server-policy server-pool
Use this command to configure an HTTP, FTP, or AD FS server pool.
Server pools define a group of one or more physical or domain servers (web servers) that FortiWeb distributes connections among, or where the connections pass through to, depending on the operation mode. Reverse Proxy mode actively distributes connections; Offline Protection and either of the transparent modes do not actively distribute connections.
To apply the server pool configuration, do one of the following:
- Select it in a server policy directly.
- Select it in an HTTP content writing policy that you can, in turn, select in a server policy.
For details, see server-policy policy and server-policy HTTP-content-routing-policy.
To determine which type of server policy to create, configure protocol {HTTP | FTP | ADFSPIP}. If you're planning to configure an FTP server policy, you'll need to confirm that system feature-visibility is enabled. For details, see system feature-visibility.
To use this command, your administrator account’s access control profile must have either w
or rw
permission to the traroutegrp
area. For details, see Permissions.
Syntax
config server-policy server-pool
edit "<server-pool_name>"
set health "<health-check_name>"
set HTTP-reuse {aggressive | always | never | safe}
set persistence "<persistence-policy_name>"
set protocol {HTTP | FTP | ADFSPIP}
set reuse-conn-idle-time <int>
set reuse-conn-max-count <int>
set reuse-conn-max-request <int>
set reuse-conn-total-time <int>
set server-balance {enable | disable}
set server-pool-id
set proxy-protocol {enable | disable}
set proxy-protocol-version {v1 | v2}
set adfs-server-name <adfs-server-name_str>
config pserver-list
edit <entry_index>
set analyzer-policy "<fortianalyzer-policy_name>"
set backup-server {enable | disable}
set certificate "<certificate_name>"
set certificate-verify "<verifier_name>"
set client-certificate "<client-certificate_name>"
set client-certificate-forwarding {enable | disable}
set client-certificate-forwarding-cert-header "<header_str>"
set client-certificate-forwarding-sub-header "<header_str>"
set client-certificate-proxy {enable | disable}
set client-certificate-proxy-sign-ca <sign_ca>
set conn-limit <conn-limit_int>
set health-check-inherit {enable | disable}
set hlck-domain <hlck-domain_str>
set hsts-header {enable | disable}
set hsts-max-age <timeout_int>
set implicit_ssl {enable | disable}
set intermediate-certificate-group "<CA-group_name>"
set ip {"address_ipv4" | "address_ipv6"}
set port <port_int>
set server-certificate-verify {enable | disable}
set server-certificate-verify-action {alert | alert_deny | redirect}
set server-certificate-verify-policy "<policy_name>"
set server-side-sni {enable | disable}
set server-type {physical | domain | sdn-connector}
set sdn-addr-type {private | public | all}
set filter <string>
set session-id-reuse {enable | disable}
set session-ticket-reuse {enable | disable}
set sni-certificate "<sni_name>"
set sni-strict {enable | disable}
set certificate-type {enable | disable}
set ssl-cipher {medium | high | custom}
set ssl-custom-cipher {<cipher_1> <cipher2> <cipher3> ...}
set rfc7919-comply {enable | disable}
set ssl-noreg {enable | disable}
set ssl-quiet-shutdown {enable | disable}
set ssl-session-timeout <ssl-session-timeout_int>
set status {disable |enable | maintain}
set tls-v10 {enable | disable}
set tls-v11 {enable | disable}
set tls-v12 {enable | disable}
set tls-v13 {enable | disable}
set url-cert {enable | disable}
set urlcert-group "<urlcert-group_name>"
set adfs-username <adfs-username_str>
set adfs-password <adfs-password_str>
set multi-certificate {enable | disable}
set certificate-group <certificate-group_str>
set enforce-trust-establishment {enable | disable}
next
end
next
end
Variable | Description | Default |
Enter the name of the server pool. The maximum length is 63 characters. To display the list of existing servers, enter:
|
No default. | |
Enter a description or other comment. If the comment is more than one word or contains special characters, surround the comment with double quotes ( " ). The maximum length is 199 characters. |
No default. | |
Enter the name of a server health check FortiWeb uses to determine the responsiveness of server pool members. The maximum length is 63 characters. When you specify a health check for the pool, by default, all pool members use that health check. To select a different health check for a pool member, in the pool member configuration, specify To display the list of existing health checks, enter:
Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is Note: If a pool member is unresponsive, wait until the server becomes responsive again before disabling its server health check. Server health checks record the up or down status of the server. If you deactivate the server health check while the server is unresponsive, the server health check cannot update the recorded status, and FortiWeb continues to regard the physical server as if it were unresponsive. You can determine the physical server’s connectivity status using the Service Status widget or an SNMP trap. For details, see system snmp community. |
No default. | |
Configure multiplexing so that FortiWeb uses a single connection to a server for requests from multiple clients. Enter one of these options:
Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is |
never |
|
lb-algo {least-connections | round-robin | weighted-round-robin | uri-hash | full-uri-hash | host-hash | host-domain-hash | src-ip-hash | least-response-time | probabilistic-weighted-least-response-time} |
Select the load-balancing algorithms that FortiWeb uses when it distributes new connections among server pool members.
Note: When protocol {HTTP | FTP | ADFSPIP} is set to For hash-based methods, if you specify a value for Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is |
round-robin
|
Enter the name of the persistence policy that specifies a session persistence method and timeout to apply to the pool. For details, see server-policy persistence-policy. Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is |
No default. | |
Enter a name for the AD FS Server. It should be the federation service name. This option is mandatory if the AD FS Server needs to verify the server name in the SSL handshake. This is only available if the server pool type is ADFSPIP. |
No default. |
|
Select one of the following:
|
HTTP |
|
If the back-end server enables proxy protocol, you need to enable the Proxy Protocol option on FortiWeb so that the TCP SSL and HTTP traffic can successfully go through. The real IP address of the client will be included in the proxy protocol header. |
disable |
|
Select the proxy protocol version for the back-end server. Available only if the type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is Reverse Proxy, or True Transparent Proxy. |
v1 |
|
Enter an idle time limit for a cached server connection. If a cached server connection remains idle for the set duration, it will be closed. The valid range is 1–1000. |
10 |
|
Enter the maximum number of allowed cached server connections. If FortiWeb meets the set number, no more cached server connections will be established. The valid range is 1–1000 for each pserver. Note: The minimum number of cached connections depends on the number of CPU kernels of the FortiWeb platform. For example, a FortiWeb 4000E has 40 CPU kernels, so there are always at least 40 reusable connections for each pserver. In addition, the valid range is set for each pserver; if there are two pservers and you enter a value of 1000, there will be up to 2000 reusable connections. |
100 |
|
Enter the maximum number of HTTP responses that the cached server connection may handle. If a cached server connection meets the set number, it will be closed. The valid range is 1–1000. |
100 |
|
Enter the maximum time limit in which a cached server connection may be reused. If a cached server connection exists for longer than the set limit, it will be closed. The valid range is 1–1000. |
100 |
|
Specifies whether the pool contains a single server or multiple members. If the value is Available only when type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is |
disable
|
|
A 64-bit random integer assigned to each server policy. The When administrative domains (ADOMs) are enabled, ADOMs can create unique server policies with policy names that are identical to other server policies created by different ADOMs, so the |
No default. |
|
type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} |
Select the current operation mode of the appliance to display the corresponding pool options. For details, see opmode {offline-protection | reverse-proxy | transparent | transparent-inspection | wccp}. Note: This option is applicable only when the protocol {HTTP | FTP | ADFSPIP} is |
reverse-proxy
|
Enter the index number of the member entry within the server pool. The valid range is 1–9,223,372,036,854,775,807. For round robin-style load-balancing, the index number indicates the order in which FortiWeb distributes connections. |
No default. | |
