50

Client Address—Disabled

X-Forwarded-For—Disabled

X-Forwarded-For Header—None

IP Reputation—Disabled

HTTP Mode—Keep Alive

Decompression—None

Geo IP Block List—None

Geo IP Allowlist—None

Geo IP Redirect URL—http://

Tune Buffer Size—8030

Max HTTP Headers—100

Response Half Closed Connection—Disabled

LB_PROF_L7_TCP

Timeout TCP Session—100

IP Reputation—Disabled

Geo IP Block List—None

Geo IP Allowlist—None

Before you begin:
  • You must have already created configuration objects for certificates, caching, and compression if you want the profile to use them.
  • You must have read-write permission for load balance settings.

Syntax

config load-balance profile
    edit <name>
        set type {diameter | dns | explicit_http | ftp | http | turbohttp | https | ip | iso8583 | l7-tcp | l7-udp | mssql | mysql | radius | rdp | rtmp | rtsp | sip | smtp | tcp | tcps | udp}
        set timeout_tcp_session <integer>
        set timeout_tcp_session_after_FIN <integer>
        set timeout_send_rst {enable|disable}
        set timeout-radius-session <integer>
        set timeout_udp_session <integer>
        set buffer-pool {enable|disable}
        set caching <datasource>
        set cache-response-type {single-answer | round-robin}
        set client-address {enable|disable}
        set client-timeout <integer>
        set compression <datasource>
        set connect-timeout <integer>
        set http-keepalive-timeout <integer>
        set http-mode {KeepAlive|OnceOnly|ServerClose}
        set http-request-timeout <integer>
        set http-x-forwarded-for {enable|disable}
        set http-x-forwarded-for-header <string>
        set queue-timeout <integer>
        set server-timeout <integer>
        set tune-bufsize <integer>
        set tune-maxrewrite <integer>
        set ip-reputation {enable|disable}
        set geoip-list <datasource>
        set allowlist <datasource>
        set security-mode {none|explicit|implicit}
        set geoip-redirect <string>
        set client-keepalive {enable|disable}
        set client-protocol {tcp|udp}
        set failed-client {drop|send}
        set failed-client-str <string>
        set failed-server {drop|send}
        set failed-server-str <string>
        set max-size <integer>
        set server-keepalive {enable|disable}
        set server-keepalive-timeout <integer>
        set server-protocol {tcp|udp}
        set sip-insert-client-ip {enable|disable}
        set media-addr <ip address>
        set dynamic-auth {enable|disable}
        set dynamic-auth-port <integer>
        config client-request-header-erase
            edit <No.>
                set type {all|first}
                set string <string>
            next
        end
        config client-request-header-insert
            edit <No.>
                set type {append-always | append-if-not-exist | insert-always | insert-if-not-exist}
                set string <string>
            next
        end
        config client-response-header-erase
            edit <No.>
                set type {all|first}
                set string <string>
            next
        end
        config client-response-header-insert
            edit <No.>
                set type {append-always | append-if-not-exist | insert-always | insert-if-not-exist}
                set string <string>
            next
        end
        config server-request-header-erase
            edit <No.>
                set type {all|first}
                set string <string>
            next
        end
        config server-request-header-insert
            edit <No.>
                set type {append-always | append-if-not-exist | insert-always | insert-if-not-exist}
                set string <string>
            next
        end
        config server-response-header-erase
            edit <No.>
                set type {all|first}
                set string <string>
            next
        end
        config server-response-header-insert
            edit <No.>
                set type {append-always | append-if-not-exist | insert-always | insert-if-not-exist}
                set string <string>
            next
        end
    next
end

The following commands are used to invoke the "LB_PROF_DNS" profile in Layer-7 virtual servers.

config load-balance profile
    edit "dns"
        set type dns
        set cache-response-type {all-records | round-robin}
        set caching {enable|disable}
        set client-address {enable|disable}
        set malform-query-action {drop|forward}
        set max-cache-age <integer>
        set max-cache-entry-size <integer>
        set max-cache-size <integer>
        set max-query-length <integer>
        set redirect-to-tcp-port {enable|disable}
    next
end

config load-balance virtual-server
    edit "vs1"
        set load-balance-profile LB_PROF_DNS
    next
end

The following commands are used to invoke the "LB_PROF_IP" profile in Layer-2 virtual servers. When the profile of a Layer-2 virtual server is set to "LB_PROF_IP", you must specify the protocol numbers the virtual server can accept.

config load-balance profile
    edit "ip"
        set type ip
        set timeout-ip-session <integer>
        set ip-reputation {enable|disable}
        set geoip-list <string>
        set allowlist <string>
    next
end

config load-balance virtual-server
    edit "LB_PROF_IP"
        set type l2-load-balance
        set load-balance-profile LB_PROF_IP
        set protocol-numbers <value>   # a protocol range "A-B" or a single protocol number "A"
    next
end

The following commands are used to configure MySQL load-balancing:

config load-balance profile
    edit "mysql"
        set type mysql
        set mysql-mode {single-primary|sharding}
    next
end

The following commands are used to create a new MySQL profile (basic configuration):

config load-balance profile
    edit <name>
        config mysql-user-password
            edit <id>
                set username <username>
                set password <password>
            next
        end
    next
end

The following commands are used to configure a MySQL profile in basic single-primary mode:

config load-balance profile
    edit <name>
        config mysql-rule
            edit <rule id>
                set type {primary|secondary}
                set database <database name> <database name> ...
                set user <user name> <user name> ...
                set table <table name> <table name> ...
                set client-ip <client ip> <client ip> ...
                set sql <sql statement> <sql statement> ...
            next
        end
    next
end

The following commands are used to configure a MySQL profile in data-sharding mode:

config load-balance profile
    edit <name>
        set mysql-mode sharding
        config mysql-sharding
            edit <id>
                set type range
                set table <table name>
                set key <column name>
                set group <group id>:<range> <group id>:<range> ...   # for example: set group 0:0-999 1:1000-9999
            next
            edit <id>
                set type hash
                set database <database name>
                set table <table name>
                set key <column name>
                set group <group id> <group id>
            next
        end
    next
end

The following commands are used to configure MySQL profile-specific pool members:

config load-balance pool
    edit <pool name>
        config pool_member
            edit 1
                set mysql-group-id <group id>   # for data sharding
                set mysql-read-only enable      # for a secondary
            next
        end
    next
end

The following commands are used to create an RTSP profile:

config load-balance profile
    edit "RTSP"
        set type rtsp
        set max-header-size <size>
        set client-address {enable|disable}
    next
end

The following commands are used to configure an RTMP profile:

config load-balance profile
    edit "RTMP"
        set type rtmp
        set client-address {enable|disable}
    next
end

The following commands are used to configure a diameter proxy_mode profile:

config load-balance profile
    edit "diameter_proxy"
        set type diameter
        set origin-host <string>
        set origin-realm <string>
        set client-ssl {enable|disable}
        set vendor-id <integer>
        set product-name <string>
        set idle-timeout <integer>
        set server-close-propagation {enable|disable}
    next
end

The following commands are used to configure a diameter relay_mode profile:

config load-balance profile
    edit "diameter_proxy"
        set type diameter
        set idle-timeout <integer>
        set server-close-propagation {enable|disable}
    next
end

The following commands are used to configure an explicit HTTP profile:

config load-balance profile
    edit <name>
        set type explicit_http
        set caching <string>
        set client-address {enable|disable}
        set client-timeout <integer>
        set connect-timeout <integer>
        set decompression <string>
        set geoip-list <string>
        set geoip-redirect <string>
        set http-keepalive-timeout <integer>
        set http-request-timeout <integer>
        set http-send-timeout <integer>
        set http-x-forwarded-for {enable|disable}
        set http-x-forwarded-for-header <string>
        set ip-reputation {enable|disable}
        set max-http-headers <integer>
        set queue-timeout <integer>
        set response-half-closed-request {enable|disable}
        set server-timeout <integer>
        set tune-bufsize <integer>
        set tune-maxrewrite <integer>
        set allowlist <string>
    next
end

type

Specify the profile type. After you have specified the type, the CLI commands are constrained to the ones that are applicable to the specified type, not all of the settings described in this table.

set type tcp

timeout_tcp_session

Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400.

timeout_tcp_session_after_FIN

Client-side connection timeout. The default is 100 seconds. The valid range is 1 to 86,400.

timeout_send_rst

Enable to send TCP RST to the client and real server when the TCP session expires. This is disabled by default.

Note: This function is supported for both IPv4 and IPv6 in L4 and L2 virtual servers. For L4 virtual servers, timeout_send_rst is supported for DNAT/FullNAT/NAT46/NAT64 packet forwarding methods.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Select a Geo IP block list configuration object.

allowlist

Select an allowlist configuration object.

set type ip

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Select a Geo IP block list configuration object.

allowlist

Select an allowlist configuration object.

timeout-ip-session

Client-side session timeout. The default is 100 seconds. The valid range is 1 to 86,400.

set type dns

client-address

Enable/disable use of the original client IP address as the source address when connecting to the real server.

caching

Enable/disable the cache for the DNS virtual server.

max-cache-age

Specify the cache age-out time (in seconds). The default is 3,600. The valid range is 0 to 65,535.

max-cache-size

Specify the maximum cache size (in Megabytes). The default is 10. The valid range is 1 to 100.

max-cache-entry-size

Specify the maximum cache entry size. The default is 512. The valid range is 256 to 4,096.

cache-response-type

Select either of the following cache response types:

  • single

  • round-robin

malform-query-action

Select either of the following reactions for the malformed requests:

  • drop

  • forward

max-query-length

Specify the maximum query length. The default is 512. The valid range is 256 to 4,096.

redirect-to-tcp-port

Enable/disable client authentication by redirecting UDP queries to TCP.

set type udp

stateless

Enable to apply the UDP stateless function.

timeout_udp_session

Client-side session timeout. The default is 100 seconds. The valid range is 1 to 86,400.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Select a Geo IP block list configuration object.

allowlist

Select an allowlist configuration object.

set type rtsp

max-header-size

Specify the maximum size of RTSP packets, which can range from 16 to 65,536.

client-address

Enable/disable use of the original client IP address as the source address when connecting to the real server.

set type rtmp

client-address

Enable/disable use of the original client IP address as the source address when connecting to the real server.

set type ftp

timeout_tcp_session

Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400.

timeout_tcp_session_after_FIN

Client-side connection timeout. The default is 100 seconds. The valid range is 1 to 86,400.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Specify a Geo IP block list configuration object.

allowlist

Specify a Geo IP allowlist configuration object.

security-mode

Select either of the following:

  • none

  • explicit

  • implicit

set type http and set type https

tune-bufsize

Specify the buffer size for a session when buffer-pool is enabled. Specify lower values to allow more sessions to coexist in the same amount of RAM, and higher values for traffic with larger HTTP body content. The default is 8,030 bytes. The valid range is 128 to 2,147,483,647.

Note:

The tune-bufsize factors into the total allowable size for an HTTP request. The default maximum length of an HTTP request is calculated as tune-bufsize <integer> - tune-maxrewrite <integer>.

For example, tune-bufsize 8030 - tune-maxrewrite 1024 = 7006 bytes is the maximum for the HTTP request.

caching

Specify the name of the caching configuration object.

client-address

Use the original client IP address as the source address in the connection to the real server.

client-timeout

Client-side TCP connection timeout. The default is 50 seconds. The valid range is from 1 to 3,600.

compression

Specify a compression configuration object.

connect-timeout

Multiplexed server-side TCP connection timeout. Usually less than the client-side timeout. The default is 5 seconds. The valid range is 1 to 3,600.

http-keepalive-timeout

The default is 50 seconds. The valid range is 1 to 3,600.

http-mode

  • KeepAlive. Do not close the connection to the real server after each HTTP transaction. Instead, keep the connection between FortiADC and the real server open until the client-side connection is closed. This option is required for applications like Microsoft SharePoint.
  • OnceOnly. An HTTP transaction can consist of multiple HTTP requests (separate requests for an HTML page and the images contained therein, for example). To improve performance, the "once only" flag instructs the FortiADC to evaluate only the first set of headers in a connection. Subsequent requests belonging to the connection are not load balanced, but sent to the same server as the first request.
  • ServerClose. Close the connection to the real server after each HTTP transaction.

http-request-timeout

Client-side HTTP request timeout. The default is 50 seconds. The valid range is 1 to 3,600.

http-x-forwarded-for

Enable this option to append the client IP address found in IP layer packets to the HTTP header, for example, X-forwarded-for: 192.168.161.100.

The default header name is X-forwarded-for. If you prefer a different name, use http-x-forwarded-for-header to define a custom name.

http-x-forwarded-for-header

Specify a custom name for the HTTP header which carries the client IP address. Do not include the 'X-' prefix. Examples: Forwarded-For, Real-IP, or True-IP.

queue-timeout

Specifies how long connection requests to a backend server remain in a queue if the server has reached its maximum number of connections. If the timeout period expires before the client can connect, FortiADC drops the connection and sends a 503 error to the client. The default is 5 seconds. The valid range is 1 to 3,600.

server-timeout

Server-side IP session timeout. The default is 50 seconds. The valid range is 1 to 3,600.

tune-maxrewrite

Specify the buffer space reserved for content rewriting. The default is 1,024 bytes. The valid range is 128 to 2,147,483,647.

Note:

The tune-maxrewrite factors into the total allowable size for an HTTP request. The default maximum length of an HTTP request is calculated as tune-bufsize <integer> - tune-maxrewrite <integer>.

For example, tune-bufsize 8030 - tune-maxrewrite 1024 = 7006 bytes is the maximum for the HTTP request.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Specify a Geo IP block list configuration object.

geoip-redirect

For HTTP/HTTPS, if you have configured a Geo IP redirect action, specify a redirect URL.

allowlist

Specify a Geo IP allowlist configuration object.

http2-profile

Specify an HTTP2 profile configuration object.

http3-profile

The http3-profile option is only available if type is https.

Specify an HTTP3 Profile configuration object. See config load-balance http3-profile.
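As an added example that is not Fortinet code, the following Python renders a "config load-balance profile" stanza with the edit/next/end nesting shown in the Syntax section and rejects values outside the ranges documented on this page for the HTTP/HTTPS, TCP and DNS types, including the tune-bufsize minus tune-maxrewrite request-size rule. Which settings belong to which type is an approximation taken from the per-type lists on this page, and it assumes that the string of client-request-header-erase names the header to remove.

```python
"""Render and sanity-check a FortiADC `config load-balance profile` stanza.

Added example, not Fortinet code. Setting names, ranges and nesting are taken
from this CLI reference page; the per-type applicability lists are an
approximation (assumption) built from the page's per-type parameter sections.
"""

# Valid integer ranges documented on this page, per profile type.
RANGES = {
    "http": {
        "client-timeout": (1, 3600),
        "server-timeout": (1, 3600),
        "connect-timeout": (1, 3600),
        "queue-timeout": (1, 3600),
        "http-request-timeout": (1, 3600),
        "http-keepalive-timeout": (1, 3600),
        "tune-bufsize": (128, 2147483647),
        "tune-maxrewrite": (128, 2147483647),
    },
    "tcp": {
        "timeout_tcp_session": (1, 86400),
        "timeout_tcp_session_after_FIN": (1, 86400),
    },
    "dns": {
        "max-cache-age": (0, 65535),
        "max-cache-size": (1, 100),
        "max-cache-entry-size": (256, 4096),
        "max-query-length": (256, 4096),
    },
}
RANGES["https"] = RANGES["http"]

# Keyword settings documented on this page, per profile type.
KEYWORDS = {
    "http": {"http-mode": {"KeepAlive", "OnceOnly", "ServerClose"},
             "http-x-forwarded-for": {"enable", "disable"},
             "client-address": {"enable", "disable"},
             "ip-reputation": {"enable", "disable"}},
    "tcp": {"timeout_send_rst": {"enable", "disable"},
            "ip-reputation": {"enable", "disable"}},
    "dns": {"caching": {"enable", "disable"},
            "malform-query-action": {"drop", "forward"},
            "redirect-to-tcp-port": {"enable", "disable"},
            "client-address": {"enable", "disable"}},
}
KEYWORDS["https"] = KEYWORDS["http"]

PAGE_DEFAULT_TUNE_BUFSIZE = 8030


def max_http_request_bytes(tune_bufsize: int, tune_maxrewrite: int) -> int:
    """Default maximum HTTP request length as documented: bufsize - maxrewrite."""
    return tune_bufsize - tune_maxrewrite


def validate(ptype: str, settings: dict) -> list:
    """Return a list of problems; an empty list means the settings are acceptable."""
    if ptype not in RANGES:
        return [f"unsupported type in this example: {ptype}"]
    ranges, keywords = RANGES[ptype], KEYWORDS[ptype]
    problems = []
    for key, value in settings.items():
        if key in ranges:
            lo, hi = ranges[key]
            if not isinstance(value, int) or not lo <= value <= hi:
                problems.append(f"{key}={value!r} outside {lo}..{hi}")
        elif key in keywords:
            if value not in keywords[key]:
                problems.append(f"{key}={value!r} not one of {sorted(keywords[key])}")
        else:
            problems.append(f"{key} is not applicable to type {ptype}")
    # A request limit of zero or less leaves no room for any HTTP request.
    if ptype in ("http", "https") and "tune-maxrewrite" in settings:
        bufsize = settings.get("tune-bufsize", PAGE_DEFAULT_TUNE_BUFSIZE)
        if max_http_request_bytes(bufsize, settings["tune-maxrewrite"]) <= 0:
            problems.append("tune-maxrewrite must be smaller than tune-bufsize")
    return problems


def render(name: str, ptype: str, settings: dict, erase_client_headers=()) -> str:
    """Emit the CLI stanza. Assumption: the `string` of client-request-header-erase
    names the header to strip from incoming client requests."""
    problems = validate(ptype, settings)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["config load-balance profile", f'    edit "{name}"', f"        set type {ptype}"]
    for key, value in settings.items():
        lines.append(f"        set {key} {value}")
    if erase_client_headers:
        lines.append("        config client-request-header-erase")
        for idx, header in enumerate(erase_client_headers, start=1):
            lines += [f"            edit {idx}", "                set type all",
                      f'                set string "{header}"', "            next"]
        lines.append("        end")
    lines += ["    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: an HTTPS profile that appends FortiADC's own client-IP
    # header and strips any client-supplied X-Forwarded-For on the way in.
    print(render("web_https", "https",
                 {"http-mode": "KeepAlive", "http-x-forwarded-for": "enable",
                  "client-timeout": 30, "tune-bufsize": 16384, "tune-maxrewrite": 1024},
                 erase_client_headers=("X-Forwarded-For",)))
```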

set type radius

timeout-radius-session

The default is 300 seconds. The valid range is 1 to 3,600.

dynamic-auth

Enable/disable RADIUS dynamic authorization (CoA, Disconnect messages).

dynamic-auth-port

Port used for RADIUS dynamic authorization messages.

client-address

Enable/disable the use of a client IP as the source IP to connect to the real server.

geoip-list

Specify a Geo IP block list configuration object.

allowlist

Specify a Geo IP allowlist configuration object.

set type rdp

client-timeout

Client-side TCP connection timeout. The default is 50 seconds. The valid range is 1 to 3,600.

server-timeout

Server-side IP session timeout. The default is 50 seconds. The valid range is 1 to 3,600.

connect-timeout

Multiplexed server-side TCP connection timeout. Usually less than the client-side timeout. The default is 5 seconds. The valid range is 1 to 3,600.

queue-timeout

Specifies how long connection requests to a backend server remain in a queue if the server has reached its maximum number of connections. If the timeout period expires before the client can connect, FortiADC drops the connection and sends a 503 error to the client. The default is 5 seconds. The valid range is 1 to 3,600.

client-address

Use the original client IP address as the source address in the connection to the real server.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Specify a Geo IP block list configuration object.

allowlist

Specify a Geo IP allowlist configuration object.

set type tcps

client-timeout

Client-side TCP connection timeout. The default is 50 seconds. The valid range is 1 to 3,600.

server-timeout

Server-side IP session timeout. The default is 50 seconds. The valid range is 1 to 3,600.

connect-timeout

Multiplexed server-side TCP connection timeout. Usually less than the client-side timeout. The default is 5 seconds. The valid range is 1 to 3,600.

queue-timeout

Specifies how long connection requests to a backend server remain in a queue if the server has reached its maximum number of connections. If the timeout period expires before the client can connect, FortiADC drops the connection and sends a 503 error to the client. The default is 5 seconds. The valid range is 1 to 3,600.

client-address

Use the original client IP address as the source address in the connection to the real server.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Specify a Geo IP block list configuration object.

allowlist

Specify a Geo IP allowlist configuration object.

set type turbohttp

timeout_tcp_session

Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400.

timeout_tcp_session_after_FIN

Client-side connection timeout. The default is 100 seconds. The valid range is 1 to 86,400.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Specify a Geo IP block list configuration object.

allowlist

Specify a Geo IP allowlist configuration object.

set type sip

client-keepalive

Enable/disable a keepalive period for new client-side requests. Supports CRLF ping-pong for TCP connections. Disabled by default.

client-address

Use the original client IP address as the source address in the connection to the real server.

media-addr

Change the media address of the SIP payload to the specified address. The default is 0.0.0.0.

client-protocol

Client-side transport protocol:

  • tcp
  • udp (default)

failed-client

Action when the SIP client cannot be reached:

  • drop—Drop the connection.
  • send—Drop the connection and send a message, for example, a status code and error message.

failed-client-str

Message string. Use double-quotation marks for strings with spaces.

failed-server

Action when the SIP server cannot be reached:

  • drop—Drop the connection.
  • send—Drop the connection and send a message, for example, a status code and error message.

fail-server-str

Message string. Use double-quotation marks for strings with spaces. For example:

"404 Not Found"

max-size

Maximum message size. The default is 65535 bytes. The valid range is 1-65535.

server-keepalive

Enable/disable a keepalive period for new server-side requests. Supports CRLF ping-pong for TCP connections. Enabled by default.

server-keepalive-timeout

Maximum wait for a new server-side request to appear. The default is 30 seconds. The valid range is 5-300.

server-protocol

Server-side transport protocol.

  • tcp
  • udp

Default is "unset", so the client-side protocol determines the server-side protocol.

sip-insert-client-ip

Enable/disable option to insert the client source IP address into the X-Forwarded-For header of the SIP request.

set type explicit_http

caching

The caching configuration object to apply.

client-address

Use the original client IP address as the source address when connecting to the pool.

client-timeout

The maximum inactivity time on the client side.

connect-timeout

The maximum time to wait for a connection attempt to a server to succeed.

decompression

The decompression configuration object to apply.

geoip-list

The Geo IP block list configuration object.

geoip-redirect

The URL to which Geo IP matches are redirected.

http-keepalive-timeout

The maximum allowed time to wait for a new HTTP request to appear.

http-request-timeout

The maximum allowed time to wait for a complete HTTP request.

http-send-timeout

The timeout (in seconds) for sending out all buffered HTTP data.

http-x-forwarded-for

Insert an X-Forwarded-For header into the request.

http-x-forwarded-for-header

Use a custom header name in place of X-Forwarded-For.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

max-http-headers

Maximum number of HTTP headers accepted in a request.

Note: If you raise this limit, parsing may still fail because of the buffer size limit (tune-bufsize).

queue-timeout

The maximum time to wait in the queue for a connection slot to be free.

response-half-closed-request

If enabled, FortiADC continues serving the request on a half-closed connection until the response completes.

server-timeout

The maximum inactivity time on the server side.

tune-bufsize

Specify the buffer size for a session when buffer-pool is enabled. Specify lower values to allow more sessions to coexist in the same amount of RAM, and higher values for traffic with larger HTTP body content. The default is 8,030 bytes. The valid range is 128 to 2,147,483,647.

Note:

The tune-bufsize factors into the total allowable size for an HTTP request. The default maximum length of an HTTP request is calculated as tune-bufsize <integer> - tune-maxrewrite <integer>.

For example, tune-bufsize 8030 - tune-maxrewrite 1024 = 7006 bytes is the maximum for the HTTP request.

tune-maxrewrite

Specify the buffer space reserved for content rewriting. The default is 1,024 bytes. The valid range is 128 to 2,147,483,647.

Note:

The tune-maxrewrite factors into the total allowable size for an HTTP request. The default maximum length of an HTTP request is calculated as tune-bufsize <integer> - tune-maxrewrite <integer>.

For example, tune-bufsize 8030 - tune-maxrewrite 1024 = 7006 bytes is the maximum for the HTTP request.
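As an added example (not FortiADC code) of the tune-bufsize/tune-maxrewrite note and the max-http-headers caveat, the following Python models the request-length check together with the header-count check; it assumes the limit applies to the request head (request line plus headers), and the sample request builder is constructed for the illustration:

```python
# Added illustration (not FortiADC code) of how tune-bufsize, tune-maxrewrite
# and max-http-headers interact. Assumption: the request-length limit is
# applied to the request head (request line plus headers, up to the blank line).

DEFAULT_TUNE_BUFSIZE = 8030      # page default
DEFAULT_TUNE_MAXREWRITE = 1024   # page default
DEFAULT_MAX_HTTP_HEADERS = 100   # LB_PROF_EXPLICIT_HTTP default from the page


def max_request_length(tune_bufsize=DEFAULT_TUNE_BUFSIZE,
                       tune_maxrewrite=DEFAULT_TUNE_MAXREWRITE):
    """Largest request head the buffer can hold once rewrite space is reserved."""
    if tune_maxrewrite >= tune_bufsize:
        raise ValueError("tune-maxrewrite must be smaller than tune-bufsize")
    return tune_bufsize - tune_maxrewrite   # defaults: 8030 - 1024 = 7006


def check_request_head(raw, tune_bufsize=DEFAULT_TUNE_BUFSIZE,
                       tune_maxrewrite=DEFAULT_TUNE_MAXREWRITE,
                       max_http_headers=DEFAULT_MAX_HTTP_HEADERS):
    """Classify a raw request: 'ok', 'incomplete', 'too-large' or 'too-many-headers'.

    The size check runs first: raising max-http-headers cannot rescue a
    request whose head no longer fits in tune-bufsize - tune-maxrewrite,
    which is the parse failure the note above warns about.
    """
    limit = max_request_length(tune_bufsize, tune_maxrewrite)
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        # Headers not finished yet; the buffer may already have overflowed.
        return "too-large" if len(raw) > limit else "incomplete"
    head = raw[:end + 4]
    if len(head) > limit:
        return "too-large"
    header_lines = head[:-4].split(b"\r\n")[1:]   # drop the request line
    if len(header_lines) > max_http_headers:
        return "too-many-headers"
    return "ok"


def build_request(n_headers, value_len=60):
    """Constructed sample request with n_headers headers (Host included)."""
    lines = [b"GET / HTTP/1.1", b"Host: example.test"]
    for i in range(n_headers - 1):
        lines.append(b"X-Sample-%d: %s" % (i, b"a" * value_len))
    return b"\r\n".join(lines) + b"\r\n\r\n"
```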

allowlist

The geography IP allowlist.

config client-request-header-erase

Configuration to erase headers from client requests. Table setting. Maximum 4 members.

type

  • all—Parse all headers for a match.
  • first—Parse the first header for a match.

string

Header to be erased.

config client-request-header-insert

Configuration to insert headers into client requests. Table setting. Maximum 4 members.

type

  • append-always—Append after the last header.
  • append-if-not-exist—Append only if the header is not present.
  • insert-always—Insert before the first header even if the header is already present.
  • insert-if-not-exist—Insert before the first header only if the header is not already present.

string

The header:value pair to be inserted.

config client-response-header-erase

Configuration to erase headers from client responses. Table setting. Maximum 4 members.

type

  • all
  • first

string

Header to be erased.

config client-response-header-insert

Configuration to insert headers into client responses. Table setting. Maximum 4 members.

type

  • append-always
  • append-if-not-exist
  • insert-always
  • insert-if-not-exist

string

The header:value pair to be inserted.

config server-request-header-erase

Configuration to erase headers from server requests. Table setting. Maximum 4 members.

type

  • all
  • first

string

Header to be erased.

config server-request-header-insert

Configuration to insert headers into server requests. Table setting. Maximum 4 members.

type

  • append-always
  • append-if-not-exist
  • insert-always
  • insert-if-not-exist

string

The header:value pair to be inserted.

config server-response-header-erase

Configuration to erase headers from server responses. Table setting. Maximum 4 members.

type

  • all
  • first

string

Header to be erased.

config server-response-header-insert

Configuration to insert headers into server responses. Table setting. Maximum 4 members.

type

  • append-always
  • append-if-not-exist
  • insert-always
  • insert-if-not-exist

string

The header:value pair to be inserted.
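The following Python is an added model, not FortiADC code, of the erase and insert rule types described in the header tables above, applied to constructed sample headers; case-insensitive header-name matching and the X-Forwarded-For addresses are assumptions made for the illustration:

```python
# Added model (not FortiADC code) of the header erase/insert rule semantics
# described above: erase type all|first, insert type append-always,
# append-if-not-exist, insert-always, insert-if-not-exist. Header names are
# matched case-insensitively, which is an assumption of this model.
from typing import List, Tuple

Header = Tuple[str, str]   # (name, value)


def parse_headers(raw: str) -> List[Header]:
    """Split 'Name: value' lines (CRLF or LF separated) into (name, value) pairs."""
    headers = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def erase_header(headers: List[Header], rule_type: str, name: str) -> List[Header]:
    """'all' removes every header with that name; 'first' removes only the
    first match, so later duplicates survive."""
    if rule_type not in ("all", "first"):
        raise ValueError("erase type must be all or first")
    out, removed = [], False
    for n, v in headers:
        if n.lower() == name.lower() and (rule_type == "all" or not removed):
            removed = True
            continue
        out.append((n, v))
    return out


def insert_header(headers: List[Header], rule_type: str, string: str) -> List[Header]:
    """string is the 'Name: value' pair to insert. append-* adds after the
    last header, insert-* adds before the first; the -if-not-exist variants
    do nothing when the header name is already present."""
    name, sep, value = string.partition(":")
    if not sep:
        raise ValueError("insert string must be a 'Name: value' pair")
    name, value = name.strip(), value.strip()
    present = any(n.lower() == name.lower() for n, _ in headers)
    if rule_type == "append-always":
        return list(headers) + [(name, value)]
    if rule_type == "append-if-not-exist":
        return list(headers) if present else list(headers) + [(name, value)]
    if rule_type == "insert-always":
        return [(name, value)] + list(headers)
    if rule_type == "insert-if-not-exist":
        return list(headers) if present else [(name, value)] + list(headers)
    raise ValueError("unknown insert type: " + rule_type)


def apply_rules(headers: List[Header], rules) -> List[Header]:
    """Apply ('erase'|'insert', type, string) rules in table order."""
    for op, rule_type, string in rules:
        if op == "erase":
            headers = erase_header(headers, rule_type, string)
        elif op == "insert":
            headers = insert_header(headers, rule_type, string)
        else:
            raise ValueError("unknown rule: " + op)
    return headers


# Constructed sample: a client that already sends its own X-Forwarded-For.
SAMPLE_REQUEST_HEADERS = (
    "Host: example.test\r\n"
    "X-Forwarded-For: 203.0.113.9\r\n"
    "Accept: */*\r\n"
)

# Rule pair that leaves the header carrying only the proxy-observed address:
# erase any client-supplied copies first, then add the trusted one. An
# *-if-not-exist insert alone would keep the client's value instead.
TRUSTED_XFF_RULES = [
    ("erase", "all", "X-Forwarded-For"),
    ("insert", "append-always", "X-Forwarded-For: 198.51.100.7"),
]
```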

set type diameter

origin-host

Sets the value of Diameter AVP 264 (Origin-Host). This AVP is a character string that identifies the host originating Diameter messages.

FortiADC rewrites the Origin-Host AVP in client requests with the configured value before forwarding them to the real server.

FortiADC rewrites the Origin-Host AVP in server responses with the configured value before forwarding them to the client.

Specify the identity in the following format: vs.realm

The host is a string unique to the client. The realm is the Diameter realm, specified by the origin-realm option (described below).

If origin-host is left empty, FortiADC does not change the Origin-Host value in client or server messages when it forwards them.

The default is an empty value.

origin-realm

Sets the value of Diameter AVP 296 (Origin-Realm). This AVP is a character string that specifies the Diameter realm from which Diameter messages, including requests, originate.

FortiADC rewrites the Origin-Realm AVP in client requests with the configured value before forwarding them to the real server.

FortiADC rewrites the Origin-Realm AVP in server responses with the configured value before forwarding them to the client.

If origin-realm is left empty, FortiADC does not change the Origin-Realm value in client or server messages when it forwards them.

The default is an empty value.

product-name

Sets the value of Diameter AVP 269 (Product-Name). This AVP is a character string that specifies the product; for example, "fortiadc".

FortiADC rewrites the Product-Name AVP in client requests with the configured value before forwarding them to the real server.

FortiADC rewrites the Product-Name AVP in server responses with the configured value before forwarding them to the client.

If product-name is left empty, FortiADC does not change the value of the origin-realm in client or server messages when it forwards them.

The default is an empty value.

vendor-id

Sets the value of Diameter AVP 266 (Vendor-Id). This AVP can be a character string and specifies the vendor; for example, "156".

FortiADC rewrites the Vendor-Id AVP in client requests with the configured value before forwarding them to the real server.

FortiADC rewrites the Vendor-Id AVP in server responses with the configured value before forwarding them to the client.

If vendor-id is set to 0, FortiADC does not change the Vendor-Id value in client or server messages when it forwards them.

The default is 0. The valid range is 0-4294967295.

idle-timeout

By default, requests that carry the same Session-Id AVP are dispatched to the same real server as long as the interval between them is shorter than idle-timeout.

The default is 300 seconds. The valid range is 1-86400.

When this parameter is set, FortiADC acts in proxy mode.

server-close-propagation

When server-close-propagation is enabled, if one of the servers resets the connection or sends a DPR (Disconnect-Peer-Request) to FortiADC, FortiADC closes the connections to the client and to the other servers at the same time.

When server-close-propagation is disabled, if one of the servers resets the connection or sends a DPR to FortiADC, FortiADC forwards the client's requests to the other servers.

Disabled by default.
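The Origin-Host, Origin-Realm, Product-Name and Vendor-Id rewriting described above, as an added Python model (not FortiADC code) using the RFC 6733 AVP encoding; the sample CER message and its placeholder host and realm names are constructed for the illustration:

```python
# Added model (not FortiADC code) of the origin-host / origin-realm /
# product-name / vendor-id rewriting described above, using the RFC 6733
# wire format. An AVP is rewritten only when its setting is non-empty
# (vendor-id: non-zero); otherwise the message passes through unchanged.
import struct

ORIGIN_HOST, VENDOR_ID, PRODUCT_NAME, ORIGIN_REALM = 264, 266, 269, 296
AVP_FLAG_VENDOR, AVP_FLAG_MANDATORY = 0x80, 0x40
HEADER_LEN = 20   # version(1) length(3) flags(1) command(3) app(4) hbh(4) e2e(4)


def _pad(length):
    return (-length) % 4


def build_avp(code, data, flags=AVP_FLAG_MANDATORY, vendor_id=None):
    """Encode one AVP: code(4) flags(1) length(3) [vendor(4)] data, padded to 4."""
    if vendor_id is not None:
        flags |= AVP_FLAG_VENDOR
        body = struct.pack("!I", vendor_id) + data
    else:
        flags &= ~AVP_FLAG_VENDOR & 0xFF
        body = data
    length = 8 + len(body)   # header plus data, padding excluded
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + body + b"\x00" * _pad(length))


def parse_avps(payload):
    """Return [(code, flags, vendor_id, data)], rejecting truncated or bad lengths."""
    avps, off = [], 0
    while off < len(payload):
        if len(payload) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", payload, off)
        length = int.from_bytes(payload[off + 5:off + 8], "big")
        hdr = 12 if flags & AVP_FLAG_VENDOR else 8
        if length < hdr or off + length > len(payload):
            raise ValueError("bad AVP length")
        vendor = struct.unpack_from("!I", payload, off + 8)[0] if hdr == 12 else None
        avps.append((code, flags, vendor, payload[off + hdr:off + length]))
        off += length + _pad(length)
    return avps


def build_message(command_code, application_id, hop_by_hop, end_to_end, avps,
                  command_flags=0x80):
    """Encode a Diameter message from (code, flags, vendor_id, data) tuples."""
    payload = b"".join(build_avp(c, d, f, v) for c, f, v, d in avps)
    return (b"\x01" + (HEADER_LEN + len(payload)).to_bytes(3, "big")
            + bytes([command_flags]) + command_code.to_bytes(3, "big")
            + struct.pack("!III", application_id, hop_by_hop, end_to_end) + payload)


def rewrite(message, origin_host="", origin_realm="", product_name="", vendor_id=0):
    """Apply the profile settings to one message and fix up all lengths."""
    if len(message) < HEADER_LEN or message[0] != 1:
        raise ValueError("not a Diameter v1 message")
    if int.from_bytes(message[1:4], "big") != len(message):
        raise ValueError("message length field does not match")
    replacements = {}
    if origin_host:
        replacements[ORIGIN_HOST] = origin_host.encode()
    if origin_realm:
        replacements[ORIGIN_REALM] = origin_realm.encode()
    if product_name:
        replacements[PRODUCT_NAME] = product_name.encode()
    if vendor_id:
        replacements[VENDOR_ID] = struct.pack("!I", vendor_id)
    rebuilt = []
    for code, flags, vendor, data in parse_avps(message[HEADER_LEN:]):
        if vendor is None and code in replacements:
            data = replacements[code]          # base-protocol AVP: substitute value
        rebuilt.append(build_avp(code, data, flags, vendor))
    payload = b"".join(rebuilt)
    return (b"\x01" + (HEADER_LEN + len(payload)).to_bytes(3, "big")
            + message[4:HEADER_LEN] + payload)


def avp_data(message, code):
    """Data of the first base-protocol AVP with this code, or None."""
    for c, _, vendor, data in parse_avps(message[HEADER_LEN:]):
        if c == code and vendor is None:
            return data
    return None


# Constructed sample: a Capabilities-Exchange-Request (command 257) as a
# client might send it, with placeholder host and realm values.
SAMPLE_CER = build_message(257, 0, 0x1234, 0x5678, [
    (ORIGIN_HOST, AVP_FLAG_MANDATORY, None, b"client.example"),
    (ORIGIN_REALM, AVP_FLAG_MANDATORY, None, b"example"),
    (VENDOR_ID, AVP_FLAG_MANDATORY, None, struct.pack("!I", 0)),
    (PRODUCT_NAME, 0, None, b"sample-client"),
])
```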

set type iso8583

timeout_tcp_session

Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400 seconds.

msg-encode-type

Specify the encoding type of the protocol message. The default is ASCII.

length-indicator-type

Specify the encoding type of the length indicator. The default is binary.

length-indicator-shift

Specify the number of bytes to skip from the beginning of the payload before reading the length value. The valid range is 0-32.

length-indicator-size

Specify the number of bytes to read to calculate the length. The valid range is 0-8.

opt-header-length

Specify the length of the optional header that precedes the MTI, including the length indicator. The valid range is 0-32.

opt-trailer-hex

Specify the optional trailer as a hex string of at most 16 hex digits (8 bytes).

geo-ip

Select a Geo IP block list configuration object.

allowlist

Select an allowlist configuration object.
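An added Python model (not FortiADC code) of how the length-indicator, optional-header and optional-trailer parameters above frame ISO 8583 messages on a TCP stream, including the incomplete and malformed cases; it assumes the length value counts the bytes after the optional header and excludes the trailer, and the sample messages are constructed:

```python
# Added model (not FortiADC code) of ISO 8583 message framing driven by the
# profile parameters above. Assumptions: the length indicator counts the bytes
# that follow the optional header (MTI onward) and excludes the trailer;
# length-indicator-type is "binary" (big-endian) or "ascii" (decimal digits);
# msg-encode-type "ascii" means a 4-character ASCII MTI.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Iso8583Profile:
    msg_encode_type: str = "ascii"          # page default
    length_indicator_type: str = "binary"   # page default
    length_indicator_shift: int = 0         # LB_PROF_ISO8583 default
    length_indicator_size: int = 2          # LB_PROF_ISO8583 default
    opt_header_length: int = 2              # LB_PROF_ISO8583 default, includes the indicator
    opt_trailer_hex: str = ""               # LB_PROF_ISO8583 default (none)

    def __post_init__(self):
        if not 0 <= self.length_indicator_shift <= 32 or not 0 <= self.length_indicator_size <= 8:
            raise ValueError("shift must be 0-32 and size 0-8")
        if self.length_indicator_shift + self.length_indicator_size > self.opt_header_length:
            raise ValueError("length indicator does not fit inside the optional header")
        if len(self.opt_trailer_hex) > 16:
            raise ValueError("opt-trailer-hex is at most 16 hex digits")

    @property
    def trailer(self) -> bytes:
        return bytes.fromhex(self.opt_trailer_hex)


def read_length(header: bytes, p: Iso8583Profile) -> int:
    start = p.length_indicator_shift
    field = header[start:start + p.length_indicator_size]
    if p.length_indicator_type == "binary":
        return int.from_bytes(field, "big")
    if p.length_indicator_type == "ascii":
        if not field.isdigit():
            raise ValueError("non-numeric ASCII length indicator")
        return int(field)
    raise ValueError("unsupported length-indicator-type: " + p.length_indicator_type)


def decode_mti(body: bytes, p: Iso8583Profile) -> str:
    if p.msg_encode_type != "ascii":
        raise ValueError("only the ascii msg-encode-type is modelled here")
    mti = body[:4]
    if len(mti) != 4 or not mti.isdigit():
        raise ValueError("MTI is not four ASCII digits")
    return mti.decode("ascii")


def next_frame(buf: bytes, p: Iso8583Profile) -> Tuple[Optional[dict], bytes]:
    """Return (frame, remaining). frame is None while the buffer is incomplete;
    a malformed frame raises instead of silently resynchronising."""
    if len(buf) < p.opt_header_length:
        return None, buf
    body_len = read_length(buf[:p.opt_header_length], p)
    if body_len < 4:
        raise ValueError("length indicator shorter than an MTI")
    total = p.opt_header_length + body_len + len(p.trailer)
    if len(buf) < total:
        return None, buf
    frame = buf[:total]
    if p.trailer and not frame.endswith(p.trailer):
        raise ValueError("optional trailer mismatch")
    body = frame[p.opt_header_length:total - len(p.trailer)]
    return {"mti": decode_mti(body, p), "body": body,
            "header": frame[:p.opt_header_length]}, buf[total:]


def split_stream(buf: bytes, p: Iso8583Profile) -> Tuple[List[dict], bytes]:
    """Extract every complete frame from a TCP byte stream; return leftover bytes."""
    frames = []
    while True:
        frame, buf = next_frame(buf, p)
        if frame is None:
            return frames, buf
        frames.append(frame)


def is_malformed(buf: bytes, p: Iso8583Profile) -> bool:
    """True when the stream cannot be parsed under the profile."""
    try:
        split_stream(buf, p)
        return False
    except ValueError:
        return True


def encode_frame(body: bytes, p: Iso8583Profile) -> bytes:
    """Constructed-sample helper: wrap a body in the profile's framing."""
    if p.length_indicator_type == "binary":
        field = len(body).to_bytes(p.length_indicator_size, "big")
    else:
        field = str(len(body)).zfill(p.length_indicator_size).encode("ascii")
    header = bytearray(p.opt_header_length)
    header[p.length_indicator_shift:p.length_indicator_shift + p.length_indicator_size] = field
    return bytes(header) + body + p.trailer
```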

set type mssql

client-timeout

This timeout counts the time after the client connects to FortiADC during which the client has not sent a complete HTTP request header. If it expires, FortiADC sends a 408 message to the client and closes the client connection. The default is 50 seconds. The valid range is 1 to 86,400 seconds.

server-age

Specify the maximum inactivity time for MS SQL server on the server side. The default is 600 seconds. The valid range is 1 to 86,400 seconds.

server-max-size

Specify the maximum connections that can connect to the MS SQL server on the server side. The default is 10,000. The valid range is 1 to 30,000.

geo-ip

Select a Geo IP block list configuration object.

allowlist

Select an allowlist configuration object.

set type smtp

client-address

Enable/disable to use the original client IP address as the source address when connecting to the real server.

Note: When using a NAT source pool for an SMTP virtual server, make sure Client Address is disabled in the SMTP application profile. With Client Address enabled, FortiADC uses the original client IP address as the source address when connecting to the real server, which cannot be combined with a NAT source pool.

starttls-active-mode

Select one of the following:

  • allow—The client can either use or not use the STARTTLS command.

  • require—The STARTTLS command must be used to encrypt the connection first.

  • none—The STARTTLS command is NOT supported.

disable-command-status

Enable/disable rejection of the command(s) selected in disable-command (Forbidden Command).

disable-command

Select any, all, or none of the commands expn, turn, and vrfy. Selected commands are rejected by FortiADC; unselected commands are accepted and forwarded to the back end.

geo-ip

Select a Geo IP block list configuration object.

allowlist

Select an allowlist configuration object.

domain-name

Specify the domain name.

set type mysql

Note: The system does not provide default MySQL profiles as it does for the other protocols.

mysql-mode

Select either of the following MySQL modes:

  • single-primary—The profile uses single-primary mode. You then need to specify and configure the primary server and secondary servers.

  • sharding—The profile uses sharding mode to load-balance MySQL traffic.

set type l7-tcp

timeout_tcp_session

Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Select a Geo IP block list configuration object.

allowlist

Select an allowlist configuration object.

set type l7-udp

timeout_udp_session

Client-side session timeout. The default is 100 seconds. The valid range is 1 to 86,400.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Select a Geo IP block list configuration object.

allowlist

Select an allowlist configuration object.

Example

The following example shows the list of predefined profiles:

FortiADC-VM # get load-balance profile

== [ LB_PROF_TCP ]

== [ LB_PROF_UDP ]

== [ LB_PROF_HTTP ]

== [ LB_PROF_TURBOHTTP ]

== [ LB_PROF_FTP ]

== [ LB_PROF_RADIUS ]

== [ LB_PROF_SIP ]

== [ LB_PROF_TCPS ]

== [ LB_PROF_HTTPS ]

== [ LB_PROF_HTTP2_H2C]

== [ LB_PROF_HTTP2_H2 ]

== [ LB_PROF_SMTP ]

== [ LB_PROF_RTSP ]

== [ LB_PROF_RTMP ]

== [ LB_PROF_DIAMETER ]

== [ LB_PROF_IP ]

== [ LB_PROF_RDP ]

== [ LB_PROF_HTTP_SERVERCLOSE ]

== [ LB_PROF_HTTPS-SERVERCLOSE ]

== [ LB_PROF_DNS ]

The following example shows the details of the predefined HTTPS profile:

FortiADC-VM (profile) # get load-balance profile LB_PROF_HTTPS

type : https

tune-bufsize : 8030

tune-maxrewrite : 1024

client-timeout : 50

server-timeout : 50

connect-timeout : 5

queue-timeout : 5

http-request-timeout : 50

http-keepalive-timeout : 50

buffer-pool : enable

client-address : disable

http-x-forwarded-for : disable

http-x-forwarded-for-header :

http-mode : ServerClose

compression :

caching :

ip-reputation : disable

geoip-list :

allowlist :

geoip-redirect : http://

The following example creates a user-defined SIP profile:

FortiADC-VM # config load-balance profile

FortiADC-VM (profile) # edit sip-profile

Add new entry 'sip-profile' for node 1643

FortiADC-VM (sip-profile) # set type sip

FortiADC-VM (sip-profile) # get

type : sip

max-size : 65535

server-keepalive-timeout : 30

server-keepalive : enable

client-keepalive : disable

client-protocol : udp

server-protocol :

sip-insert-client-ip : disable

failed-client : drop

failed-server : drop

FortiADC-VM (sip-profile) # set timeout 120

FortiADC-VM (sip-profile) # set max-size 2048

FortiADC-VM (sip-profile) # set server-keepalive-timeout 180

FortiADC-VM (sip-profile) # set failed-server send

FortiADC-VM (sip-profile) # set fail-server-str "404 Not Found"

FortiADC-VM (sip-profile) # config ?

client-request-header-erase erase header from client request

client-request-header-insert insert header into client request

client-response-header-erase erase header from client response

client-response-header-insert insert header into client response

server-request-header-erase erase header from server request

server-request-header-insert insert header into server request

server-response-header-erase erase header from server response

server-response-header-insert insert header into server response

FortiADC-VM (sip-profile) # config client-request-header-insert

FortiADC-VM (client-request~h) # edit 1

Add new entry '1' for node 4554

FortiADC-VM (1) # set type insert-if-not-exist

FortiADC-VM (1) # set string "Via: SIP/2.0/UDP 1.1.1.100:5060"

FortiADC-VM (1) # end

FortiADC-VM (sip-profile) # end

FortiADC-VM #

The following example creates a DNS profile:

config load-balance profile

edit "dns"

set type dns

set malform-query-action drop

set redirect-to-tcp-port disable

set caching enable

set max-query-length 512

set max-cache-age 3600

set max-cache-entry-size 512

set max-cache-size 10

next

end

config load-balance virtual-server

edit "vs1"

set load-balance-profile dns

next

end

The following example creates an IP profile:

config load-balance profile

edit "ip"

set type ip

set timeout-ip-session 100

next

end

config load-balance virtual-server

edit "vs2"

set type l2-load-balance

set protocol-numbers 0 1

set load-balance-profile ip

next

end

The following example creates a MySQL profile:

config system health-check

edit mysql

set type mysql

set user root

set password fortinet

set port 3306

next

end

config load-balance real-server

edit "rs1"

set ip 192.168.1.1

next

end

config load-balance pool

edit "pool_mysql"

set health-check-ctrl enable

set health-check-list icmp

set real-server-ssl-profile NONE

config pool_member

edit 1

set pool_member_cookie rs1

set real-server rs1

next

end

next

end

config load-balance virtual-server

edit "mysql"

set type l7-load-balance

set interface port2

set ip 10.1.1.1

set port 3306

set load-balance-profile mysql

set load-balance-method LB_METHOD_ROUND_ROBIN

set load-balance-pool pool_mysql

next

end

The following example creates an RTSP profile:

config load-balance profile

edit "RTSP"

set type rtsp

set max-header-size 2048

set client-address enable

next

end

The following example creates an RTMP profile:

config load-balance profile

edit "RTMP"

set type rtmp

set client-address enable

next

end

config load-balance profile

The Application Profile Usage table describes the usage by application profile type, including the compatible virtual server types, load-balancing methods, persistence methods, and content routing types.

Application Profile Usage

Profile Usage VS Type LB Methods Persistence

FTP

Use with FTP servers.

Layer 7, Layer 4

Layer 7: Round Robin, Least Connections

Layer 4: Same as Layer 7, plus Fastest Response, Dynamic Load

Layer 7: Source Address, Source Address Hash

Layer 4: Same as Layer 7, plus Source Address-Port Hash

HTTP

Use for standard, unsecured web server traffic.

Layer 7, Layer 2

Layer 7: Round Robin, Least Connections, URI Hash, Full URI Hash, Host Hash, Host Domain Hash, Dynamic Load

Layer 2: Same as Layer 7, plus Destination IP Hash

Source Address, Source Address Hash, Source Address-Port Hash, HTTP Header Hash, HTTP Request Hash, Cookie Hash, Persistent Cookie, Insert Cookie, Embedded Cookie, Rewrite Cookie, Passive Cookie

HTTPS

Use for secured web server traffic when offloading TLS/SSL from the backend servers. You must import the backend server certificates into FortiADC and select them in the HTTPS profile.

Layer 7, Layer 2

Same as HTTP

Same as HTTP, plus SSL Session ID

TURBO HTTP

Use for unsecured HTTP traffic that does not require advanced features like caching, compression, content rewriting, rate limiting, Geo IP blocking, or source NAT. The profile can be used with content routes and destination NAT, but the HTTP request must be in the first data packet.

This profile enables packet-based forwarding that reduces network latency and system CPU usage. However, packet-based forwarding for HTTP is advisable only when you do not anticipate dropped packets or out-of-order packets.

Layer 7

Round Robin, Least Connections, Fastest Response

Source Address

RADIUS

Use with RADIUS servers.

Layer 7

Round Robin

RADIUS attribute

RDP

Use with Windows Terminal Services (Remote Desktop Protocol).

Layer 7

Round Robin, Least Connections

Source Address, Source Address Hash, Source Address-Port Hash, RDP Cookie

SIP

Use with applications that use session initiation protocol (SIP), such as VoIP, instant messaging, and video.

Layer 7

Round Robin, URI Hash, Full URI Hash

Source Address, Source Address Hash, Source Address-Port Hash, SIP Call ID

TCP

Use for other TCP protocols.

Layer 4, Layer 2

Layer 4: Round Robin, Least Connections, Fastest Response, Dynamic Load

Layer 2: Round Robin, Least Connections, Fastest Response, Destination IP Hash, Dynamic Load

Source Address, Source Address Hash, Source Address-Port Hash

TCPS

Use for secured TCP when offloading TLS/SSL from the backend servers. Like the HTTPS profile, you must import the backend server certificates into FortiADC and select them in the TCPS profile.

Layer 7, Layer 2

Layer 7: Round Robin, Least Connections, Dynamic Load

Layer 2: Round Robin, Least Connections, Destination IP Hash, Dynamic Load

Source Address, Source Address Hash, Source Address-Port Hash, SSL Session ID

UDP

Use with UDP servers.

Layer 4, Layer 2

Layer 4: Round Robin, Least Connections, Fastest Response, Dynamic Load

Layer 2: Same as Layer 4, plus Destination IP Hash

Source Address, Source Address Hash, Source Address-Port Hash

IP

Combines with a Layer 2 TCP/UDP/HTTP virtual server to balance the remaining IP packets passing through FortiADC. When an IP protocol 0 virtual server is running, traffic is always matched against the non-protocol-0 virtual servers first.

Layer 2

Round Robin, Dynamic Load

Source Address, Source Address Hash, Source Address-Port Hash

DNS

Use with DNS servers.

Layer 7

Round Robin, Least Connections

Not supported yet.

SMTP

Use with SMTP servers.

Layer 7

Round Robin, Least Connections

Source Address, Source Address Hash

RTMP

A TCP-based protocol used for streaming audio, video, and data over the Internet.

Layer 7

Round Robin, Least Connections

Source Address, Source Address Hash

ISO8583

Use with ISO8583 servers

Layer 7

Round Robin

N/A

RTSP

A network control protocol used for establishing and controlling media sessions between end points.

Layer 7

Round Robin, Least Connections

Source Address, Source Address Hash

MySQL

MySQL network protocol stack (i.e., MySQL-Proxy), which parses and builds MySQL protocol packets.

Layer 7

Round Robin, Least Connections

N/A

DIAMETER

A successor to RADIUS, DIAMETER is the next-generation Authentication, Authorization and Accounting (AAA) protocol widely used in IMS and LTE.

Layer 7

Round Robin

Source Address

DIAMETER Session ID (default)

MSSQL

MSSQL network protocol stack, which parses and builds MSSQL protocol packets.

Layer 7

Least Connections

N/A

EXPLICIT_HTTP

A simple explicit/forward HTTP proxy mode.

In this mode, you do not need to add a backend real server pool. The destination IP address of the downstream connection is taken from the URL or Host field of the client request.

Layer 7

N/A

N/A

L7 TCP

Use for other TCP protocols.

Layer 7

Layer 7: Round Robin, Least Connections

Source Address, Source Address Hash

L7 UDP

Use with UDP servers.

Layer 7

Layer 7: Round Robin, Least Connections

Source Address, Source Address Hash

The Predefined Profiles table lists the default values of each predefined profile. All values in the predefined profiles are view-only, and cannot be modified. You can select predefined profiles in the virtual server configuration, or you can create user-defined profiles to include configuration objects such as certificates, caching settings, compression options, and IP reputation.

Predefined Profiles

Profile Defaults

LB_PROF_DIAMETER

Origin Host—Blank

Origin Realm—Blank

Vendor ID—0

Product Name—Blank

Idle Timeout—300 (seconds) (Note: This refers to the built-in session ID persistence timeout.)

Server Close Propagation—OFF (Note: This means that the connection on the client side stays open when the server closes any connection on its side.)

Client SSL—Off

LB_PROF_TCP

Timeout TCP Session—100

Timeout TCP Session after FIN—100

IP Reputation—Disabled

Geo IP block list—None

Geo IP Allowlist—None

LB_PROF_UDP

Timeout UDP Session—100

IP Reputation—Disabled

Stateless—Disabled

Geo IP block list—None

Geo IP Allowlist—None

LB_PROF_HTTP

Client Timeout—50

Server Timeout—50

Connect Timeout—5

Queue Timeout—5

HTTP Request Timeout—50

HTTP Keepalive Timeout—50

Client Address—Disabled

X-Forwarded-For—Disabled

X-Forwarded-For Header—Blank

IP Reputation—Disabled

HTTP Mode—Keep Alive

Compression—None.

Decompression—None

Caching—None

Geo IP Block List—None

Geo IP Allowlist—None

Geo IP Redirect URL—http://

HTTP Send Timeout—5

HTTP2—None

LB_PROF_HTTP_SERVERCLOSE

Client Timeout—50

Server Timeout—50

Connect Timeout—5

Queue Timeout—5

HTTP Request Timeout—50

HTTP Keepalive Timeout—50

Buffer Pool—Enabled

Client Address—Disabled

X-Forwarded-For—Disabled

X-Forwarded-For Header—None

IP Reputation—Disabled

HTTP Mode—Server Close

Customized SSL Ciphers Flag—Disabled

Compression—None

Decompression—None

Caching—None

Geo IP Block List—None

Geo IP Allowlist—None

Geo IP Redirect URL—http://

HTTP Send Timeout—0

HTTP2—None

LB_PROF_TURBOHTTP

Timeout TCP Session—100

Timeout TCP Session after FIN—100

IP Reputation—Disabled

Geo IP Block List—None

Geo IP Allowlist—None

LB_PROF_FTP

Timeout TCP Session—100

Timeout TCP Session after FIN—100

IP Reputation—Disabled

Geo IP Block List—None

Geo IP Allowlist—None

Client Address—Off

Security Mode—None

LB_PROF_RADIUS

Client Address—Off

Source Port—Off

Dynamic Auth—Disable

RADIUS Session—300

Geo IP Block List—None

Geo IP Allowlist—None

LB_PROF_SIP

SIP Max Size—65535

Server Keepalive Timeout—30

Server Keepalive—Enabled

Client Keepalive—Disabled

Client Protocol—UDP

Server Protocol—None

Failed Client Type—Drop

Failed Server Type—Drop

Insert Client IP—Disabled

Geo IP Block List—None

Geo IP Allowlist—None

Client Address—Off

Media Address—0.0.0.0

LB_PROF_RDP

Client Timeout—50

Server Timeout—50

Connect Timeout—5

Queue Timeout—5

Source Address—Disabled

IP Reputation—Disabled

Geo IP Block List—None

Geo IP Allowlist—None

LB_PROF_IP

IP Reputation—Disabled

Geo IP Block List—None

Geo IP Allowlist—None

Timeout IP Session—100

LB_PROF_DNS

Client Address—Off

DNS Cache Flag—Enabled

DNS Cache Ageout Time—3600

DNS Cache Size—10

DNS Cache Entry Size—512

DNS Cache Response Type—All Records

DNS Malform Query Action—Drop

DNS Max Query Length—512

DNS Authentication Flag—Disabled

LB_PROF_TCPS

Client Timeout—50

Server Timeout—50

Connect Timeout—5

Queue Timeout—5

Client Address—Disabled

IP Reputation—Disabled

Geo IP block list—None

LB_PROF_HTTPS

Client Timeout—50

Server Timeout—50

Connect Timeout—5

Queue Timeout—5

HTTP Request Timeout—50

HTTP Keepalive Timeout—50

Client Address—Disabled

X-Forwarded-For—Disabled

X-Forwarded-For Header—None

IP Reputation—Disabled

HTTP Mode—Keep Alive

SSL Proxy Mode—Disabled

Compression—None

Decompression—None

Caching—None

Geo IP Block List—None

Geo IP Allowlist—None

Geo IP Redirect URL—http://

HTTP Send Timeout—0

HTTP2—None

LB_PROF_HTTPS_SERVERCLOSE

Client Timeout—50

Server Timeout—50

Connect Timeout—5

Queue Timeout—5

HTTP Request Timeout—50

HTTP Keepalive Timeout—50

Client Address—Disabled

X-Forwarded-For—Disabled

X-Forwarded-For Header—None

IP Reputation—Disabled

HTTP Mode—Server Close

Compression—None

Decompression—None

Caching—None

Geo IP Block List—None

Geo IP Allowlist—None

Geo IP Redirect URL—http://

HTTP Send Timeout—0

HTTP2—None

LB_PROF_SMTP

Starttls Active Mode—require

Forbidden Command—expn, turn, vrfy

Local Certificate Group—LOCAL_CERT_GROUP

Client Address—Disable

Forbidden Command Status—Enable

Domain Name—default.com

Geo IP Block List—None

Geo IP Allowlist—None

LB_PROF_RTSP

Max Header Size—Default is 4096. Valid values range from 2048 to 65536.

Client Address—Disabled by default. When enabled, FortiADC will use the client address to connect to the server pool.

LB_PROF_RTMP

Client Address—Disabled by default. When enabled, FortiADC will use the client address to connect to the server pool.

LB_PROF_HTTP2_H2

Client Timeout—50

Server Timeout—50

Connect Timeout—5

Queue Timeout—5

HTTP Send Timeout—0

HTTP Request Timeout—50

HTTP Keepalive Timeout—50

Client Address—Disabled

X-Forwarded-For—Disabled

IP Reputation—Disabled

HTTP Mode—Keep Alive

Compression—None

Decompression—None

HTTP2—LB_HTTP2_PROFILE_DEFAULT

Caching—None

Geo IP Block List—None

Geo IP Allowlist—None

Geo IP Redirect URL—http://

Tune Buffer Size—17418

Max HTTP Headers—200

Response Half Closed Connection—Disabled

LB_PROF_HTTP2_H2C

Client Timeout—50

Server Timeout—50

Connect Timeout—5

Queue Timeout—5

HTTP Send Timeout—0

HTTP Request Timeout—50

HTTP Keepalive Timeout—50

Client Address—Disabled

X-Forwarded-For—Disabled

IP Reputation—Disabled

HTTP Mode—Keep Alive

Compression—None

Decompression—None

HTTP2—LB_HTTP2_PROFILE_DEFAULT

Caching—None

Geo IP Block List—None

Geo IP Allowlist—None

Geo IP Redirect URL—http://

Tune Buffer Size—17418

Max HTTP Headers—200

Response Half Closed Connection—Disabled

LB_PROF_HTTP3

Client Timeout—50

Server Timeout—50

Connect Timeout—5

Queue Timeout—5

HTTP Request Timeout—50

HTTP Keepalive Timeout—50

X-Forwarded-For—Disabled

HTTP Mode—Keep Alive

HTTP3—LB_HTTP3_PROFILE_DEFAULT

Tune Buffer Size—32768

Max HTTP Headers—200

LB_PROF_ISO8583

Timeout TCP Session—100

Message Encode Type—ASCII

Length Indicator Type—binary

Length Indicator Shift—0

Length Indicator Size—2

Optional Header Length—2

Optional Trailer Hex—None

Geo IP Block List—None

Geo IP Allowlist—None

LB_PROF_EXPLICIT_HTTP

Client Timeout—50

Server Timeout—50

Connect Timeout—50

Queue Timeout—50

HTTP Send Timeout—0

HTTP Request Timeout—50

HTTP Keepalive Timeout—50

Client Address—Disabled

X-Forwarded-For—Disabled

X-Forwarded-For Header—None

IP Reputation—Disabled

HTTP Mode—Keep Alive

Decompression—None

Geo IP Block List—None

Geo IP Allowlist—None

Geo IP Redirect URL—http://

Tune Buffer Size—8030

Max HTTP Headers—100

Response Half Closed Connection—Disabled

LB_PROF_L7_TCP

Timeout TCP Session—100

IP Reputation—Disabled

Geo IP Block List—None

Geo IP Allowlist—None

Before you begin:
  • You must have already created configuration objects for certificates, caching, and compression if you want the profile to use them.
  • You must have read-write permission for load balance settings.

Syntax

config load-balance profile

edit <name>

set type {diameter | dns | explicit_http | ftp | http | turbohttp | https | ip | iso8583 | l7-tcp | l7-udp | mssql | mysql | radius | rdp | rtmp | rtsp | sip | smtp | tcp | tcps | udp}

set timeout_tcp_session <integer>

set timeout_tcp_session_after_FIN <integer>

set timeout_send_rst {enable|disable}

set timeout-radius-session <integer>

set timeout_udp_session <integer>

set buffer-pool {enable|disable}

set caching <datasource>

set cache-response-type {single-answer | round-robin}

set client-address {enable|disable}

set client-timeout <integer>

set compression <datasource>

set connect-timeout <integer>

set http-keepalive-timeout <integer>

set http-mode {KeepAlive|OnceOnly|ServerClose}

set http-request-timeout <integer>

set http-x-forwarded-for {enable|disable}

set http-x-forwarded-for-header <string>

set queue-timeout <integer>

set server-timeout <integer>

set tune-bufsize <integer>

set tune-maxrewrite <integer>

set ip-reputation {enable|disable}

set geoip-list <datasource>

set allowlist <datasource>

set security-mode {none|explicit|implicit}

set geoip-redirect <string>

set client-keepalive {enable|disable}

set client-protocol {tcp|udp}

set failed-client {drop|send}

set failed-client-str <string>

set failed-server {drop|send}

set failed-server-str <string>

set max-size <integer>

set server-keepalive {enable|disable}

set server-keepalive-timeout <integer>

set server-protocol {tcp|udp}

set sip-insert-client-ip {enable|disable}

set media-addr <ip address>

set dynamic-auth {enable|disable}

set dynamic-auth-port <integer>

config client-request-header-erase

edit <No.>

set type {all|first}

set string <string>

next

end

config client-request-header-insert

edit <No.>

set type {append-always | append-if-not-exist | insert-always | insert-if-not-exist}

set string <string>

next

end

config client-response-header-erase

edit <No.>

set type {all|first}

set string <string>

next

end

config client-response-header-insert

edit <No.>

set type {append-always | append-if-not-exist | insert-always | insert-if-not-exist}

set string <string>

next

end

config server-request-header-erase

edit <No.>

set type {all|first}

set string <string>

next

end

config server-request-header-insert

edit <No.>

set type {append-always | append-if-not-exist | insert-always | insert-if-not-exist}

set string <string>

next

end

config server-response-header-erase

edit <No.>

set type {all|first}

set string <string>

next

end

config server-response-header-insert

edit <No.>

set type {append-always | append-if-not-exist | insert-always | insert-if-not-exist}

set string <string>

next

end

next

end

The following commands show the settings of a DNS-type profile and how to apply a DNS profile (here the predefined "LB_PROF_DNS") to a Layer 7 virtual server.

config load-balance profile

edit "dns"

set type dns

set cache-response-type {single-answer | round-robin}

set caching {enable|disable}

set client-address {enable|disable}

set malform-query-action {drop|forward}

set max-cache-age <integer>

set max-cache-entry-size <integer>

set max-cache-size <integer>

set max-query-length <integer>

set redirect-to-tcp-port {enable|disable}

next

end

config load-balance virtual-server

edit "vs1"

set load-balance-profile LB_PROF_DNS

next

end

The following commands show the settings of an IP-type profile and how to apply an IP profile (here the predefined "LB_PROF_IP") to a Layer 2 virtual server. When a Layer 2 virtual server uses an IP-type profile, you must specify the protocol numbers the virtual server accepts.

config load-balance profile

edit "ip"

set type ip

set timeout-ip-session <integer>

set ip-reputation {enable|disable}

set geoip-list <string>

set allowlist <string>

next

end

config load-balance virtual-server

edit "LB_PROF_IP"

set type l2-load-balance

set load-balance-profile LB_PROF_IP

set protocol-numbers <value>    (a single protocol number "A" or a protocol range "A-B")

next

end

The following commands are used to configure MySQL load-balancing:

config load-balance profile

edit "mysql"

set type mysql

set mysql-mode {single-primary|sharding}

next

end

The following commands are used to create a new MySQL profile (basic configuration):

config load-balance profile

edit <name>

config mysql-user-password

edit <id>

set username <username>

set password <password>

next

end

next

end

The following commands are used to configure a MySQL profile in basic single-primary mode:

config load-balance profile

edit <name>

config mysql-rule

edit <rule id>

set type {primary|secondary}

set database <database name> <database name> ...

set user <user name> <user name> ...

set table <table name> <table name> ...

set client-ip <client ip> <client ip> ...

set sql <sql statement> <sql statement> ...

next

end

next

end

The following commands are used to configure a MySQL profile in data-sharding mode:

config load-balance profile

edit <name>

set mysql-mode sharding

config mysql-sharding

edit <id>

set type range

set table <table name>

set key <column name>

set group <group id>:<range> <group id>:<range> ... # for example: set group 0:0-999 1:1000-9999

next

edit <id>

set type hash

set database <database name>

set table <table name>

set key <column name>

set group <group id> <group id>

next

end

next

end

The following commands are used to configure MySQL profile-specific pool members:

config load-balance pool

edit <pool name>

config pool_member

edit 1

set mysql-group-id <group id> #for Data Sharding

set mysql-read-only enable #for secondary

next

end

next

end

The following commands are used to create an RTSP profile:

config load-balance profile

edit "RTSP"

set type rtsp

set max-header-size <size>

set client-address <enable/disable>

next

end

The following commands are used to configure an RTMP profile:

config load-balance profile

edit "RTMP"

set type rtmp

set client-address <enable/disable>

next

end

The following commands are used to configure a Diameter profile in proxy mode:

config load-balance profile

edit "diameter_proxy"

set type diameter

set origin-host <string>

set origin-realm <string>

set client-ssl {enable|disable}

set vendor-id <integer>

set product-name <string>

set idle-timeout <integer>

set server-close-propagation <enable/disable>

next

end

The following commands are used to configure a Diameter profile in relay mode:

config load-balance profile

edit "diameter_relay"

set type diameter

set idle-timeout <integer>

set server-close-propagation <enable/disable>

next

end

The following commands are used to configure an explicit HTTP profile:

config load-balance profile

edit <name>

set type explicit_http

set caching <string>

set client-address {enable|disable}

set client-timeout <integer>

set connect-timeout <integer>

set decompression <string>

set geoip-list <string>

set geoip-redirect <string>

set http-keepalive-timeout <integer>

set http-request-timeout <integer>

set http-send-timeout <integer>

set http-x-forwarded-for {enable|disable}

set http-x-forwarded-for-header <string>

set ip-reputation {enable|disable}

set max-http-headers <integer>

set queue-timeout <integer>

set response-half-closed-request {enable|disable}

set server-timeout <integer>

set tune-bufsize <integer>

set tune-maxrewrite <integer>

set allowlist <string>

next

end

type

Specify the profile type. After you have specified the type, the CLI commands are constrained to the ones that are applicable to the specified type, not all of the settings described in this table.

set type tcp

timeout_tcp_session

Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400.

timeout_tcp_session_after_FIN

Client-side connection timeout for connections after the client has sent a FIN. The default is 100 seconds. The valid range is 1 to 86,400.

timeout_send_rst

Enable to send TCP RST to the client and real server when the TCP session expires. This is disabled by default.

Note: This function is supported for both IPv4 and IPv6 in L4 and L2 virtual servers. For L4 virtual servers, timeout_send_rst is supported for DNAT/FullNAT/NAT46/NAT64 packet forwarding methods.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Select a Geo IP block list configuration object.

allowlist

Select an allowlist configuration object.

set type ip

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Select a Geo IP block list configuration object.

allowlist

Select an allowlist configuration object.

timeout-ip-session

Client-side session timeout. The default is 100 seconds. The valid range is 1 to 86,400.

set type dns

client-address

Enable/disable to use the original client IP address as the source address when connecting to the real server.

caching

Enable/disable the cache for the DNS virtual server.

max-cache-age

Specify the cache age-out time (in seconds). The default is 3,600. The valid range is 0 to 65,535.

max-cache-size

Specify the maximum cache size (in Megabytes). The default is 10. The valid range is 1 to 100.

max-cache-entry-size

Specify the maximum cache entry size. The default is 512. The valid range is 256 to 4,096.

cache-response-type

Select either of the following cache response types:

  • single-answer

  • round-robin

malform-query-action

Select either of the following reactions for the malformed requests:

  • drop

  • forward

max-query-length

Specify the maximum query length. The default is 512. The valid range is 256 to 4,096.

redirect-to-tcp-port

Enable/disable validating the client by redirecting its UDP query to TCP. Because a TCP query requires a completed handshake, this defeats queries sent from spoofed source addresses.
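
What redirect-to-tcp-port does on the wire, as an added example in Python (not FortiADC code). It assumes the redirect is done the standard way: the UDP query is answered with an empty response that has the TC (truncated) bit set, so a genuine resolver retries over TCP, where the three-way handshake proves the source address, while a flood from spoofed sources gets only a short reply and no TCP session. The function names and the sample query are constructed; the max-query-length check and the malform-query-action handling are modelled on the descriptions above.

```python
import struct

QR, TC, RD = 0x8000, 0x0200, 0x0100   # DNS header flag bits (RFC 1035 section 4.1.1)
OPCODE_MASK = 0x7800

def build_query(qname, qtype=1, txid=0x1234):
    """Construct a minimal recursive query (type A by default); sample input, not captured traffic."""
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (txid, flags, qname, question_bytes); raise ValueError for anything that is
    not a well-formed single-question query."""
    if len(msg) < 12:
        raise ValueError("short header")
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & QR or qdcount != 1:
        raise ValueError("not a single-question query")
    off, labels = 12, []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n > 63 or off + n > len(msg):   # also rejects 0xC0 compression pointers
            raise ValueError("bad label")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    return txid, flags, ".".join(labels), msg[12:off + 4]

def handle_udp_query(msg, max_query_length=512, malform_query_action="drop", redirect_to_tcp=True):
    """Emulate the profile's decisions for one UDP query.

    Returns ("drop", None), ("forward", msg) or ("reply", response), where the
    response is an empty answer with TC set that makes the resolver retry over TCP.
    """
    if len(msg) > max_query_length:
        return ("drop", None)
    try:
        txid, flags, _qname, question = parse_question(msg)
    except ValueError:
        return ("drop", None) if malform_query_action == "drop" else ("forward", msg)
    if not redirect_to_tcp:
        return ("forward", msg)
    resp_flags = QR | TC | (flags & (OPCODE_MASK | RD))   # echo opcode and RD, set QR and TC
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0)
    return ("reply", header + question)                   # no answer records: nothing to amplify

def is_truncated(resp):
    """True when a DNS message carries the TC bit."""
    return bool(struct.unpack("!H", resp[2:4])[0] & TC)
```

The reply is the same size as the query, so the virtual server cannot be used as an amplifier; a client that never comes back over TCP was either spoofed or is not a real resolver.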

set type udp

stateless

Enable to apply the UDP stateless function.

timeout_udp_session

Client-side session timeout. The default is 100 seconds. The valid range is 1 to 86,400.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Select a Geo IP block list configuration object.

allowlist

Select an allowlist configuration object.

set type rtsp

max-header-size

Specify the maximum size of RTSP packets. The valid range is 16 to 65,536.

client-address

Enable/disable to use the original client IP address as the source address when connecting to the real server.

set type rtmp

client-address

Enable/disable to use the original client IP address as the source address when connecting to the real server.

set type ftp

timeout_tcp_session

Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400.

timeout_tcp_session_after_FIN

Client-side connection timeout for connections after the client has sent a FIN. The default is 100 seconds. The valid range is 1 to 86,400.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Specify a Geo IP block list configuration object.

allowlist

Specify a Geo IP allowlist configuration object.

security-mode

Select either of the following:

  • none

  • explicit

  • implicit

set type http and set type https

tune-bufsize

Specify the buffer size for a session when buffer-pool is enabled. Specify lower values to allow more sessions to coexist in the same amount of RAM, and higher values for traffic with larger HTTP body content. The default is 8,030 bytes. The valid range is 128 to 2,147,483,647.

Note:

The tune-bufsize factors into the total allowable size for an HTTP request. The default maximum length of an HTTP request is calculated as tune-bufsize <integer> - tune-maxrewrite <integer>.

For example, tune-bufsize 8030 - tune-maxrewrite 1024 = 7006 bytes is the maximum for the HTTP request.

caching

Specify the name of the caching configuration object.

client-address

Use the original client IP address as the source address in the connection to the real server.

client-timeout

Client-side TCP connection timeout. The default is 50 seconds. The valid range is from 1 to 3,600.

compression

Specify a compression configuration object.

connect-timeout

Multiplexed server-side TCP connection timeout. Usually less than the client-side timeout. The default is 5 seconds. The valid range is 1 to 3,600.

http-keepalive-timeout

Maximum time to wait for a new HTTP request to appear on a kept-alive client connection. The default is 50 seconds. The valid range is 1 to 3,600.

http-mode

  • KeepAlive. Do not close the connection to the real server after each HTTP transaction. Instead, keep the connection between FortiADC and the real server open until the client-side connection is closed. This option is required for applications like Microsoft SharePoint.
  • OnceOnly. An HTTP transaction can consist of multiple HTTP requests (separate requests for an HTML page and the images contained therein, for example). To improve performance, the "once only" flag instructs the FortiADC to evaluate only the first set of headers in a connection. Subsequent requests belonging to the connection are not load balanced, but sent to the same server as the first request.
  • ServerClose. Close the connection to the real server after each HTTP transaction.

http-request-timeout

Client-side HTTP request timeout. The default is 50 seconds. The valid range is 1 to 3,600.

http-x-forwarded-for

Enable this option to append the client IP address found in IP layer packets to the HTTP header, for example, X-forwarded-for: 192.168.161.100.

The default header name is X-forwarded-for. If you prefer a different name, use http-x-forwarded-for-header to define a custom name.

http-x-forwarded-for-header

Specify a custom name for the HTTP header which carries the client IP address. Do not include the 'X-' prefix. Examples: Forwarded-For, Real-IP, or True-IP.
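
How a backend should consume the header that FortiADC adds when http-x-forwarded-for is enabled, as an added example in Python (not FortiADC code or Fortinet's). It assumes FortiADC appends the client address as the last entry of the header value, that any proxy in front of FortiADC does the same, and that the backend knows the addresses of those proxies (the network 198.51.100.0/24 and the whole request below are constructed). The point a practitioner wants: a client can send its own X-Forwarded-For before FortiADC appends to it, so the backend has to read the chain from the right, skipping hops it trusts, instead of taking the first entry.

```python
import ipaddress

def header_name(custom=None):
    """Name of the header FortiADC writes: X-Forwarded-For by default; with
    http-x-forwarded-for-header set to e.g. "Real-IP" (no X- prefix) it is X-Real-IP."""
    return "X-" + custom if custom else "X-Forwarded-For"

def parse_headers(raw_request):
    """Header block of an HTTP/1.x request as (name, value) pairs, order and repeats kept."""
    headers = []
    for line in raw_request.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def forwarded_chain(raw_request, name="X-Forwarded-For"):
    """All entries of the header as one ordered list; repeated header lines are
    concatenated in order, which is how a comma-joined list field is defined to be read."""
    chain = []
    for n, v in parse_headers(raw_request):
        if n == name.lower():
            chain.extend(p.strip() for p in v.split(",") if p.strip())
    return chain

def naive_first_entry(raw_request, name="X-Forwarded-For"):
    """The common mistake: trust the left-most entry, which the client controls."""
    chain = forwarded_chain(raw_request, name)
    return chain[0] if chain else None

def client_ip(raw_request, trusted_proxies, name="X-Forwarded-For"):
    """Client address as vouched for by the last trusted hop.

    Walk the chain from the right. Every entry that is a trusted proxy was
    written by infrastructure we control, so skip it; the first entry that is
    not one is the address that proxy saw connecting to it. Everything to the
    left of that is unverified and may be attacker-supplied.
    """
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]
    for entry in reversed(forwarded_chain(raw_request, name)):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            return None          # junk in the chain: refuse rather than guess
        if not any(addr in net for net in trusted):
            return str(addr)
    return None                  # header absent, or only proxies in it

# Constructed sample: the client forged "10.0.0.1"; an upstream proxy at
# 198.51.100.2 appended the real client 203.0.113.7; FortiADC then appended the
# address it saw connecting, which is that upstream proxy.
SAMPLE_REQUEST = (
    "GET /admin HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "X-Forwarded-For: 10.0.0.1, 203.0.113.7, 198.51.100.2\r\n"
    "\r\n"
)
```

With no proxy in front of FortiADC the trusted list is empty and the right-most entry, the one FortiADC wrote, is the answer; the function handles both deployments without changing the backend logic.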

queue-timeout

Specifies how long connection requests to a backend server remain in a queue if the server has reached its maximum number of connections. If the timeout period expires before the client can connect, FortiADC drops the connection and sends a 503 error to the client. The default is 5 seconds. The valid range is 1 to 3,600.

server-timeout

Server-side IP session timeout. The default is 50 seconds. The valid range is 1 to 3,600.

tune-maxrewrite

Specify the buffer space reserved for content rewriting. The default is 1,024 bytes. The valid range is 128 to 2,147,483,647.

Note:

The tune-maxrewrite factors into the total allowable size for an HTTP request. The default maximum length of an HTTP request is calculated as tune-bufsize <integer> - tune-maxrewrite <integer>.

For example, tune-bufsize 8030 - tune-maxrewrite 1024 = 7006 bytes is the maximum for the HTTP request.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Specify a Geo IP block list configuration object.

geoip-redirect

For HTTP/HTTPS, if you have configured a Geo IP redirect action, specify a redirect URL.

allowlist

Specify a Geo IP allowlist configuration object.

http2-profile

Specify an HTTP2 profile configuration object.

http3-profile

The http3-profile option is only available if type is https.

Specify an HTTP3 Profile configuration object. See config load-balance http3-profile.

set type radius

timeout-radius-session

The default is 300 seconds. The valid range is 1 to 3,600.

dynamic-auth

Enable/disable RADIUS dynamic authorization (CoA, Disconnect messages).

dynamic-auth-port

Port on which FortiADC accepts RADIUS dynamic authorization (CoA and Disconnect) messages.

client-address

Enable/disable the use of a client IP as the source IP to connect to the real server.

geoip-list

Specify a Geo IP block list configuration object.

allowlist

Specify a Geo IP allowlist configuration object.

set type rdp

client-timeout

Client-side TCP connection timeout. The default is 50 seconds. The valid range is 1 to 3,600.

server-timeout

Server-side IP session timeout. The default is 50 seconds. The valid range is 1 to 3,600.

connect-timeout

Multiplexed server-side TCP connection timeout. Usually less than the client-side timeout. The default is 5 seconds. The valid range is 1 to 3,600.

queue-timeout

Specifies how long connection requests to a backend server remain in a queue if the server has reached its maximum number of connections. If the timeout period expires before the client can connect, FortiADC drops the connection and sends a 503 error to the client. The default is 5 seconds. The valid range is 1 to 3,600.

client-address

Use the original client IP address as the source address in the connection to the real server.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Specify a Geo IP block list configuration object.

allowlist

Specify a Geo IP allowlist configuration object.

set type tcps

client-timeout

Client-side TCP connection timeout. The default is 50 seconds. The valid range is 1 to 3,600.

server-timeout

Server-side IP session timeout. The default is 50 seconds. The valid range is 1 to 3,600.

connect-timeout

Multiplexed server-side TCP connection timeout. Usually less than the client-side timeout. The default is 5 seconds. The valid range is 1 to 3,600.

queue-timeout

Specifies how long connection requests to a backend server remain in a queue if the server has reached its maximum number of connections. If the timeout period expires before the client can connect, FortiADC drops the connection and sends a 503 error to the client. The default is 5 seconds. The valid range is 1 to 3,600.

client-address

Use the original client IP address as the source address in the connection to the real server.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Specify a Geo IP block list configuration object.

allowlist

Specify a Geo IP allowlist configuration object.

set type turbohttp

timeout_tcp_session

Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400.

timeout_tcp_session_after_FIN

Client-side connection timeout for connections after the client has sent a FIN. The default is 100 seconds. The valid range is 1 to 86,400.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Specify a Geo IP block list configuration object.

allowlist

Specify a Geo IP allowlist configuration object.

set type sip

client-keepalive

Enable/disable a keepalive period for new client-side requests. Supports CRLF ping-pong for TCP connections. Disabled by default.

client-address

Use the original client IP address as the source address in the connection to the real server.

media-addr

Change the media address in the SIP payload to the specified address. The default is 0.0.0.0.

client-protocol

Client-side transport protocol:

  • tcp
  • udp (default)

failed-client

Action when the SIP client cannot be reached:

  • drop—Drop the connection.
  • send—Drop the connection and send a message, for example, a status code and error message.

failed-client-str

Message string. Use double-quotation marks for strings with spaces.

failed-server

Action when the SIP server cannot be reached:

  • drop—Drop the connection.
  • send—Drop the connection and send a message, for example, a status code and error message.

failed-server-str

Message string. Use double-quotation marks for strings with spaces. For example:

"404 Not Found"

max-size

Maximum message size. The default is 65535 bytes. The valid range is 1-65535.

server-keepalive

Enable/disable a keepalive period for new server-side requests. Supports CRLF ping-pong for TCP connections. Enabled by default.

server-keepalive-timeout

Maximum wait for a new server-side request to appear. The default is 30 seconds. The valid range is 5-300.

server-protocol

Server-side transport protocol.

  • tcp
  • udp

Default is "unset", so the client-side protocol determines the server-side protocol.

sip-insert-client-ip

Enable/disable option to insert the client source IP address into the X-Forwarded-For header of the SIP request.

set type explicit_http

caching

Caching name.

client-address

Use client address to connect to pool.

client-timeout

The maximum inactivity time on the client side.

connect-timeout

The maximum time to wait for a connection attempt to a server to succeed.

decompression

The decompression name.

geoip-list

The geography IP block list.

geoip-redirect

Redirect URL for IP geography.

http-keepalive-timeout

The maximum allowed time to wait for a new HTTP request to appear.

http-request-timeout

The maximum allowed time to wait for a complete HTTP request.

http-send-timeout

The maximum time (in seconds) allowed for sending out all buffered HTTP data.

http-x-forwarded-for

Insert X-Forwarded-For header to request.

http-x-forwarded-for-header

Change X-Forwarded-For header name.

ip-reputation

Use IP Reputation

max-http-headers

Max HTTP headers limit.

Note: If you raise this limit, requests may fail to parse because the headers no longer fit within the buffer size limit (tune-bufsize).

queue-timeout

The maximum time to wait in the queue for a connection slot to be free.

response-half-closed-request

If enabled, FortiADC will continue serving the request in half closed connection until the response completes.

server-timeout

The maximum inactivity time on the server side.

tune-bufsize

Specify the buffer size for a session when buffer-pool is enabled. Specify lower values to allow more sessions to coexist in the same amount of RAM, and higher values for traffic with larger HTTP body content. The default is 8,030 bytes. The valid range is 128 to 2,147,483,647.

Note:

The tune-bufsize factors into the total allowable size for an HTTP request. The default maximum length of an HTTP request is calculated as tune-bufsize <integer> - tune-maxrewrite <integer>.

For example, tune-bufsize 8030 - tune-maxrewrite 1024 = 7006 bytes is the maximum for the HTTP request.

tune-maxrewrite

Specify the buffer space reserved for content rewriting. The default is 1,024 bytes. The valid range is 128 to 2,147,483,647.

Note:

The tune-maxrewrite factors into the total allowable size for an HTTP request. The default maximum length of an HTTP request is calculated as tune-bufsize <integer> - tune-maxrewrite <integer>.

For example, tune-bufsize 8030 - tune-maxrewrite 1024 = 7006 bytes is the maximum for the HTTP request.

allowlist

The geography IP allowlist.

config client-request-header-erase

Configuration to erase headers from client requests. Table setting. Maximum 4 members.

type

  • all—Parse all headers for a match.
  • first—Parse the first header for a match.

string

Header to be erased.

config client-request-header-insert

Configuration to insert headers into client requests. Table setting. Maximum 4 members.

type

  • append-always—Append after the last header.
  • append-if-not-exist—Append only if the header is not present.
  • insert-always—Insert before the first header even if the header is already present.
  • insert-if-not-exist—Insert before the first header only if the header is not already present.

string

The header:value pair to be inserted.

config client-response-header-erase

Configuration to erase headers from client responses. Table setting. Maximum 4 members.

type

  • all—Parse all headers for a match.
  • first—Parse the first header for a match.

string

Header to be erased.

config client-response-header-insert

Configuration to insert headers into client responses. Table setting. Maximum 4 members.

type

  • append-always—Append after the last header.
  • append-if-not-exist—Append only if the header is not present.
  • insert-always—Insert before the first header even if the header is already present.
  • insert-if-not-exist—Insert before the first header only if the header is not already present.

string

The header:value pair to be inserted.

config server-request-header-erase

Configuration to erase headers from server requests. Table setting. Maximum 4 members.

type

  • all—Parse all headers for a match.
  • first—Parse the first header for a match.

string

Header to be erased.

config server-request-header-insert

Configuration to insert headers into server requests. Table setting. Maximum 4 members.

type

  • append-always—Append after the last header.
  • append-if-not-exist—Append only if the header is not present.
  • insert-always—Insert before the first header even if the header is already present.
  • insert-if-not-exist—Insert before the first header only if the header is not already present.

string

The header:value pair to be inserted.

config server-response-header-erase

Configuration to erase headers from server responses. Table setting. Maximum 4 members.

type

  • all—Parse all headers for a match.
  • first—Parse the first header for a match.

string

Header to be erased.

config server-response-header-insert

Configuration to insert headers into server responses. Table setting. Maximum 4 members.

type

  • append-always—Append after the last header.
  • append-if-not-exist—Append only if the header is not present.
  • insert-always—Insert before the first header even if the header is already present.
  • insert-if-not-exist—Insert before the first header only if the header is not already present.

string

The header:value pair to be inserted.
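
The two erase types and four insert types above, emulated over an ordered header list, as an added example in Python that is not FortiADC code. It assumes header names match case-insensitively, that the erase string is a bare header name and the insert string a "Name: value" pair, as the descriptions say; the sample response and the rule set are constructed. The rules show a typical use of the client-response tables: strip the Server and X-Powered-By fingerprinting headers and add security headers only where the backend did not already set them, which is exactly the difference between append-always and append-if-not-exist.

```python
def _name_of(header):
    """Header name, lower-cased, from either "Name" or "Name: value"."""
    return header.split(":", 1)[0].strip().lower()

def erase_header(headers, string, type_="all"):
    """Emulate one *-header-erase entry. `string` is the header name.
    type all removes every header with that name; type first removes only the first one."""
    target = string.strip().lower()
    out, removed = [], False
    for h in headers:
        if _name_of(h) == target and not (removed and type_ == "first"):
            removed = True
            continue
        out.append(h)
    return out

def insert_header(headers, string, type_="append-always"):
    """Emulate one *-header-insert entry. `string` is a "Name: value" pair.

    append-* adds after the last header, insert-* before the first one;
    the -if-not-exist variants do nothing when the name is already present.
    """
    exists = _name_of(string) in {_name_of(h) for h in headers}
    if type_ in ("append-if-not-exist", "insert-if-not-exist") and exists:
        return list(headers)
    if type_ in ("append-always", "append-if-not-exist"):
        return list(headers) + [string]
    if type_ in ("insert-always", "insert-if-not-exist"):
        return [string] + list(headers)
    raise ValueError(f"unknown insert type {type_!r}")

def apply_table(headers, action, entries):
    """Apply one config table (action "erase" or "insert") in entry order.
    The page allows at most 4 members per table, so refuse more."""
    if len(entries) > 4:
        raise ValueError("a header table holds at most 4 members")
    fn = erase_header if action == "erase" else insert_header
    for type_, string in entries:
        headers = fn(headers, string, type_)
    return headers

# Constructed sample: headers of a backend response before FortiADC edits it.
SAMPLE_RESPONSE = [
    "Server: Apache/2.4.1",
    "X-Powered-By: PHP/7.4.3",
    "Content-Type: text/html; charset=utf-8",
    "Set-Cookie: session=abc; HttpOnly",
]

# Constructed entries for client-response-header-erase and client-response-header-insert:
# drop fingerprinting headers, add security headers the backend did not set itself.
ERASE_RULES = [("all", "Server"), ("all", "X-Powered-By")]
INSERT_RULES = [
    ("append-if-not-exist", "Strict-Transport-Security: max-age=31536000"),
    ("append-if-not-exist", "X-Content-Type-Options: nosniff"),
]

def hardened_response(headers=SAMPLE_RESPONSE):
    """Response headers after both tables have been applied."""
    headers = apply_table(headers, "erase", ERASE_RULES)
    return apply_table(headers, "insert", INSERT_RULES)
```

Using append-if-not-exist rather than append-always matters here: an application that already sends a stricter Strict-Transport-Security value keeps it, and the client never sees two copies of the header with different values.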
set type diameter

origin-host

Sets the value of Diameter AVP 264 (Origin-Host). This AVP is a character string that identifies the host originating Diameter messages.

FortiADC rewrites the Origin-Host AVP in client requests with this value before forwarding them to the real server, and rewrites the Origin-Host AVP in server responses with this value before forwarding them to the client.

Specify the identity in the format host.realm, for example, vs.realm. The host part is a string unique to this endpoint; the realm part is the Diameter realm, which you set with origin-realm (described below).

If origin-host is left empty, FortiADC forwards the Origin-Host AVP unchanged in both directions.

The default is an empty value.

origin-realm

Sets the value of Diameter AVP 296 (Origin-Realm). This AVP is a character string that specifies the Diameter realm from which Diameter messages, including requests, originate.

FortiADC rewrites the Origin-Realm AVP in client requests with this value before forwarding them to the real server, and rewrites the Origin-Realm AVP in server responses with this value before forwarding them to the client.

If origin-realm is left empty, FortiADC forwards the Origin-Realm AVP unchanged in both directions.

The default is an empty value.

product-name

Sets the value of Diameter AVP 269 (Product-Name). This AVP is a character string that names the product, for example, "fortiadc".

FortiADC rewrites the Product-Name AVP in client requests with this value before forwarding them to the real server, and rewrites the Product-Name AVP in server responses with this value before forwarding them to the client.

If product-name is left empty, FortiADC forwards the Product-Name AVP unchanged in both directions.

The default is an empty value.

vendor-id

Sets the value of Diameter AVP 266 (Vendor-Id). This AVP is an unsigned 32-bit integer that identifies the vendor, for example, 156.

FortiADC rewrites the Vendor-Id AVP in client requests with this value before forwarding them to the real server, and rewrites the Vendor-Id AVP in server responses with this value before forwarding them to the client.

If vendor-id is set to 0, FortiADC forwards the Vendor-Id AVP unchanged in both directions.

The default is 0. The valid range is 0 to 4,294,967,295.

idle-timeout

Requests that carry the same Session-Id AVP are dispatched to the same real server as long as the interval between them is shorter than idle-timeout.

The default is 300 seconds. The valid range is 1 to 86,400.

When this parameter is set, FortiADC acts in proxy mode.

server-close-propagation

When enabled, if one of the real servers resets the connection or sends a DPR (Disconnect-Peer-Request) to FortiADC, FortiADC closes the connections to the client and to the other servers at the same time.

When disabled, if one of the real servers resets the connection or sends a DPR to FortiADC, FortiADC forwards subsequent client requests to the other servers.

Disabled by default.
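
The AVP rewrites described above, applied to a constructed Capabilities-Exchange-Request, as an added example in Python (not FortiADC code). It follows the AVP wire format of RFC 6733 (4-byte code, 1-byte flags, 3-byte length, optional Vendor-Id, data padded to a 4-byte boundary) and the rule stated above that an empty setting, or vendor-id 0, leaves the AVP untouched. The message contents, hop-by-hop and end-to-end identifiers, and the profile values used are all constructed.

```python
import struct

# AVP codes from RFC 6733 that the profile can rewrite
ORIGIN_HOST, VENDOR_ID, PRODUCT_NAME, ORIGIN_REALM = 264, 266, 269, 296
AVP_FLAG_V, AVP_FLAG_M = 0x80, 0x40   # vendor-specific, mandatory

def encode_avp(code, data, flags=AVP_FLAG_M, vendor=None):
    """One AVP: code, flags, 24-bit length (header + data, padding excluded),
    optional Vendor-Id when the V flag is set, data padded to 4 bytes."""
    if vendor is not None:
        flags |= AVP_FLAG_V
    length = 8 + (4 if vendor is not None else 0) + len(data)
    out = struct.pack("!I", code) + bytes([flags & 0xFF]) + length.to_bytes(3, "big")
    if vendor is not None:
        out += struct.pack("!I", vendor)
    return out + data + b"\x00" * ((-len(data)) % 4)

def decode_avps(body):
    """Parse consecutive AVPs into (code, flags, vendor, data); ValueError on bad lengths."""
    avps, off = [], 0
    while off < len(body):
        if off + 8 > len(body):
            raise ValueError("truncated AVP header")
        code = struct.unpack("!I", body[off:off + 4])[0]
        flags = body[off + 4]
        length = int.from_bytes(body[off + 5:off + 8], "big")
        hdr, vendor = 8, None
        if flags & AVP_FLAG_V:
            if off + 12 > len(body):
                raise ValueError("truncated Vendor-Id")
            vendor, hdr = struct.unpack("!I", body[off + 8:off + 12])[0], 12
        if length < hdr or off + length > len(body):
            raise ValueError("AVP length out of bounds")
        avps.append((code, flags, vendor, body[off + hdr:off + length]))
        off += length + ((-length) % 4)
    return avps

def build_message(avps, command_code=257, request=True, hop_by_hop=1, end_to_end=1, app_id=0):
    """Diameter message: 20-byte header (version 1, length, flags, command code,
    application id, hop-by-hop, end-to-end) followed by AVPs. 257 = Capabilities-Exchange."""
    body = b"".join(encode_avp(code, data) for code, data in avps)
    header = (bytes([1]) + (20 + len(body)).to_bytes(3, "big") + bytes([0x80 if request else 0])
              + command_code.to_bytes(3, "big") + struct.pack("!III", app_id, hop_by_hop, end_to_end))
    return header + body

def rewrite_message(msg, origin_host="", origin_realm="", product_name="", vendor_id=0):
    """Apply the profile's rewrites to one message, in either direction.

    An empty string (or vendor-id 0) leaves that AVP untouched. The message
    length is recomputed because a rewritten string AVP may change size.
    """
    if len(msg) < 20 or msg[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    replacements = {
        ORIGIN_HOST: origin_host.encode() or None,
        ORIGIN_REALM: origin_realm.encode() or None,
        PRODUCT_NAME: product_name.encode() or None,
        VENDOR_ID: struct.pack("!I", vendor_id) if vendor_id else None,
    }
    body = b""
    for code, flags, vendor, data in decode_avps(msg[20:]):
        data = replacements.get(code) or data
        body += encode_avp(code, data, flags & ~AVP_FLAG_V, vendor)
    return msg[:1] + (20 + len(body)).to_bytes(3, "big") + msg[4:20] + body

def avp_values(msg):
    """{code: data} for the AVPs in `msg`."""
    return {code: data for code, _, _, data in decode_avps(msg[20:])}

# Constructed CER as a client would send it to the virtual server.
SAMPLE_CER = build_message([
    (ORIGIN_HOST, b"client.example.test"),
    (ORIGIN_REALM, b"example.test"),
    (VENDOR_ID, (10415).to_bytes(4, "big")),
    (PRODUCT_NAME, b"sample-client"),
])
```

Because the same function serves both directions, the real server only ever sees the identity configured in the profile and the client only ever sees that identity in responses, which is the point of the rewrite: the backend peers' hostnames and vendor details stay inside the FortiADC-real server segment.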

set type iso8583

timeout_tcp_session

Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400 seconds.

msg-encode-type

Specify the encoding of protocol messages. The default is ASCII.

length-indicator-type

Specify the encoding of the length indicator. The default is binary.

length-indicator-shift

Specify the number of bytes to skip from the beginning of the payload before reading the length value. The valid range is 0 to 32.

length-indicator-size

Specify the number of bytes to read to calculate the length. The valid range is 0 to 8.

opt-header-length

Specify the length of the optional header that precedes the MTI, including the length indicator. The valid range is 0 to 32.

opt-trailer-hex

Specify the optional trailer as a hex string. The maximum length is 16 hex characters, that is, 8 bytes in binary.

geo-ip

Select a Geo IP block list configuration object.

allowlist

Select an allowlist configuration object.
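
How the framing parameters above fit together when a TCP stream is split into ISO 8583 messages, as an added example in Python (not FortiADC code). It assumes the length indicator counts the bytes that follow the optional header (from the MTI onwards, excluding the trailer), that msg-encode-type chooses between ASCII and EBCDIC for decoding the MTI, and that the valid ranges quoted above are enforced; the option names "ascii" and "ebcdic" and all sample streams are constructed. The practical point is that length-prefixed framing must be bounds-checked and re-synchronised on a bad trailer or MTI, otherwise one malformed frame desynchronises every message that follows.

```python
from dataclasses import dataclass

@dataclass
class Iso8583Framing:
    """Profile settings that describe how messages are delimited on the wire."""
    msg_encode_type: str = "ascii"         # "ascii" or "ebcdic" (assumed option names)
    length_indicator_type: str = "binary"  # "binary" (big-endian) or "ascii" (decimal digits)
    length_indicator_shift: int = 0        # bytes to skip before the indicator (0-32)
    length_indicator_size: int = 2         # bytes that make up the indicator (0-8)
    opt_header_length: int = 2             # bytes before the MTI, including the indicator (0-32)
    opt_trailer_hex: str = ""              # trailer as hex, at most 16 hex chars (8 bytes)

    def __post_init__(self):
        if not 0 <= self.length_indicator_shift <= 32:
            raise ValueError("length-indicator-shift out of range")
        if not 0 <= self.length_indicator_size <= 8:
            raise ValueError("length-indicator-size out of range")
        if not 0 <= self.opt_header_length <= 32:
            raise ValueError("opt-header-length out of range")
        if len(self.opt_trailer_hex) > 16:
            raise ValueError("opt-trailer-hex longer than 16 hex characters")
        bytes.fromhex(self.opt_trailer_hex)  # raises ValueError if not valid hex
        if self.length_indicator_shift + self.length_indicator_size > self.opt_header_length:
            raise ValueError("length indicator does not fit inside the optional header")

    @property
    def trailer(self):
        return bytes.fromhex(self.opt_trailer_hex)

    def read_length(self, buf):
        """Length value from the indicator, or None if the buffer is too short to hold it."""
        start = self.length_indicator_shift
        raw = buf[start:start + self.length_indicator_size]
        if len(raw) < self.length_indicator_size:
            return None
        if self.length_indicator_type == "binary":
            return int.from_bytes(raw, "big")
        if self.length_indicator_type == "ascii":
            if not raw.isdigit():
                raise ValueError("non-numeric ASCII length indicator: stream is out of sync")
            return int(raw.decode("ascii"))
        raise ValueError("unknown length-indicator-type")

def decode_text(data, encoding):
    return data.decode({"ascii": "ascii", "ebcdic": "cp500"}[encoding])

def split_messages(buf, cfg):
    """Split a byte stream into (mti, body) messages; returns (messages, unconsumed remainder)."""
    msgs = []
    while len(buf) >= cfg.opt_header_length:
        length = cfg.read_length(buf)
        if length is None:
            break
        total = cfg.opt_header_length + length + len(cfg.trailer)
        if len(buf) < total:
            break                                  # wait for more data
        frame, buf = buf[:total], buf[total:]
        if cfg.trailer and not frame.endswith(cfg.trailer):
            raise ValueError("trailer mismatch: stream is out of sync")
        body = frame[cfg.opt_header_length:total - len(cfg.trailer)]
        mti = decode_text(body[:4], cfg.msg_encode_type)
        if len(mti) != 4 or not mti.isdigit():
            raise ValueError("bad MTI: stream is out of sync")
        msgs.append((mti, body))
    return msgs, buf

def frame(body, cfg):
    """Build one wire frame for `body` under `cfg`; used here only to construct sample traffic."""
    if cfg.length_indicator_type == "binary":
        indicator = len(body).to_bytes(cfg.length_indicator_size, "big")
    else:
        indicator = str(len(body)).zfill(cfg.length_indicator_size).encode("ascii")
    filler = cfg.opt_header_length - cfg.length_indicator_shift - cfg.length_indicator_size
    return b"\x00" * cfg.length_indicator_shift + indicator + b"\x00" * filler + body + cfg.trailer

# Constructed sample bodies: MTI followed by a placeholder bitmap and field payload.
BODY_REQ = b"0200" + b"7234054128E08000" + b"16" + b"4000123412341234"
BODY_RSP = b"0210" + b"7234054128E08000" + b"00"
BODY_EBCDIC = "0800".encode("cp500") + b"\x00" * 8
```

The defaults (2-byte binary length, no shift, no trailer) are the most common acquirer framing; the second configuration in the test, a 2-byte TPDU-style prefix followed by a 4-digit ASCII length and an ETX trailer, shows why shift, size and opt-header-length are separate knobs.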

set type mssql

client-timeout

Specifies how long FortiADC waits, after the client connects, for the client to send a complete request. If this timeout expires, FortiADC closes the connection to the client. The default is 50 seconds. The valid range is 1 to 86,400 seconds.

server-age

Specify the maximum inactivity time for MS SQL server on the server side. The default is 600 seconds. The valid range is 1 to 86,400 seconds.

server-max-size

Specify the maximum connections that can connect to the MS SQL server on the server side. The default is 10,000. The valid range is 1 to 30,000.

geo-ip

Select a Geo IP block list configuration object.

allowlist

Select an allowlist configuration object.

set type smtp

client-address

Enable/disable to use the original client IP address as the source address when connecting to the real server.

Note: When you use a NAT source pool with an SMTP virtual server, make sure client-address is disabled in the SMTP profile. With client-address enabled, FortiADC uses the original client IP address as the source address when connecting to the real server, which cannot be combined with a NAT source pool.

starttls-active-mode

Select one of the following:

  • allow—The client can either use or not use the STARTTLS command.

  • require—The STARTTLS command must be used to encrypt the connection first.

  • none—The STARTTLS command is NOT supported.

disable-command-status

Enable/disable rejecting the command(s) selected in disable-command.

disable-command

Select any, all, or none of the commands expn, turn, and vrfy. A selected command is rejected by FortiADC; an unselected command is accepted and forwarded to the back end.

geo-ip

Select a Geo IP block list configuration object.

allowlist

Select an allowlist configuration object.

domain-name

Specify the domain name.

set type mysql

Note: The system does not provide default MySQL profiles as it does with the other protocols.

mysql-mode

Select either of the following MySQL modes:

  • single-primary — The profile will use the single-primary mode. You will then need to specify and configure the primary server and secondary servers.

  • sharding— The profile will use the sharding mode to load-balance MySQL traffic.

set type l7-tcp

timeout_tcp_session

Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Select a Geo IP block list configuration object.

allowlist

Select an allowlist configuration object.

set type l7-udp

timeout_udp_session

Client-side session timeout. The default is 100 seconds. The valid range is 1 to 86,400.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Select a Geo IP block list configuration object.

allowlist

Select an allowlist configuration object.

Example

The following example shows the list of predefined profiles:

FortiADC-VM # get load-balance profile

== [ LB_PROF_TCP ]

== [ LB_PROF_UDP ]

== [ LB_PROF_HTTP ]

== [ LB_PROF_TURBOHTTP ]

== [ LB_PROF_FTP ]

== [ LB_PROF_RADIUS ]

== [ LB_PROF_SIP ]

== [ LB_PROF_TCPS ]

== [ LB_PROF_HTTPS ]

== [ LB_PROF_HTTP2_H2C]

== [ LB_PROF_HTTP2_H2 ]

== [ LB_PROF_SMTP ]

== [ LB_PROF_RTSP ]

== [ LB_PROF_RTMP ]

== [ LB_PROF_DIAMETER ]

== [ LB_PROF_IP ]

== [ LB_PROF_RDP ]

== [ LB_PROF_HTTP_SERVERCLOSE ]

== [ LB_PROF_HTTPS-SERVERCLOSE ]

== [ LB_PROF_DNS ]

The following example shows the details of the predefined HTTPS profile:

FortiADC-VM (profile) # get load-balance profile LB_PROF_HTTPS

type : https

tune-bufsize : 8030

tune-maxrewrite : 1024

client-timeout : 50

server-timeout : 50

connect-timeout : 5

queue-timeout : 5

http-request-timeout : 50

http-keepalive-timeout : 50

buffer-pool : enable

client-address : disable

http-x-forwarded-for : disable

http-x-forwarded-for-header :

http-mode : ServerClose

compression :

caching :

ip-reputation : disable

geoip-list :

allowlist :

geoip-redirect : http://

The following example creates a user-defined SIP profile:

FortiADC-VM # config load-balance profile

FortiADC-VM (profile) # edit sip-profile

Add new entry 'sip-profile' for node 1643

FortiADC-VM (sip-profile) # set type sip

FortiADC-VM (sip-profile) # get

type : sip

max-size : 65535

server-keepalive-timeout : 30

server-keepalive : enable

client-keepalive : disable

client-protocol : udp

server-protocol :

sip-insert-client-ip : disable

failed-client : drop

failed-server : drop

FortiADC-VM (sip-profile) # set timeout 120

FortiADC-VM (sip-profile) # set max-size 2048

FortiADC-VM (sip-profile) # set server-keepalive-timeout 180

FortiADC-VM (sip-profile) # set failed-server send

FortiADC-VM (sip-profile) # set failed-server-str "404 Not Found"

FortiADC-VM (sip-profile) # config ?

client-request-header-erase erase header from client request

client-request-header-insert insert header into client request

client-response-header-erase erase header from client response

client-response-header-insert insert header into client response

server-request-header-erase erase header from server request

server-request-header-insert insert header into server request

server-response-header-erase erase header from server response

server-response-header-insert insert header into server response

FortiADC-VM (sip-profile) # config client-request-header-insert

FortiADC-VM (client-request~h) # edit 1

Add new entry '1' for node 4554

FortiADC-VM (1) # set type insert-if-not-exist

FortiADC-VM (1) # set string "Via: SIP/2.0/UDP 1.1.1.100:5060"

FortiADC-VM (1) # end

FortiADC-VM (sip-profile) # end

FortiADC-VM #

The following example creates a DNS profile:

config load-balance profile

edit "dns"

set type dns

set malform-query-action drop

set redirect-to-tcp-port disable

set caching enable

set max-query-length 512

set max-cache-age 3600

set max-cache-entry-size 512

set max-cache-size 10

next

end

config load-balance virtual-server

edit "vs1"

set load-balance-profile dns

next

end

The following example creates an IP profile:

config load-balance profile

edit "ip"

set type ip

set timeout-ip-session 100

next

end

config load-balance virtual-server

edit "vs2"

set type l2-load-balance

set protocol-numbers 0 1

set load-balance-profile ip

next

end

The following example creates a MySQL profile:

config system health-check

edit mysql

set type mysql

set user root

set password fortinet

set port 3306

next

end

config load-balance real-server

edit "rs1"

set ip 192.168.1.1

next

end

config load-balance pool

edit "pool_mysql"

set health-check-ctrl enable

set health-check-list mysql

set real-server-ssl-profile NONE

config pool_member

edit 1

set pool_member_cookie rs1

set real-server rs1

next

end

next

end

config load-balance virtual-server

edit "mysql"

set type l7-load-balance

set interface port2

set ip 10.1.1.1

set port 3306

set load-balance-profile mysql

set load-balance-method LB_METHOD_ROUND_ROBIN

set load-balance-pool pool_mysql

next

end

The following example creates an RTSP profile:

config load-balance profile

edit "RTSP"

set type rtsp

set max-header-size 2048

set client-address enable

next

end

The following example creates an RTMP profile:

config load-balance profile

edit "RTMP"

set type rtmp

set client-address enable

next