Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400.

Client-side connection timeout. The default is 100 seconds. The valid range is 1 to 86,400.

Enable to send TCP RST to the client and real server when the TCP session expires. This is disabled by default.

Note: This function is supported for both IPv4 and IPv6 in L4 and L2 virtual servers. For L4 virtual servers, Timeout Sent RST is supported for DNAT/FullNAT/NAT46/NAT64 packet forwarding methods.

Enable to insert the Client IP in the TCP option. This is disabled by default.

This function is applicable in Layer 4 TCP virtual servers using DNAT or Full NAT as the packet forwarding method. By inserting the Client IP in the TCP option it allows the real server to easily retrieve the client address even after the Client IP has been modified during packet forwarding.

Note:

FortiADC cannot insert the Client IP in the TCP option under the following conditions:

• If the TCP option number already exists.

• If the length of the TCP header will exceed 60 bytes once the client address is inserted.

The Client IP Insertion in TCP Option Number option is available if Client IP Insertion in TCP Option is enabled.

Specify the TCP Option Number which indicates the TCP option kind to be collected. The default is 28. The valid range is 2 to 255.

Enable to apply the FortiGuard IP reputation service. See Managing IP Reputation policy settings.

Select a Geo IP block list configuration object. See Using the Geo IP block list.

Enable to apply UDP stateless function.

Client-side session timeout. The default is 100 seconds. The valid range is 1 to 86,400.

Enable to apply the FortiGuard IP reputation service. See Managing IP Reputation policy settings.

Select a Geo IP block list configuration object. See Using the Geo IP block list.

This timeout is counted as the amount of time when the client did not send a complete request HTTP header to the FortiADC after the client connected to the FortiADC. If this timeout expires, FortiADC will send a 408 message to client and close the connection to the client.

This timeout is counted as the amount of time when the server did not send a complete response HTTP header to the FortiADC after the FortiADC sent a request to server. If this timeout expires, FortiADC will close the server side connection and send a 503 message to the client and close the connection to the client.

This timeout is counted as the amount of time during which FortiADC tried to connect to the server with TCP SYN. After this timeout, if TCP connection is not established, FortiADC will drop this current connection to server and respond with a 503 message to client side and close the connection to the client.

This timeout is counted as the amount of time during which the request is queued in the dispatched queue. When the request cannot be dispatched to a server by a load balance method (for example, the server's connection limited is reached), it will be put into a queue. If this timeout expires, the request in the queue will be dropped and FortiADC will respond with a 503 message to client side and close the connection to the client.

This timeout is counted as the amount of time it took FortiADC to send a response body data (not including the header); the time is counted starting from when the body is transferred. If this timeout expires, FortiADC will close the connection of both side.

This timeout is counted as the amount of time the client did not send a complete request (including both HTTP header and request body) to FortiADC after the client connected to FortiADC. If this timeout expires, FortiADC will send a 408 message to client and close the connection to the client.

This timeout is counted as the time FortiADC can wait for a new request after the previous transaction is completed. This is an idle timeout if the client does not send anything in this period. If this timeout expires, FortiADC will close the connection to the client.

Use the original client IP address as the source address when connecting to the real server.

Append the client IP address found in IP layer packets to the HTTP header that you have specified in the X-Forwarded-For Header setting. If there is no existing X-Forwarded-For header, the system creates it.

If you only enable http-x-forwarded-for and do not configure http-x-forwarded-for-header, the default is to add such a header: X-Forwarded-For: <client's ip>

Specify the HTTP header to which to write the client IP address. Typically, this is the X-Forwarded-For header, but it is customizable because you might support traffic that uses different headers for this. Examples: Forwarded-For, Real-IP, or True-IP.

If http-x-forwarded-for-header <string> is configured, the added header is: <string>: <client's ip>,

Enable to apply the FortiGuard IP reputation service. See Managing IP Reputation policy settings.