Enter enable to configure this pool member as a backup server. FortiWeb only routes connections for the pool to a backup server when all the other members of the server pool fail their server health check. The backup server mechanism does not work if you do not specify server health checks for the pool members. If you select this option for more than one pool member, FortiWeb uses the load balancing algorithm to determine which member to use. |
disable
|
|
Enter the name of the certificate that FortiWeb uses to decrypt SSL-secured connections. Available only if ssl {enable | disable} is To display the list of existing certificates, enter:
Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is |
No default. | |
Enter the name of a certificate verifier, if any, to use when an HTTP client presents their personal certificate. If you do not specify one, the client is not required to present a personal certificate. However, if ssl {enable | disable} is Personal certificates, sometimes also called user certificates, establish the identity of the person connecting to the website. For details about how the client’s certificate is verified, see ssl-client-verify "<verifier_name>". You can require that clients present a certificate alternatively or in addition to HTTP authentication. For details, see waf HTTP-authen HTTP-authen-rule. Available only if ssl {enable | disable} is transparent-servers-for-tp and The maximum length is 63 characters. To display the list of existing verifiers, enter:
Note: The client must support TLS 1.0, TLS 1.1, or TLS 1.2. Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is |
No default. | |
Enter the client certificate that FortiWeb uses to connect to this server pool member. Used when connections to this pool member require a valid client certificate. Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is reverse-proxy or transparent-servers-for-tp and ssl {enable | disable} is To upload a client certificate for FortiWeb, see the FortiWeb Administration Guide: http://docs.fortinet.com/fortiweb/admin-guides Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is |
disable
|
|
Enable to configure FortiWeb to include any X.509 personal certificates presented by clients during the SSL/TLS handshake with the traffic it forwards to the pool member. Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is transparent-servers-for-tp and ssl {enable | disable} is Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is |
disable
|
|
Enter a custom certificate header that will include the Base64 certificate of the X.509 personal certificate presented by the client during the SSL/TLS handshake when it forwards the traffic to the protected web server. Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is |
x-client-cert |
|
Enter a custom subject header that will include the subject of the X.509 personal certificate presented by the client during the SSL/TLS handshake when it forwards the traffic to the protected web server. Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is |
x-client-dn |
|
Enable to configure seamless PKI integration. When this option is configured, FortiWeb attempts to verify client certificates when users make requests and resigns new certificates that it sends to the server. Also configure client-certificate-proxy-sign-ca <sign_ca>. Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is |
disable |
|
Select a Sign CA FortiWeb will use to verify and resign new client certificates. Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is |
No default. | |
Specifies the maximum number of TCP connections that FortiWeb forwards to this pool member. For no limit, specify The valid range is 0–1,048,576. |
0
|
|
Enter the fully-qualified domain name of the web server to include in the pool, such as Warning: Server policies do not apply features that do not yet support IPv6 to domain servers whose DNS names resolve to IPv6 addresses. Tip: For domain servers, FortiWeb queries a DNS server to query and resolve each web server’s domain name to an IP address. For improved performance, do one of the following:
Available only if server-type {physical | domain | sdn-connector} is |
No default. | |
Select either:
|
enable |
|
hlck-domain <hlck-domain_str>
|
Enter the domain name of the server pool. | No default. |
Enter an HPKP profile, if any, to use to verify certificates when clients attempt to access a server. HPKP prevents attackers from carrying out Man in the Middle (MITM) attacks with forged certificates. Available only when the operating mode is True Transparent Proxy. Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is |
disable |
|
Enable to combat MITM attacks on HTTP by injecting the RFC 6797 (http://tools.ietf.org/html/rfc6797) strict transport security header into the reply, such as:
