Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    Home FortiADC 7.4.3 Handbook
    7.4.3
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.1
    6.0.0
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.6
    5.3.5
    5.3.4
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.7

    Configuring decompression rules

    Configuring decompression rules

    If the HTTP/HTTPS request body is compressed, FortiADC cannot pass it to the other functional modules which perform inspection or modification.

    To allow FortiADC to pass compressed HTTP/HTTPS client requests to other modules for inspection or modification before forwarding it to the back-end server, you must create a FortiADC decompression policy.

    You can configure FortiADC to temporarily decompress the body of a request based on its file type, which can be specified by the HTTP/HTTPS Content‑Type: header. The appliance can then inspect or modify the traffic. If no inspection or modification is needed, it will allow the compressed version of the request to pass to the back-end server.

    FortiADC supports HTTP/HTTPS request decompression in either gzip or deflate format. Upon receiving a compressed HTTP/HTTPS request body, FortiADC first extracts the HTTP/HTTPS request body to a temporary buffer and then sends the buffer to the other modules.

    Note that, for the current release, decompression only works for Web Application Firewall (WAF) and Scripting functions.

    FortiADC supports decompression of the following content-type files:

    • application/javascript
    • application/soap+xml
    • application/x-javascript
    • application/xml
    • text/css
    • text/html
    • text/javascript
    • text/plain
    • text/xml
    • custom
    Before you begin:
    • You must have a good understanding of HTTP decompression and knowledge of the content types served from the backend real servers.
    • You must have Read-Write permission for Load Balance settings.

    Decompression is not enabled by default. After you have configured a decompression rule, you can select it in the profile configuration. To enable decompression, select the profile when you configure the virtual server.

    To configure a decompression rule:
    1. Click Server Load Balance > Application Resources.
    2. Click the Decompression tab.
    3. Click Create New to display the configuration editor.
    4. Complete the configuration as described in Decompression configuration.
    5. Save the configuration.

    Decompression configuration
    Settings Guidelines

    Name

    Specify a unique name for the decompression rule. Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. You reference this name in the profile configuration.

    Note: After you initially save the configuration, you cannot edit the name.

    URI List Type
    • Include— Select this option to create a decompression inclusion rule. HTPP/HTTPS responses that match the URIs and content types specified in this rule will be decompressed by FortiADC before being passed to the client.
    • Exclude—Select this option to create a decompression exclusion rule. HTPP/HTTPS responses that match the URIs and content types specified in this rule will not be decompressed by FortiADC before being passed to the client.

    URI List

    Click Add and specify URIs to build the list.

    Content Types

    Click Add and select from the following content types to build the list:

    • application/javascript
    • application/soap+xml
    • application/x-javascript
    • application/xml
    • text/css
    • text/html
    • text/javascript
    • text/plain
    • text/xml
    • custom

    Note: The "custom" option allows you to specify almost any content/media type, including image files in .JPG, .PNG, and .BMP formats. The default is */*, which means any content/media type.

    You can use the CLI to configure decompression rules:

    config load-balance decompression

    edit <name>

    set cpu-limit {enable | disable}

    set max-cpu-usage [1-100]

    set uri-list-type {include | exclude}

    config uri_list

    edit <ID>

    set uri <refex_pattern>

    next

    end

    config content-types

    edit <ID>

    set content-type <types>

    {

    application/javascript

    application/soap+xml

    application/x-javascript

    application/xml

    custom <plain-string>

    text/css

    text/html

    text/javascript

    text/plain

    text/xml

    }

    next

    end

    You can use the CLI to select a decompression rule in a server load balance profile (HTTP):

    config load-balance profile

    edit <name>

    ...

    set decompression <decompression name>

    ...

    next

    end

    Using decompression with script data body manipulation

    Script data body manipulation can work in tandem with compression or decompression rules in a rather transparent way. When a decompression rule is configured and used with scripting, FortiADC will decompress HTTP data first, then apply script data body manipulation, and then re-compress the data before sending it to clients.

    So, if HTTP data is compressed before being sent out from the real server, you must create a decompression rule if you want to access the original data and use it in a script. This can be done either via the GUI or the Console. The following paragraphs show you the basic steps for configuring decompression rules to work with script data body manipulation.