Type a URL including the FQDN/IP and path, if any, to which a client will be redirected if the request violates the IP reputation policy.

• Server Close—Close the connection to the real server after each HTTP transaction.
• Once Only— An HTTP transaction can consist of multiple HTTP requests (separate requests for an HTML page and the images contained therein, for example). To improve performance, the "once only" flag instructs the FortiADC to evaluate only the first set of headers in a connection. Subsequent requests belonging to the connection are not load balanced, but sent to the same server as the first request.
• Keep Alive—Do not close the connection to the real server after each HTTP transaction. Instead, keep the connection between FortiADC and the real server open until the client-side connection is closed. This option is required for applications like Microsoft SharePoint.

Select a compression configuration object. See Configuring compression rules.

Select a decompression configuration object. See Configuring decompression rules.

Select an HTTP2 Profile configuration object. See Configuring HTTP2 profiles.

Select a caching configuration object. See Using caching features.

Select a Geo IP block list configuration object. See Using the Geo IP block list.

Select an allowlist configuration object. See Using the Geo IP allowlist.

For HTTP, if you have configured a Geo IP redirect action, specify a redirect URL.

Advanced Settings

Adjust the value of the HTTP/HTTPS VS's connection buffer size.

• For every session, there are two connection buffers.
• The default size is 8030, it is not recommended that you edit it. It's hidden in the Advance tab, and when you edit it you will get a warning message.
• Tuning this option is dangerous because it may lead to concurrent session number reduction or other unpredictable problems.

Adjust the max header number that HTTP/HTTPS VS can process for every request or response. If a request or response has a header over this limit, it will be dropped, and return error message 400.

• The default value is 100, it's not recommended that you edit it. It is hidden in the Advance tab, and when you edit it you will get a warning message.
• Tuning this option is dangerous and may lead to concurrent session number reduction or other unpredictable problems.

Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400.

Client-side connection timeout. The default is 100 seconds. The valid range is 1 to 86,400.

Use the original client IP address as the source address when connecting to the real server.

Enable to apply the FortiGuard IP reputation service. See Managing IP Reputation policy settings.

Select a Geo IP block list configuration object. See Using the Geo IP block list.

Select an allowlist configuration object. See Using the Geo IP allowlist.

Use the original client IP address as the source address when connecting to the real server.

Use the original client port as the source port when connecting to the real server.

The default is 300 seconds. The valid range is 1 to 3,600.

Enable or disable Dynamic Authorization for RADIUS Change of Authorization (CoA).

Configures the UDP port for CoA requests. The default is 3799.

Select a Geo IP block list configuration object. See Using the Geo IP block list.

Client-side TCP connection timeout. The default is 50 seconds. The valid range is 1 to 3,600.

Server-side IP session timeout. The default is 50 seconds. The valid range is 1 to 3,600.

Multiplexed server-side TCP connection timeout. Usually less than the client-side timeout. The default is 5 seconds. The valid range is 1 to 3,600.

Specifies how long connection requests to a backend server remain in a queue if the server has reached its maximum number of connections. If the timeout period expires before the client can connect, the system drops the connection and sends a 503 error to the client. The default is 5 seconds. The valid range is 1 to 3,600.

Use the original client IP address as the source address in the connection to the real server.

Enable to apply the FortiGuard IP reputation service. See Managing IP Reputation policy settings.

Select a Geo IP block list configuration object. See Using the Geo IP block list.

Select an allowlist configuration object. See Using the Geo IP allowlist.

Adjust the value of the TCPS VS's connection buffer size.

• For every session, there are two connection buffers.
• The default size is 8030, it is not recommended that you edit it. It's hidden in the Advance tab, and when you edit it you will get a warning message.
• Tuning this option is dangerous because it may lead to concurrent session number reduction or other unpredictable problems.

This timeout is counted as the amount of time when the client did not send a complete request HTTP header to the FortiADC after the client connected to the FortiADC. If this timeout expires, FortiADC will send a 408 message to client and close the connection to the client.