This header forces the client to use HTTPS for subsequent visits to this domain. If the certificate does not validate, it also causes a fatal connection error: the client’s web browser does not display a dialog that allows the user to override the certificate mismatch error and continue. Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is transparent-servers-for-tp and ssl {enable | disable} is Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is |
disable
|
|
Enter the time to live in seconds for the HSTS header. This setting applies only if hsts-header {enable | disable} is Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is |
7776000
|
|
Enable to allow HTTP/2 communication between the FortiWeb and this back-end web server for HTTP/2 security inspections in Reverse Proxy mode; or enable HTTP/2 security inspections in True Transparent Proxy mode. When HTTP/2 security inspection is enabled in Reverse Proxy mode (see server-policy policy):
When FortiWeb operates in True Transparent Proxy mode( see opmode {offline-protection | reverse-proxy | transparent | transparent-inspection | wccp}):
Note:
Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is |
disable |
|
Enter the window size (determining the amount of data in bytes that FortiWeb is willing to receive at any given time) for HTTP/2 connections between the back-end server and FortiWeb. The valid range is 65,535-2,147,483,647 bytes. |
131,070 |
|
Enable so that FortiWeb will communicate with the pool member using implicit SSL. Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is set to |
disable |
|
Enter the name of a group of intermediate certificate authority (CA) certificates, if any, that FortiWeb presents to clients to complete the signing chain for them and validate the server certificate’s CA signature. If clients receive certificate warnings that the server certificate configured in certificate "<certificate_name>" has been signed by an intermediary CA, rather than directly by a root CA or other CA currently trusted by the client, configure this option. Alternatively, include the entire signing chain in the server certificate itself before uploading it to the FortiWeb appliance, thereby completing the chain of trust with a CA already known to the client. For details, see the FortiWeb Administration Guide: http://docs.fortinet.com/fortiweb/admin-guides Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is transparent-servers-for-tp and ssl {enable | disable} is Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is |
No default. | |
Enter the IP address of the web server to include in the pool. Warning: Server policies do not apply to features that do not yet support IPv6 to servers specified using IPv6 addresses. Available only if server-type {physical | domain | sdn-connector} is |
No default. | |
Enter the TCP port number where the pool member listens for connections. The valid range is 1–65,535. | 80 (HTTP)/21 (FTP) |
|
Specify the number of seconds that FortiWeb waits before it forwards traffic to this pool member after a health check indicates that this server is available again.
The default is The valid range is 0–86,400. After the recovery period elapses, FortiWeb assigns connections at the rate specified by warm-rate <warm-rate_int>. Examples of when the server experiences a recovery and warm-up period:
To avoid connection problems, specify the separate warm-up rate, recovery rate, or both. Tip: During scheduled maintenance, you can also manually apply these limits by setting status {disable |enable | maintain} to |
0
|
|
Specify whether FortiWeb supports Server Name Indication (SNI) for back-end servers that it applies this policy to. Enable this feature when the operating mode is transparent proxy, end-to-end encryption is required, and the back-end web server itself requires SNI support. When the operating mode is Reverse Proxy, you enable server-side SNI support using the server policy. Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is |
disable
|
|
Specify whether to specify the pool member by IP address, domain, or automatically pulled by SDN connector. If your application servers are deployed on AWS or Azure, you can select |
physical
|
|
Select whether you want FortiWeb to get the public or private addresses of your application's VM instances, or select Note: If you are using private IP addresses, ensure that FortiWeb can successfully establish connections with your application's VM instances in order to forward the traffic. Available only if the |
|
|
Select the SDN connector you have created. See system sdn-connector Available only if the |
No default. |
|