    From the GUI

    Step 1: Creating a decompression rule
    1. Click Server Load Balance > Application Resources > Decompression.
    2. Click Create New to open the Decompression configuration dialog.
    3. For Name, specify a unique name for the decompression rule.
    4. For URI Rule Type, select Include or Exclude.
    5. Click Save. The dialog closes and the decompression rule appears in the Decompression table.
    6. Double-click the decompression rule (or click the corresponding Edit button) to open it.
    7. In the URI Rule section, make the desired configuration. (Optional)
    8. In the Content Types sections, make the desired configuration. (Optional)
    9. Click Save.
    10. Repeat the above steps to create as many decompression rules as needed.
    Step 2: Configuring a load balance profile
    1. Click Server Load Balance > Application Resources > Application Profile.
    2. Click Create New to open the Application Profile configuration dialog.
    3. For Type, click the down arrow and select HTTP or HTTPS from the list menu.
    4. For Decompression, click the down arrow and select a decompression rule from the list menu.
    5. Complete all the other fields required for load-balancing profile configuration.
    6. Click Save.
    Step 3: Enabling scripting in virtual server configuration
    1. Click Server Load Balance > Virtual Server > Virtual Server.
    2. Click Add > Advanced Mode.
    3. For Type (under the Basic section), be sure to select Layer 7.
    4. For Profile (under the General section), be sure to select an HTTP or HTTPS profile associated with the decompression rules that you have configured.
    5. For Scripting, be sure to turn it on (enable it), and then select the desired script or scripts.
    6. Complete all the other fields required for virtual server configuration.
    7. Click Save.

    From the Console

    Use the following example commands as a reference when configuring decompression and script data body manipulation from the Console.

    Step 1: Creating a decompression rule

    config load-balance decompression

    edit "decompress"

    set uri-list-type include

    config uri_list

    edit 1

    set uri /

    next

    end

    config content_types

    edit 1

    set content-type text/html

    next

    end

    next

    end

    Step 2: Configuring a load balance profile

    config load-balance profile

    edit "http"

    set type http

    set decompression decompress

    next

    end

    Step 3: Enabling scripting in virtual server configuration

    config load-balance virtual-server

    edit "vs"

    set load-balance-profile http

    set scripting-flag enable

    set scripting-list data

    next

    end

    Previous
    Next

    Configuring decompression rules

    Configuring decompression rules

    If the HTTP/HTTPS request body is compressed, FortiADC cannot pass it to the other functional modules which perform inspection or modification.

    To allow FortiADC to pass compressed HTTP/HTTPS client requests to other modules for inspection or modification before forwarding it to the back-end server, you must create a FortiADC decompression policy.

    You can configure FortiADC to temporarily decompress the body of a request based on its file type, which can be specified by the HTTP/HTTPS Content‑Type: header. The appliance can then inspect or modify the traffic. If no inspection or modification is needed, it will allow the compressed version of the request to pass to the back-end server.

    FortiADC supports HTTP/HTTPS request decompression in either gzip or deflate format. Upon receiving a compressed HTTP/HTTPS request body, FortiADC first extracts the HTTP/HTTPS request body to a temporary buffer and then sends the buffer to the other modules.

    Note that, for the current release, decompression only works for Web Application Firewall (WAF) and Scripting functions.

    FortiADC supports decompression of the following content-type files:

    • application/javascript
    • application/soap+xml
    • application/x-javascript
    • application/xml
    • text/css
    • text/html
    • text/javascript
    • text/plain
    • text/xml
    • custom
    Before you begin:
    • You must have a good understanding of HTTP decompression and knowledge of the content types served from the backend real servers.
    • You must have Read-Write permission for Load Balance settings.

    Decompression is not enabled by default. After you have configured a decompression rule, you can select it in the profile configuration. To enable decompression, select the profile when you configure the virtual server.

    To configure a decompression rule:
    1. Click Server Load Balance > Application Resources.
    2. Click the Decompression tab.
    3. Click Create New to display the configuration editor.
    4. Complete the configuration as described in Decompression configuration.
    5. Save the configuration.

    Decompression configuration
    Settings Guidelines

    Name

    Specify a unique name for the decompression rule. Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. You reference this name in the profile configuration.

    Note: After you initially save the configuration, you cannot edit the name.