This timeout is counted as the amount of time when the server did not send a complete response HTTP header to the FortiADC after the FortiADC sent a request to server. If this timeout expires, FortiADC will close the server side connection and send a 503 message to the client and close the connection to the client.

This timeout is counted as the amount of time during which FortiADC tried to connect to the server with TCP SYN. After this timeout, if TCP connection is not established, FortiADC will drop this current connection to server and respond with a 503 message to client side and close the connection to the client.

This timeout is counted as the amount of time during which the request is queued in the dispatched queue. When the request cannot be dispatched to a server by a load balance method (for example, the server's connection limited is reached), it will be put into a queue. If this timeout expires, the request in the queue will be dropped and FortiADC will respond with a 503 message to client side and close the connection to the client.

This timeout is counted as the amount of time it took FortiADC to send a response body data (not including the header); the time is counted starting from when the body is transferred. If this timeout expires, FortiADC will close the connection of both side.

This timeout is counted as the amount of time the client did not send a complete request (including both HTTP header and request body) to FortiADC after the client connected to FortiADC. If this timeout expires, FortiADC will send a 408 message to client and close the connection to the client.

This timeout is counted as the time FortiADC can wait for a new request after the previous transaction is completed. This is an idle timeout if the client does not send anything in this period. If this timeout expires, FortiADC will close the connection to the client.

Use the original client IP address as the source address when connecting to the real server.

Append the client IP address found in IP layer packets to the HTTP header that you have specified in the X-Forwarded-For Header setting. If there is no existing X-Forwarded-For header, the system creates it.

If you only enable http-x-forwarded-for and do not configure http-x-forwarded-for-header, the default is to add such a header: X-Forwarded-For: <client's ip>

Specify the HTTP header to which to write the client IP address. Typically, this is the X-Forwarded-For header, but it is customizable because you might support traffic that uses different headers for this. Examples: Forwarded-For, Real-IP, or True-IP.

If http-x-forwarded-for-header <string> is configured, the added header is: <string>: <client's ip>,

Enable to apply the FortiGuard IP reputation service. See Managing IP Reputation policy settings.

Type a URL including the FQDN/IP and path, if any, to which a client will be redirected if the request violates the IP reputation policy.

• Server Close—Close the connection to the real server after each HTTP transaction.
• Once Only— An HTTP transaction can consist of multiple HTTP requests (separate requests for an HTML page and the images contained therein, for example). To improve performance, the "once only" flag instructs the FortiADC to evaluate only the first set of headers in a connection. Subsequent requests belonging to the connection are not load balanced, but sent to the same server as the first request.
• Keep Alive—Do not close the connection to the real server after each HTTP transaction. Instead, keep the connection between FortiADC and the real server open until the client-side connection is closed. This option is required for applications like Microsoft SharePoint.

Select a compression configuration object. See Configuring compression rules.

Select a decompression configuration object. See Configuring decompression rules.

Select an HTTP2 Profile configuration object. See Configuring HTTP2 profiles.

Select an HTTP3 Profile configuration object. See Configuring HTTP3 profiles.

Select a caching configuration object. See Using caching features.

Select a Geo IP block list configuration object. See Using the Geo IP block list.

Select an allowlist configuration object. See Using the Geo IP allowlist.

For HTTP, if you have configured a Geo IP redirect action, specify a redirect URL.

Advanced Settings

Adjust the value of the HTTP/HTTPS VS's connection buffer size.

• For every session, there are two connection buffers.
• The default size is 8030, it is not recommended that you edit it. It's hidden in the Advance tab, and when you edit it you will get a warning message.
• Tuning this option is dangerous because it may lead to concurrent session number reduction or other unpredictable problems.

Adjust the max header number that HTTP/HTTPS VS can process for every request or response. If a request or response has a header over this limit, it will be dropped, and return error message 400.