Once you select the SDN collector that you have created, the available filter options for your VMs in your public cloud account will be listed here. You can select multiple filter options among instance IDs, image IDs, tags, etc. FortiWeb will find the VM instance, for example, whose instance ID is i-12345678 in your AWS account, then obtain the IP address of this instance and record it as the origin server's IP. AWS
Azure
Available only if the |
No default. |
|
Enable so that FortiWeb reuses the session ID when establishing an SSL connection to a pserver. If the SSL connection has a server name, FortiWeb can only reuse a session ID for the specified pserver. If both a session ticket and ID exist for a pserver, FortiWeb will reuse the ticket. Note: This option is available only when ssl {enable | disable} is enabled. |
disable |
|
Enable so that FortiWeb reuses the session ticket when establishing an SSL connection to a pserver. If the SSL connection has a server name, FortiWeb can only reuse a session ticket for the specified pserver. Note: This option is available only when ssl {enable | disable} is enabled. |
disable |
|
Enable to use a Server Name Indication (SNI) configuration instead of or in addition to the server certificate specified by certificate "<certificate_name>". The SNI configuration enables FortiWeb to determine which certificate to present on behalf of the members of a pool based on the domain in the client request. For details, see system certificate sni. If you specify both a SNI configuration and a certificate, FortiWeb uses the certificate specified by certificate "<certificate_name>" when the requested domain does not match a value in the SNI configuration. If you enable sni-strict {enable | disable}, FortiWeb always ignores the value of certificate "<certificate_name>". Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is transparent-servers-for-tp and ssl {enable | disable} is Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is |
disable
|
|
Enter the name of the Server Name Indication (SNI) configuration that specifies which certificate FortiWeb uses when encrypting or decrypting SSL-secured connections for a specified domain. The SNI configuration enables FortiWeb to present different certificates on behalf of the members of a pool according to the requested domain. If only one certificate is required to encrypt and decrypt traffic that this policy applies to, specify certificate "<certificate_name>" instead. Available only if sni {enable | disable} is enabled. Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is |
No default. | |
Select to configure FortiWeb to ignore the value of certificate "<certificate_name>" when it determines which certificate to present on behalf of server pool members, even if the domain in a client request does not match a value in the specified SNI configuration. Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is |
disable
|
|
Enable allow FortiWeb to automatically retrieve CA certificates from Let's Encrypt. |
disable |
|
Select the Letsencrypt certificate you have created. See system certificate letsencrypt. |
No default. |
|
For Reverse Proxy, Offline Protection, and Transparent Inspection modes, specifies whether connections between FortiWeb and the pool member use SSL/TLS. For True Transparent Proxy and WCCP modes, specifies whether FortiWeb performs SSL/TLS processing for the pool members and connections between FortiWeb and the pool member use SSL/TLS. For Offline Protection and transparent modes, also configure certificate "<certificate_name>". FortiWeb uses the certificate to decrypt and scan connections before passing the encrypted traffic through to the pool members (SSL inspection). For True Transparent Proxy, also configure certificate "<certificate_name>" and additional SSL settings as required. FortiWeb handles SSL negotiations and encryption and decryption, instead of the pool member (SSL offloading). For Reverse Proxy mode, you can configure SSL offloading for all members of a pool using a server policy. For details, see server-policy policy. Note: When this option is enabled, the pool member must be configured to apply SSL. Note: Ephemeral (temporary key) Diffie-Hellman exchanges are not supported if the FortiWeb appliance is operating in Transparent Inspection or Offline Protection mode. |
No default. | |
For Reverse Proxy mode, specifies whether secure connections between FortiWeb and the server pool member use a medium-security, high-security, or custom set of cipher suites. For True Transparent Proxy and WCCP modes, specifies whether secure connections between clients and FortiWeb and between FortiWeb and the server pool member use a medium-security, high-security, or custom set of cipher suites. If custom, also specify ssl-custom-cipher {<cipher_1> <cipher2> <cipher3> ...}. Do not set to For details, see the FortiWeb Administration Guide: http://docs.fortinet.com/fortiweb/admin-guides Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is |
