Fortinet black logo

CLI Reference

system network-option

system network-option

Use this command to configure system-wide TCP connection options.

To use this command, your administrator account’s access control profile must have either w or rw permission to the netgrp area. For details, see Permissions.

Syntax

config system network-option

set tcp-timestamp {enable | disable}

set tcp-tw-recycle {enable | disable}

set ip-src-balance {enable | disable}

set ip6-src-balance {enable | disable}

set tcp-buffer {default | high | max}

set arp_ignore {enable | disable}

set loopback-mtu <loopback-mtu_int>

set tcp-usertimeout <tcp-usertimeout_int>

set tcp-keepcnt <tcp-keepcnt_int>

set tcp-keepidle <tcp-keepidle_int>

set tcp-keepintvl <tcp-keepintvl_int>

set loopback-tso-gso {enable | disable}

set route-priority {system | dhcp}

set dns-priority {system | dhcp}

set dns-cache-timeout <dns-cache-timeout_int>

set tcp-mtu-probing {enable | disable}

set system network-option

set system network-option

set ipfrag-timeout <ipfrag-timeout_int>

set ip6frag-high-thresh <ip6frag-high-thresh_int>

set ip6frag-low-thresh <ip6frag-low-thresh_int>

set ip6frag-timeout <ip6frag-timeout_int>

set tcp-usertimeout <integer>

end

Variable Description Default

tcp-timestamp {enable | disable}

Enable to:

  • Verify whether clients’ TCP timestamps are sequential
  • Include TCP timestamps in packets from FortiWeb

Disabling this option can be useful when multiple clients are in front of a source NAT gateway such as a FortiGate. If it applies source NAT but forwards packets to FortiWeb without modifying the TCP timestamp, packets received from that source IP will appear to FortiWeb to have an unstable timestamp. FortiWeb will therefore drop out-of-sequence packets. Disabling therefore prevents packets dropped due to this cause, and can improve performance in that case.

Caution: Disabling this option affects FortiWeb’s dynamic calculation of TCP retransmission timeout (RTO) and therefore round trip time (RTT). If you disable the timestamp when it is not necessary, this can result in decreased application performance.

enable

tcp-tw-recycle {enable | disable}

Enable to quickly recycle sockets that are ready to close (i.e. in the TIME_WAIT state per the TCP RFC).

This option can be useful in networks with both sustained high load and bursts of new connection requests. If all sockets are busy, new connection requests may be refused. Enabling this option frees sockets more quickly.

Caution: Enabling this option can cause issues with external load balancers and HA failover if they are not expecting the connection to close quickly. This can result in decreased application performance. Generally, it is safer to wait for sockets to safely close before they are reused.

disable

ip-src-balance {enable | disable}

Enable to allow FortiWeb to connect to the back-end servers using more than one IPv4 address. FortiWeb uses a round-robin load-balancing algorithm to distribute the connections among the available IP addresses.

To specify the additional IP addresses, see system interface.

This option is useful for performance testing when the number of concurrent connections between FortiWeb and a back-end server exceeds the number of ports that a single IP can provide.

disable

ip6-src-balance {enable | disable}

Enable to allow FortiWeb to connect to the back-end servers using more than one IPv6 address. FortiWeb uses a round-robin load-balancing algorithm to distribute the connections among the available IP addresses.

To specify the additional IP addresses, see system interface.

disable

tcp-buffer {default | high | max}

Specify high or max to increase the size of the TCP buffer.

This option is useful when amount of traffic between a server pool member and FortiWeb is significantly larger than traffic between FortiWeb and the client.

max

arp_ignore {enable | disable}

Specify how FortiWeb responds to ARP requests.

  • disable—Reply for any local target IP address, configured on any interface.
  • enable—Reply only if the target IP address is local address configured on the incoming interface.
disable

loopback-mtu <loopback-mtu_int>

If the operation mode is True Transparent Proxy, specify a global MTU for v-zones.

Caution: If this value is smaller than a v-zone's MTU, this value replaces the larger value in the v-zone configuration.

Available only when the operation mode is True Transparent Proxy.

65536

tcp-usertimeout <tcp-usertimeout_int>

Enter how long FortiWeb waits before it closes the connection with a client that is not sending any data or responding with ACK to keepalive packets, in seconds.