• The default value is 100, it's not recommended that you edit it. It is hidden in the Advance tab, and when you edit it you will get a warning message.
• Tuning this option is dangerous and may lead to concurrent session number reduction or other unpredictable problems.

Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400.

Client-side connection timeout. The default is 100 seconds. The valid range is from 1 to 86,400.

Enable to apply the FortiGuard IP reputation service.

Select a Geo IP block list configuration object. See Using the Geo IP block list.

Maximum message size. The default is 65535 bytes. The valid range is from 1 to 65,535.

Maximum wait for a new server-side request to appear. The default is 30 seconds. The valid range is 5-300.

Enable/disable a keepalive period for new server-side requests. Supports CRLF ping-pong for TCP connections. Enabled by default.

Enable/disable a keepalive period for new client-side requests. Supports CRLF ping-pong for TCP connections. Disabled by default.

Client-side transport protocol:

• TCP
• UDP (default)

Server-side transport protocol.

• TCP
• UDP

Default is "unset", so the client-side protocol determines the server-side protocol.

Action when the SIP client cannot be reached:

• Drop—Drop the connection.
• Send—Drop the connection and send a message, for example, a status code and error message.

Action when the SIP server cannot be reached:

• Drop—Drop the connection.
• Send—Drop the connection and send a message, for example, a status code and error message.

Enable/disable option to insert the client source IP address into the X-Forwarded-For header of the SIP request.

Use the original client IP address as the source address in the connection to the real server.

Change the media address of SIP payload to specified address. 0.0.0.0 is default.

Client-Request-Header-Insert (maximum 4 members)

• Insert If Not Exist—Insert before the first header only if the header is not already present.
• Insert Always—Insert before the first header even if the header is already present.
• Append If Not Exist—Append only if the header is not present.
• Append Always—Append after the last header.

The header:value pair to be inserted.

Client-Request-Header-Erase (maximum 4 members)

• All—Parse all headers for a match.
• First—Parse the first header for a match.

Header to be erased.

Client-Response-Header-Insert (maximum 4 members)

• Insert If Not Exist—Insert before the first header only if the header is not already present.
• Insert Always—Insert before the first header even if the header is already present.
• Append If Not Exist—Append only if the header is not present.
• Append Always—Append after the last header.

The header:value pair to be inserted.

Client-Response-Header-Erase (maximum 4 members)

• All—Parse all headers for a match.
• First—Parse the first header for a match.

Header to be erased.

Server-Request-Header-Insert (maximum 4 members)

• Insert If Not Exist—Insert before the first header only if the header is not already present.
• Insert Always—Insert before the first header even if the header is already present.
• Append If Not Exist—Append only if the header is not present.
• Append Always—Append after the last header.

The header:value pair to be inserted.

Server-Request-Header-Erase (maximum 4 members)

• All—Parse all headers for a match.
• First—Parse the first header for a match.

Header to be erased.

Server-Response-Header-Insert (maximum 4 members)

• Insert If Not Exist—Insert before the first header only if the header is not already present.
• Insert Always—Insert before the first header even if the header is already present.
• Append If Not Exist—Append only if the header is not present.
• Append Always—Append after the last header.

The header:value pair to be inserted.

Server-Response-Header-Erase (maximum 4 members)

• All—Parse all headers for a match.
• First—Parse the first header for a match.

Client-side TCP connection timeout. The default is 50 seconds. The valid range is 1 to 3,600.

Server-side IP session timeout. The default is 50 seconds. The valid range is 1 to 3,600.

Multiplexed server-side TCP connection timeout. Usually less than the client-side timeout. The default is 5 seconds. The valid range is 1 to 3,600.

Specifies how long connection requests to a backend server remain in a queue if the server has reached its maximum number of connections. If the timeout period expires before the client can connect, FortiADC drops the connection and sends a 503 error to the client. The default is 5 seconds. The valid range is 1 to 3,600.