medium
|
|
Specify one or more cipher suites that FortiWeb allows. Separate the name of each cipher with a space. To remove from or add to the list of ciphers, retype the entire list. Valid values are: ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-CCM8 ECDHE-ECDSA-AES256-CCM DHE-RSA-AES256-CCM8 DHE-RSA-AES256-CCM ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 DHE-DSS-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-CCM8 ECDHE-ECDSA-AES128-CCM DHE-RSA-AES128-CCM8 DHE-RSA-AES128-CCM ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256 DHE-DSS-AES256-SHA256 ECDHE-ECDSA-CAMELLIA256-SHA384 ECDHE-RSA-CAMELLIA256-SHA384 DHE-RSA-CAMELLIA256-SHA256 DHE-DSS-CAMELLIA256-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA256 DHE-DSS-AES128-SHA256 ECDHE-ECDSA-CAMELLIA128-SHA256 ECDHE-RSA-CAMELLIA128-SHA256 DHE-RSA-CAMELLIA128-SHA256 DHE-DSS-CAMELLIA128-SHA256 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA DHE-RSA-CAMELLIA256-SHA DHE-DSS-CAMELLIA256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA DHE-RSA-CAMELLIA128-SHA DHE-DSS-CAMELLIA128-SHA AES256-GCM-SHA384 AES256-CCM8 AES256-CCM AES128-GCM-SHA256 AES128-CCM8 AES128-CCM AES256-SHA256 CAMELLIA256-SHA256 AES128-SHA256 CAMELLIA128-SHA256 AES256-SHA CAMELLIA256-SHA AES128-SHA CAMELLIA128-SHA DHE-RSA-SEED-SHA ECDHE_RSA_DES_CBC3_SHA DES_CBC3_SHA |
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256 |
|
Specify one or more TLS 1.3 cipher suites that FortiWeb allows. Separate the name of each cipher with a space. To remove from or add to the list of ciphers, retype the entire list. Valid values are: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_8_SHA256 |
TLS_AES_256_GCM_SHA384 |
|
Enable to apply cipher suites that comply with RFC-9719. |
disable |
|
supported-groups {X25519 | prime256v1 | secp384r1 | secp521r1 | brainpoolP256r1 | brainpoolP384r1 | brainpoolP512r1 | ffdhe2048 | ffdhe3072 | ffdhe4096 | ffdhe6144 | ffdhe8192} |
Select the RFC-9719 ciphers to be supported. The Supported Group is Elliptic Curve Parameters, while SSL/TLS negotiation could choose different Elliptic Curve algorithms, so please make sure to choose the corresponding ciphers in
The system will return error if any of the above two conditions is not met. Please note RFC7919 does not comply with TLS 1.3, so if you have only enabled |
No default |
Select to configure FortiWeb to ignore requests from clients to renegotiate TLS or SSL. Protects against denial-of-service (DoS) attacks that use TLS/SSL renegotiation to overburden the server. Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is transparent-servers-for-tp and ssl {enable | disable} is Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is |
enable
|
|
To specify the status of the pool member, enter one of the following values:
|
enable
|
|
For Reverse Proxy mode, specifies whether secure connections between FortiWeb and the server pool member can use the TLS 1.0 cryptographic protocol. For True Transparent Proxy and WCCP modes, specifies whether secure connections between clients and FortiWeb and between FortiWeb and the server pool member can use the TLS 1.0 cryptographic protocol. This must be set to Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is |
enable
|
|
For Reverse Proxy mode, specifies whether secure connections between FortiWeb and the server pool member can use the TLS 1.1 cryptographic protocol. For True Transparent Proxy and WCCP modes, specifies whether secure connections between clients and FortiWeb and between FortiWeb and the server pool member can use the TLS 1.1 cryptographic protocol. This must be set to Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is |
enable
|
|
For Reverse Proxy mode, specifies whether secure connections between FortiWeb and the server pool member can use the TLS 1.2 cryptographic protocol. For True Transparent Proxy and WCCP modes, specifies whether secure connections between clients and FortiWeb and between FortiWeb and the server pool member can use the TLS 1.2 cryptographic protocol. Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is |
enable
|
|
For Reverse Proxy mode, specifies whether secure connections between FortiWeb and the server pool member can use the TLS 1.3 cryptographic protocol. For True Transparent Proxy and WCCP modes, specifies whether secure connections between clients and FortiWeb and between FortiWeb and the server pool member can use the TLS 1.3 cryptographic protocol. Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is |
