
CLI Reference

server-policy setting

Use this command to configure the server policy settings.

Syntax

config server-policy setting

set core-file-count <core-file-count_int>

set enable-core-file {enable | disable | enable-best-effort}

set enable-session-statistics {enable | disable}

set enable-single-worker {enable | disable}

set hsm {enable | disable}

set no-session-limit {enable | disable}

set no-ssl-encrypt-then-mac {enable | disable}

set offline-session-timeout {seconds_int}

set use-first-ack-mac {enable | disable}

set dpdk {enable | disable}

set high-compatibility-mode {enable | disable}

set graceful-shutdown {enable | disable}

set server-pool-connection-limit-log {enable | disable}

set tls13-early-data-mode {enable | disable}

set record-content-routing-error-log {enable | disable}

set server-invalid-no-reponse {enable | disable}

set using-dns-proxy {enable | disable}

set df-flag {enable | disable}

set tls12-compatible-sigalg {enable | disable}

set corefile-ha-failover {enable | disable}

set reverse-dns-cache-timeout <int>

set crldp-update-interval <int>

set crldp-ttl-failed <int>

end

Variable Description Default

core-file-count <core-file-count_int>

The maximum number of core dump files to keep. The valid values are 3 and 5.

No default

enable-core-file {enable | disable | enable-best-effort}

disable: Disable coredump for proxyd.

enable: Enable coredump for proxyd. The dump is aborted if it cannot finish within the hung task timeout (in seconds).

enable-best-effort: Enable coredump for proxyd. The dump continues until the entire core file is written. This option is useful for analyzing a difficult issue, though it may cause your service to stop responding for a long time.

disable

enable-session-statistics {enable | disable}

Enable/disable session statistics for FortiView.

No default

enable-single-worker {enable | disable}

Enable/disable single worker mode. If enabled, only one worker thread handles the traffic. This mode is usually used for diagnosis only.

No default

hsm {enable | disable}

Specifies whether the settings you use to integrate FortiWeb with an HSM (hardware security module) are displayed in the web UI.

No default

no-session-limit {enable | disable}

Enable to remove the limit on the maximum number of concurrent sessions of FortiWeb-VM.

If this option is disabled, the maximum number of concurrent sessions for all policies on a VM is 20,000 (2 vCPUs), 50,000 (4 vCPUs), or 100,000 (8 vCPUs). For each policy, the limit is 8,000 (2 vCPUs), 15,000 (4 vCPUs), or 50,000 (8 vCPUs).

No default

no-ssl-encrypt-then-mac {enable | disable}

Disable to include the encrypt-then-mac extension in the packets sent by the client.

disable

use-first-ack-mac {enable | disable}

Once enabled, machine learning only observes the source MAC of the two ACK packets for a URL during the three-way handshake.

If disabled, machine learning observes all ACK packets, which keeps refreshing the MAC and affects performance.

enable

dpdk {enable | disable}

Enable/disable DPDK for packet processing.

No default

high-compatibility-mode {enable | disable}

Enable to accelerate SSL transport.

This setting only works on hardware platforms that have an SSL acceleration card. When enabled, the SSL acceleration card performs the SSL encryption and decryption.

disable

offline-session-timeout {seconds_int}

This setting only works in Offline Protection mode.

It is a session optimization option. FortiWeb's resources are consumed unnecessarily if a connection is kept open indefinitely. With this option, you can configure the session timeout value so that sessions do not stay open for too long.

The valid range is 30–1200 seconds.

No default
graceful-shutdown {enable | disable}

If disabled, the peer TCP connections are reset during system shutdown.

enable

server-pool-connection-limit-log {enable | disable}

Enable to send a warning-level event log when the connection count of a real server reaches its limit.

disable

tls13-early-data-mode {enable | disable}

Enable 0-RTT in TLS 1.3.

disable

record-content-routing-error-log {enable | disable}

If enabled, the reason for the content routing failure is recorded in the event log.

disable

server-invalid-no-reponse {enable | disable}

Enable this option to close the client connection when all the servers in the server pool are unresponsive.

disable

using-dns-proxy {enable | disable}

This option is enabled by default. If it is disabled, the system uses getaddrinfo to resolve the domain name.

enable

df-flag {enable | disable}

Enable to allow FortiWeb to send packets without the DF flag so that they can pass through a device with a low MTU.

disable

tls12-compatible-sigalg {enable | disable}

When tls12-compatible-sigalg is enabled, signature algorithm negotiation in the TLS handshake for FortiWeb behaves exactly the same as in OpenSSL 1.1.0.

Please note that executing this command causes proxyd to restart, so all current sessions are dropped.

This command is for very rare cases. Do not use it unless advised by the Fortinet support team.

disable

corefile-ha-failover {enable | disable}

Enable to trigger HA fail-over upon a proxyd coredump, so that the secondary node can immediately take over the traffic while the coredump file is being generated on the primary node.

Note the following when using this command:

  • You should set enable-core-file to enable or enable-best-effort for the corefile-ha-failover to work.

  • The enable-core-file and corefile-ha-failover attributes will NOT be synchronized to other devices in the same HA group, so you need to configure them on each device if needed.

  • Currently only the proxyd daemon coredump can trigger corefile-ha-failover. Other daemons can't trigger it.

  • This function works in active-passive and active-active standard HA modes. It is not suggested to enable it in HA Manager mode on public clouds, because usually the load balancer in front of the FortiWeb devices will do health check and guarantee that traffic is dispatched to the healthy nodes.

  • It is recommended to enable this option only on one FortiWeb, usually the primary device. Otherwise a proxyd coredump occurring on both devices may lead to HA fail-over back and forth between two devices.

disable
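The following CLI session is an added example, not part of the original reference, showing the dependency described above: corefile-ha-failover only takes effect when enable-core-file is set to enable or enable-best-effort, and since neither attribute is synchronized across the HA group, it is entered on the primary device only. The core-file-count value is illustrative.

```text
# Entered on the primary FortiWeb only (these attributes are not HA-synchronized).
# enable-core-file must be enable or enable-best-effort, or corefile-ha-failover has no effect.
config server-policy setting
    set enable-core-file enable
    set core-file-count 3
    set corefile-ha-failover enable
end
```

On the secondary device, set enable-core-file as required for troubleshooting but leave corefile-ha-failover disabled, so that a coredump on both nodes cannot cause fail-over to bounce back and forth.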

reverse-dns-cache-timeout <int>

The system caches the reverse DNS lookup results. You can set the reverse-dns-cache-timeout value so that the cached items can be removed after the expiration time.

The valid range is 1–1440 (minutes).

60 (minutes)

crldp-update-interval <int>

Specify the update interval (in seconds) for the Certificate Revocation List (CRL) distribution point. CRL files can become outdated, so the CRL distribution point should be checked periodically for each entry to keep them up to date.

You can run the following commands to check the CRL retrieval debug information:

diagnose debug application crl_update <0-8>

diag debug enable

3 (seconds)

crldp-ttl-failed <int>

Specify the TTL (time-to-live) in minutes for failed retrievals. If FortiWeb fails to retrieve the CRL from the distribution point, it makes another attempt after the specified crldp-ttl-failed time.

If the CRL is expired, the system will block the client traffic even if it has a valid certificate. You can allow the use of previously retrieved CRLs when the current CRL distribution point retrievals fail or are pending.

config system certificate verify

set crl-allow-expired enable

end

We highly recommend enabling this option as a temporary solution only when the CRL has expired. Ideally, we strongly suggest using the most up-to-date CRL file at all times to ensure that clients with revoked certificates are promptly blocked.

For more information on CRL, see "Revoking certificates" in FortiWeb Administration Guide.

5 (minutes)
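The following CLI session is an added example, not part of the original reference, that ties the three CRL-related settings together: the update interval and failed-retrieval TTL from this command, and the crl-allow-expired option from config system certificate verify. The numeric values match the defaults stated above; the disable value for crl-allow-expired is assumed to be the counterpart of the enable value shown on this page.

```text
# Poll the CRL distribution point every 3 seconds; retry a failed retrieval after 5 minutes.
config server-policy setting
    set crldp-update-interval 3
    set crldp-ttl-failed 5
end

# Fail closed: an expired CRL blocks client traffic even when the client certificate is valid.
# Switch to "enable" only as a temporary measure while the distribution point is unreachable.
config system certificate verify
    set crl-allow-expired disable
end

# Verify that retrievals succeed before relying on fail-closed behaviour.
diagnose debug application crl_update 8
diag debug enable
```

Keeping crl-allow-expired disabled means a distribution point outage will block client-certificate traffic once the cached CRL expires, so monitor the crl_update debug output and the failed-retrieval retries rather than leaving the option enabled permanently.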