Use the original client IP address as the source address in the connection to the real server.

Enable to apply the FortiGuard IP reputation service. See Managing IP Reputation policy settings.

Select a Geo IP block list configuration object. See Using the Geo IP block list.

Select an allowlist configuration object. See Using the Geo IP allowlist.

Adjust the value of the RDP VS's connection buffer size.

• For every session, there are two connection buffers.
• The default size is 8030, it is not recommended that you edit it. It's hidden in the Advance tab, and when you edit it you will get a warning message.
• Tuning this option is dangerous because it may lead to concurrent session number reduction or other unpredictable problems.

Enable/disable to use the original client IP address as the source address when connecting to the real server.

Enable/disable the cache for the DNS virtual server.

Specify the cache age-out time (in seconds). The default is 3,600. The valid range is 0 to 65,535.

Specify the maximum cache size (in Megabytes). The default is 10. The valid range is 1 to 100.

Specify the maximum cache entry size. The default is 512. The valid range is 256 to 4,096.

Select either of the following cache response types:

• All Records

• Round Robin

Select either of the following reactions for the malformed requests:

• Drop

• Forward

Specify the maximum query length. The default is 512. The valid range is 256 to 4,096.

Enable to apply FortiGuard IP reputation service. IP reputation. See Managing IP Reputation policy settings.

Select a Geo IP block list configuration object. See Using the Geo IP block list.

Select an allowlist configuration object. See Using the Geo IP allowlist.

Use the original client IP address as the source address in the connection to the real server.

Note: When using the NAT Source Pool for SMTP VS, ensure the SMTP application profile is disabled for Client Address. When the SMTP is enabled for Client Address, it will use the original client IP address as the source address when connecting to the real server, which cannot be done when the NAT source pool is used at the same time.

Select one of the following:

• Allow—The client can either use or not use the STARTTLS command.
• Required—The STARTTLS command must be used to encrypt the connection first.
• None—The STARTTLS command is NOT supported.

Enable/disable to forbid the command(s) selected in Forbidden Command.

Select any, all, or none of the commands:

• EXPN

• TURN

• VRFY

If selected, the command or commands will be rejected by FortiADC; otherwise, the command or commands will be accepted and forwarded to the back end.

Select a Geo IP block list configuration object. See Using the Geo IP block list.

Select an allowlist configuration object. See Using the Geo IP allowlist.

Disabled by default. When enabled, FortiADC will use the client address to connect to the server pool.

Specify the Origin Host.

Once defined, FortiADC will change the Origin-Host AVP of the Diameter packet.

Specify the Origin Realm.

Once defined, FortiADC will change the Origin-Realm AVP of the Diameter packet.

Specify the Vendor ID. Default is 0. Range is 0-2147483647.

Once defined, FortiADC will change the Vendor-ID AVP of the Diameter packet.

Specify the Product Name.

Once defined, FortiADC will change the Product-Name AVP of the Diameter packet.

300 (seconds) by default. Valid values range from 1 to 86,400.

This refers to the built-in session ID persistence timeout.

Disabled by default, this means that the connection on the client side stays open when the server closes the connection on its side.

Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400 seconds.

Specify the encode type for protocol message:

• ASCII

• Binary

The default option is ASCII.

Specify the encode type of length indicator:

• binary

• BCD

• decimal-str

• hex-str

The default option is binary.

Specify bytes to shift from the beginning of payload to read length value. Default is 0, range 0-32.

Specify total bytes reading to calculate length. Default is 2, range 0-8.

Specify length of optional header before MTI, including the length-indicator. Default is 0, range 0-32.

Specify hex string of optional trailer, maximum length 16, i.e. 8 bytes in binary

Select a Geo IP block list configuration object. See Using the Geo IP block list.

This timeout is counted as the amount of time when the client did not send a complete request HTTP header to the FortiADC after the client connected to the FortiADC. If this timeout expires, FortiADC will send a 408 message to client and close the connection to the client. The default is 50 seconds. The valid range is 1 to 86,400 seconds.