    URI List Type
    • Include— Select this option to create a decompression inclusion rule. HTPP/HTTPS responses that match the URIs and content types specified in this rule will be decompressed by FortiADC before being passed to the client.
    • Exclude—Select this option to create a decompression exclusion rule. HTPP/HTTPS responses that match the URIs and content types specified in this rule will not be decompressed by FortiADC before being passed to the client.

    URI List

    Click Add and specify URIs to build the list.

    Content Types

    Click Add and select from the following content types to build the list:

    • application/javascript
    • application/soap+xml
    • application/x-javascript
    • application/xml
    • text/css
    • text/html
    • text/javascript
    • text/plain
    • text/xml
    • custom

    Note: The "custom" option allows you to specify almost any content/media type, including image files in .JPG, .PNG, and .BMP formats. The default is */*, which means any content/media type.

    You can use the CLI to configure decompression rules:

    config load-balance decompression

    edit <name>

    set cpu-limit {enable | disable}

    set max-cpu-usage [1-100]

    set uri-list-type {include | exclude}

    config uri_list

    edit <ID>

    set uri <refex_pattern>

    next

    end

    config content-types

    edit <ID>

    set content-type <types>

    {

    application/javascript

    application/soap+xml

    application/x-javascript

    application/xml

    custom <plain-string>

    text/css

    text/html

    text/javascript

    text/plain

    text/xml

    }

    next

    end

    You can use the CLI to select a decompression rule in a server load balance profile (HTTP):

    config load-balance profile

    edit <name>

    ...

    set decompression <decompression name>

    ...

    next

    end

    Using decompression with script data body manipulation

    Script data body manipulation can work in tandem with compression or decompression rules in a rather transparent way. When a decompression rule is configured and used with scripting, FortiADC will decompress HTTP data first, then apply script data body manipulation, and then re-compress the data before sending it to clients.

    So, if HTTP data is compressed before being sent out from the real server, you must create a decompression rule if you want to access the original data and use it in a script. This can be done either via the GUI or the Console. The following paragraphs show you the basic steps for configuring decompression rules to work with script data body manipulation.

    From the GUI

    Step 1: Creating a decompression rule
    1. Click Server Load Balance > Application Resources > Decompression.
    2. Click Create New to open the Decompression configuration dialog.
    3. For Name, specify a unique name for the decompression rule.
    4. For URI Rule Type, select Include or Exclude.
    5. Click Save. The dialog closes and the decompression rule appears in the Decompression table.
    6. Double-click the decompression rule (or click the corresponding Edit button) to open it.
    7. In the URI Rule section, make the desired configuration. (Optional)
    8. In the Content Types sections, make the desired configuration. (Optional)
    9. Click Save.
    10. Repeat the above steps to create as many decompression rules as needed.
    Step 2: Configuring a load balance profile
    1. Click Server Load Balance > Application Resources > Application Profile.
    2. Click Create New to open the Application Profile configuration dialog.
    3. For Type, click the down arrow and select HTTP or HTTPS from the list menu.
    4. For Decompression, click the down arrow and select a decompression rule from the list menu.
    5. Complete all the other fields required for load-balancing profile configuration.
    6. Click Save.
    Step 3: Enabling scripting in virtual server configuration
    1. Click Server Load Balance > Virtual Server > Virtual Server.
    2. Click Add > Advanced Mode.
    3. For Type (under the Basic section), be sure to select Layer 7.
    4. For Profile (under the General section), be sure to select an HTTP or HTTPS profile associated with the decompression rules that you have configured.
    5. For Scripting, be sure to turn it on (enable it), and then select the desired script or scripts.
    6. Complete all the other fields required for virtual server configuration.
    7. Click Save.

    From the Console

    Use the following example commands as a reference when configuring decompression and script data body manipulation from the Console.

    Step 1: Creating a decompression rule

    config load-balance decompression

    edit "decompress"

    set uri-list-type include

    config uri_list

    edit 1

    set uri /

    next

    end

    config content_types

    edit 1

    set content-type text/html

    next

    end

    next

    end

    Step 2: Configuring a load balance profile

    config load-balance profile

    edit "http"

    set type http

    set decompression decompress

    next

    end

    Step 3: Enabling scripting in virtual server configuration

    config load-balance virtual-server

    edit "vs"

    set load-balance-profile http

    set scripting-flag enable

    set scripting-list data

    next

    end

    Previous
    Next