
CLI Reference

server-policy server-pool

Use this command to configure an HTTP, FTP, or AD FS server pool.

Server pools define a group of one or more physical or domain servers (web servers) that FortiWeb distributes connections among, or where the connections pass through to, depending on the operation mode. Reverse Proxy mode actively distributes connections; Offline Protection and either of the transparent modes do not actively distribute connections.

To apply the server pool configuration, do one of the following:

  • Select it in a server policy directly.
  • Select it in an HTTP content writing policy that you can, in turn, select in a server policy.

For details, see server-policy policy and server-policy HTTP-content-routing-policy.

To determine which type of server pool to create, configure protocol {HTTP | FTP | ADFSPIP}. If you plan to configure an FTP server pool, first confirm that FTP is enabled in system feature-visibility. For details, see system feature-visibility.

To use this command, your administrator account’s access control profile must have either w or rw permission to the traroutegrp area. For details, see Permissions.

Syntax

config server-policy server-pool

edit "<server-pool_name>"

set comment "<comment_str>"

set health "<health-check_name>"

set HTTP-reuse {aggressive | always | never | safe}

set lb-algo {least-connections | round-robin | weighted-round-robin | uri-hash | full-uri-hash | host-hash | host-domain-hash | src-ip-hash | least-response-time | probabilistic-weighted-least-response-time}

set persistence "<persistence-policy_name>"

set protocol {HTTP | FTP | ADFSPIP}

set reuse-conn-idle-time <int>

set reuse-conn-max-count <int>

set reuse-conn-max-request <int>

set reuse-conn-total-time <int>

set server-balance {enable | disable}

set server-pool-id

set type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp}

set proxy-protocol {enable | disable}

set proxy-protocol-version {v1 | v2}

set adfs-server-name <adfs-server-name_str>

config pserver-list

edit <entry_index>

set analyzer-policy "<fortianalyzer-policy_name>"

set backup-server {enable | disable}

set certificate "<certificate_name>"

set certificate-verify "<verifier_name>"

set client-certificate "<client-certificate_name>"

set client-certificate-forwarding {enable | disable}

set client-certificate-forwarding-cert-header "<header_str>"

set client-certificate-forwarding-sub-header "<header_str>"

set client-certificate-proxy {enable | disable}

set client-certificate-proxy-sign-ca <sign_ca>

set conn-limit <conn-limit_int>

set domain "<server_fqdn>"

set health-check-inherit {enable | disable}

set hlck-domain <hlck-domain_str>

set hpkp-header "<hpkp_name>"

set hsts-header {enable | disable}

set hsts-max-age <timeout_int>

set HTTP2 {enable | disable}

set http2-window-size <int>

set implicit_ssl {enable | disable}

set intermediate-certificate-group "<CA-group_name>"

set ip {"address_ipv4" | "address_ipv6"}

set port <port_int>

set server-certificate-verify {enable | disable}

set server-certificate-verify-action {alert | alert_deny | redirect}

set server-certificate-verify-policy "<policy_name>"

set recover <recover_int>

set server-side-sni {enable | disable}

set server-type {physical | domain | sdn-connector}

set sdn-addr-type {private | public | all}

set sdn {aws | azure}

set filter <string>

set session-id-reuse {enable | disable}

set session-ticket-reuse {enable | disable}

set sni {enable | disable}

set sni-certificate "<sni_name>"

set sni-strict {enable | disable}

set certificate-type {enable | disable}

set lets-certificate <name>

set ssl {enable | disable}

set ssl-cipher {medium | high | custom}

set ssl-custom-cipher {<cipher_1> <cipher2> <cipher3> ...}

set tls13-custom-cipher

set rfc7919-comply {enable | disable}

set supported-groups {X25519 | prime256v1 | secp384r1 | secp521r1 | brainpoolP256r1 | brainpoolP384r1 | brainpoolP512r1 | ffdhe2048 | ffdhe3072 | ffdhe4096 | ffdhe6144 | ffdhe8192}

set ssl-noreg {enable | disable}

set ssl-quiet-shutdown {enable | disable}

set ssl-session-timeout <ssl-session-timeout_int>

set status {disable |enable | maintain}

set tls-v10 {enable | disable}

set tls-v11 {enable | disable}

set tls-v12 {enable | disable}

set tls-v13 {enable | disable}

set url-cert {enable | disable}

set urlcert-group "<urlcert-group_name>"

set urlcert-hlen <len_int>

set warm-rate <warm-rate_int>

set warm-up <warm-up_int>

set weight <weight_int>

set adfs-username <adfs-username_str>

set adfs-password <adfs-password_str>

set multi-certificate {enable | disable}

set certificate-group <certificate-group_str>

set enforce-trust-establishment {enable | disable}

next

end

next

end
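As an added example (not part of the original reference and not Fortinet's own sample), the following builds a complete Reverse Proxy pool from the syntax above: two weighted members, a shared health check, cookie persistence, a per-member connection cap, and a backup member that only receives traffic when both primary members fail their health check. The names pool-www-rp, HC_HTTP_GET, PERS_COOKIE, standby.example.internal and the 10.0.1.0/24 addresses are assumptions; the health check and persistence policy must already exist (see server-policy persistence-policy). Lines beginning with # are annotations, not CLI input.

```text
config server-policy server-pool
    edit "pool-www-rp"
        set comment "Reverse Proxy pool for www.example.com"
        set protocol HTTP
        set type reverse-proxy
        # Multiple members: enable balancing so lb-algo and health apply
        set server-balance enable
        set lb-algo weighted-round-robin
        # Pool-wide health check; members inherit it unless
        # health-check-inherit is disabled on the member
        set health "HC_HTTP_GET"
        # Cookie persistence overrides the algorithm for follow-up requests
        set persistence "PERS_COOKIE"
        config pserver-list
            edit 1
                set server-type physical
                set ip 10.0.1.11
                set port 8080
                # Receives 3 of every 4 new connections (weight 3 vs 1)
                set weight 3
                # Hard cap on concurrent TCP connections to this member
                set conn-limit 2000
            next
            edit 2
                set server-type physical
                set ip 10.0.1.12
                set port 8080
                set weight 1
                set conn-limit 2000
            next
            edit 3
                # Domain member resolved through DNS; used only when
                # members 1 and 2 both fail HC_HTTP_GET
                set server-type domain
                set domain "standby.example.internal"
                set port 8080
                set backup-server enable
            next
        end
    next
end
```

The backup member only works because the pool has a health check: without one FortiWeb never learns that the primaries are down. The pool takes effect only once it is selected in a server policy (server-policy policy) or in an HTTP content routing policy.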


Variable Description Default

"<server-pool_name>"

Enter the name of the server pool. The maximum length is 63 characters.

To display the list of existing servers, enter:

edit ?

No default.

comment "<comment_str>"

Enter a description or other comment. If the comment is more than one word or contains special characters, surround the comment with double quotes ( " ). The maximum length is 199 characters. No default.

health "<health-check_name>"

Enter the name of a server health check FortiWeb uses to determine the responsiveness of server pool members. The maximum length is 63 characters.

When you specify a health check for the pool, by default, all pool members use that health check. To select a different health check for a pool member, in the pool member configuration, specify disable for health-check-inherit and the health check to use for health.

To display the list of existing health checks, enter:

edit ?

Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is reverse-proxy and server-balance {enable | disable} is enable.

Note: If a pool member is unresponsive, wait until the server becomes responsive again before disabling its server health check. Server health checks record the up or down status of the server. If you deactivate the server health check while the server is unresponsive, the server health check cannot update the recorded status, and FortiWeb continues to regard the physical server as if it were unresponsive. You can determine the physical server’s connectivity status using the Service Status widget or an SNMP trap. For details, see system snmp community.

No default.

HTTP-reuse {aggressive | always | never | safe}

Configure multiplexing so that FortiWeb uses a single connection to a server for requests from multiple clients. Enter one of these options:

  • aggressive—The first request from a client can use a cached server connection only when the cached server connection has already been used by more than one client.
  • always—Client requests use any available cached server connection.
  • never—Disable multiplexing.
  • safe—A client establishes a new connection for the first request, but uses an available cached server connection for subsequent requests.

Because a multiplexed connection carries requests from different clients, do not enable reuse for back-end servers that tie authentication or session state to the TCP connection itself (for example, NTLM connection-level authentication); otherwise one client's requests can be served on a connection that was authenticated for another client.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

never

lb-algo {least-connections | round-robin | weighted-round-robin | uri-hash | full-uri-hash | host-hash | host-domain-hash | src-ip-hash | least-response-time | probabilistic-weighted-least-response-time}

Select the load-balancing algorithms that FortiWeb uses when it distributes new connections among server pool members.

  • least-connections—Distributes new connections to the member with the fewest number of existing, fully-formed connections.
  • round-robin—Distributes new connections to the next member of the server pool, regardless of weight, response time, traffic load, or number of existing connections. Unresponsive servers are avoided.
  • weighted-round-robin—Distributes new connections using the round robin method, except that members with a higher weight value receive a larger percentage of connections.
  • uri-hash—Distributes new TCP connections using a hash algorithm based on the URI found in the HTTP header, excluding hostname.
  • full-uri-hash—Distributes new TCP connections using a hash algorithm based on the full URI string found in the HTTP header. The full URI string includes the hostname and path.
  • host-hash—Distributes new TCP connections using a hash algorithm based on the hostname in the HTTP Request header Host field.
  • host-domain-hash—Distributes new TCP connections using a hash algorithm based on the domain name in the HTTP Request header Host field.
  • src-ip-hash—Distributes new TCP connections using a hash algorithm based on the source IP address of the request.
  • least-response-time—Distributes the incoming traffic to the server with the shortest average response time and the lowest number of connections, thus making the client connect to the most efficient back-end server.
  • probabilistic-weighted-least-response-time—With least-response-time, a server that consistently has a slightly lower response time than the others can end up receiving most of the traffic. This algorithm distributes traffic based on least response time combined with probabilities: the server with the lowest response time is the most likely to receive a new connection, but the other servers still receive a share of the traffic.

Note: When protocol {HTTP | FTP | ADFSPIP} is set to FTP, only round-robin, weighted-round-robin, least-connections, and src-ip-hash are available.

For hash-based methods, if you specify a value for persistence, after an initial client request, FortiWeb routes any subsequent requests according to the persistence method. Otherwise, it routes subsequent requests according to the hash-based algorithm.

Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is reverse-proxy and server-balance {enable | disable} is enable.

round-robin

persistence "<persistence-policy_name>"

Enter the name of the persistence policy that specifies a session persistence method and timeout to apply to the pool.

For details, see server-policy persistence-policy.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

No default.

adfs-server-name <adfs-server-name_str>

Enter the name of the AD FS server; it should be the federation service name. This option is mandatory if the AD FS server verifies the server name in the SSL handshake.

This option is available only when the protocol {HTTP | FTP | ADFSPIP} is ADFSPIP.

No default.

protocol {HTTP | FTP | ADFSPIP}

Select one of the following:

  • HTTP—Specifies that the server pool governs HTTP traffic. Specific options for configuring an HTTP server pool become available.
  • FTP—Specifies that the server pool governs FTP traffic. Specific options for configuring an FTP server pool become available.
  • ADFSPIP—Specifies that the server pool governs AD FS Proxy Integration Protocol (ADFSPIP) traffic, with FortiWeb acting as the proxy in front of the AD FS server. Specific options for configuring an ADFSPIP server pool become available.

HTTP

proxy-protocol {enable | disable}

If the back-end server expects the PROXY protocol, enable this option so that FortiWeb prepends a PROXY protocol header to each connection it opens to the back-end server. The header carries the client's real source IP address, so TCP, SSL and HTTP traffic passes through with the original client address preserved. Leave it disabled for back-end servers that are not configured for the PROXY protocol: they treat the header as unexpected data at the start of the connection and the connection fails. Because the back-end server trusts the address in the header, configure it to accept PROXY protocol headers only from FortiWeb's addresses; otherwise any host that can reach it directly can spoof the client address.

Available only if the type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is Reverse Proxy, True Transparent Proxy, Offline Protection, or Transparent Inspection.

disable

proxy-protocol-version {v1 | v2}

Select the PROXY protocol version that the back-end server expects: v1 is the human-readable text format; v2 is the binary format. Use the version the back-end server is configured to accept.

Available only if the type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is Reverse Proxy, or True Transparent Proxy.

v1

reuse-conn-idle-time <int>

Enter an idle time limit for a cached server connection. If a cached server connection remains idle for the set duration, it will be closed. The valid range is 1–1000.

10

reuse-conn-max-count <int>

Enter the maximum number of allowed cached server connections. If FortiWeb meets the set number, no more cached server connections will be established. The valid range is 1–1000 for each pserver.

Note: The minimum number of cached connections depends on the number of CPU cores of the FortiWeb platform. For example, a FortiWeb 4000E has 40 CPU cores, so there are always at least 40 reusable connections for each pserver. In addition, the valid range applies to each pserver; if there are two pservers and you enter a value of 1000, there can be up to 2000 reusable connections.

100

reuse-conn-max-request <int>

Enter the maximum number of HTTP requests that a cached server connection may handle. If a cached server connection reaches the set number, it is closed. The valid range is 1–1000.

100

reuse-conn-total-time <int>

Enter the maximum time limit in which a cached server connection may be reused. If a cached server connection exists for longer than the set limit, it will be closed. The valid range is 1–1000.

100
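As an added example (not from the original reference), the following tunes connection reuse on the pool from the earlier example. The pool name and values are assumptions chosen to stay inside the documented ranges. Lines beginning with # are annotations, not CLI input.

```text
config server-policy server-pool
    edit "pool-www-rp"
        # safe: a client's first request always opens a fresh connection,
        # later requests may ride an idle cached one
        set HTTP-reuse safe
        # Close a cached connection that has been idle for 10 time units
        set reuse-conn-idle-time 10
        # At most 200 cached connections per pserver; with the two primary
        # members and the backup that is up to 600 pool-wide, and never
        # fewer per pserver than the platform has CPU cores
        set reuse-conn-max-count 200
        # Retire a cached connection after 500 requests ...
        set reuse-conn-max-request 500
        # ... or after it has existed for 300 time units, whichever is first
        set reuse-conn-total-time 300
    next
end
```

If a back-end server authenticates at the connection level (for example NTLM), set HTTP-reuse never for that pool instead; the per-connection limits above do not make cross-client reuse safe in that case.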

server-balance {enable | disable}

Specifies whether the pool contains a single server or multiple members.

If enabled, FortiWeb uses the specified load-balancing algorithm to distribute TCP connections among the members. If a member is unresponsive to the specified server health check, FortiWeb forwards subsequent connections to another member of the pool.

Available only when type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is reverse-proxy.

disable

server-pool-id

A 64-bit random integer assigned to each server pool. The server pool ID is a unique identification number for each server pool.

When administrative domains (ADOMs) are enabled, different ADOMs can create server pools with identical names, so the server pool ID distinguishes pools created by different ADOMs that share the same name.

No default.

type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp}

Select the current operation mode of the appliance to display the corresponding pool options.

For details, see opmode {offline-protection | reverse-proxy | transparent | transparent-inspection | wccp}.

Note: This option is applicable only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

reverse-proxy

<entry_index>

Enter the index number of the member entry within the server pool. The valid range is 1–9,223,372,036,854,775,807.

For round robin-style load-balancing, the index number indicates the order in which FortiWeb distributes connections.

No default.

backup-server {enable | disable}

Enter enable to configure this pool member as a backup server.

FortiWeb only routes connections for the pool to a backup server when all the other members of the server pool fail their server health check.

The backup server mechanism does not work if you do not specify server health checks for the pool members.

If you select this option for more than one pool member, FortiWeb uses the load balancing algorithm to determine which member to use.

disable

certificate "<certificate_name>"

Enter the name of the certificate that FortiWeb uses to decrypt SSL-secured connections.

Available only if ssl {enable | disable} is enable. The maximum length is 63 characters.

To display the list of existing certificates, enter:

edit ?

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

No default.

certificate-verify "<verifier_name>"

Enter the name of a certificate verifier, if any, to use when an HTTP client presents their personal certificate. If you do not specify one, the client is not required to present a personal certificate.

However, if ssl {enable | disable} is enable and the domain in the client request matches an entry in the specified SNI policy, FortiWeb uses the SNI configuration to determine which certificate verifier to use.

Personal certificates, sometimes also called user certificates, establish the identity of the person connecting to the website. For details about how the client’s certificate is verified, see ssl-client-verify "<verifier_name>".

You can require that clients present a certificate alternatively or in addition to HTTP authentication. For details, see waf HTTP-authen HTTP-authen-rule.

Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is transparent-servers-for-tp and ssl {enable | disable} is enable. For Reverse Proxy mode, configure this setting in the server policy instead. See ssl-client-verify "<verifier_name>".

The maximum length is 63 characters.

To display the list of existing verifiers, enter:

edit ?

Note: The client must support TLS 1.0, TLS 1.1, or TLS 1.2.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

No default.

client-certificate "<client-certificate_name>"

Enter the client certificate that FortiWeb uses to connect to this server pool member.

Used when connections to this pool member require a valid client certificate.

Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is reverse-proxy or transparent-servers-for-tp and ssl {enable | disable} is enable.

To upload a client certificate for FortiWeb, see the FortiWeb Administration Guide:

http://docs.fortinet.com/fortiweb/admin-guides

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

No default.

client-certificate-forwarding {enable | disable}

Enable to configure FortiWeb to include any X.509 personal certificate presented by the client during the SSL/TLS handshake in the request headers it forwards to the pool member (see client-certificate-forwarding-cert-header "<header_str>" and client-certificate-forwarding-sub-header "<header_str>"). Because the back-end server uses these headers to identify the client, it must accept them only on connections from FortiWeb and strip or ignore the same headers when they arrive from any other source; otherwise a client that can reach the server directly can supply its own header values and impersonate another user.

Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is transparent-servers-for-tp and ssl {enable | disable} is enable.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

disable

client-certificate-forwarding-cert-header "<header_str>"

Enter the name of the HTTP request header that carries the Base64-encoded X.509 personal certificate presented by the client during the SSL/TLS handshake when FortiWeb forwards the traffic to the protected web server.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

x-client-cert

client-certificate-forwarding-sub-header "<header_str>"

Enter the name of the HTTP request header that carries the subject of the X.509 personal certificate presented by the client during the SSL/TLS handshake when FortiWeb forwards the traffic to the protected web server.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

x-client-dn
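As an added example (not from the original reference), the following True Transparent Proxy pool member terminates TLS with SSL inspection, requires a client certificate through a certificate verifier, and forwards the client's certificate and subject to the back-end server under custom header names. The names pool-intranet-ttp, intranet_example_com, CLIENT_CERT_VERIFIER, the header names and the address 10.0.2.21 are assumptions; the certificate and verifier must already be uploaded and configured. Lines beginning with # are annotations, not CLI input.

```text
config server-policy server-pool
    edit "pool-intranet-ttp"
        set protocol HTTP
        set type transparent-servers-for-tp
        config pserver-list
            edit 1
                set server-type physical
                set ip 10.0.2.21
                set port 443
                # TTP mode: FortiWeb decrypts with the server's own
                # certificate, inspects, then re-encrypts to the member
                set ssl enable
                set certificate "intranet_example_com"
                # Require and verify a client certificate (TTP mode only;
                # in Reverse Proxy mode this lives on the server policy)
                set certificate-verify "CLIENT_CERT_VERIFIER"
                # Pass the verified identity to the application
                set client-certificate-forwarding enable
                set client-certificate-forwarding-cert-header "X-Forwarded-Client-Cert"
                set client-certificate-forwarding-sub-header "X-Forwarded-Client-DN"
            next
        end
    next
end
```

Pair this with a rule on 10.0.2.21 that drops any incoming X-Forwarded-Client-Cert or X-Forwarded-Client-DN header that did not arrive on a connection from FortiWeb; the headers prove nothing by themselves.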

client-certificate-proxy {enable | disable}

Enable to configure seamless PKI integration. When this option is enabled, FortiWeb verifies the client certificate presented with each request and then re-signs a new certificate that it presents to the server.

Also configure client-certificate-proxy-sign-ca <sign_ca>.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

disable

client-certificate-proxy-sign-ca <sign_ca>

Select the signing CA that FortiWeb uses to re-sign new client certificates after verifying them.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

No default.

conn-limit <conn-limit_int>

Specifies the maximum number of TCP connections that FortiWeb forwards to this pool member.

For no limit, specify 0 (the default value).

The valid range is 0–1,048,576.

0

domain "<server_fqdn>"

Enter the fully-qualified domain name of the web server to include in the pool, such as www.example.com.

Warning: Server policies do not apply features that do not yet support IPv6 to domain servers whose DNS names resolve to IPv6 addresses.

Tip: For domain servers, FortiWeb queries a DNS server to resolve each web server’s domain name to an IP address. For improved performance, do one of the following:

  • use physical servers instead
  • ensure highly reliable, low-latency service to a DNS server on your local network

Available only if server-type {physical | domain | sdn-connector} is domain.

No default.

health-check-inherit {enable | disable}

Select either:

  • enable—Use the health check specified by health in the server pool configuration.
  • disable—Use the health check specified by health in this pool member configuration.

enable

hlck-domain <hlck-domain_str>

Enter the domain name for the server health check of this pool member.

No default.

hpkp-header "<hpkp_name>"

Enter the name of an HPKP profile, if any, to use to verify certificates when clients attempt to access a server.

HPKP (HTTP Public Key Pinning, RFC 7469) is intended to prevent man-in-the-middle (MITM) attacks with forged certificates by pinning the server's public keys in the browser. Current mainstream browsers no longer enforce HPKP, so treat it as a legacy control rather than a primary defense.

Available only when the operating mode is True Transparent Proxy.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

No default.

hsts-header {enable | disable}

Enable to combat MITM attacks on HTTP by injecting the RFC 6797 (http://tools.ietf.org/html/rfc6797) Strict-Transport-Security header into the reply, such as:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

This header forces the client to use HTTPS for subsequent visits to this domain for max-age seconds. If the certificate does not validate, it also causes a fatal connection error: the client’s web browser does not display a dialog that allows the user to override the certificate error and continue. Because clients cache the policy for the full max-age, start with a short hsts-max-age <timeout_int> when you first enable the header and raise it once you have confirmed that every host covered by the policy serves valid HTTPS.

Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is transparent-servers-for-tp and ssl {enable | disable} is enable.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

disable

hsts-max-age <timeout_int>

Enter the time to live in seconds for the HSTS header.

This setting applies only if hsts-header {enable | disable} is enable.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

7776000

HTTP2 {enable | disable}

Enable to allow HTTP/2 between FortiWeb and this back-end web server for HTTP/2 security inspection in Reverse Proxy mode, or to enable HTTP/2 security inspection in True Transparent Proxy mode.

When HTTP/2 security inspection is enabled in Reverse Proxy mode (see server-policy policy):

  1. enable—Traffic between FortiWeb and this web server is carried over HTTP/2, provided the web server supports HTTP/2.
    Note: Confirm that this back-end web server really supports HTTP/2 before you enable this option; otherwise, connections to it fail.
  2. disable—FortiWeb converts HTTP/2 to HTTP/1.x for this web server, and HTTP/1.x back to HTTP/2 for the clients, when the web server does not support HTTP/2.

When FortiWeb operates in True Transparent Proxy mode (see opmode {offline-protection | reverse-proxy | transparent | transparent-inspection | wccp}):

  1. enable—Enable HTTP/2 security inspection. Only this option and a working SSL configuration are required; no HTTP/2 configuration is needed in server-policy policy. In True Transparent Proxy mode FortiWeb performs no protocol conversion between HTTP/1.x and HTTP/2, so HTTP/2 connections are not established between clients and back-end web servers that do not support HTTP/2.
  2. disable—Disable HTTP/2 security inspection.

Note:

  1. This option is available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is set to reverse-proxy or transparent-servers-for-tp; when type is transparent-servers-for-tp, this option is available only if ssl {enable | disable} is enable.
  2. Confirm the FortiWeb operation mode and the HTTP versions your back-end web servers support before configuring this option, so that HTTP/2 inspection works correctly with your web servers.
  3. For details about HTTP/2 support, see the FortiWeb Administration Guide:

    http://docs.fortinet.com/fortiweb/admin-guides

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

disable

http2-window-size <int>

Enter the window size (determining the amount of data in bytes that FortiWeb is willing to receive at any given time) for HTTP/2 connections between the back-end server and FortiWeb.

The valid range is 65,535-2,147,483,647 bytes.

131,070

implicit_ssl {enable | disable}

Enable so that FortiWeb communicates with the pool member using implicit SSL/TLS (FTPS in which the control connection is TLS from the first byte, conventionally on port 990) rather than an explicit AUTH TLS upgrade of a plaintext FTP session.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is set to FTP.

disable

intermediate-certificate-group "<CA-group_name>"

Enter the name of a group of intermediate certificate authority (CA) certificates, if any, that FortiWeb presents to clients to complete the signing chain for them and validate the server certificate’s CA signature.

If clients receive certificate warnings that the server certificate configured in certificate "<certificate_name>" has been signed by an intermediary CA, rather than directly by a root CA or other CA currently trusted by the client, configure this option.

Alternatively, include the entire signing chain in the server certificate itself before uploading it to the FortiWeb appliance, thereby completing the chain of trust with a CA already known to the client. For details, see the FortiWeb Administration Guide:

http://docs.fortinet.com/fortiweb/admin-guides

Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is transparent-servers-for-tp and ssl {enable | disable} is enable. For Reverse Proxy mode, configure this setting in the server policy instead. For details, see intermediate-certificate-group "<CA-group_name>".

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

No default.

ip {"address_ipv4" | "address_ipv6"}

Enter the IP address of the web server to include in the pool.

Warning: Server policies do not apply features that do not yet support IPv6 to servers specified using IPv6 addresses.

Available only if server-type {physical | domain | sdn-connector} is physical.

No default.

port <port_int>

Enter the TCP port number where the pool member listens for connections. The valid range is 1–65,535.

80 (HTTP)/21 (FTP)

recover <recover_int>

Specify the number of seconds that FortiWeb waits before it forwards traffic to this pool member after a health check indicates that this server is available again.

The default is 0 (disabled).

The valid range is 0–86,400.

After the recovery period elapses, FortiWeb assigns connections at the rate specified by warm-rate <warm-rate_int>.

Examples of when the server experiences a recovery and warm-up period:

  • A server is coming back online after the health check monitor detected it was down.
  • A network service is brought up before other daemons have finished initializing and therefore the server is using more CPU and memory resources than when startup is complete.

To avoid connection problems, specify the separate warm-up rate, recovery rate, or both.

Tip: During scheduled maintenance, you can also manually apply these limits by setting status {disable |enable | maintain} to maintain.

0
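As an added example (not from the original reference), the following shows the maintenance and recovery cycle for one member of the pool from the earlier example. The pool name and the recover, warm-up and warm-rate values are assumptions; warm-up and warm-rate appear in the syntax block but are not described on this page, and the interpretation of warm-up as a duration and warm-rate as a connection rate is an assumption. Lines beginning with # are annotations, not CLI input.

```text
# 1. Take member 2 out of rotation for planned maintenance. New
#    connections go to the remaining members.
config server-policy server-pool
    edit "pool-www-rp"
        config pserver-list
            edit 2
                set status maintain
            next
        end
    next
end

# 2. Return it to service with a grace period and a ramp-up. After the
#    health check reports the member up, FortiWeb waits 30 seconds
#    (recover) before forwarding traffic to it, then limits it to
#    warm-rate new connections during the warm-up period (values assumed)
#    so that a freshly started server is not hit with full load.
config server-policy server-pool
    edit "pool-www-rp"
        config pserver-list
            edit 2
                set status enable
                set recover 30
                set warm-up 120
                set warm-rate 10
            next
        end
    next
end
```

Set recover and the warm-up values before the maintenance window rather than after it, so that they are already in place the first time the health check marks the member up again.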

server-side-sni {enable | disable}

Specify whether FortiWeb supports Server Name Indication (SNI) for back-end servers that it applies this policy to.

Enable this feature when the operating mode is transparent proxy, end-to-end encryption is required, and the back-end web server itself requires SNI support.

When the operating mode is Reverse Proxy, you enable server-side SNI support using the server policy.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

disable

server-type {physical | domain | sdn-connector}

Specify whether the pool member is identified by IP address (physical), by fully-qualified domain name (domain), or discovered automatically through an SDN connector (sdn-connector).

If your application servers are deployed on AWS or Azure, you can select sdn-connector to authorize FortiWeb to access the VM instances in your public cloud account, in order to automatically obtain the IP addresses.

physical

sdn-addr-type {private | public | all}

Select whether you want FortiWeb to get the public or private addresses of your application's VM instances, or select all to get both the public and the private addresses.

Note: If you are using private IP addresses, ensure that FortiWeb can successfully establish connections with your application's VM instances in order to forward the traffic.

Available only if the server-type is sdn-connector.

private

sdn {aws | azure}

Select the SDN connector you have created. See system sdn-connector.

Available only if the server-type is sdn-connector.

No default.

filter <string>

Once you select the SDN connector that you have created, the available filter options for the VMs in your public cloud account are listed here. You can select multiple filter options among instance IDs, image IDs, tags, and so on. FortiWeb finds the matching VM instance, for example the one whose instance ID is i-12345678 in your AWS account, then obtains the IP address of that instance and records it as the origin server's IP.

AWS

  • instance-id (e.g. instance-id=i-12345678)
  • image-id (e.g. image-id=ami-123456)
  • key-name (e.g. key-name=aws-key-name)
  • subnet-id (e.g. subnet-id=subnet-123456)
  • tag:TagName (The tag attached to the instance. TagName is a variable. It can be any value you have named for the tag. e.g. tag:Type=appserver. Up to 8 tags are supported.)

Azure

  • vm-name (e.g. vm-name=myVM01)
  • tag:TagName (The tag attached to the virtual machine. TagName is a variable. It can be any value you have named for the tag, e.g. tag:Type=appserver. Up to 8 tags are supported.)

Available only if the server-type is sdn-connector.

No default.
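As an added example (not from the original reference), the following Reverse Proxy pool takes its members from an AWS SDN connector instead of static addresses: every instance in the account that carries the tag Role=appserver becomes a member. The pool name, health check name, tag, port and the sdn value (written as in the syntax block) are assumptions; the connector must already exist under system sdn-connector. Lines beginning with # are annotations, not CLI input.

```text
config server-policy server-pool
    edit "pool-app-aws"
        set protocol HTTP
        set type reverse-proxy
        set server-balance enable
        set lb-algo round-robin
        set health "HC_HTTP_GET"
        config pserver-list
            edit 1
                # Addresses are discovered through the connector rather
                # than typed in; instances that gain or lose the tag
                # join or leave the pool
                set server-type sdn-connector
                set sdn aws
                # Private VPC addresses: FortiWeb must be able to reach
                # the VPC (same VPC, peering or VPN), or use public
                set sdn-addr-type private
                set filter "tag:Role=appserver"
                set port 8080
            next
        end
    next
end
```

Scope the connector's cloud credentials to read-only instance discovery (for AWS, the ec2:DescribeInstances permission) so that a compromised FortiWeb cannot do more than list instances.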

session-id-reuse {enable | disable}

Enable so that FortiWeb reuses the session ID when establishing an SSL connection to a pserver. If the SSL connection has a server name, FortiWeb can only reuse a session ID for the specified pserver. If both a session ticket and ID exist for a pserver, FortiWeb will reuse the ticket.

Note: This option is available only when ssl {enable | disable} is enabled.

disable

session-ticket-reuse {enable | disable}

Enable so that FortiWeb reuses the session ticket when establishing an SSL connection to a pserver. If the SSL connection has a server name, FortiWeb can only reuse a session ticket for the specified pserver.

Note: This option is available only when ssl {enable | disable} is enabled.

disable

sni {enable | disable}

Enable to use a Server Name Indication (SNI) configuration instead of or in addition to the server certificate specified by certificate "<certificate_name>".

The SNI configuration enables FortiWeb to determine which certificate to present on behalf of the members of a pool based on the domain in the client request. For details, see system certificate sni.

If you specify both a SNI configuration and a certificate, FortiWeb uses the certificate specified by certificate "<certificate_name>" when the requested domain does not match a value in the SNI configuration.

If you enable sni-strict {enable | disable}, FortiWeb always ignores the value of certificate "<certificate_name>".

Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is transparent-servers-for-tp and ssl {enable | disable} is enable.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

disable

sni-certificate "<sni_name>"

Enter the name of the Server Name Indication (SNI) configuration that specifies which certificate FortiWeb uses when encrypting or decrypting SSL-secured connections for a specified domain.

The SNI configuration enables FortiWeb to present different certificates on behalf of the members of a pool according to the requested domain.

If only one certificate is required to encrypt and decrypt traffic that this policy applies to, specify certificate "<certificate_name>" instead.

Available only if sni {enable | disable} is enabled.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

No default.

sni-strict {enable | disable}

Select to configure FortiWeb to ignore the value of certificate "<certificate_name>" when it determines which certificate to present on behalf of server pool members, even if the domain in a client request does not match a value in the specified SNI configuration.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

disable

certificate-type {enable | disable}

Enable to allow FortiWeb to automatically retrieve CA certificates from Let's Encrypt.

disable

lets-certificate <name>

Select the Letsencrypt certificate you have created. See system certificate letsencrypt.

No default.

ssl {enable | disable}

For Reverse Proxy, Offline Protection, and Transparent Inspection modes, specifies whether connections between FortiWeb and the pool member use SSL/TLS.

For True Transparent Proxy and WCCP modes, specifies whether FortiWeb performs SSL/TLS processing for the pool members and connections between FortiWeb and the pool member use SSL/TLS.

For Offline Protection and transparent modes, also configure certificate "<certificate_name>". FortiWeb uses the certificate to decrypt and scan connections before passing the encrypted traffic through to the pool members (SSL inspection).

For True Transparent Proxy, also configure certificate "<certificate_name>" and additional SSL settings as required. FortiWeb handles SSL negotiations and encryption and decryption, instead of the pool member (SSL offloading).

For Reverse Proxy mode, you can configure SSL offloading for all members of a pool using a server policy. For details, see server-policy policy.

Note: When this option is enabled, the pool member must be configured to apply SSL.

Note: Ephemeral (temporary key) Diffie-Hellman exchanges are not supported if the FortiWeb appliance is operating in Transparent Inspection or Offline Protection mode.

No default.

ssl-cipher {medium | high | custom}

For Reverse Proxy mode, specifies whether secure connections between FortiWeb and the server pool member use a medium-security, high-security, or custom set of cipher suites.

For True Transparent Proxy and WCCP modes, specifies whether secure connections between clients and FortiWeb and between FortiWeb and the server pool member use a medium-security, high-security, or custom set of cipher suites.

If custom, also specify ssl-custom-cipher {<cipher_1> <cipher2> <cipher3> ...}.

Do not set to custom if HTTP2 {enable | disable} is set to enable.

For details, see the FortiWeb Administration Guide:

http://docs.fortinet.com/fortiweb/admin-guides

Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is reverse-proxy, transparent-servers-for-tp, or transparent-servers-for-wccp, and ssl {enable | disable} is enable.

medium

ssl-custom-cipher {<cipher_1> <cipher2> <cipher3> ...}

Specify one or more cipher suites that FortiWeb allows.

Separate the name of each cipher with a space. To remove from or add to the list of ciphers, retype the entire list.

Valid values are:

  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • DHE-DSS-AES256-GCM-SHA384
  • DHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-CHACHA20-POLY1305
  • ECDHE-RSA-CHACHA20-POLY1305
  • DHE-RSA-CHACHA20-POLY1305
  • ECDHE-ECDSA-AES256-CCM8
  • ECDHE-ECDSA-AES256-CCM
  • DHE-RSA-AES256-CCM8
  • DHE-RSA-AES256-CCM
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • DHE-DSS-AES128-GCM-SHA256
  • DHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-CCM8
  • ECDHE-ECDSA-AES128-CCM
  • DHE-RSA-AES128-CCM8
  • DHE-RSA-AES128-CCM
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384
  • DHE-RSA-AES256-SHA256
  • DHE-DSS-AES256-SHA256
  • ECDHE-ECDSA-CAMELLIA256-SHA384
  • ECDHE-RSA-CAMELLIA256-SHA384
  • DHE-RSA-CAMELLIA256-SHA256
  • DHE-DSS-CAMELLIA256-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
  • DHE-RSA-AES128-SHA256
  • DHE-DSS-AES128-SHA256
  • ECDHE-ECDSA-CAMELLIA128-SHA256
  • ECDHE-RSA-CAMELLIA128-SHA256
  • DHE-RSA-CAMELLIA128-SHA256
  • DHE-DSS-CAMELLIA128-SHA256
  • ECDHE-ECDSA-AES256-SHA
  • ECDHE-RSA-AES256-SHA
  • DHE-RSA-AES256-SHA
  • DHE-DSS-AES256-SHA
  • DHE-RSA-CAMELLIA256-SHA
  • DHE-DSS-CAMELLIA256-SHA
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-RSA-AES128-SHA
  • DHE-RSA-AES128-SHA
  • DHE-DSS-AES128-SHA
  • DHE-RSA-CAMELLIA128-SHA
  • DHE-DSS-CAMELLIA128-SHA
  • AES256-GCM-SHA384
  • AES256-CCM8
  • AES256-CCM
  • AES128-GCM-SHA256
  • AES128-CCM8
  • AES128-CCM
  • AES256-SHA256
  • CAMELLIA256-SHA256
  • AES128-SHA256
  • CAMELLIA128-SHA256
  • AES256-SHA
  • CAMELLIA256-SHA
  • AES128-SHA
  • CAMELLIA128-SHA
  • DHE-RSA-SEED-SHA
  • ECDHE_RSA_DES_CBC3_SHA
  • DES_CBC3_SHA


tls13-custom-cipher

Specify one or more TLS 1.3 cipher suites that FortiWeb allows.

Separate the name of each cipher with a space. To remove from or add to the list of ciphers, retype the entire list.

Valid values are:

  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_128_CCM_SHA256
  • TLS_AES_128_CCM_8_SHA256


rfc7919-comply {enable | disable}

Enable to apply cipher suites that comply with RFC 7919.

disable

supported-groups {X25519 | prime256v1 | secp384r1 | secp521r1 | brainpoolP256r1 | brainpoolP384r1 | brainpoolP512r1 | ffdhe2048 | ffdhe3072 | ffdhe4096 | ffdhe6144 | ffdhe8192}

Select the RFC 7919 groups to support. The supported groups define the key exchange parameters (elliptic curves and FFDHE groups), but the SSL/TLS negotiation may choose a different key exchange algorithm, so make sure to select the corresponding ciphers in ssl-custom-cipher.

  • At least one FFDHE group must be selected.

  • At least one DHE cipher must be added.

    Due to a design limitation, you must select custom in ssl-cipher {medium | high | custom} and include at least one DHE cipher in the selected list. Using high or medium together with rfc7919-comply leads to an unexpected error. This will be fixed in a future release.

The system returns an error if either of the above two conditions is not met.

Note that RFC 7919 does not apply to TLS 1.3, so if only tls-v13 is enabled, rfc7919-comply has no effect even if it is enabled. To apply both TLS 1.3 and RFC 7919, enable a protocol version other than TLS 1.3 as well, then select at least one DHE cipher.

No default.

ssl-noreg {enable | disable}

Select to configure FortiWeb to ignore requests from clients to renegotiate TLS or SSL.

Protects against denial-of-service (DoS) attacks that use TLS/SSL renegotiation to overburden the server.

Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is transparent-servers-for-tp and ssl {enable | disable} is enable.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

enable

status {disable | enable | maintain}

To specify the status of the pool member, enter one of the following values:

  • enable—Specifies that this pool member can receive new sessions from FortiWeb.
  • disable—Specifies that this pool member does not receive new sessions from FortiWeb and FortiWeb closes any current sessions as soon as possible.
  • maintain—Specifies that this pool member does not receive new sessions from FortiWeb but FortiWeb maintains any current connections.
enable

tls-v10 {enable | disable}

For Reverse Proxy mode, specifies whether secure connections between FortiWeb and the server pool member can use the TLS 1.0 cryptographic protocol.

For True Transparent Proxy and WCCP modes, specifies whether secure connections between clients and FortiWeb and between FortiWeb and the server pool member can use the TLS 1.0 cryptographic protocol.

This must be set to disable if HTTP2 {enable | disable} is set to enable.

Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is reverse-proxy, transparent-servers-for-tp, or transparent-servers-for-wccp, and ssl {enable | disable} is enable.

enable

tls-v11 {enable | disable}

For Reverse Proxy mode, specifies whether secure connections between FortiWeb and the server pool member can use the TLS 1.1 cryptographic protocol.

For True Transparent Proxy and WCCP modes, specifies whether secure connections between clients and FortiWeb and between FortiWeb and the server pool member can use the TLS 1.1 cryptographic protocol.

This must be set to disable if HTTP2 {enable | disable} is set to enable.

Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is reverse-proxy, transparent-servers-for-tp, or transparent-servers-for-wccp, and ssl {enable | disable} is enable.

enable

tls-v12 {enable | disable}

For Reverse Proxy mode, specifies whether secure connections between FortiWeb and the server pool member can use the TLS 1.2 cryptographic protocol.

For True Transparent Proxy and WCCP modes, specifies whether secure connections between clients and FortiWeb and between FortiWeb and the server pool member can use the TLS 1.2 cryptographic protocol.

Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is reverse-proxy, transparent-servers-for-tp, or transparent-servers-for-wccp, and ssl {enable | disable} is enable.

enable

tls-v13 {enable | disable}

For Reverse Proxy mode, specifies whether secure connections between FortiWeb and the server pool member can use the TLS 1.3 cryptographic protocol.

For True Transparent Proxy and WCCP modes, specifies whether secure connections between clients and FortiWeb and between FortiWeb and the server pool member can use the TLS 1.3 cryptographic protocol.

Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is reverse-proxy, transparent-servers-for-tp, or transparent-servers-for-wccp, and ssl {enable | disable} is enable.

disable

url-cert {enable | disable}

Specifies whether FortiWeb uses a URL-based client certificate group to determine whether a client is required to present a personal certificate.

Available only if HTTPS-service "<service_name>" is configured.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

disable

urlcert-group "<urlcert-group_name>"

Enter the URL-based client certificate group that determines whether a client is required to present a personal certificate.

If the URL the client requests does not match an entry in the group, the client is not required to present a personal certificate.

For details about creating a group, see system certificate urlcert.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

No default.

urlcert-hlen <len_int>

Enter the maximum allowed length for an HTTP request with a URL that matches an entry in the URL-based client certificate group, in kilobytes.

FortiWeb blocks any matching requests that exceed the specified size.

This setting prevents a request from exceeding the maximum buffer size.

The valid range is 16–128.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

No default.

warm-rate <warm-rate_int>

Specify the maximum connection rate (per second) while the pool member is starting up.

The default is 10 connections per second. The valid range is 1–86,400.

The warm up calibration is useful with servers that bring up the network service before other daemons are initialized. As these types of servers come online, CPU and memory are more utilized than they are during normal operation. For these servers, you define separate rates based on warm-up and recovery behavior.

For example, if warm-up <warm-up_int> is 5 and warm-rate is 2, the maximum number of new connections increases at the following rate:

  • 1st second—Total of 2 new connections allowed (0+2).
  • 2nd second—2 new connections added for a total of 4 new connections allowed (2+2).
  • 3rd second—2 new connections added for a total of 6 new connections allowed (4+2).
  • 4th second—2 new connections added for a total of 8 new connections allowed (6+2).
  • 5th second—2 new connections added for a total of 10 new connections allowed (8+2).
10

warm-up <warm-up_int>

Specify for how long (in seconds) FortiWeb forwards traffic at a reduced rate after a health check indicates that this pool member is available again but it cannot yet handle a full connection load.

For example, when the pool member begins to respond but startup is not fully complete.

The default is 0 (disabled).

The valid range is 0–86,400.

0

weight <weight_int>

If the server pool uses the weighted round robin load-balancing algorithm, type the numerical weight of the pool member. Members with a greater weight receive a greater proportion of connections.

The valid range is 1–9,999.

0
ssl-session-timeout <ssl-session-timeout_int>

When FortiWeb is configured as an SSL server, you can set SSL session timeout intervals via the CLI. This is available only in Reverse Proxy and True Transparent Proxy modes.

No default.

ssl-quiet-shutdown {enable | disable}

For HTTPS connections, when disabled, FortiWeb sends an SSL alert message to the client or server pool first, and then FIN.

When enabled, FortiWeb directly sends the FIN message instead of sending an SSL alert message.

disable

server-certificate-verify {enable | disable}

Enable so that the FortiWeb appliance verifies certificates presented by the HTTP server.

disable

server-certificate-verify-policy "<policy_name>"

Enter the certificate verify policy name.

No default.

server-certificate-verify-action {alert | alert_deny | redirect}

Select which action the FortiWeb appliance takes when it detects a certificate violation.

No default.

adfs-username <adfs-username_str>

Type the username that FortiWeb uses to connect to the AD FS server. Include the domain to which FortiWeb and the AD FS server belong. For example, domain1\administrator.

No default.

adfs-password <adfs-password_str>

Type the password that FortiWeb uses to connect to the AD FS server.

No default.

multi-certificate {enable | disable}

Enable this option to allow FortiWeb to use multiple local certificates. Available when:

  • ssl {enable | disable} is enabled, and
  • FortiWeb is operating in True Transparent Proxy (TTP) or WCCP mode and performs SSL inspection.

disable

certificate-group <certificate-group_str>

Select the multi-certificate file you have created.

No default.

enforce-trust-establishment {enable | disable}

Enable to establish trust with ADFS servers before building up connections.

disable

Example

This example configures a server pool named server-pool1. It consists of two physical servers: 192.0.2.10 and 192.0.2.11.

When both servers are available, FortiWeb forwards connections to the server with the smallest number of connections.

config server-policy server-pool

edit "server-pool1"

set type reverse-proxy

set server-balance enable

set lb-algo least-connections

config pserver-list

edit 1

set status enable

set server-type physical

set ip "192.0.2.10"

set ssl disable

set port 8081

next

edit 2

set status enable

set server-type physical

set ip "192.0.2.11"

set ssl disable

set port 8082

next

end

next

end

Related topics

server-policy server-pool

server-policy server-pool

Use this command to configure an HTTP, FTP, or AD FS server pool.

Server pools define a group of one or more physical or domain servers (web servers) that FortiWeb distributes connections among, or where the connections pass through to, depending on the operation mode. Reverse Proxy mode actively distributes connections; Offline Protection and either of the transparent modes do not actively distribute connections.

To apply the server pool configuration, do one of the following:

  • Select it in a server policy directly.
  • Select it in an HTTP content writing policy that you can, in turn, select in a server policy.

For details, see server-policy policy and server-policy HTTP-content-routing-policy.

To determine which type of server policy to create, configure protocol {HTTP | FTP | ADFSPIP}. If you're planning to configure an FTP server policy, you'll need to confirm that system feature-visibility is enabled. For details, see system feature-visibility.

To use this command, your administrator account’s access control profile must have either w or rw permission to the traroutegrp area. For details, see Permissions.

Syntax

config server-policy server-pool

edit "<server-pool_name>"

set comment "<comment_str>"

set health "<health-check_name>"

set HTTP-reuse {aggressive | always | never | safe}

set lb-algo {least-connections | round-robin | weighted-round-robin | uri-hash | full-uri-hash | host-hash | host-domain-hash | src-ip-hash | least-response-time | probabilistic-weighted-least-response-time}

set persistence "<persistence-policy_name>"

set protocol {HTTP | FTP | ADFSPIP}

set reuse-conn-idle-time <int>

set reuse-conn-max-count <int>

set reuse-conn-max-request <int>

set reuse-conn-total-time <int>

set server-balance {enable | disable}

set server-pool-id

set type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp}

set proxy-protocol {enable | disable}

set proxy-protocol-version {v1 | v2}

set adfs-server-name <adfs-server-name_str>

config pserver-list

edit <entry_index>

set analyzer-policy "<fortianalyzer-policy_name>"

set backup-server {enable | disable}

set certificate "<certificate_name>"

set certificate-verify "<verifier_name>"

set client-certificate "<client-certificate_name>"

set client-certificate-forwarding {enable | disable}

set client-certificate-forwarding-cert-header "<header_str>"

set client-certificate-forwarding-sub-header "<header_str>"

set client-certificate-proxy {enable | disable}

set client-certificate-proxy-sign-ca <sign_ca>

set conn-limit <conn-limit_int>

set domain "<server_fqdn>"

set health-check-inherit {enable | disable}

set hlck-domain <hlck-domain_str>

set hpkp-header "<hpkp_name>"

set hsts-header {enable | disable}

set hsts-max-age <timeout_int>

set HTTP2 {enable | disable}

set http2-window-size <int>

set implicit_ssl {enable | disable}

set intermediate-certificate-group "<CA-group_name>"

set ip {"address_ipv4" | "address_ipv6"}

set port <port_int>

set server-certificate-verify {enable | disable}

set server-certificate-verify-action {alert | alert_deny | redirect}

set server-certificate-verify-policy "<policy_name>"

set recover <recover_int>

set server-side-sni {enable | disable}

set server-type {physical | domain | sdn-connector}

set sdn-addr-type {private | public | all}

set sdn {aws | azure}

set filter <string>

set session-id-reuse {enable | disable}

set session-ticket-reuse {enable | disable}

set sni {enable | disable}

set sni-certificate "<sni_name>"

set sni-strict {enable | disable}

set certificate-type {enable | disable}

set lets-certificate <name>

set ssl {enable | disable}

set ssl-cipher {medium | high | custom}

set ssl-custom-cipher {<cipher_1> <cipher2> <cipher3> ...}

set tls13-custom-cipher

set rfc7919-comply {enable | disable}

set supported-groups {X25519 | prime256v1 | secp384r1 | secp521r1 | brainpoolP256r1 | brainpoolP384r1 | brainpoolP512r1 | ffdhe2048 | ffdhe3072 | ffdhe4096 | ffdhe6144 | ffdhe8192}

set ssl-noreg {enable | disable}

set ssl-quiet-shutdown {enable | disable}

set ssl-session-timeout <ssl-session-timeout_int>

set status {disable |enable | maintain}

set tls-v10 {enable | disable}

set tls-v11 {enable | disable}

set tls-v12 {enable | disable}

set tls-v13 {enable | disable}

set url-cert {enable | disable}

set urlcert-group "<urlcert-group_name>"

set urlcert-hlen <len_int>

set warm-rate <warm-rate_int>

set warm-up <warm-up_int>

set weight <weight_int>

set adfs-username <adfs-username_str>

set adfs-password <adfs-password_str>

set multi-certificate {enable | disable}

set certificate-group <certificate-group_str>

set enforce-trust-establishment {enable | disable}

next

end

next

end


Variable Description Default

"<server-pool_name>"

Enter the name of the server pool. The maximum length is 63 characters.

To display the list of existing servers, enter:

edit ?

No default.

comment "<comment_str>"

Enter a description or other comment. If the comment is more than one word or contains special characters, surround the comment with double quotes ( " ). The maximum length is 199 characters. No default.

health "<health-check_name>"

Enter the name of a server health check FortiWeb uses to determine the responsiveness of server pool members. The maximum length is 63 characters.

When you specify a health check for the pool, by default, all pool members use that health check. To select a different health check for a pool member, in the pool member configuration, specify disable for health-check-inherit and the health check to use for health.

To display the list of existing health checks, enter:

edit ?

Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is reverse-proxy and server-balance {enable | disable} is enable.

Note: If a pool member is unresponsive, wait until the server becomes responsive again before disabling its server health check. Server health checks record the up or down status of the server. If you deactivate the server health check while the server is unresponsive, the server health check cannot update the recorded status, and FortiWeb continues to regard the physical server as if it were unresponsive. You can determine the physical server’s connectivity status using the Service Status widget or an SNMP trap. For details, see system snmp community.

No default.

HTTP-reuse {aggressive | always | never | safe}

Configure multiplexing so that FortiWeb uses a single connection to a server for requests from multiple clients. Enter one of these options:

  • aggressive—The first request from a client can use a cached server connection only when the cached server connection has been used by more than one client.
  • always—Client requests will use an available connection cached server connection.
  • never—Disable multiplexing.
  • safe—A client will establish a new connection for the first request, but will use an available cached server connection for subsequent requests.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

never

lb-algo {least-connections | round-robin | weighted-round-robin | uri-hash | full-uri-hash | host-hash | host-domain-hash | src-ip-hash | least-response-time | probabilistic-weighted-least-response-time}

Select the load-balancing algorithms that FortiWeb uses when it distributes new connections among server pool members.

  • least-connections—Distributes new connections to the member with the fewest number of existing, fully-formed connections.
  • round-robin—Distributes new connections to the next member of the server pool, regardless of weight, response time, traffic load, or number of existing connections. Unresponsive servers are avoided.
  • weighted-round-robin—Distributes new connections using the round robin method, except that members with a higher weight value receive a larger percentage of connections.
  • uri-hash—Distributes new TCP connections using a hash algorithm based on the URI found in the HTTP header, excluding hostname.
  • full-uri-hash—Distributes new TCP connections using a hash algorithm based on the full URI string found in the HTTP header. The full URI string includes the hostname and path.
  • host-hash—Distributes new TCP connections using a hash algorithm based on the hostname in the HTTP Request header Host field.
  • host-domain-hash—Distributes new TCP connections using a hash algorithm based on the domain name in the HTTP Request header Host field.
  • src-ip-hash—Distributes new TCP connections using a hash algorithm based on the source IP address of the request.
  • least-response-time—Distributes the incoming traffic to the server with the shortest average response time and the lowest number of connections, thus making the client connect to the most efficient back-end server.
  • probabilistic-weighted-least-response-time—For the least-response-time, in extreme cases there might be a server consistently has relatively low response time compared to others, which causes most of traffic to be distributed to one server. As a solution to this case, probabilistic-weighted-least-response-time distributes traffic based on least response time as well as probabilities. The least response time server is most likely to receive traffic, while the rest servers still have a chance to process some of the traffic.

Note: When protocol {HTTP | FTP | ADFSPIP} is set to FTP, only round-robin, weighted-round-robin, least-connections, and src-ip-hash are available.

For hash-based methods, if you specify a value for persistence, after an initial client request, FortiWeb routes any subsequent requests according to the persistence method. Otherwise, it routes subsequent requests according to the hash-based algorithm.

Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is reverse-proxy and server-balance {enable | disable} is enable.

round-robin

persistence "<persistence-policy_name>"

Enter the name of the persistence policy that specifies a session persistence method and timeout to apply to the pool.

For details, see server-policy persistence-policy.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

No default.

adfs-server-name <adfs-server-name_str>

Enter a name for the AD FS Server. It should be the federation service name. This option is mandatory if the AD FS Server needs to verify the server name in the SSL handshake.

This is only available if the server pool type is ADFSPIP.

No default.

protocol {HTTP | FTP | ADFSPIP}

Select one of the following:

  • HTTP—Specifies that the server pool governs HTTP traffic. Specific options for configuring an HTTP server pool become available.
  • FTP—Specifies that the server pool governs FTP traffic. Specific options for configuring an FTP server pool become available.
  • ADFSPIP—Specifies that the server pool governs ADFSPIP traffic. Specific options for configuring an ADFSPIP server pool become available.

HTTP

proxy-protocol {enable | disable}

If the back-end server enables proxy protocol, you need to enable the Proxy Protocol option on FortiWeb so that the TCP SSL and HTTP traffic can successfully go through. The real IP address of the client will be included in the proxy protocol header.
Available only if the type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is Reverse Proxy, True Transparent Proxy, Offline Protection, or Transparent Inspection.

disable

proxy-protocol-version {v1 | v2}

Select the proxy protocol version for the back-end server.

Available only if the type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is Reverse Proxy, or True Transparent Proxy.

v1

reuse-conn-idle-time <int>

Enter an idle time limit for a cached server connection. If a cached server connection remains idle for the set duration, it will be closed. The valid range is 1–1000.

10

reuse-conn-max-count <int>

Enter the maximum number of allowed cached server connections. If FortiWeb meets the set number, no more cached server connections will be established. The valid range is 1–1000 for each pserver.

Note: The minimum number of cached connections depends on the number of CPU kernels of the FortiWeb platform. For example, a FortiWeb 4000E has 40 CPU kernels, so there are always at least 40 reusable connections for each pserver. In addition, the valid range is set for each pserver; if there are two pservers and you enter a value of 1000, there will be up to 2000 reusable connections.

100

reuse-conn-max-request <int>

Enter the maximum number of HTTP responses that the cached server connection may handle. If a cached server connection meets the set number, it will be closed. The valid range is 1–1000.

100

reuse-conn-total-time <int>

Enter the maximum time limit in which a cached server connection may be reused. If a cached server connection exists for longer than the set limit, it will be closed. The valid range is 1–1000.

100

server-balance {enable | disable}

Specifies whether the pool contains a single server or multiple members.

If the value is enabled, FortiWeb uses the specified load-balancing algorithm to distribute TCP connections among the members. If a member is unresponsive to the specified server health check, FortiWeb forwards subsequent connections to another member of the pool.

Available only when type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is reverse-proxy.

disable

server-pool-id

A 64-bit random integer assigned to each server policy. The policy-id is a unique identification number for each server policy.

When administrative domains (ADOMs) are enabled, ADOMs can create unique server policies with policy names that are identical to other server policies created by different ADOMs, so the policy-id can easily differentiate between different policies created by different ADOMs that may share the same policy name.

No default.

type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp}

Select the current operation mode of the appliance to display the corresponding pool options.

For details, see opmode {offline-protection | reverse-proxy | transparent | transparent-inspection | wccp}.

Note: This option is applicable only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

reverse-proxy

<entry_index>

Enter the index number of the member entry within the server pool. The valid range is 1–9,223,372,036,854,775,807.

For round robin-style load-balancing, the index number indicates the order in which FortiWeb distributes connections.

No default.

backup-server {enable | disable}

Enter enable to configure this pool member as a backup server.

FortiWeb only routes connections for the pool to a backup server when all the other members of the server pool fail their server health check.

The backup server mechanism does not work if you do not specify server health checks for the pool members.

If you select this option for more than one pool member, FortiWeb uses the load balancing algorithm to determine which member to use.
disable

certificate "<certificate_name>"

Enter the name of the certificate that FortiWeb uses to decrypt SSL-secured connections.

Available only if ssl {enable | disable} is enable. The maximum length is 63 characters.

To display the list of existing certificates, enter:

edit ?

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

No default.

certificate-verify "<verifier_name>"

Enter the name of a certificate verifier, if any, to use when an HTTP client presents their personal certificate. If you do not specify one, the client is not required to present a personal certificate.

However, if ssl {enable | disable} is enable and the domain in the client request matches an entry in the specified SNI policy, FortiWeb uses the SNI configuration to determine which certificate verifier to use.

Personal certificates, sometimes also called user certificates, establish the identity of the person connecting to the website. For details about how the client’s certificate is verified, see ssl-client-verify "<verifier_name>".

You can require that clients present a certificate alternatively or in addition to HTTP authentication. For details, see waf HTTP-authen HTTP-authen-rule.

Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is transparent-servers-for-tp and ssl {enable | disable} is enable. For Reverse Proxy mode, configure this setting in the server policy instead. See ssl-client-verify "<verifier_name>".

The maximum length is 63 characters.

To display the list of existing verifiers, enter:

edit ?

Note: The client must support TLS 1.0, TLS 1.1, or TLS 1.2.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

No default.

client-certificate "<client-certificate_name>"

Enter the client certificate that FortiWeb uses to connect to this server pool member.

Used when connections to this pool member require a valid client certificate.

Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is reverse-proxy or transparent-servers-for-tp and ssl {enable | disable} is enable.

To upload a client certificate for FortiWeb, see the FortiWeb Administration Guide:

http://docs.fortinet.com/fortiweb/admin-guides

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

disable

client-certificate-forwarding {enable | disable}

Enable to configure FortiWeb to include any X.509 personal certificates presented by clients during the SSL/TLS handshake with the traffic it forwards to the pool member.

Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is transparent-servers-for-tp and ssl {enable | disable} is enable.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

disable

client-certificate-forwarding-cert-header "<header_str>"

Enter a custom certificate header that will include the Base64 certificate of the X.509 personal certificate presented by the client during the SSL/TLS handshake when it forwards the traffic to the protected web server.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

x-client-cert

client-certificate-forwarding-sub-header "<header_str>"

Enter a custom subject header that will include the subject of the X.509 personal certificate presented by the client during the SSL/TLS handshake when it forwards the traffic to the protected web server.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

x-client-dn

client-certificate-proxy {enable | disable}

Enable to configure seamless PKI integration. When this option is configured, FortiWeb attempts to verify client certificates when users make requests and resigns new certificates that it sends to the server.

Also configure client-certificate-proxy-sign-ca <sign_ca>.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

disable

client-certificate-proxy-sign-ca <sign_ca>

Select a Sign CA FortiWeb will use to verify and resign new client certificates.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

No default.

conn-limit <conn-limit_int>

Specifies the maximum number of TCP connections that FortiWeb forwards to this pool member.

For no limit, specify 0 (the default value).

The valid range is 0–1,048,576.

0

domain "<server_fqdn>"

Enter the fully-qualified domain name of the web server to include in the pool, such as www.example.com.

Warning: Server policies do not apply features that do not yet support IPv6 to domain servers whose DNS names resolve to IPv6 addresses.

Tip: For domain servers, FortiWeb queries a DNS server to resolve each web server’s domain name to an IP address. For improved performance, do one of the following:

  • use physical servers instead
  • ensure highly reliable, low-latency service to a DNS server on your local network

Available only if server-type {physical | domain | sdn-connector} is domain.

No default.

health-check-inherit {enable | disable}

Select either:

  • enable—Use the health check specified by health in the server pool configuration.
  • disable—Use the health check specified by health in this pool member configuration.

enable

hlck-domain <hlck-domain_str>

Enter the domain name of the server pool.

No default.

hpkp-header "<hpkp_name>"

Enter an HPKP profile, if any, to use to verify certificates when clients attempt to access a server.

HPKP prevents attackers from carrying out Man in the Middle (MITM) attacks with forged certificates.

Available only when the operating mode is True Transparent Proxy.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

disable

hsts-header {enable | disable}

Enable to combat MITM attacks on HTTP by injecting the RFC 6797 (http://tools.ietf.org/html/rfc6797) strict transport security header into the reply, such as:

Strict-Transport-Security: max-age=31536000; includeSubDomains;Preload

This header forces the client to use HTTPS for subsequent visits to this domain. If the certificate does not validate, it also causes a fatal connection error: the client’s web browser does not display a dialog that allows the user to override the certificate mismatch error and continue.

Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is transparent-servers-for-tp and ssl {enable | disable} is enable.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

disable

hsts-max-age <timeout_int>

Enter the time to live in seconds for the HSTS header.

This setting applies only if hsts-header {enable | disable} is enable.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

7776000
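Added check for the hsts-header and hsts-max-age settings above (this is an illustration, not FortiWeb code): it parses the Strict-Transport-Security header out of a raw HTTP response and confirms that it is present and that its max-age matches the configured hsts-max-age. The response bytes are constructed sample data; the default of 7776000 seconds is the one documented for hsts-max-age.

```python
"""Verify that a response carries the Strict-Transport-Security header that
hsts-header enable is expected to inject, with max-age equal to hsts-max-age.
Added illustration, not FortiWeb code; the raw response below is constructed."""
from typing import Dict, List, Optional, Tuple


def parse_hsts(value: str) -> Tuple[Optional[int], Dict[str, Optional[str]]]:
    """Parse an STS header value (RFC 6797 section 6.1): directives are
    separated by ';', names are case-insensitive, max-age is a decimal number
    of seconds.  Returns (max_age, other_directives); max_age is None when
    it is absent or malformed, which makes browsers ignore the whole header."""
    max_age: Optional[int] = None
    others: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';' as in the example in the reference
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"') if val else None
        if name == "max-age":
            if val is not None and val.isdigit():
                max_age = int(val)
            else:
                return None, others
        else:
            others[name] = val
    return max_age, others


def response_headers(raw: bytes) -> Dict[str, str]:
    """Split a raw HTTP/1.x response head into a lower-cased header map
    (first occurrence of a header wins; the body is ignored)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        name, _, val = line.partition(":")
        headers.setdefault(name.strip().lower(), val.strip())
    return headers


def check_hsts(raw: bytes, expected_max_age: int = 7776000,
               require_subdomains: bool = False) -> List[str]:
    """Return findings for one response; an empty list means HSTS is applied as configured."""
    findings: List[str] = []
    sts = response_headers(raw).get("strict-transport-security")
    if sts is None:
        return ["Strict-Transport-Security header missing"]
    max_age, directives = parse_hsts(sts)
    if max_age is None:
        findings.append("max-age missing or malformed; browsers ignore such a header")
    elif max_age != expected_max_age:
        findings.append(f"max-age is {max_age}, expected hsts-max-age {expected_max_age}")
    if require_subdomains and "includesubdomains" not in directives:
        findings.append("includeSubDomains directive missing")
    return findings


# Constructed response as it might leave the appliance with the default hsts-max-age.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Strict-Transport-Security: max-age=7776000; includeSubDomains\r\n"
    b"\r\n<html></html>"
)

if __name__ == "__main__":
    print(check_hsts(SAMPLE_RESPONSE) or "HSTS header OK")
```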

HTTP2 {enable | disable}

Enable to allow HTTP/2 communication between the FortiWeb and this back-end web server for HTTP/2 security inspections in Reverse Proxy mode; or enable HTTP/2 security inspections in True Transparent Proxy mode.

When HTTP/2 security inspection is enabled in Reverse Proxy mode (see server-policy policy):

  1. enable—Ensures that traffic between FortiWeb and this web server is transferred in HTTP/2, provided the web server supports HTTP/2.
    Note: Confirm that this back-end web server really supports HTTP/2 before you enable this option, or connections will fail.
  2. disable—FortiWeb converts HTTP/2 to HTTP/1.x for this web server, or HTTP/1.x to HTTP/2 for the clients, if this web server does not support HTTP/2.

When FortiWeb operates in True Transparent Proxy mode (see opmode {offline-protection | reverse-proxy | transparent | transparent-inspection | wccp}):

  1. enable—Enables HTTP/2 security inspection. Only this option and a correctly configured SSL setup are required; no HTTP/2 configuration is needed in server-policy policy. When HTTP/2 inspection is enabled in True Transparent Proxy mode, FortiWeb performs no protocol conversion between HTTP/1.x and HTTP/2, so HTTP/2 connections will not be established between clients and back-end web servers that do not support HTTP/2.
  2. disable—Disables HTTP/2 security inspection.

Note:

  1. This option is available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is set to reverse-proxy or transparent-servers-for-tp; when type is transparent-servers-for-tp, this option is available only if ssl {enable | disable} is enable.
  2. Confirm your FortiWeb operation mode and the HTTP versions your back-end web servers run before configuring this option, so that HTTP/2 inspection works correctly with your web servers.
  3. For details about HTTP/2 support, see the FortiWeb Administration Guide:

    http://docs.fortinet.com/fortiweb/admin-guides

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

disable

http2-window-size <int>

Enter the window size (determining the amount of data in bytes that FortiWeb is willing to receive at any given time) for HTTP/2 connections between the back-end server and FortiWeb.

The valid range is 65,535–2,147,483,647 bytes.

131,070

implicit_ssl {enable | disable}

Enable so that FortiWeb will communicate with the pool member using implicit SSL.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is set to FTP.

disable

intermediate-certificate-group "<CA-group_name>"

Enter the name of a group of intermediate certificate authority (CA) certificates, if any, that FortiWeb presents to clients to complete the signing chain for them and validate the server certificate’s CA signature.

If clients receive certificate warnings that the server certificate configured in certificate "<certificate_name>" has been signed by an intermediary CA, rather than directly by a root CA or other CA currently trusted by the client, configure this option.

Alternatively, include the entire signing chain in the server certificate itself before uploading it to the FortiWeb appliance, thereby completing the chain of trust with a CA already known to the client. For details, see the FortiWeb Administration Guide:

http://docs.fortinet.com/fortiweb/admin-guides

Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is transparent-servers-for-tp and ssl {enable | disable} is enable. For Reverse Proxy mode, configure this setting in the server policy instead. For details, see intermediate-certificate-group "<CA-group_name>".

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

No default.

ip {"address_ipv4" | "address_ipv6"}

Enter the IP address of the web server to include in the pool.

Warning: Server policies do not apply features that do not yet support IPv6 to servers specified using IPv6 addresses.

Available only if server-type {physical | domain | sdn-connector} is physical.

No default.

port <port_int>

Enter the TCP port number where the pool member listens for connections. The valid range is 1–65,535.

80 (HTTP)/21 (FTP)

recover <recover_int>

Specify the number of seconds that FortiWeb waits before it forwards traffic to this pool member after a health check indicates that this server is available again.

The default is 0 (disabled).

The valid range is 0–86,400.

After the recovery period elapses, FortiWeb assigns connections at the rate specified by warm-rate <warm-rate_int>.

Examples of when the server experiences a recovery and warm-up period:

  • A server is coming back online after the health check monitor detected it was down.
  • A network service is brought up before other daemons have finished initializing and therefore the server is using more CPU and memory resources than when startup is complete.

To avoid connection problems, specify the separate warm-up rate, recovery rate, or both.

Tip: During scheduled maintenance, you can also manually apply these limits by setting status {disable |enable | maintain} to maintain.

0

server-side-sni {enable | disable}

Specify whether FortiWeb supports Server Name Indication (SNI) for back-end servers that it applies this policy to.

Enable this feature when the operating mode is transparent proxy, end-to-end encryption is required, and the back-end web server itself requires SNI support.

When the operating mode is Reverse Proxy, you enable server-side SNI support using the server policy.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

disable

server-type {physical | domain | sdn-connector}

Specify whether the pool member is identified by IP address, by domain name, or is discovered automatically by an SDN connector.

If your application servers are deployed on AWS or Azure, you can select sdn-connector to authorize FortiWeb to access the VM instances in your public cloud account, in order to automatically obtain the IP addresses.

physical

sdn-addr-type {private | public | all}

Select whether you want FortiWeb to get the public or private addresses of your application's VM instances, or select all to get both the public and the private addresses.

Note: If you are using private IP addresses, ensure that FortiWeb can successfully establish connections with your application's VM instances in order to forward the traffic.

Available only if the server-type is sdn-connector.

private

sdn {aws | azure}

Select the SDN connector you have created. See system sdn-connector.

Available only if the server-type is sdn-connector.

No default.

filter <string>

Once you select the SDN connector that you have created, the available filter options for the VMs in your public cloud account are listed here. You can select multiple filter options among instance IDs, image IDs, tags, and so on. FortiWeb finds the VM instance, for example, whose instance ID is i-12345678 in your AWS account, then obtains the IP address of this instance and records it as the origin server's IP.

AWS

  • instance-id (e.g. instance-id=i-12345678)
  • image-id (e.g. image-id=ami-123456)
  • key-name (e.g. key-name=aws-key-name)
  • subnet-id (e.g. subnet-id=sub-123456)
  • tag:TagName (The tag attached to the instance. TagName is a variable. It can be any value you have named for the tag. e.g. tag:Type=appserver. Up to 8 tags are supported.)

Azure

  • vm-name (e.g. vm-name=myVM01)
  • tag:TagName (The tag attached to the virtual machine. TagName is a variable. It can be any value you have named for the tag, e.g. tag:Type=appserver. Up to 8 tags are supported.)

Available only if the server-type is sdn-connector.

No default.
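Added model of how the filter and sdn-addr-type settings above select origin servers from a cloud inventory (illustration only, not FortiWeb code): it parses the documented filter syntax (instance-id=..., subnet-id=..., tag:TagName=..., at most 8 tag terms), ANDs the terms over a constructed inventory, and returns private, public or both addresses. The Instance record, its field names and the sample VMs are assumptions made for the example.

```python
"""Model of a server pool member with server-type sdn-connector selecting origin
servers from a cloud inventory.  Added illustration, not FortiWeb code: the
Instance record and inventory are constructed; the matching rules follow the
filter syntax documented for the CLI (key=value terms, tag:Name=value, max 8 tags)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_TAG_FILTERS = 8  # the reference states that up to 8 tag filters are supported

# AWS filter keys named in the reference, mapped to the record attribute they test.
_ATTRIBUTE_KEYS = {
    "instance-id": "instance_id",
    "image-id": "image_id",
    "key-name": "key_name",
    "subnet-id": "subnet_id",
}


@dataclass
class Instance:
    """One VM record as a cloud API might return it (constructed sample shape)."""
    instance_id: str
    image_id: str
    key_name: str
    subnet_id: str
    private_ip: str
    public_ip: Optional[str]
    tags: Dict[str, str] = field(default_factory=dict)


def parse_filter(filter_str: str) -> Dict[str, str]:
    """Parse a space-separated filter string such as
    'instance-id=i-12345678 tag:Type=appserver' into a key -> value mapping.
    Raises ValueError for malformed terms or for more than MAX_TAG_FILTERS tags."""
    terms: Dict[str, str] = {}
    for term in filter_str.split():
        key, sep, value = term.partition("=")
        if not sep or not key or not value:
            raise ValueError(f"filter term {term!r} is not key=value")
        terms[key] = value
    if sum(1 for k in terms if k.startswith("tag:")) > MAX_TAG_FILTERS:
        raise ValueError(f"at most {MAX_TAG_FILTERS} tag filters are supported")
    return terms


def instance_matches(inst: Instance, terms: Dict[str, str]) -> bool:
    """True when the instance satisfies every filter term (terms are AND-ed).
    Unknown keys are rejected rather than ignored, so a typo in a filter
    cannot silently widen the match to every instance in the account."""
    for key, expected in terms.items():
        if key.startswith("tag:"):
            if inst.tags.get(key[len("tag:"):]) != expected:
                return False
        elif key in _ATTRIBUTE_KEYS:
            if getattr(inst, _ATTRIBUTE_KEYS[key]) != expected:
                return False
        else:
            raise ValueError(f"unsupported filter key {key!r}")
    return True


def resolve_pool_members(inventory: List[Instance], filter_str: str,
                         sdn_addr_type: str = "private") -> List[str]:
    """Return the origin-server IPs the pool would contain, honouring
    sdn-addr-type {private | public | all}.  An instance without a public
    address contributes nothing under 'public'."""
    if sdn_addr_type not in ("private", "public", "all"):
        raise ValueError("sdn-addr-type must be private, public or all")
    terms = parse_filter(filter_str)
    addresses: List[str] = []
    for inst in inventory:
        if not instance_matches(inst, terms):
            continue
        if sdn_addr_type in ("private", "all"):
            addresses.append(inst.private_ip)
        if sdn_addr_type in ("public", "all") and inst.public_ip:
            addresses.append(inst.public_ip)
    return addresses


# Constructed inventory: two app servers and one database host in the same subnet.
SAMPLE_INVENTORY = [
    Instance("i-12345678", "ami-123456", "aws-key-name", "sub-123456",
             "10.0.1.10", "203.0.113.10", {"Type": "appserver", "Env": "prod"}),
    Instance("i-23456789", "ami-123456", "aws-key-name", "sub-123456",
             "10.0.1.11", None, {"Type": "appserver", "Env": "prod"}),
    Instance("i-34567890", "ami-654321", "aws-key-name", "sub-123456",
             "10.0.1.20", "203.0.113.20", {"Type": "database", "Env": "prod"}),
]

if __name__ == "__main__":
    print(resolve_pool_members(SAMPLE_INVENTORY, "tag:Type=appserver"))
```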

session-id-reuse {enable | disable}

Enable so that FortiWeb reuses the session ID when establishing an SSL connection to a pserver. If the SSL connection has a server name, FortiWeb can only reuse a session ID for the specified pserver. If both a session ticket and ID exist for a pserver, FortiWeb will reuse the ticket.

Note: This option is available only when ssl {enable | disable} is enabled.

disable

session-ticket-reuse {enable | disable}

Enable so that FortiWeb reuses the session ticket when establishing an SSL connection to a pserver. If the SSL connection has a server name, FortiWeb can only reuse a session ticket for the specified pserver.

Note: This option is available only when ssl {enable | disable} is enabled.

disable

sni {enable | disable}

Enable to use a Server Name Indication (SNI) configuration instead of or in addition to the server certificate specified by certificate "<certificate_name>".

The SNI configuration enables FortiWeb to determine which certificate to present on behalf of the members of a pool based on the domain in the client request. For details, see system certificate sni.

If you specify both a SNI configuration and a certificate, FortiWeb uses the certificate specified by certificate "<certificate_name>" when the requested domain does not match a value in the SNI configuration.

If you enable sni-strict {enable | disable}, FortiWeb always ignores the value of certificate "<certificate_name>".

Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is transparent-servers-for-tp and ssl {enable | disable} is enable.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

disable

sni-certificate "<sni_name>"

Enter the name of the Server Name Indication (SNI) configuration that specifies which certificate FortiWeb uses when encrypting or decrypting SSL-secured connections for a specified domain.

The SNI configuration enables FortiWeb to present different certificates on behalf of the members of a pool according to the requested domain.

If only one certificate is required to encrypt and decrypt traffic that this policy applies to, specify certificate "<certificate_name>" instead.

Available only if sni {enable | disable} is enabled.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

No default.

sni-strict {enable | disable}

Select to configure FortiWeb to ignore the value of certificate "<certificate_name>" when it determines which certificate to present on behalf of server pool members, even if the domain in a client request does not match a value in the specified SNI configuration.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

disable

certificate-type {enable | disable}

Enable to allow FortiWeb to automatically retrieve CA certificates from Let's Encrypt.

disable

lets-certificate <name>

Select the Letsencrypt certificate you have created. See system certificate letsencrypt.

No default.

ssl {enable | disable}

For Reverse Proxy, Offline Protection, and Transparent Inspection modes, specifies whether connections between FortiWeb and the pool member use SSL/TLS.

For True Transparent Proxy and WCCP modes, specifies whether FortiWeb performs SSL/TLS processing for the pool members and connections between FortiWeb and the pool member use SSL/TLS.

For Offline Protection and transparent modes, also configure certificate "<certificate_name>". FortiWeb uses the certificate to decrypt and scan connections before passing the encrypted traffic through to the pool members (SSL inspection).

For True Transparent Proxy, also configure certificate "<certificate_name>" and additional SSL settings as required. FortiWeb handles SSL negotiations and encryption and decryption, instead of the pool member (SSL offloading).

For Reverse Proxy mode, you can configure SSL offloading for all members of a pool using a server policy. For details, see server-policy policy.

Note: When this option is enabled, the pool member must be configured to apply SSL.

Note: Ephemeral (temporary key) Diffie-Hellman exchanges are not supported if the FortiWeb appliance is operating in Transparent Inspection or Offline Protection mode.

No default.

ssl-cipher {medium | high | custom}

For Reverse Proxy mode, specifies whether secure connections between FortiWeb and the server pool member use a medium-security, high-security, or custom set of cipher suites.

For True Transparent Proxy and WCCP modes, specifies whether secure connections between clients and FortiWeb and between FortiWeb and the server pool member use a medium-security, high-security, or custom set of cipher suites.

If custom, also specify ssl-custom-cipher {<cipher_1> <cipher2> <cipher3> ...}.

Do not set to custom if HTTP2 {enable | disable} is set to enable.

For details, see the FortiWeb Administration Guide:

http://docs.fortinet.com/fortiweb/admin-guides

Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is reverse-proxy, transparent-servers-for-tp, or transparent-servers-for-wccp, and ssl {enable | disable} is enable.

medium

ssl-custom-cipher {<cipher_1> <cipher2> <cipher3> ...}

Specify one or more cipher suites that FortiWeb allows.

Separate the name of each cipher with a space. To remove from or add to the list of ciphers, retype the entire list.

Valid values are:

ECDHE-ECDSA-AES256-GCM-SHA384

ECDHE-RSA-AES256-GCM-SHA384

DHE-DSS-AES256-GCM-SHA384

DHE-RSA-AES256-GCM-SHA384

ECDHE-ECDSA-CHACHA20-POLY1305

ECDHE-RSA-CHACHA20-POLY1305

DHE-RSA-CHACHA20-POLY1305

ECDHE-ECDSA-AES256-CCM8

ECDHE-ECDSA-AES256-CCM

DHE-RSA-AES256-CCM8

DHE-RSA-AES256-CCM

ECDHE-ECDSA-AES128-GCM-SHA256

ECDHE-RSA-AES128-GCM-SHA256

DHE-DSS-AES128-GCM-SHA256

DHE-RSA-AES128-GCM-SHA256

ECDHE-ECDSA-AES128-CCM8

ECDHE-ECDSA-AES128-CCM

DHE-RSA-AES128-CCM8

DHE-RSA-AES128-CCM

ECDHE-ECDSA-AES256-SHA384

ECDHE-RSA-AES256-SHA384

DHE-RSA-AES256-SHA256

DHE-DSS-AES256-SHA256

ECDHE-ECDSA-CAMELLIA256-SHA384

ECDHE-RSA-CAMELLIA256-SHA384

DHE-RSA-CAMELLIA256-SHA256

DHE-DSS-CAMELLIA256-SHA256

ECDHE-ECDSA-AES128-SHA256

ECDHE-RSA-AES128-SHA256

DHE-RSA-AES128-SHA256

DHE-DSS-AES128-SHA256

ECDHE-ECDSA-CAMELLIA128-SHA256

ECDHE-RSA-CAMELLIA128-SHA256

DHE-RSA-CAMELLIA128-SHA256

DHE-DSS-CAMELLIA128-SHA256

ECDHE-ECDSA-AES256-SHA

ECDHE-RSA-AES256-SHA

DHE-RSA-AES256-SHA

DHE-DSS-AES256-SHA

DHE-RSA-CAMELLIA256-SHA

DHE-DSS-CAMELLIA256-SHA

ECDHE-ECDSA-AES128-SHA

ECDHE-RSA-AES128-SHA

DHE-RSA-AES128-SHA

DHE-DSS-AES128-SHA

DHE-RSA-CAMELLIA128-SHA

DHE-DSS-CAMELLIA128-SHA

AES256-GCM-SHA384

AES256-CCM8

AES256-CCM

AES128-GCM-SHA256

AES128-CCM8

AES128-CCM

AES256-SHA256

CAMELLIA256-SHA256

AES128-SHA256

CAMELLIA128-SHA256

AES256-SHA

CAMELLIA256-SHA

AES128-SHA

CAMELLIA128-SHA

DHE-RSA-SEED-SHA

ECDHE_RSA_DES_CBC3_SHA

DES_CBC3_SHA

ECDHE-ECDSA-AES256-GCM-SHA384

ECDHE-RSA-AES256-GCM-SHA384

ECDHE-ECDSA-CHACHA20-POLY1305

ECDHE-RSA-CHACHA20-POLY1305

ECDHE-ECDSA-AES128-GCM-SHA256

ECDHE-RSA-AES128-GCM-SHA256

ECDHE-ECDSA-AES256-SHA384

ECDHE-RSA-AES256-SHA384

ECDHE-ECDSA-AES128-SHA256

ECDHE-RSA-AES128-SHA256

ECDHE-ECDSA-AES256-SHA

ECDHE-RSA-AES256-SHA

ECDHE-ECDSA-AES128-SHA

ECDHE-RSA-AES128-SHA

AES256-GCM-SHA384

AES128-GCM-SHA256

AES256-SHA256

AES128-SHA256

tls13-custom-cipher

Specify one or more TLS 1.3 cipher suites that FortiWeb allows.

Separate the name of each cipher with a space. To remove from or add to the list of ciphers, retype the entire list.

Valid values are:

TLS_AES_256_GCM_SHA384

TLS_CHACHA20_POLY1305_SHA256

TLS_AES_128_GCM_SHA256

TLS_AES_128_CCM_SHA256

TLS_AES_128_CCM_8_SHA256

rfc7919-comply {enable | disable}

Enable to apply cipher suites that comply with RFC 7919.

disable

supported-groups {X25519 | prime256v1 | secp384r1 | secp521r1 | brainpoolP256r1 | brainpoolP384r1 | brainpoolP512r1 | ffdhe2048 | ffdhe3072 | ffdhe4096 | ffdhe6144 | ffdhe8192}

Select the RFC 7919 groups to support. The supported groups are the key-exchange group parameters (elliptic curves and FFDHE groups); because the SSL/TLS negotiation may choose among them, make sure you also select the corresponding ciphers in ssl-custom-cipher.

  • At least one FFDHE group must be selected.

  • At least one DHE cipher must be added.

    Due to a design limitation, you must select custom in ssl-cipher {medium | high | custom} and include at least one DHE cipher in the selected list. Using high or medium together with RFC 7919 leads to an unexpected error. This will be fixed in a future release.

The system returns an error if either of the above two conditions is not met.

Note that RFC 7919 does not apply to TLS 1.3, so if you have enabled only tls-v13, RFC 7919 does not take effect even if it is enabled. To apply both TLS 1.3 and RFC 7919, enable a non-TLS 1.3 protocol as well, then select at least one DHE cipher.

No default.

ssl-noreg {enable | disable}

Select to configure FortiWeb to ignore requests from clients to renegotiate TLS or SSL.

Protects against denial-of-service (DoS) attacks that use TLS/SSL renegotiation to overburden the server.

Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is transparent-servers-for-tp and ssl {enable | disable} is enable.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

enable

status {disable |enable | maintain}

To specify the status of the pool member, enter one of the following values:

  • enable—Specifies that this pool member can receive new sessions from FortiWeb.
  • disable—Specifies that this pool member does not receive new sessions from FortiWeb and FortiWeb closes any current sessions as soon as possible.
  • maintain—Specifies that this pool member does not receive new sessions from FortiWeb but FortiWeb maintains any current connections.
enable

tls-v10 {enable | disable}

For Reverse Proxy mode, specifies whether secure connections between FortiWeb and the server pool member can use the TLS 1.0 cryptographic protocol.

For True Transparent Proxy and WCCP modes, specifies whether secure connections between clients and FortiWeb and between FortiWeb and the server pool member can use the TLS 1.0 cryptographic protocol.

This must be set to disable if HTTP2 {enable | disable} is set to enable.

Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is reverse-proxy, transparent-servers-for-tp, or transparent-servers-for-wccp, and ssl {enable | disable} is enable.

enable

tls-v11 {enable | disable}

For Reverse Proxy mode, specifies whether secure connections between FortiWeb and the server pool member can use the TLS 1.1 cryptographic protocol.

For True Transparent Proxy and WCCP modes, specifies whether secure connections between clients and FortiWeb and between FortiWeb and the server pool member can use the TLS 1.1 cryptographic protocol.

This must be set to disable if HTTP2 {enable | disable} is set to enable.

Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is reverse-proxy, transparent-servers-for-tp, or transparent-servers-for-wccp, and ssl {enable | disable} is enable.

enable

tls-v12 {enable | disable}

For Reverse Proxy mode, specifies whether secure connections between FortiWeb and the server pool member can use the TLS 1.2 cryptographic protocol.

For True Transparent Proxy and WCCP modes, specifies whether secure connections between clients and FortiWeb and between FortiWeb and the server pool member can use the TLS 1.2 cryptographic protocol.

Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is reverse-proxy, transparent-servers-for-tp, or transparent-servers-for-wccp, and ssl {enable | disable} is enable.

enable

tls-v13 {enable | disable}

For Reverse Proxy mode, specifies whether secure connections between FortiWeb and the server pool member can use the TLS 1.3 cryptographic protocol.

For True Transparent Proxy and WCCP modes, specifies whether secure connections between clients and FortiWeb and between FortiWeb and the server pool member can use the TLS 1.3 cryptographic protocol.

Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is reverse-proxy, transparent-servers-for-tp, or transparent-servers-for-wccp, and ssl {enable | disable} is enable.

disable
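Added consistency check for the TLS settings of one pool member (an illustration, not FortiWeb code): each rule restates a constraint given in the ssl-cipher, HTTP2, rfc7919-comply, supported-groups, sni and tls-v10/tls-v11 descriptions above, so a configuration can be linted before it is committed. The PoolMemberTLS record, its field names and the two sample configurations are assumptions made for the example; defaults follow the reference.

```python
"""Lint the TLS-related settings of a FortiWeb server pool member against the
constraints stated in the CLI reference.  Added illustration, not FortiWeb code."""
from dataclasses import dataclass, field
from typing import List

FFDHE_GROUPS = {"ffdhe2048", "ffdhe3072", "ffdhe4096", "ffdhe6144", "ffdhe8192"}


@dataclass
class PoolMemberTLS:
    """Subset of 'config pserver-list' settings the rules below examine.
    Field names mirror the CLI keywords; defaults follow the reference."""
    ssl: bool = False
    http2: bool = False
    ssl_cipher: str = "medium"  # medium | high | custom
    ssl_custom_cipher: List[str] = field(default_factory=list)
    tls13_custom_cipher: List[str] = field(default_factory=list)
    tls_v10: bool = True
    tls_v11: bool = True
    tls_v12: bool = True
    tls_v13: bool = False
    rfc7919_comply: bool = False
    supported_groups: List[str] = field(default_factory=list)
    sni: bool = False
    sni_certificate: str = ""


def validate(m: PoolMemberTLS) -> List[str]:
    """Return human-readable problems; an empty list means the member is consistent."""
    problems: List[str] = []
    if not m.ssl:
        return problems  # every rule below concerns options that apply only when ssl is enable
    if m.ssl_cipher not in ("medium", "high", "custom"):
        problems.append(f"ssl-cipher {m.ssl_cipher!r} is not medium, high or custom")
    if m.ssl_cipher == "custom" and not m.ssl_custom_cipher:
        problems.append("ssl-cipher custom requires at least one ssl-custom-cipher")
    if m.http2:
        # HTTP2 enable: tls-v10 and tls-v11 must be disable; ssl-cipher must not be custom.
        if m.tls_v10:
            problems.append("HTTP2 enable requires tls-v10 disable")
        if m.tls_v11:
            problems.append("HTTP2 enable requires tls-v11 disable")
        if m.ssl_cipher == "custom":
            problems.append("do not set ssl-cipher custom when HTTP2 is enable")
    if m.rfc7919_comply:
        # rfc7919-comply: custom cipher list with a DHE suite, an FFDHE group,
        # and a pre-TLS 1.3 protocol, otherwise the setting has no effect.
        if m.ssl_cipher != "custom":
            problems.append("rfc7919-comply requires ssl-cipher custom")
        if not any(c.startswith("DHE-") for c in m.ssl_custom_cipher):
            problems.append("rfc7919-comply requires a DHE cipher in ssl-custom-cipher")
        if not FFDHE_GROUPS & set(m.supported_groups):
            problems.append("rfc7919-comply requires an ffdhe group in supported-groups")
        if not (m.tls_v10 or m.tls_v11 or m.tls_v12):
            problems.append("rfc7919-comply has no effect when only tls-v13 is enabled")
    if not (m.tls_v10 or m.tls_v11 or m.tls_v12 or m.tls_v13):
        problems.append("no TLS protocol version is enabled")
    if m.sni_certificate and not m.sni:
        problems.append("sni-certificate is used only when sni is enable")
    for suite in m.tls13_custom_cipher:
        if not suite.startswith("TLS_"):
            problems.append(f"{suite} is not a TLS 1.3 suite; it belongs in ssl-custom-cipher")
    return problems


# Constructed sample: an HTTP/2 member that still allows TLS 1.0/1.1 and a custom list.
HTTP2_MISCONFIGURED = PoolMemberTLS(
    ssl=True, http2=True, ssl_cipher="custom",
    ssl_custom_cipher=["ECDHE-RSA-AES256-GCM-SHA384"])

# Constructed sample that meets the documented RFC 7919 requirements.
RFC7919_OK = PoolMemberTLS(
    ssl=True, ssl_cipher="custom",
    ssl_custom_cipher=["ECDHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-GCM-SHA384"],
    tls_v10=False, tls_v11=False, tls_v12=True, tls_v13=True,
    tls13_custom_cipher=["TLS_AES_256_GCM_SHA384"],
    rfc7919_comply=True, supported_groups=["X25519", "ffdhe2048"])

if __name__ == "__main__":
    for name, cfg in (("HTTP2_MISCONFIGURED", HTTP2_MISCONFIGURED), ("RFC7919_OK", RFC7919_OK)):
        print(name, validate(cfg) or "OK")
```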

url-cert {enable | disable}

Specifies whether FortiWeb uses a URL-based client certificate group to determine whether a client is required to present a personal certificate.

Available only if HTTPS-service "<service_name>" is configured.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

disable

urlcert-group "<urlcert-group_name>"

Enter the URL-based client certificate group that determines whether a client is required to present a personal certificate.

If the URL the client requests does not match an entry in the group, the client is not required to present a personal certificate.

For details about creating a group, see system certificate urlcert.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

No default.

urlcert-hlen <len_int>

Enter the maximum allowed length for an HTTP request with a URL that matches an entry in the URL-based client certificate group, in kilobytes.

FortiWeb blocks any matching requests that exceed the specified size.

This setting prevents a request from exceeding the maximum buffer size.

The valid range is 16–128.

Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is HTTP.

No default.

warm-rate <warm-rate_int>

Specify the maximum connection rate (per second) while the pool member is starting up.

The default is 10 connections per second. The valid range is 1–86,400.

The warm-up calibration is useful with servers that bring up the network service before other daemons are initialized. As these types of servers come online, CPU and memory are more utilized than they are during normal operation. For these servers, you define separate rates based on warm-up and recovery behavior.

For example, if warm-up <warm-up_int> is 5 and warm-rate is 2, the maximum number of new connections increases at the following rate:

  • 1st second—Total of 2 new connections allowed (0+2).
  • 2nd second—2 new connections added for a total of 4 new connections allowed (2+2).
  • 3rd second—2 new connections added for a total of 6 new connections allowed (4+2).
  • 4th second—2 new connections added for a total of 8 new connections allowed (6+2).
  • 5th second—2 new connections added for a total of 10 new connections allowed (8+2).
10

warm-up <warm-up_int>

Specify for how long (in seconds) FortiWeb forwards traffic at a reduced rate after a health check indicates that this pool member is available again but it cannot yet handle a full connection load.

For example, when the pool member begins to respond but startup is not fully complete.

The default is 0 (disabled).

The valid range is 0–86,400.

0

weight <weight_int>

If the server pool uses the weighted round robin load-balancing algorithm, type the numerical weight of the pool member. Members with a greater weight receive a greater proportion of connections.

The valid range is 1–9,999.

0
ssl-session-timeout <ssl-session-timeout_int>

When FortiWeb is configured as an SSL server, you can set SSL session timeout intervals via the CLI. This is available only in Reverse Proxy and True Transparent Proxy modes.

No default.

ssl-quiet-shutdown {enable | disable}

For HTTPS connections, when disabled, FortiWeb sends an SSL alert message to the client or server pool first, and then a FIN.

When enabled, FortiWeb sends the FIN directly, without sending an SSL alert message.

disable

server-certificate-verify {enable | disable}

Enable so that the FortiWeb appliance verifies certificates presented by the HTTP server.

disable

server-certificate-verify-policy "<policy_name>"

Enter the name of the certificate verification policy.

No default.

server-certificate-verify-action {alert | alert_deny | redirect}

Select the action the FortiWeb appliance takes when it detects a certificate violation.

No default.

adfs-username <adfs-username_str>

Type the username that FortiWeb uses to connect with the AD FS server. Include the domain to which FortiWeb and the AD FS server belong, for example, domain1\administrator.

No default.

adfs-password <adfs-password_str>

Type the password that FortiWeb uses to connect with the AD FS server.

No default.

multi-certificate {enable | disable}

Enable this option to allow FortiWeb to use multiple local certificates. Available when:

  • ssl {enable | disable} is enabled, and
  • FortiWeb is operating in True Transparent Proxy or WCCP mode and performs SSL inspection.

disable

certificate-group <certificate-group_str>

Select the multi-certificate file you have created.

No default.

enforce-trust-establishment {enable | disable}

Enable to establish trust with ADFS servers before building up connections.

disable

Example

This example configures a server pool named server-pool1. It consists of two physical servers: 192.0.2.10 and 192.0.2.11.

When both servers are available, FortiWeb forwards connections to the server with the smallest number of connections.

config server-policy server-pool

edit "server-pool1"

set type reverse-proxy

set server-balance enable

set lb-algo least-connections

config pserver-list

edit 1

set status enable

set server-type physical

set ip "192.0.2.10"

set ssl disable

set port 8081

next

edit 2

set status enable

set server-type physical

set ip "192.0.2.11"

set ssl disable

set port 8082

next

end

next

end

Related topics