
server-policy setting

Use this command to configure the server policy settings.

Syntax

config server-policy setting
  set core-file-count <core-file-count_int>
  set enable-core-file {enable | disable}
  set enable-session-statistics {enable | disable}
  set enable-single-worker {enable | disable}
  set hsm {enable | disable}
  set no-session-limit {enable | disable}
  set no-ssl-encrypt-then-mac {enable | disable}
  set offline-session-timeout {seconds_int}
  set use-first-ack-mac {enable | disable}
  set dpdk {enable | disable}
  set high-compatibility-mode {enable | disable}
  set graceful-shutdown {enable | disable}
  set server-pool-connection-limit-log {enable | disable}
  set tls13-early-data-mode {enable | disable}
  set record-content-routing-error-log {enable | disable}
  set server-invalid-no-reponse {enable | disable}
  set using-dns-proxy {enable | disable}
  set df-flag {enable | disable}
end

Variable: core-file-count <core-file-count_int>
Description: The maximum number of core dump files. The valid values are 3 and 5.
Default: No default

Variable: enable-core-file {enable | disable}
Description: Enable/disable generation of core dump files.
Default: No default

Variable: enable-session-statistics {enable | disable}
Description: Enable/disable session statistics for FortiView.
Default: No default

Variable: enable-single-worker {enable | disable}
Description: Enable/disable single worker mode. If enabled, only one worker thread handles the traffic. It is usually used for diagnostics only.
Default: No default

Variable: hsm {enable | disable}
Description: Specifies whether the settings you use to integrate FortiWeb with an HSM (hardware security module) are displayed in the web UI.
Default: No default

Variable: no-session-limit {enable | disable}
Description: Enable to remove the limit on the maximum number of concurrent sessions on FortiWeb-VM. If this option is disabled, the maximum number of concurrent sessions for all the policies on a VM is 20,000 (2vCPUs), 50,000 (4vCPUs), or 100,000 (8vCPUs); for each policy, the number is 8,000 (2vCPUs), 15,000 (4vCPUs), or 50,000 (8vCPUs).
Default: No default

Variable: no-ssl-encrypt-then-mac {enable | disable}
Description: Disable to include the encrypt-then-mac extension in the packets sent by the client.
Default: disable

Variable: use-first-ack-mac {enable | disable}
Description: When enabled, machine learning observes only the source MAC of two ACK packets for a URL during the three-way handshake. If disabled, machine learning observes all ACK packets and keeps refreshing the MAC, which affects performance.
Default: enable

Variable: dpdk {enable | disable}
Description: Enable/disable DPDK for packet processing.
Default: No default

Variable: high-compatibility-mode {enable | disable}
Description: Enable to accelerate SSL transport. This setting works on certain hardware platforms that have an SSL accelerator card. When enabled, the SSL accelerator card accelerates SSL encryption and decryption.
Default: disable

Variable: offline-session-timeout {seconds_int}
Description: This setting only works in Offline Protection mode. It is a session optimization option. FortiWeb's resources are consumed unnecessarily if connections stay open indefinitely. With this option, you can configure a session timeout value to prevent sessions from staying open too long. The valid range is 30–1200 seconds.
Default: No default

Variable: graceful-shutdown {enable | disable}
Description: If disabled, the peer TCP connections are reset during system shutdown.
Default: enable

Variable: server-pool-connection-limit-log {enable | disable}
Description: Enable to send a warning-level event log when the number of connections to each real server reaches the limit.
Default: disable

Variable: tls13-early-data-mode {enable | disable}
Description: Enable 0-RTT in TLS 1.3.
Default: disable

Variable: record-content-routing-error-log {enable | disable}
Description: If enabled, the reason for a content routing failure is recorded in the event log.
Default: disable

Variable: server-invalid-no-reponse {enable | disable}
Description: Enable this option to close the client connection when all the servers in the server pool are unresponsive.
Default: disable

Variable: using-dns-proxy {enable | disable}
Description: This option is enabled by default. If it is disabled, the system uses getaddrinfo to resolve the domain name.
Default: enable

Variable: df-flag {enable | disable}
Description: Enable to allow FortiWeb to send packets without the DF flag so that they can pass through a device with a low MTU.
Default: disable
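An added example, not part of the FortiWeb documentation: a Python check that reads this block from an exported configuration, validates each value against the ranges stated above, and reports settings that differ from the documented defaults. The `audit` function, the `TOGGLES`/`RANGED` tables and the sample text are constructed for illustration, and the export is assumed to use the same syntax as shown on this page.

```python
import re

# name=default pairs transcribed from the table on this page ("-" = "No default").
TOGGLES = dict(p.split("=") for p in """
enable-core-file=- enable-session-statistics=- enable-single-worker=- hsm=-
no-session-limit=- dpdk=- no-ssl-encrypt-then-mac=disable use-first-ack-mac=enable
high-compatibility-mode=disable graceful-shutdown=enable
server-pool-connection-limit-log=disable tls13-early-data-mode=disable
record-content-routing-error-log=disable server-invalid-no-reponse=disable
using-dns-proxy=enable df-flag=disable""".split())
RANGED = {"core-file-count": lambda v: v in {"3", "5"},
          "offline-session-timeout": lambda v: v.isdecimal() and 30 <= int(v) <= 1200}

def audit(config_text):
    """Return (errors, drift) for the 'config server-policy setting' block."""
    block = re.search(r"^config server-policy setting\s*$(.*?)^end\s*$",
                      config_text, re.S | re.M)
    if not block:
        return ["block 'config server-policy setting' not found"], []
    errors, drift = [], []
    for line in filter(str.strip, block.group(1).splitlines()):
        m = re.match(r"\s*set\s+(\S+)\s+(\S+)\s*$", line)
        key, value = m.groups() if m else (None, None)
        if key in RANGED:
            if not RANGED[key](value):
                errors.append(f"invalid value for {key}: {value}")
        elif key not in TOGGLES:
            errors.append(f"unrecognized line: {line.strip()}")
        elif value not in ("enable", "disable"):
            errors.append(f"invalid value for {key}: {value}")
        elif TOGGLES[key] not in ("-", value):
            drift.append(f"{key} = {value} (documented default: {TOGGLES[key]})")
    return errors, drift

# Constructed sample, not taken from a real device backup.
SAMPLE = """config server-policy setting
  set core-file-count 4
  set offline-session-timeout 600
  set tls13-early-data-mode enable
  set no-ssl-encrypt-then-mac enable
  set graceful-shutdown enable
end
"""

if __name__ == "__main__":
    for kind, items in zip(("ERROR", "DRIFT"), audit(SAMPLE)):
        for item in items:
            print(kind, item)
```

Drift on `tls13-early-data-mode` deserves review before it is accepted, because TLS 1.3 0-RTT early data can be replayed.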