Specify the maximum inactivity time for MS SQL server on the server side.

Specify the maximum connections that can connect to the MS SQL server on the server side.

Select a Geo IP block list configuration object. See Using the Geo IP block list.

This timeout is counted as the amount of time when the client did not send a complete request HTTP header to the FortiADC after the client connected to the FortiADC. If this timeout expires, FortiADC will send a 408 message to client and close the connection to the client.

This timeout is counted as the amount of time when the server did not send a complete response HTTP header to the FortiADC after the FortiADC sent a request to server. If this timeout expires, FortiADC will close the server side connection and send a 503 message to the client and close the connection to the client.

This timeout is counted as the amount of time during which FortiADC tried to connect to the server with TCP SYN. After this timeout, if TCP connection is not established, FortiADC will drop this current connection to server and respond with a 503 message to client side and close the connection to the client.

This timeout is counted as the amount of time during which the request is queued in the dispatched queue. When the request cannot be dispatched to a server by a load balance method (for example, the server's connection limited is reached), it will be put into a queue. If this timeout expires, the request in the queue will be dropped and FortiADC will respond with a 503 message to client side and close the connection to the client.

This timeout is counted as the amount of time it took FortiADC to send a response body data (not including the header); the time is counted starting from when the body is transferred. If this timeout expires, FortiADC will close the connection of both side.

This timeout is counted as the amount of time the client did not send a complete request (including both HTTP header and request body) to FortiADC after the client connected to FortiADC. If this timeout expires, FortiADC will send a 408 message to client and close the connection to the client.

This timeout is counted as the time FortiADC can wait for a new request after the previous transaction is completed. This is an idle timeout if the client does not send anything in this period. If this timeout expires, FortiADC will close the connection to the client.

Use the original client IP address as the source address when connecting to the real server.

Enable this option to append the client IP address found in IP layer packets to the HTTP header, for example, X-forwarded-for: 192.168.161.100.

The default header name is X-forwarded-for. If you prefer a different name, use X-Forwarded-For Header to define a custom name.

Specify a custom name for the HTTP header which carries the client IP address. Do not include the 'X-' prefix. Examples: Forwarded-For, Real-IP, or True-IP.

Enable to apply the FortiGuard IP reputation service. See Managing IP Reputation policy settings.

Type a URL including the FQDN/IP and path, if any, to which a client will be redirected if the request violates the IP reputation policy.

Select a compression configuration object. See Configuring compression rules.

Select a Geo IP block list configuration object. See Using the Geo IP block list.

Select an allowlist configuration object. See Using the Geo IP allowlist.

For HTTP, if you have configured a Geo IP redirect action, specify a redirect URL.

Advanced Settings

Adjust the value of the HTTP/HTTPS VS's connection buffer size.

• For every session, there are two connection buffers.
• The default size is 8030, it is not recommended that you edit it. It's hidden in the Advance tab, and when you edit it you will get a warning message.
• Tuning this option is dangerous because it may lead to concurrent session number reduction or other unpredictable problems.

Adjust the max header number that HTTP/HTTPS VS can process for every request or response. If a request or response has a header over this limit, it will be dropped, and return error message 400.

• The default value is 100, it's not recommended that you edit it. It is hidden in the Advance tab, and when you edit it you will get a warning message.
• Tuning this option is dangerous and may lead to concurrent session number reduction or other unpredictable problems.

Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400.

Enable to apply the FortiGuard IP reputation service. See Managing IP Reputation policy settings.

Select a Geo IP block list configuration object. See Using the Geo IP block list.

Client-side session timeout. The default is 100 seconds. The valid range is 1 to 86,400 seconds.

Enable to apply the FortiGuard IP reputation service. See Managing IP Reputation policy settings.

Select a Geo IP block list configuration object. See Using the Geo IP block list.