disable | |
Specifies whether FortiWeb uses a URL-based client certificate group to determine whether a client is required to present a personal certificate. Available only if HTTPS-service "<service_name>" is configured. Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is |
disable | |
Enter the URL-based client certificate group that determines whether a client is required to present a personal certificate. If the URL the client requests does not match an entry in the group, the client is not required to present a personal certificate. For details about creating a group, see system certificate urlcert. Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is |
No default. | |
Enter the maximum allowed length for an HTTP request with a URL that matches an entry in the URL-based client certificate group, in kilobytes. FortiWeb blocks any matching requests that exceed the specified size. This setting prevents a request from exceeding the maximum buffer size. The valid range is 16–128. Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} is |
No default. | |
Specify the maximum connection rate (per second) while the pool member is starting up. The default is 10 connections per second. The valid range is 1–86,400. The warm up calibration is useful with servers that bring up the network service before other daemons are initialized. As these types of servers come online, CPU and memory are more utilized than they are during normal operation. For these servers, you define separate rates based on warm-up and recovery behavior. For example, if warm-up <warm-up_int> is
|
10
|
|
Specify for how long (in seconds) FortiWeb forwards traffic at a reduced rate after a health check indicates that this pool member is available again but it cannot yet handle a full connection load. For example, when the pool member begins to respond but startup is not fully complete. The default is The valid range is 0–86,400. |
0
|
|
If the server pool uses the weighted round robin load-balancing algorithm, type the numerical weight of the pool member. Members with a greater weight receive a greater proportion of connections. The valid range is 1–9,999. |
0
|
|
ssl-session-timeout <ssl-session-timeout_int>
|
When FortiWeb is configured as an SSL server, you can set SSL session timeout intervals via the CLI. This is available only in Reverse Proxy and True Transparent Proxy modes. | No default. |
ssl-quiet-shutdown {enable | disable}
|
For HTTPS connection, when disabled, FortiWeb sends ssl alert message to the client or server pool first, and then FIN. When enabled, FortiWeb directly sends FIN message instead of sending ssl alert message. |
Disable
|
server-certificate-verify {enable | disable}
|
Enable so that FortiWeb appliance will verify certificates presented by HTTP server. | Disable
|
server-certificate-verify-policy "<policy_name>"
|
Enter the certificate verity policy name. | No default. |
server-certificate-verify-action {alert | alert_deny | redirect}
|
Select which action the FortiWeb appliance will take when it detects a certificate violation. | No default. |
adfs-username <adfs-username_str>
|
Type the username that will be used by FortiWeb to connect with the AD FS server. You should include the domain to which FortiWeb and the AD FS server belong. For example, damain1\administrator. | No default. |
adfs-password <adfs-password_str>
|
Type the password that will be used by FortiWeb to connect with the AD FS server. | No default. |
multi-certificate {enable | disable}
|
Enable this option to allow FortiWeb to use multiple local certificates.
Available when: ssl {enable | disable} is enabled, and FortiWeb is operating in TTP or WCP mode that performs SSL inspection. |
disable
|
certificate-group <certificate-group_str>
|
Select the the multi-certificate file you have created. | No default. |
Enable to establish trust with ADFS servers before building up connections. |
|
Example
This example configures a server pool named server-pool1
. It consists of two physical servers: 192.0.2.10
and 192.0.2.11
.
When both servers are available, FortiWeb forwards connections to the server with the smallest number of connections.
config server-policy server-pool
edit "server-pool1"
set type reverse-proxy
set server-balance enable
set lb-algo least-connections
config pserver-list
edit 1
set status enable
set server-type physical
set ip "192.0.2.10"
set ssl disable
set port 8081
next
edit 2
set status enable
set server-type physical
set ip "192.0.2.11"
set ssl disable
set port 8082
next
end
next
end