system network-option
Use this command to configure system-wide TCP connection options.
To use this command, your administrator account’s access control profile must have either w or rw permission to the netgrp area. For details, see Permissions.
Syntax
config system network-option
set tcp-timestamp {enable | disable}
set tcp-tw-recycle {enable | disable}
set ip-src-balance {enable | disable}
set ip6-src-balance {enable | disable}
set tcp-buffer {default | high | max | ultra}
set arp_ignore {enable | disable}
set loopback-mtu <loopback-mtu_int>
set tcp-usertimeout <tcp-usertimeout_int>
set tcp-keepcnt <tcp-keepcnt_int>
set tcp-keepidle <tcp-keepidle_int>
set tcp-keepintvl <tcp-keepintvl_int>
set loopback-tso-gso {enable | disable}
set route-priority {system | dhcp}
set dns-priority {system | dhcp}
set dns-cache-timeout <dns-cache-timeout_int>
set tcp-mtu-probing {enable | disable}
set ipfrag-high-thresh <ipfrag-high-thresh_int>
set ipfrag-low-thresh <ipfrag-low-thresh_int>
set ipfrag-timeout <ipfrag-timeout_int>
set ip6frag-high-thresh <ip6frag-high-thresh_int>
set ip6frag-low-thresh <ip6frag-low-thresh_int>
set ip6frag-timeout <ip6frag-timeout_int>
end
Variable | Description | Default
--- | --- | ---
tcp-timestamp {enable \| disable} | Enable to use TCP timestamps. Disabling this option can be useful when multiple clients are behind a source NAT gateway such as a FortiGate. If the gateway applies source NAT but forwards packets to FortiWeb without modifying the TCP timestamp, packets received from that source IP appear to FortiWeb to have an unstable timestamp, and FortiWeb drops the out-of-sequence packets. Disabling this option prevents packets from being dropped for this reason and can improve performance in that case. Caution: Disabling this option affects FortiWeb’s dynamic calculation of the TCP retransmission timeout (RTO) and therefore of the round trip time (RTT). Disabling the timestamp when it is not necessary can decrease application performance. | enable
tcp-tw-recycle {enable \| disable} | Enable to quickly recycle sockets that are ready to close (i.e. in the TIME_WAIT state). This option can be useful in networks with both sustained high load and bursts of new connection requests. If all sockets are busy, new connection requests may be refused; enabling this option frees sockets more quickly. Caution: Enabling this option can cause issues with external load balancers and HA failover if they do not expect the connection to close quickly, which can decrease application performance. Generally, it is safer to wait for sockets to close before they are reused. | disable
ip-src-balance {enable \| disable} | Enable to allow FortiWeb to connect to the back-end servers using more than one IPv4 address. FortiWeb uses a round-robin load-balancing algorithm to distribute the connections among the available IP addresses. To specify the additional IP addresses, see system interface. This option is useful for performance testing when the number of concurrent connections between FortiWeb and a back-end server exceeds the number of ports that a single IP address can provide. | disable
ip6-src-balance {enable \| disable} | Enable to allow FortiWeb to connect to the back-end servers using more than one IPv6 address. FortiWeb uses a round-robin load-balancing algorithm to distribute the connections among the available IP addresses. To specify the additional IP addresses, see system interface. | disable
tcp-buffer {default \| high \| max \| ultra} | Select the TCP buffer size. A larger buffer is useful when the amount of traffic between a server pool member and FortiWeb is significantly larger than the traffic between FortiWeb and the client. | max
arp_ignore {enable \| disable} | Specify how FortiWeb responds to ARP requests. | disable
loopback-mtu <loopback-mtu_int> | If the operation mode is True Transparent Proxy, specify a global MTU for v-zones. Caution: If this value is smaller than a v-zone’s MTU, this value replaces the larger value in the v-zone configuration. Available only when the operation mode is True Transparent Proxy. | 65536
tcp-usertimeout <tcp-usertimeout_int> | Enter how long FortiWeb waits, in seconds, before it closes the connection with a client that is not sending any data or not responding with an ACK to keepalive packets. | 120
tcp-keepcnt <tcp-keepcnt_int> | Enter only if no value is specified for tcp-usertimeout <tcp-usertimeout_int>. Fortinet recommends that you always specify a | 3
tcp-keepidle <tcp-keepidle_int> | Enter how long FortiWeb waits, in seconds, before it sends a keepalive packet to a client or server that keeps a connection with FortiWeb open without sending data. | 60
tcp-keepintvl <tcp-keepintvl_int> | Enter how often FortiWeb sends a keepalive packet, in seconds, to a client that keeps a connection open without sending data. | 20
loopback-tso-gso {enable \| disable} | Used for debugging. | disable
route-priority {system \| dhcp} | Specify whether the route obtained from the system configuration or the route obtained from DHCP takes priority. | No default
dns-priority {system \| dhcp} | Specify whether the DNS servers obtained from the system configuration or those obtained from DHCP take priority. | No default
dns-cache-timeout <dns-cache-timeout_int> | Configure how long entries in the DNS proxy cache remain valid. The valid range is 0-60 (minutes); only integers are supported. For example, if the value is set to 3, the DNS proxy queries the DNS records from the DNS server and renews the records in the cache every 3 minutes. Note that if the DNS records on the DNS server change during that 3-minute interval and a client requests a connection to the domain at that point, the connection fails because the DNS record stored in the DNS proxy cache is no longer valid. To avoid this problem, set dns-cache-timeout to a smaller value so that the DNS proxy renews its cache more frequently. You can also set it to 0 (the default value), which means the DNS proxy does not cache DNS records and queries the DNS server whenever a record lookup is requested. | 0
tcp-mtu-probing {enable \| disable} | Enable to negotiate with the upstream and downstream switches to discover the maximum MTU value, and adjust the MTU according to actual need. | disable
ipfrag-high-thresh <ipfrag-high-thresh_int> | Enter the maximum amount of memory, in bytes, that FortiWeb uses to queue received IPv4 fragments. The valid range is 0-4194304. | 4194304
ipfrag-low-thresh <ipfrag-low-thresh_int> | Enter the minimum amount of memory, in bytes, that FortiWeb uses to queue received IPv4 fragments. The valid range is 0-3145728. | 3145728
ipfrag-timeout <ipfrag-timeout_int> | Enter the maximum number of seconds FortiWeb waits for the next IPv4 fragment to arrive. The valid range is 0-30. | 30
ip6frag-high-thresh <ip6frag-high-thresh_int> | Enter the maximum amount of memory, in bytes, that FortiWeb uses to queue received IPv6 fragments. The valid range is 0-4194304. | 4194304
ip6frag-low-thresh <ip6frag-low-thresh_int> | Enter the minimum amount of memory, in bytes, that FortiWeb uses to queue received IPv6 fragments. The valid range is 0-3145728. | 3145728
ip6frag-timeout <ip6frag-timeout_int> | Enter the maximum number of seconds FortiWeb waits for the next IPv6 fragment to arrive. The valid range is 0-30. | 30
 | When the health check is disabled and the back-end server is not responsive, FortiWeb waits for the specified time before it sends the 503 error code. It is recommended to set a value smaller than 20 (seconds), to avoid accumulating too many retries during the waiting time, which may cause the connection to be closed before FortiWeb has the chance to send the error code. This option applies at the appliance level and affects all policies on the appliance. You can also set the Sometimes, when a third device such as a gateway is deployed between FortiWeb and the back-end server, FortiWeb gets the status code directly from that device instead of waiting for the timeout period. The valid range for this option is 0-600 (seconds). 0 means FortiWeb sends the 503 error code as soon as it detects that the back-end server is not responsive. | 120
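The following is an added example, not FortiWeb's own code, showing how a practitioner can lint an exported `config system network-option` block against the value ranges and caveats documented in the table: it parses the `set` lines, flags integers outside the documented ranges, flags a fragment low-water mark that is not below its high-water mark, warns about the two options whose caution notes matter behind load balancers, HA pairs or source-NAT gateways, and computes how long a silent peer survives under the keepalive timers. The dead-peer formula (keepidle + keepcnt × keepintvl) assumes standard Linux keepalive semantics, which is an assumption of this example and not something the reference page states; the sample configuration is constructed.

```python
"""Added example (not FortiWeb code): lint a 'config system network-option' block
against the ranges and caveats in the FortiWeb CLI reference."""
import re

# Inclusive integer ranges taken from the reference table.
RANGES = {
    "dns-cache-timeout": (0, 60),          # minutes
    "ipfrag-high-thresh": (0, 4194304),    # bytes
    "ipfrag-low-thresh": (0, 3145728),     # bytes
    "ipfrag-timeout": (0, 30),             # seconds
    "ip6frag-high-thresh": (0, 4194304),
    "ip6frag-low-thresh": (0, 3145728),
    "ip6frag-timeout": (0, 30),
}
TOGGLES = ("tcp-timestamp", "tcp-tw-recycle", "ip-src-balance", "ip6-src-balance",
           "arp_ignore", "loopback-tso-gso", "tcp-mtu-probing")
# Defaults from the table, used when a keepalive setting is omitted.
DEFAULTS = {"tcp-usertimeout": 120, "tcp-keepcnt": 3, "tcp-keepidle": 60, "tcp-keepintvl": 20}

SET_RE = re.compile(r"^set\s+(\S+)\s+(.+?)\s*$")


def parse_network_option(text):
    """Return {setting: value} from the first 'config system network-option' ... 'end' block."""
    settings, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config system network-option":
            inside = True
        elif inside and line == "end":
            break
        elif inside:
            m = SET_RE.match(line)
            if m:
                settings[m.group(1)] = m.group(2)
    return settings


def check_network_option(settings):
    """Return [(severity, message)] for out-of-range values and documented caveats."""
    findings, ints = [], {}
    for key, (lo, hi) in RANGES.items():
        if key not in settings:
            continue
        if not settings[key].isdigit():
            findings.append(("error", f"{key}: '{settings[key]}' is not an integer"))
            continue
        ints[key] = int(settings[key])
        if not lo <= ints[key] <= hi:
            findings.append(("error", f"{key}={ints[key]} outside documented range {lo}-{hi}"))
    for key in TOGGLES:
        if key in settings and settings[key] not in ("enable", "disable"):
            findings.append(("error", f"{key}: expected enable|disable, got '{settings[key]}'"))
    # The low-water mark for fragment memory must sit below the high-water mark.
    for fam in ("ipfrag", "ip6frag"):
        lo_k, hi_k = f"{fam}-low-thresh", f"{fam}-high-thresh"
        if lo_k in ints and hi_k in ints and ints[lo_k] >= ints[hi_k]:
            findings.append(("error", f"{lo_k} must be lower than {hi_k}"))
    # Cautions stated in the reference table.
    if settings.get("tcp-tw-recycle") == "enable":
        findings.append(("warning", "tcp-tw-recycle enabled: may break external load balancers and HA failover"))
    if settings.get("tcp-timestamp") == "disable":
        findings.append(("warning", "tcp-timestamp disabled: RTO/RTT calculation degrades; only needed "
                                    "behind a source-NAT gateway that leaves timestamps unmodified"))
    return findings


def keepalive_dead_peer_seconds(settings):
    """Seconds of silence before a peer that never answers keepalives is dropped.
    Assumes Linux keepalive semantics (idle + count * interval); this is an assumption
    of the example, not a statement from the reference page."""
    idle = int(settings.get("tcp-keepidle", DEFAULTS["tcp-keepidle"]))
    cnt = int(settings.get("tcp-keepcnt", DEFAULTS["tcp-keepcnt"]))
    intvl = int(settings.get("tcp-keepintvl", DEFAULTS["tcp-keepintvl"]))
    return idle + cnt * intvl


# Constructed sample: a deliberately questionable configuration.
SAMPLE_CONFIG = """\
config system network-option
    set tcp-timestamp disable
    set tcp-tw-recycle enable
    set ipfrag-low-thresh 4000000
    set ipfrag-high-thresh 4194304
    set ipfrag-timeout 45
    set tcp-keepidle 30
    set tcp-keepcnt 5
    set tcp-keepintvl 10
end
"""

if __name__ == "__main__":
    cfg = parse_network_option(SAMPLE_CONFIG)
    for severity, msg in check_network_option(cfg):
        print(f"[{severity}] {msg}")
    print("dead-peer detection after", keepalive_dead_peer_seconds(cfg), "s;",
          "tcp-usertimeout", cfg.get("tcp-usertimeout", DEFAULTS["tcp-usertimeout"]), "s")
```

With the table defaults (60 + 3 × 20) the keepalive path drops a silent peer after 120 seconds, the same figure as the tcp-usertimeout default, so lowering only one of the two timers changes which mechanism closes the connection first; the script prints both so the relationship is visible when reviewing a change.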
Example
This example assigns additional IP addresses to port1. FortiWeb uses a round-robin load-balancing algorithm to distribute connections to back-end servers among the available IP addresses.
config system network-option
set ip-src-balance enable
end
config system interface
edit port1
set type physical
set ip 192.0.2.71/24
set allowaccess HTTPS ping ssh snmp HTTP telnet
config secondaryip
edit 1
set ip 192.0.2.72/24
next
edit 2
set ip 192.0.2.73/24
next
end
next
end