server-policy setting
Use this command to configure the server policy settings.
Syntax
config server-policy setting
set core-file-count <core-file-count_int>
set enable-core-file {enable | disable | enable-best-effort}
set enable-session-statistics {enable | disable}
set enable-single-worker {enable | disable}
set hsm {enable | disable}
set no-session-limit {enable | disable}
set no-ssl-encrypt-then-mac {enable | disable}
set offline-session-timeout {seconds_int}
set use-first-ack-mac {enable | disable}
set dpdk {enable | disable}
set high-compatibility-mode {enable | disable}
set graceful-shutdown {enable | disable}
set server-pool-connection-limit-log {enable | disable}
set tls13-early-data-mode {enable | disable}
set record-content-routing-error-log {enable | disable}
set server-invalid-no-reponse {enable | disable}
set using-dns-proxy {enable | disable}
set df-flag {enable | disable}
set tls12-compatible-sigalg {enable | disable}
set corefile-ha-failover {enable | disable}
set reverse-dns-cache-timeout <int>
end
core-file-count <core-file-count_int>
The maximum number of core dump files to keep. The valid values are 3 and 5.
Default: No default

enable-core-file {enable | disable | enable-best-effort}
disable: Disable core dumps for proxyd.
enable: Enable core dumps for proxyd. The dump is stopped if it cannot finish within the hung task timeout (in seconds).
enable-best-effort: Enable core dumps for proxyd; proxyd stays stopped until the entire core file has been generated. This option is useful for analyzing a difficult issue, but it may cause your service to stop responding for a long time.
Default: disable

enable-session-statistics {enable | disable}
Enable/disable session statistics for FortiView.
Default: No default

enable-single-worker {enable | disable}
Enable/disable single worker mode. When enabled, only one worker thread handles the traffic. This mode is normally used for diagnosis only.
Default: No default

hsm {enable | disable}
Specifies whether the settings used to integrate FortiWeb with an HSM (hardware security module) are displayed in the web UI.
Default: No default

no-session-limit {enable | disable}
Enable to remove the limit on the maximum number of concurrent sessions on FortiWeb-VM.
If this option is disabled, the maximum number of concurrent sessions for all policies on a VM is 20,000 (2 vCPUs), 50,000 (4 vCPUs), or 100,000 (8 vCPUs); for each policy, the limit is 8,000 (2 vCPUs), 15,000 (4 vCPUs), or 50,000 (8 vCPUs).
Default: No default

no-ssl-encrypt-then-mac {enable | disable}
Disable this option to include the encrypt-then-mac extension in the packets sent by the client.
Default: disable

use-first-ack-mac {enable | disable}
When enabled, machine learning observes only the source MAC of two ACK packets for a URL during the three-way handshake. When disabled, machine learning observes all ACK packets and keeps refreshing the MAC, which affects performance.
Default: enable

dpdk {enable | disable}
Enable/disable DPDK for packet processing.
Default: No default

high-compatibility-mode {enable | disable}
Enable to accelerate SSL transport.
This setting only takes effect on hardware platforms that have an SSL acceleration card. When enabled, the card performs the SSL encryption and decryption for SSL traffic.
Default: disable

offline-session-timeout {seconds_int}
This setting only works in Offline Protection mode.
It is a session optimization option. FortiWeb resources are consumed unnecessarily if a connection stays open indefinitely; with this option you configure a session timeout so that sessions do not stay open for too long.
The valid range is 30–1200 seconds.
Default: No default

graceful-shutdown {enable | disable}
If disabled, peer TCP connections are reset during system shutdown.
Default: enable

server-pool-connection-limit-log {enable | disable}
Enable to send a warning-level event log when the connection count of a real server reaches its limit.
Default: disable

tls13-early-data-mode {enable | disable}
Enable 0-RTT early data in TLS 1.3.
Default: disable

record-content-routing-error-log {enable | disable}
If enabled, the reason for a content routing failure is recorded in the event log.
Default: disable

server-invalid-no-reponse {enable | disable}
Enable this option to close the client connection when all servers in the server pool are unresponsive.
Default: disable

using-dns-proxy {enable | disable}
This option is enabled by default. If it is disabled, the system uses getaddrinfo to resolve domain names.
Default: enable

df-flag {enable | disable}
Enable to allow FortiWeb to send packets without the DF (Don't Fragment) flag so that they can pass through a device with a low MTU.
Default: disable

tls12-compatible-sigalg {enable | disable}
When tls12-compatible-sigalg is enabled, signature algorithm negotiation in the TLS handshake behaves exactly as in OpenSSL 1.1.0.
Note that executing this command restarts proxyd, so all current sessions are dropped.
This command is for very rare cases. Do not use it unless advised by the Fortinet support team.
Default: disable

corefile-ha-failover {enable | disable}
Enable to trigger an HA fail-over when proxyd dumps core, so that the secondary node can immediately take over the traffic while the core file is being generated on the primary node.
Note the following when using this command:
- enable-core-file must be set to enable or enable-best-effort for corefile-ha-failover to work.
- The enable-core-file and corefile-ha-failover attributes are NOT synchronized to other devices in the same HA group, so you need to configure them on each device as needed.
- Currently only a proxyd coredump can trigger corefile-ha-failover. Other daemons cannot trigger it.
- This function works in active-passive and active-active standard HA modes. Enabling it in HA Manager mode on public clouds is not recommended, because the load balancer in front of the FortiWeb devices usually performs health checks and ensures that traffic is dispatched only to healthy nodes.
- It is recommended to enable this option on only one FortiWeb, usually the primary device. Otherwise a proxyd coredump occurring on both devices may cause HA fail-over to bounce back and forth between the two devices.
Default: disable

reverse-dns-cache-timeout <int>
The system caches reverse DNS lookup results. Set reverse-dns-cache-timeout so that cached entries are removed after they expire.
The valid range is 1–1440 minutes.
Default: 60 (minutes)
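As an added example that is not part of the Fortinet documentation, the following Python script parses a `config server-policy setting` block in the form it takes in a FortiWeb CLI configuration backup and checks it against the value ranges and the corefile-ha-failover dependency rules listed in this reference. The sample block is constructed, and the `peer_failover_enabled` flag is a hypothetical input standing in for knowledge of the other HA member's configuration (the reference notes that this attribute is not synchronized across the HA group).

```python
import re

# Constructed sample of a 'config server-policy setting' block in the form it
# takes in a FortiWeb CLI configuration backup. Values are deliberately chosen
# to trip several documented constraints; this is not a real backup.
SAMPLE_CONFIG = """\
config server-policy setting
    set core-file-count 4
    set enable-core-file disable
    set corefile-ha-failover enable
    set offline-session-timeout 20
    set reverse-dns-cache-timeout 60
    set enable-single-worker enable
    set tls12-compatible-sigalg enable
end
"""

# Documented numeric constraints from the reference table.
INT_CONSTRAINTS = {
    "core-file-count": {3, 5},                   # only 3 or 5 are valid
    "offline-session-timeout": range(30, 1201),  # 30-1200 seconds
    "reverse-dns-cache-timeout": range(1, 1441), # 1-1440 minutes
}

# Documented enumerated values; other keywords accept enable|disable.
ENUM_CONSTRAINTS = {
    "enable-core-file": {"enable", "disable", "enable-best-effort"},
}

SET_LINE = re.compile(r"^set\s+(\S+)\s+(\S+)$")


def parse_setting_block(text):
    """Return {keyword: value} for the 'set' lines between
    'config server-policy setting' and its closing 'end'."""
    settings = {}
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config server-policy setting":
            inside = True
            continue
        if inside and line == "end":
            break
        if inside:
            m = SET_LINE.match(line)
            if m:
                settings[m.group(1)] = m.group(2)
    return settings


def audit(settings, peer_failover_enabled=False):
    """Return a list of findings. peer_failover_enabled is a hypothetical
    flag: whether the other HA member already has corefile-ha-failover
    enabled (the setting is not HA-synchronized, so the caller must know)."""
    findings = []

    for key, allowed in INT_CONSTRAINTS.items():
        if key not in settings:
            continue
        try:
            value = int(settings[key])
        except ValueError:
            findings.append(f"{key}: value {settings[key]!r} is not an integer")
            continue
        if value not in allowed:
            findings.append(f"{key}: {value} is outside the documented range")

    for key, allowed in ENUM_CONSTRAINTS.items():
        if key in settings and settings[key] not in allowed:
            findings.append(f"{key}: unknown value {settings[key]!r}")

    # Dependency rules for corefile-ha-failover from the reference notes.
    if settings.get("corefile-ha-failover") == "enable":
        core = settings.get("enable-core-file", "disable")  # documented default
        if core not in ("enable", "enable-best-effort"):
            findings.append("corefile-ha-failover: requires enable-core-file "
                            "enable or enable-best-effort")
        if peer_failover_enabled:
            findings.append("corefile-ha-failover: enabled on both HA members; "
                            "a coredump on each may cause repeated fail-over")

    # Settings the reference describes as diagnostic or support-only.
    if settings.get("enable-single-worker") == "enable":
        findings.append("enable-single-worker: diagnostic mode, a single "
                        "worker thread handles all traffic")
    if settings.get("tls12-compatible-sigalg") == "enable":
        findings.append("tls12-compatible-sigalg: support-only option; "
                        "changing it restarts proxyd and drops sessions")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_setting_block(SAMPLE_CONFIG)):
        print(finding)
```

Run it against an exported configuration to get one line per deviation from the documented ranges or dependency rules; a clean block (for example `core-file-count 3`, `enable-core-file enable-best-effort`, `corefile-ha-failover enable` on a single member) produces no findings.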