120

tcp-keepcnt <tcp-keepcnt_int>

Enter only if no value is specified for tcp-usertimeout <tcp-usertimeout_int>. Fortinet recommends that you always specify a tcp-usertimeout value.

3

tcp-keepidle <tcp-keepidle_int>

Enter how long FortiWeb waits before it sends a client or server that keeps a connection with FortiWeb open without sending data a keepalive packet, in seconds.

60

tcp-keepintvl <tcp-keepintvl_int>

Enter how often FortiWeb sends a keepalive packet to a client that keeps a connection open without sending data, in seconds.

20

loopback-tso-gso {enable | disable}

Used for debugging. disable

route-priority {system | dhcp}

Configure the priority of route IP address obtained by the system and dhcp, whose route IP address has the priority. No default

dns-priority {system | dhcp}

Configure the priority of DNS obtained by the system and dhcp, whose DNS has the priority. No default
dns-cache-timeout <dns-cache-timeout_int> Configure how long the DNS proxy cache expires. The valid range is 0~60 (minutes). Only integers are supported.

For example, if the value is set to 3, the DNS proxy queries the DNS records from the DNS server and renews the records in the cache every 3 minutes. Please note that if the DNS records in the DNS server are changed during the 3-minute interval, and a client requests for a connection to the domain at this point, the connection will fail because the DNS record stored in the DNS proxy cache is not valid anymore.

To avoid this problem, you can set the dns-cache-timeout to a smaller value, so that the DNS proxy renews its cache more frequently. You can also set it to 0 (the default value), which means the DNS proxy doesn't cache the DNS records. It initiates query to the DNS server whenever there is a request to look up the DNS records.
0

tcp-mtu-probing {enable | disable}

Enable to negotiate with the upstream and downstream switches to get the maximum MTU value. Adjust the MTU accordingly for actual need. disable

ipfrag-high-thresh <ipfrag-high-thresh_int>

Enter the maximum threshold of the queued IP fragments memory that FortiWeb receives.

The valid range is 0-4194304 bytes.

4194304

ipfrag-low-thresh <ipfrag-low-thresh_int>

Enter the minimum threshold of the queued IP fragments memory that FortiWeb receives.

The valid range is 0-3145728 bytes.

3145728

ipfrag-timeout <ipfrag-timeout_int>

Type the number of seconds before the next IP fragment is received.

The valid range is 0-30 seconds.

30

ip6frag-high-thresh <ip6frag-high-thresh_int>

Enter the maximum threshold of the queued IP6 IP fragments memory that FortiWeb receives.

The valid range is 0-4194304 bytes.

4194304

ip6frag-low-thresh <ip6frag-low-thresh_int>

Enter the minimum threshold of the queued IP6 fragments memory that FortiWeb receives.

The valid range is 0-3145728 bytes.

3145728

ip6frag-timeout <ip6frag-timeout_int>

Type the number of seconds before the next IP6 fragment is received.

The valid range is 0-30 seconds.

30

tcp-usertimeout <integer>

When the health check is disabled and the back-end server is not responsive, FortiWeb will wait for the specified time until it sends the 503 error code. It's recommended to set a value smaller than 20 (seconds). This is to avoid too many times of retry being accumulated during the waiting time, which may cause the connection to be closed before FortiWeb has the chance to send the error code.

This option is at the appliance level. It affects all the policies on the appliance. You can also set the tcp-conn-timeout under config server-policy policy which only affects a specific policy. If the timeout is configured both at the policy and the appliance level, FortiWeb will take the value whichever is smaller.

Sometimes when there is a third device, such as a gateway, deployed between FortiWeb and the back-end server, FortiWeb will directly get the status code from the third device instead of waiting along the timeout period.

The valid range for this option is 0-600 (seconds).

0 means FortiWeb will send the 503 error code as soon as it detects the back-end server is not responsive.

120

Example

This example assigns additional IP addresses to port1. FortiWeb uses a round-robin load-balancing algorithm to distribute connections to back-end servers among the available IP addresses.

config system network-option

set ip-src-balance enable

end

config system interface

edit port1

set type physical

set ip 192.0.2.71/24

set allowaccess https ping ssh snmp http telnet

config secondaryip

edit 1

set ip 192.0.2.72/24

next

edit 2

set ip 192.0.2.73/24

next

end

next

end

Related topics

system network-option

system network-option

Use this command to configure system-wide TCP connection options.

To use this command, your administrator account’s access control profile must have either w or rw permission to the netgrp area. For details, see Permissions.

Syntax

config system network-option

set tcp-timestamp {enable | disable}

set tcp-tw-recycle {enable | disable}

set ip-src-balance {enable | disable}

set ip6-src-balance {enable | disable}

set tcp-buffer {default | high | max}

set arp_ignore {enable | disable}

set loopback-mtu <loopback-mtu_int>

set tcp-usertimeout <tcp-usertimeout_int>

set tcp-keepcnt <tcp-keepcnt_int>

set tcp-keepidle <tcp-keepidle_int>

set tcp-keepintvl <tcp-keepintvl_int>

set loopback-tso-gso {enable | disable}

set route-priority {system | dhcp}

set dns-priority {system | dhcp}

set dns-cache-timeout <dns-cache-timeout_int>

set tcp-mtu-probing {enable | disable}

set system network-option

set system network-option

set ipfrag-timeout <ipfrag-timeout_int>

set ip6frag-high-thresh <ip6frag-high-thresh_int>

set ip6frag-low-thresh <ip6frag-low-thresh_int>

set ip6frag-timeout <ip6frag-timeout_int>

set tcp-usertimeout <integer>

end

Variable Description Default

tcp-timestamp {enable | disable}

Enable to:

  • Verify whether clients’ TCP timestamps are sequential
  • Include TCP timestamps in packets from FortiWeb

Disabling this option can be useful when multiple clients are in front of a source NAT gateway such as a FortiGate. If it applies source NAT but forwards packets to FortiWeb without modifying the TCP timestamp, packets received from that source IP will appear to FortiWeb to have an unstable timestamp. FortiWeb will therefore drop out-of-sequence packets. Disabling therefore prevents packets dropped due to this cause, and can improve performance in that case.

Caution: Disabling this option affects FortiWeb’s dynamic calculation of TCP retransmission timeout (RTO) and therefore round trip time (RTT). If you disable the timestamp when it is not necessary, this can result in decreased application performance.

enable

tcp-tw-recycle {enable | disable}

Enable to quickly recycle sockets that are ready to close (i.e. in the TIME_WAIT state per the TCP RFC).

This option can be useful in networks with both sustained high load and bursts of new connection requests. If all sockets are busy, new connection requests may be refused. Enabling this option frees sockets more quickly.

Caution: Enabling this option can cause issues with external load balancers and HA failover if they are not expecting the connection to close quickly. This can result in decreased application performance. Generally, it is safer to wait for sockets to safely close before they are reused.

disable

ip-src-balance {enable | disable}

Enable to allow FortiWeb to connect to the back-end servers using more than one IPv4 address. FortiWeb uses a round-robin load-balancing algorithm to distribute the connections among the available IP addresses.

To specify the additional IP addresses, see system interface.

This option is useful for performance testing when the number of concurrent connections between FortiWeb and a back-end server exceeds the number of ports that a single IP can provide.

disable

ip6-src-balance {enable | disable}

Enable to allow FortiWeb to connect to the back-end servers using more than one IPv6 address. FortiWeb uses a round-robin load-balancing algorithm to distribute the connections among the available IP addresses.

To specify the additional IP addresses, see system interface.

disable

tcp-buffer {default | high | max}

Specify high or max to increase the size of the TCP buffer.

This option is useful when amount of traffic between a server pool member and FortiWeb is significantly larger than traffic between FortiWeb and the client.

max

arp_ignore {enable | disable}

Specify how FortiWeb responds to ARP requests.

  • disable—Reply for any local target IP address, configured on any interface.
  • enable—Reply only if the target IP address is local address configured on the incoming interface.
disable

loopback-mtu <loopback-mtu_int>

If the operation mode is True Transparent Proxy, specify a global MTU for v-zones.

Caution: If this value is smaller than a v-zone's MTU, this value replaces the larger value in the v-zone configuration.

Available only when the operation mode is True Transparent Proxy.

65536

tcp-usertimeout <tcp-usertimeout_int>

Enter how long FortiWeb waits before it closes the connection with a client that is not sending any data or responding with ACK to keepalive packets, in seconds.

120

tcp-keepcnt <tcp-keepcnt_int>

Enter only if no value is specified for tcp-usertimeout <tcp-usertimeout_int>. Fortinet recommends that you always specify a tcp-usertimeout value.

3

tcp-keepidle <tcp-keepidle_int>

Enter how long FortiWeb waits before it sends a client or server that keeps a connection with FortiWeb open without sending data a keepalive packet, in seconds.

60

tcp-keepintvl <tcp-keepintvl_int>

Enter how often FortiWeb sends a keepalive packet to a client that keeps a connection open without sending data, in seconds.

20

loopback-tso-gso {enable | disable}

Used for debugging. disable

route-priority {system | dhcp}

Configure the priority of route IP address obtained by the system and dhcp, whose route IP address has the priority. No default

dns-priority {system | dhcp}

Configure the priority of DNS obtained by the system and dhcp, whose DNS has the priority. No default
dns-cache-timeout <dns-cache-timeout_int> Configure how long the DNS proxy cache expires. The valid range is 0~60 (minutes). Only integers are supported.

For example, if the value is set to 3, the DNS proxy queries the DNS records from the DNS server and renews the records in the cache every 3 minutes. Please note that if the DNS records in the DNS server are changed during the 3-minute interval, and a client requests for a connection to the domain at this point, the connection will fail because the DNS record stored in the DNS proxy cache is not valid anymore.

To avoid this problem, you can set the dns-cache-timeout to a smaller value, so that the DNS proxy renews its cache more frequently. You can also set it to 0 (the default value), which means the DNS proxy doesn't cache the DNS records. It initiates query to the DNS server whenever there is a request to look up the DNS records.
0

tcp-mtu-probing {enable | disable}

Enable to negotiate with the upstream and downstream switches to get the maximum MTU value. Adjust the MTU accordingly for actual need. disable

ipfrag-high-thresh <ipfrag-high-thresh_int>

Enter the maximum threshold of the queued IP fragments memory that FortiWeb receives.

The valid range is 0-4194304 bytes.

4194304

ipfrag-low-thresh <ipfrag-low-thresh_int>

Enter the minimum threshold of the queued IP fragments memory that FortiWeb receives.

The valid range is 0-3145728 bytes.

3145728

ipfrag-timeout <ipfrag-timeout_int>

Type the number of seconds before the next IP fragment is received.

The valid range is 0-30 seconds.

30

ip6frag-high-thresh <ip6frag-high-thresh_int>

Enter the maximum threshold of the queued IP6 IP fragments memory that FortiWeb receives.

The valid range is 0-4194304 bytes.

4194304

ip6frag-low-thresh <ip6frag-low-thresh_int>

Enter the minimum threshold of the queued IP6 fragments memory that FortiWeb receives.

The valid range is 0-3145728 bytes.

3145728

ip6frag-timeout <ip6frag-timeout_int>

Type the number of seconds before the next IP6 fragment is received.

The valid range is 0-30 seconds.

30

tcp-usertimeout <integer>

When the health check is disabled and the back-end server is not responsive, FortiWeb will wait for the specified time until it sends the 503 error code. It's recommended to set a value smaller than 20 (seconds). This is to avoid too many times of retry being accumulated during the waiting time, which may cause the connection to be closed before FortiWeb has the chance to send the error code.

This option is at the appliance level. It affects all the policies on the appliance. You can also set the tcp-conn-timeout under config server-policy policy which only affects a specific policy. If the timeout is configured both at the policy and the appliance level, FortiWeb will take the value whichever is smaller.

Sometimes when there is a third device, such as a gateway, deployed between FortiWeb and the back-end server, FortiWeb will directly get the status code from the third device instead of waiting along the timeout period.

The valid range for this option is 0-600 (seconds).

0 means FortiWeb will send the 503 error code as soon as it detects the back-end server is not responsive.

120

Example

This example assigns additional IP addresses to port1. FortiWeb uses a round-robin load-balancing algorithm to distribute connections to back-end servers among the available IP addresses.

config system network-option

set ip-src-balance enable

end

config system interface

edit port1

set type physical

set ip 192.0.2.71/24

set allowaccess https ping ssh snmp http telnet

config secondaryip

edit 1

set ip 192.0.2.72/24

next

edit 2

set ip 192.0.2.73/24

next

end

next

end

Related topics