
config load-balance profile

Use this command to configure virtual server profiles. A profile is a configuration object that defines how you want the FortiADC virtual server to handle traffic for specific protocols. Virtual server profiles determine settings used in network communication on the client-FortiADC segment, in contrast to real server profiles, which determine the settings used in network communication on the FortiADC-real server segment.

Table 10 describes the usage of each profile type, including compatible virtual server types, load balancing methods, and persistence methods.

Application profile usage

Columns: Profile | Usage | VS Type | LB Methods | Persistence

FTP

Usage: Use with FTP servers.

VS type: Layer 7, Layer 4, Layer 2

LB methods: Layer 7: Round Robin, Least Connections. Layer 4: same as Layer 7, plus Fastest Response, Dynamic Load. Layer 2: same as Layer 7.

Persistence: Source Address, Source Address Hash

HTTP

Usage: Use for standard, unsecured web server traffic.

VS type: Layer 7, Layer 2

LB methods: Layer 7: Round Robin, Least Connections, URI Hash, Full URI Hash, Host Hash, Host Domain Hash, Dynamic Load. Layer 2: same as Layer 7, plus Destination IP Hash.

Persistence: Source Address, Source Address Hash, Source Address-Port Hash, HTTP Header Hash, HTTP Request Hash, Cookie Hash, Persistent Cookie, Insert Cookie, Embedded Cookie, Rewrite Cookie, Passive Cookie

HTTPS

Usage: Use for secured web server traffic when offloading TLS/SSL from the backend servers. You must import the backend server certificates into FortiADC and select them in the HTTPS profile.

VS type: Layer 7, Layer 2

LB methods: Same as HTTP

Persistence: Same as HTTP, plus SSL Session ID

TURBO HTTP

Usage: Use for unsecured HTTP traffic that does not require advanced features like caching, compression, content rewriting, rate limiting, Geo IP blocking, or source NAT. The profile can be used with content routes and destination NAT, but the HTTP request must be in the first data packet. This profile enables packet-based forwarding that reduces network latency and system CPU usage. However, packet-based forwarding for HTTP is advisable only when you do not anticipate dropped packets or out-of-order packets.

VS type: Layer 7

LB methods: Round Robin, Least Connections, Fastest Response

Persistence: Source Address

RADIUS

Usage: Use with RADIUS servers.

VS type: Layer 7

LB methods: Round Robin

Persistence: RADIUS attribute

RDP

Usage: Use with Windows Terminal Services (Remote Desktop Protocol).

VS type: Layer 7

LB methods: Round Robin, Least Connections

Persistence: Source Address, Source Address Hash, Source Address-Port Hash, RDP Cookie

SIP

Usage: Use with applications that use the Session Initiation Protocol (SIP), such as VoIP, instant messaging, and video.

VS type: Layer 7

LB methods: Round Robin, URI Hash, Full URI Hash

Persistence: Source Address, Source Address Hash, Source Address-Port Hash, SIP Call ID

TCP

Usage: Use for other TCP protocols.

VS type: Layer 4, Layer 2

LB methods: Layer 4: Round Robin, Least Connections, Fastest Response. Layer 2: Round Robin, Least Connections, Fastest Response, Destination IP Hash.

Persistence: Source Address, Source Address Hash

TCPS

Usage: Use for secured TCP when offloading TLS/SSL from the backend servers. Like the HTTPS profile, you must import the backend server certificates into FortiADC and select them in the TCPS profile.

VS type: Layer 7, Layer 2

LB methods: Layer 7: Round Robin, Least Connections. Layer 2: Round Robin, Least Connections, Destination IP Hash.

Persistence: Source Address, Source Address Hash, Source Address-Port Hash, SSL Session ID

UDP

Usage: Use with UDP servers.

VS type: Layer 4, Layer 2

LB methods: Layer 4: Round Robin, Least Connections, Fastest Response, Dynamic Load. Layer 2: same as Layer 4, plus Destination IP Hash.

Persistence: Source Address, Source Address Hash

IP

Usage: Used together with a Layer 2 TCP, UDP or HTTP virtual server to balance the remaining IP packets that pass through FortiADC. When an IP protocol 0 virtual server is running, traffic is always matched against the virtual servers for other protocol numbers first.

VS type: Layer 2

LB methods: Round Robin only

Persistence: Source Address, Source Address Hash

DNS

Usage: Use with DNS servers.

VS type: Layer 7

LB methods: Round Robin, Least Connections

Persistence: Not supported yet.

SMTP

Usage: Use with SMTP servers.

VS type: Layer 7

LB methods: Round Robin, Least Connections

Persistence: Source Address, Source Address Hash

RTMP

Usage: A TCP-based protocol used for streaming audio, video, and data over the Internet.

VS type: Layer 7

LB methods: Round Robin, Least Connections

Persistence: Source Address, Source Address Hash

ISO8583

Usage: Use with ISO8583 servers.

VS type: Layer 7

LB methods: Round Robin

Persistence: N/A

RTSP

Usage: A network control protocol used for establishing and controlling media sessions between end points.

VS type: Layer 7

LB methods: Round Robin, Least Connections

Persistence: Source Address, Source Address Hash

MySQL

Usage: MySQL network protocol stack (as in MySQL-Proxy), which parses and builds MySQL protocol packets.

VS type: Layer 7

LB methods: Round Robin, Least Connections

Persistence: N/A

DIAMETER

Usage: A successor to RADIUS, DIAMETER is the next-generation Authentication, Authorization and Accounting (AAA) protocol widely used in IMS and LTE.

VS type: Layer 7

LB methods: Round Robin

Persistence: Source Address, DIAMETER Session ID (default)

MSSQL

Usage: MSSQL network protocol stack, which parses and builds MSSQL protocol packets.

VS type: Layer 7

LB methods: Least Connections

Persistence: N/A

Table 11 provides a summary of the predefined profiles. You can select predefined profiles in the virtual server configuration, or you can create user-defined profiles, especially to include configuration objects like certificates, caching settings, compression options, and IP reputation.

Predefined profiles

Profile Defaults

LB_PROF_TCP

Session Timeout—100 seconds

Session Timeout after FIN—100 seconds

IP Reputation—disabled

Geo IP block list—none

LB_PROF_UDP

Session Timeout—100 seconds

IP Reputation—disabled

Geo IP block list—none

LB_PROF_HTTP

Client Timeout—50 seconds

Server Timeout—50 seconds

Connect Timeout—5 seconds

Queue Timeout—5 seconds

HTTP Request Timeout—50 seconds

HTTP Keepalive Timeout—50 seconds

Buffer Pool—enabled

Source Address—disabled

X-Forwarded-For—disabled

HTTP Mode—ServerClose

Compression—none

Caching—none

IP Reputation—disabled

Geo IP block list—none

LB_PROF_TURBOHTTP

Session Timeout—100 seconds

Session Timeout after FIN—100 seconds

IP Reputation—disabled

LB_PROF_FTP

Session Timeout—100 seconds

Session Timeout after FIN—100 seconds

IP Reputation—disabled

Geo IP block list—none

Source Address—disabled

LB_PROF_RADIUS

Session Timeout—300 seconds

Dynamic Auth—disabled

LB_PROF_RDP

Client Timeout—50 seconds

Server Timeout—50 seconds

Connect Timeout—5 seconds

Queue Timeout—5 seconds

Buffer Pool—enabled

Source Address—disabled

IP Reputation—disabled

Geo IP block list—none

LB_PROF_SIP

SIP Max Size—65535 bytes

Server Keepalive—enabled

Server Keepalive Timeout—30 seconds

Client Keepalive—disabled

Client Protocol—UDP

Server Protocol—unset

Failed Client Type—Drop

Failed Server Type—Drop

Insert Client IP—disabled

Source Address—disabled

Media Address—0.0.0.0

LB_PROF_TCPS

Client Timeout—50 seconds

Server Timeout—50 seconds

Connect Timeout—5 seconds

Queue Timeout—5 seconds

Buffer Pool—enabled

Source Address—disabled

IP Reputation—disabled

Geo IP block list—none

SSL Ciphers—none

Allow SSL Versions—SSLv3, TLSv1.0, TLSv1.1, TLSv1.2

Client SNI Required—disabled

Certificate Group—LOCAL_CERT_GROUP

LB_PROF_HTTPS

Client Timeout—50 seconds

Server Timeout—50 seconds

Connect Timeout—5 seconds

Queue Timeout—5 seconds

HTTP Request Timeout—50 seconds

HTTP Keepalive Timeout—50 seconds

Buffer Pool—enabled

Source Address—disabled

X-Forwarded-For—disabled

HTTP Mode—ServerClose

Compression—none

Caching—none

IP Reputation—disabled

Geo IP block list—none

SSL Ciphers—none

Allow SSL Versions—SSLv3, TLSv1.0, TLSv1.1, TLSv1.2

Client SNI Required—disabled

Certificate Group—LOCAL_CERT_GROUP

LB_PROF_DNS

DNS Cache Flag—Enabled

DNS Cache Ageout Time—3600

DNS Cache Size—10

DNS Cache Entry Size—512

DNS Cache Response Type—All Records

DNS Malform Query Action—Drop

DNS Max Query Length—512

DNS Authentication Flag—Disabled

LB_PROF_IP

IP Reputation—Disabled

Customized SSL Ciphers Flag—Disabled

Geo IP Block List—None

Geo IP allow list—None

Timeout IP Session—100

LB_PROF_RTSP

Max-header-size—4096

Client-address—Disable

LB_PROF_RTMP

Client-address—Disable

LB_PROF_HTTP2_H2C

HTTP/HTTP2 profile—LB_HTTP2_PROFILE_DEFAULT

LB_PROF_HTTP2_H2

HTTP/HTTP2 profile—LB_HTTP2_PROFILE_DEFAULT

LB_PROF_DIAMETER

server-close-propagation—Disable

Idle-timeout —300

LB_PROF_SMTP

Starttls Active Mode—Required

Customized SSL Ciphers Flag—Disabled

SSL Ciphers—Shows all available SSL Ciphers, with the default ones selected

Allow SSL Versions—SSLv3, TLSv1.0, TLSv1.1, TLSv1.2

Forbidden Command—expn, turn, vrfy

Local Certificate Group—LOCAL_CERT_GROUP

Before you begin:

  • You must have already created configuration objects for certificates, caching, and compression if you want the profile to use them.
  • You must have read-write permission for load balance settings.

Syntax

config load-balance profile

edit <name>

set type {ftp | http | https | radius | rdp | sip | tcp | tcps | turbohttp | udp | diameter | dns | mssql | ip | rtsp | rtmp}

set timeout_tcp_session <integer>

set timeout_tcp_session_after_FIN <integer>

set timeout-radius-session <integer>

set timeout_udp_session <integer>

set buffer-pool {enable|disable}

set caching <datasource>

set cache-response-type {single-answer | round-robin}

set client-address {enable|disable}

set client-timeout <integer>

set compression <datasource>

set connect-timeout <integer>

set deploy-mode {proxy | DSR}

set http-keepalive-timeout <integer>

set http-mode {KeepAlive|OnceOnly|ServerClose}

set http-request-timeout <integer>

set http-x-forwarded-for {enable|disable}

set http-x-forwarded-for-header <string>

set queue-timeout <integer>

set server-timeout <integer>

set tune-bufsize <integer>

set tune-maxrewrite <integer>

set ip-reputation {enable|disable}

set geoip-list <datasource>

set allowlist <datasource>

set geoip-redirect <string>

set client-keepalive {enable|disable}

set client-protocol {tcp|udp}

set failed-client {drop|send}

set failed-client-str <string>

set failed-server {drop|send}

set failed-server-str <string>

set max-size <integer>

set server-age <timeout>

set server-keepalive {enable|disable}

set server-keepalive-timeout <integer>

set server-max-size <number>

set server-protocol {tcp|udp}

set sip-insert-client-ip {enable|disable}

set media-addr <ip address>

set dynamic-auth {enable|disable}

set dynamic-auth-port <integer>

config client-request-header-erase

edit <No.>

set type {all|first}

set string <string>

next

end

config client-request-header-insert

edit <No.>

set type {append-always | append-if-not-exist | insert-always | insert-if-not-exist}

set string <string>

next

end

config client-response-header-erase

edit <No.>

set type {all|first}

set string <string>

next

end

config client-response-header-insert

edit <No.>

set type {append-always | append-if-not-exist | insert-always | insert-if-not-exist}

set string <string>

next

end

config server-request-header-erase

edit <No.>

set type {all|first}

set string <string>

next

end

config server-request-header-insert

edit <No.>

set type {append-always | append-if-not-exist | insert-always | insert-if-not-exist}

set string <string>

next

end

config server-response-header-erase

edit <No.>

set type {all|first}

set string <string>

next

end

config server-response-header-insert

edit <No.>

set type {append-always | append-if-not-exist | insert-always | insert-if-not-exist}

set string <string>

next

end

config mssql-user-password

edit <No.>

set username <username>

set password <password>

next

end

next

end

The following commands are used to invoke the "LB_PROF_DNS" profile in Layer-7 virtual servers.

config load-balance profile

edit "dns"

set caching {enable|disable}

set client-address {enable|disable}

set deploy-mode {proxy | DSR}

set malform-query-action {drop|forward}

set max-cache-age <integer>

set max-cache-entry-size <integer>

set max-cache-size <integer>

set max-query-length <integer>

set redirect-to-tcp-port {enable|disable}

next

end

config load-balance virtual-server

edit "vs1"

set load-balance-profile LB_PROF_DNS

next

end

The following commands are used to invoke the "LB_PROF_IP" profile in Layer-2 virtual servers. When the profile of a Layer-2 virtual server is set to "LB_PROF_IP", you must specify the protocol numbers the virtual server can accept.

config load-balance profile

edit "ip"

set type ip

set timeout-ip-session <integer>

set ip-reputation {enable|disable}

set geoip-list <string>

set allowlist <string>

next

end

config load-balance virtual-server

edit "LB_PROF_IP"

set type l2-load-balance

set load-balance-profile LB_PROF_IP

set protocol-numbers <value>   (a single IP protocol number "A" or a protocol range "A-B")

next

end

The following commands are used to configure the health check used for MySQL load balancing:

config system health-check

edit <health-check name>

set type mysql

set user <user name>

set password <password>

set dest-addr <ip addr>

set port <port>

next

end

The following commands are used to create a new MySQL profile (basic configuration):

config load-balance profile

edit <name>

config mysql-user-password

edit <id>

set username <username>

set password <password>

next

end

next

end

The following commands are used to configure a MySQL profile in basic single-primary mode:

config load-balance profile

edit <name>

config mysql-rule

edit <rule id>

set type [primary | secondary]

set database <database name> <database name> ...

set user <user name> <user name> ...

set table <table name> <table name> ...

set client-ip <client ip> <client ip> ...

set sql <sql statement> <sql statement> ...

next

end

next

end

The following commands are used to configure a MySQL profile in data-sharding mode:

config load-balance profile

edit <name>

set mysql-mode sharding

config mysql-sharding

edit <id>

set type range

set table <table name>

set key <column name>

set group <group id>:<range> <group id>:<range> ... # such as set groups 0:0-999 1:1000-9999

next

edit <id>

set type hash

set database <database name>

set table <table name>

set key <column name>

set group <group id> <group id>

next

end

next

end

The following commands are used to configure MySQL profile-specific pool members:

config load-balance pool

edit <pool name>

config pool_member

edit 1

set mysql-group-id <group id> #for Data Sharding

set mysql-read-only enable #for Secondary

next

end

next

end

The following commands are used to create an RTSP profile:

config load-balance profile

edit "RTSP"

set type rtsp

set max-header-size <size>

set client-address <enable/disable>

next

end

The following commands are used to configure an RTMP profile:

config load-balance profile

edit "RTMP"

set type rtmp

set client-address <enable/disable>

next

end

The following commands are used to configure a diameter proxy_mode profile:

config load-balance profile

edit "diameter_proxy"

set type diameter

set identity <string>

set realm <string>

set vendor-id <integer>

set product-name <string>

set idle-timeout <integer>

set server-close-propagation <enable/disable>

next

end

The following commands are used to configure a diameter relay_mode profile:

config load-balance profile

edit "diameter_relay"

set type diameter

set idle-timeout <integer>

set server-close-propagation <enable/disable>

next

end

type

Specify the profile type. After you have specified the type, the CLI commands are constrained to the ones that are applicable to the specified type, not all of the settings described in this table.

IP

geoip-list

Specify the Geo IP block list.

ip-reputation

Specify the IP Reputation.

timeout-ip-session

Specify the timeout of the IP session.

allowlist

Specify the Geo IP allow list.

RTSP

max-header-size

Specify the maximum size of RTSP packets, in bytes. The valid range is 16 to 65,536.

client-address

Enable/disable the use of a client IP as the source IP to connect to the real server.

RTMP

client-address

Enable/disable the use of a client IP as the source IP to connect to the real server.

DNS

caching

Enable or disable the cache for the DNS virtual server.

client-address

Enable/disable the use of a client IP as the source IP. Default is disable.

deploy-mode

Specify the deployment mode - proxy or DSR. Default is proxy.

malform-query-action

Specify the action for malformed queries: drop or forward.

max-cache-age

Specify the cache age-out time (in seconds).

max-cache-entry-size

Specify the maximum cache entry size.

max-cache-size

Specify the maximum cache size (in Megabytes).

max-query-length

Specify the maximum query length.

redirect-to-tcp-port

Enable or disable TCP authentication (the DNS Authentication Flag of the predefined LB_PROF_DNS profile). Disabled by default.

FTP

timeout_tcp_session

Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400.

timeout_tcp_session_after_FIN

Client-side timeout for connections after the client has sent a FIN. The default is 100 seconds. The valid range is 1 to 86,400.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Specify a Geo IP block list configuration object.

allowlist

Specify a Geo IP allow list configuration object.

client-address

Use the original client IP address as the source address in the connection to the real server.

HTTP

buffer-pool

Enable to use buffering.

tune-bufsize

Specify the buffer size for a session when buffer-pool is enabled. Specify lower values to allow more sessions to coexist in the same amount of RAM, and higher values for traffic with larger HTTP body content. The default is 8,030 bytes. The valid range is 128 to 2,147,483,647.

caching

Specify the name of the caching configuration object.

client-address

Use the original client IP address as the source address in the connection to the real server.

client-timeout

Client-side TCP connection timeout. The default is 50 seconds. The valid range is from 1 to 3,600.

compression

Specify a compression configuration object.

connect-timeout

Multiplexed server-side TCP connection timeout. Usually less than the client-side timeout. The default is 5 seconds. The valid range is 1 to 3,600.

http-keepalive-timeout

The default is 50 seconds. The valid range is 1 to 3,600.

http-mode

  • KeepAlive. Do not close the connection to the real server after each HTTP transaction. Instead, keep the connection between FortiADC and the real server open until the client-side connection is closed. This option is required for applications like Microsoft SharePoint.
  • OnceOnly. An HTTP transaction can consist of multiple HTTP requests (separate requests for an HTML page and the images contained therein, for example). To improve performance, the "once only" flag instructs the FortiADC to evaluate only the first set of headers in a connection. Subsequent requests belonging to the connection are not load balanced, but sent to the same server as the first request.
  • ServerClose. Close the connection to the real server after each HTTP transaction.

http-request-timeout

Client-side HTTP request timeout. The default is 50 seconds. The valid range is 1 to 3,600.

http-x-forwarded-for

Append the client IP address found in IP layer packets to the HTTP header that you have specified in the X-Forwarded-For Header setting. If there is no existing X-Forwarded-For header, the system creates it. Because the address is appended rather than replacing the header, a client can pre-seed the header with an address of its choosing; real servers should trust only the entry added by FortiADC, and a client-request-header-erase entry for the header can be used to discard client-supplied values before the append.

http-x-forwarded-for-header

Specify the HTTP header to which to write the client IP address. Typically, this is the X-Forwarded-For header, but it is customizable because you might support traffic that uses different headers for this. Do not include the 'X-' prefix. Examples: Forwarded-For, Real-IP, or True-IP.

queue-timeout

Specifies how long connection requests to a backend server remain in a queue if the server has reached its maximum number of connections. If the timeout period expires before the client can connect, FortiADC drops the connection and sends a 503 error to the client. The default is 5 seconds. The valid range is 1 to 3,600.

server-timeout

Server-side IP session timeout. The default is 50 seconds. The valid range is 1 to 3,600.

tune-maxrewrite

Specify the buffer space reserved for content rewriting. The default is 1,024 bytes. The valid range is 128 to 2,147,483,647.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Specify a Geo IP block list configuration object.

geoip-redirect

For HTTP/HTTPS, if you have configured a Geo IP redirect action, specify a redirect URL.

allowlist

Specify a Geo IP allow list configuration object.

http2-profile

Specify an HTTP2 profile configuration object.

HTTPS - same as HTTP plus the following

allow-ssl-versions

Specify a space-separated list of the SSL/TLS versions this profile accepts. The options are:

  • SSLv2
  • SSLv3
  • TLSv1.0
  • TLSv1.1
  • TLSv1.2

The predefined profiles enable SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2. SSLv2 and SSLv3 are prohibited (RFC 6176 and RFC 7568) and TLS 1.0 and 1.1 are deprecated (RFC 8996), so a production profile should normally be limited to TLSv1.2 unless a specific legacy client requires an older version. Confirm the result against the virtual server with a TLS scanner after the change.

cert-verify

Specify a certificate validation policy.

client-sni-required

Require clients to use the TLS server name indication (SNI) extension to include the server hostname in the TLS client hello message. Then, the FortiADC system can select the appropriate local server certificate to present to the client.

local-cert-group

A configuration group that includes the certificates this virtual server presents to SSL/TLS clients. This should be the backend servers’ certificate, NOT the appliance’s GUI web server certificate.

forward-client-certificate

Enable/disable. If enabled, FortiADC sends the whole client certificate, Base64-encoded, in the HTTP header named by forward-client-certificate-header (X-Client-Cert by default). Because the real server treats that header as proof of the client's identity, the server must be reachable only through FortiADC, and any copy of the header arriving from the client should be removed with a client-request-header-erase entry so that a client cannot supply its own value.

forward-client-certificate-header

The default is X-Client-Cert, but you can customize it using this command.

ssl-ciphers

Ciphers are listed from strongest to weakest:

ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-RC4-SHA ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA ECDHE-RSA-RC4-SHA RC4-SHA RC4-MD5 ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA eNULL

If necessary, you can specify a different space-separated list of supported ciphers. Note that the list above includes RC4 suites (prohibited by RFC 7465), single-DES and 3DES suites (64-bit block ciphers, vulnerable to the Sweet32 attack), MD5-based suites, and eNULL, which provides no encryption at all. Prune these from any profile that terminates production traffic and keep the ECDHE AEAD (GCM) suites at the top of the list so that forward secrecy is preferred.

ssl-customize-ciphers-flag

Enable/disable use of user-specified cipher suites.

ssl-customized-ciphers

If the customize cipher flag is enabled, specify a colon-separated, ordered list of cipher suites.

An empty string is allowed. If empty, the default cipher suite list is used.

ssl-proxy

Enable/disable SSL forward proxy.

MSSQL

client-timeout

Client-side TCP connection timeout. Range: 1 to 3600. Default is 50.

server-age

Range: 1 to 86400. Default is 600 seconds.

server-max-size

Maximum number of server connections. Range: 1 to 30000. Default: 10000

RADIUS

timeout-radius-session

The default is 300 seconds. The valid range is 1 to 3,600.

dynamic-auth

Enable/disable RADIUS dynamic authorization (CoA, Disconnect messages).

dynamic-auth-port

Port used for RADIUS dynamic authorization (CoA and Disconnect) messages.

RDP

buffer-pool

Enable to use buffering.

tune-bufsize

Specify the buffer size for a session when buffer-pool is enabled. Specify lower values to allow more sessions to coexist in the same amount of RAM, and higher values for traffic with larger HTTP body content. The default is 8,030 bytes. The valid range is 128 to 2,147,483,647.

client-address

Use the original client IP address as the source address in the connection to the real server.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Specify a Geo IP block list configuration object.

allowlist

Specify a Geo IP allow list configuration object.

TCP

timeout_tcp_session

Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400.

timeout_tcp_session_after_FIN

Client-side timeout for connections after the client has sent a FIN. The default is 100 seconds. The valid range is 1 to 86,400.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Specify a Geo IP block list configuration object.

allowlist

Specify a Geo IP allow list configuration object.

TCPS

buffer-pool

Enable to use buffering.

tune-bufsize

Specify the buffer size for a session when buffer-pool is enabled. Specify lower values to allow more sessions to coexist in the same amount of RAM, and higher values for traffic with larger HTTP body content. The default is 8,030 bytes. The valid range is 128 to 2,147,483,647.

client-timeout

Client-side TCP connection timeout. The default is 50 seconds. The valid range is 1 to 3,600.

server-timeout

Server-side IP session timeout. The default is 50 seconds. The valid range is 1 to 3,600.

connect-timeout

Multiplexed server-side TCP connection timeout. Usually less than the client-side timeout. The default is 5 seconds. The valid range is 1 to 3,600.

TurboHTTP

timeout_tcp_session

Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400.

timeout_tcp_session_after_FIN

Client-side timeout for connections after the client has sent a FIN. The default is 100 seconds. The valid range is 1 to 86,400.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

UDP

timeout_udp_session

Client-side session timeout. The default is 100 seconds. The valid range is 1 to 86,400.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Specify a Geo IP block list configuration object.

allowlist

Specify a Geo IP allow list configuration object.

SIP

client-keepalive

Enable/disable a keepalive period for new client-side requests. Supports CRLF ping-pong for TCP connections. Disabled by default.

client-address

Use the original client IP address as the source address in the connection to the real server.

media-addr

Change the media address in the SIP payload to the specified address. The default is 0.0.0.0.

client-protocol

Client-side transport protocol:

  • tcp
  • udp (default)

failed-client

Action when the SIP client cannot be reached:

  • drop—Drop the connection.
  • send—Drop the connection and send a message, for example, a status code and error message.

failed-client-str

Message string. Use double-quotation marks for strings with spaces.

failed-server

Action when the SIP server cannot be reached:

  • drop—Drop the connection.
  • send—Drop the connection and send a message, for example, a status code and error message.

failed-server-str

Message string. Use double-quotation marks for strings with spaces. For example:

"404 Not Found"

max-size

Maximum message size. The default is 65535 bytes. The valid range is 1-65535.

server-keepalive

Enable/disable a keepalive period for new server-side requests. Supports CRLF ping-pong for TCP connections. Enabled by default.

server-keepalive-timeout

Maximum wait for a new server-side request to appear. The default is 30 seconds. The valid range is 5-300.

server-protocol

Server-side transport protocol.

  • tcp
  • udp

Default is "unset", so the client-side protocol determines the server-side protocol.

sip-insert-client-ip

Enable/disable option to insert the client source IP address into the X-Forwarded-For header of the SIP request.

config client-request-header-erase

Configuration to erase headers from client requests. Table setting. Maximum 4 members.

type

  • all—Parse all headers for a match.
  • first—Parse the first header for a match.

string

Header to be erased.

config client-request-header-insert

Configuration to insert headers into client requests. Table setting. Maximum 4 members.

type

  • append-always—Append after the last header.
  • append-if-not-exist—Append only if the header is not present.
  • insert-always—Insert before the first header even if the header is already present.
  • insert-if-not-exist—Insert before the first header only if the header is not already present.

string

The header:value pair to be inserted.

config client-response-header-erase

Configuration to erase headers from client responses. Table setting. Maximum 4 members.

type

  • all
  • first

string

Header to be erased.

config client-response-header-insert

Configuration to insert headers into client responses. Table setting. Maximum 4 members.

type

  • append-always
  • append-if-not-exist
  • insert-always
  • insert-if-not-exist

string

The header:value pair to be inserted.

config server-request-header-erase

Configuration to erase headers from server requests. Table setting. Maximum 4 members.

type

  • all
  • first

string

Header to be erased.

config server-request-header-insert

Configuration to insert headers into server requests. Table setting. Maximum 4 members.

type

  • append-always
  • append-if-not-exist
  • insert-always
  • insert-if-not-exist

string

The header:value pair to be inserted.

config server-response-header-erase

Configuration to erase headers from server responses. Table setting. Maximum 4 members.

type

  • all
  • first

string

Header to be erased.

config server-response-header-insert

Configuration to insert headers into server responses. Table setting. Maximum 4 members.

type

  • append-always
  • append-if-not-exist
  • insert-always
  • insert-if-not-exist

string

The header:value pair to be inserted.
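
The erase and insert modes described in the header tables above, modelled in Python. This is an added example, not FortiADC code: the header list, the spoofed request and the client address 203.0.113.7 are constructed, and the model assumes that the http-x-forwarded-for append lands on the first existing header line. The point it illustrates, that appended values coexist with whatever the client sent unless the header is erased first, holds regardless of that modelling choice.

```python
"""Header erase/insert semantics of the FortiADC profile header tables,
modelled in Python.  Added example, not FortiADC code: it reproduces the
documented modes (erase all/first; append-always, append-if-not-exist,
insert-always, insert-if-not-exist) on an ordered header list and shows why a
client-request-header-erase entry for X-Forwarded-For belongs in front of the
http-x-forwarded-for insert.
"""


def _same(a, b):
    return a.lower() == b.lower()          # HTTP header names are case-insensitive


def erase_header(headers, name, mode):
    """mode 'all' removes every header with this name, 'first' only the first one."""
    if mode not in ("all", "first"):
        raise ValueError("unknown erase mode: " + mode)
    out, removed = [], False
    for n, v in headers:
        if _same(n, name) and not (mode == "first" and removed):
            removed = True
            continue
        out.append((n, v))
    return out


def insert_header(headers, name, value, mode):
    """append-* adds after the last header, insert-* before the first one;
    the *-if-not-exist variants are no-ops when the name is already present."""
    present = any(_same(n, name) for n, _ in headers)
    if mode == "append-always":
        return headers + [(name, value)]
    if mode == "append-if-not-exist":
        return headers if present else headers + [(name, value)]
    if mode == "insert-always":
        return [(name, value)] + headers
    if mode == "insert-if-not-exist":
        return headers if present else [(name, value)] + headers
    raise ValueError("unknown insert mode: " + mode)


def add_forwarded_for(headers, client_ip, header="X-Forwarded-For"):
    """http-x-forwarded-for as described on this page: append the IP-layer client
    address to the existing header (modelled as the first matching line), or
    create the header if none is present."""
    out, appended = [], False
    for n, v in headers:
        if _same(n, header) and not appended:
            out.append((n, v + ", " + client_ip))
            appended = True
        else:
            out.append((n, v))
    if not appended:
        out.append((header, client_ip))
    return out


def sanitize_then_forward(headers, client_ip, header="X-Forwarded-For"):
    """Erase every client-supplied copy first, then add the address FortiADC saw."""
    return add_forwarded_for(erase_header(headers, header, "all"), client_ip, header)


def rightmost_forwarded_for(headers, header="X-Forwarded-For"):
    """Backend rule of thumb: the rightmost value is the one the trusted proxy added."""
    values = []
    for n, v in headers:
        if _same(n, header):
            values.extend(p.strip() for p in v.split(","))
    return values[-1] if values else None


# Constructed request: a client pre-seeds two X-Forwarded-For lines to spoof its address.
SPOOFED_REQUEST = [
    ("Host", "app.example.com"),
    ("X-Forwarded-For", "10.0.0.1"),
    ("x-forwarded-for", "10.0.0.2"),
]
REAL_CLIENT_IP = "203.0.113.7"   # constructed: the address seen at the IP layer


if __name__ == "__main__":
    # Without the erase, the backend's "rightmost value" heuristic picks the spoofed 10.0.0.2.
    print(rightmost_forwarded_for(add_forwarded_for(SPOOFED_REQUEST, REAL_CLIENT_IP)))
    # With erase-all in front of the append, only 203.0.113.7 reaches the backend.
    print(rightmost_forwarded_for(sanitize_then_forward(SPOOFED_REQUEST, REAL_CLIENT_IP)))
```

In profile terms, the second call corresponds to a client-request-header-erase entry of type all for the forwarded-for header, followed by http-x-forwarded-for enable; the first call is what a backend sees when only the latter is configured.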
Diameter

Identity

Sets the value of Diameter AVP 264. This AVP can be a character string and specifies the identity of the originating host for Diameter messages.

ADC will modify the origin-host avp on client request with the setting value, then transfer it to RS.

ADC will modify the origin-host avp on server response with the setting value, then transfer it to the client.

Specify the identity in the following format: vs.realm

The host is a string unique to the client. The realm is the Diameter realm, specified by the Realm option (described below).

If Identity is set with an empty value (nothing), ADC will not change the value of the origin-host in the client or server when it transfer thems

The default is empty value.

Realm

Sets the value of Diameter AVP 296. This AVP can be a character string and specifies the Diameter realm from which Diameter messages, including requests, are originated.

ADC will modify the origin-realm avp on client request with the setting value, then transfer it to RS.

ADC will modify the origin-realm avp on server response with the setting value, then transfer it to the client.

If Realm is set with an empty value(nothing),ADC will not change the value of the origin-realm in the client or server when it transfers them.

The default is empty value.

product-name

Sets the value of Diameter AVP 269. This AVP can be a character string and specifies the product; for example, “fortiadc”.

ADC will modify the Product-Name avp on client request with the setting value, then transfer it to RS.

ADC will modify the Product-Name avp on server response with the setting value, then transfer it to the client.

If product-name is set with an empty value(nothing), ADC will not change the value of the origin-realm in the client or server when it transfers them.

The default is empty value.

Vendor-id

Sets the value of Diameter AVP 266. This AVP is an unsigned 32-bit integer carrying the IANA-assigned enterprise number of the vendor; for example, 156.

ADC will modify the Vendor-Id AVP on client requests with the setting value, then transfer it to the RS.

ADC will modify the Vendor-Id AVP on server responses with the setting value, then transfer it to the client.

If vendor-id is set to 0, ADC does not change the Vendor-Id AVP in the client or server messages it transfers.

The default is 0. The valid range is 0-4294967295.

Idle-timeout

By default, requests that carry the same Session-Id AVP are dispatched to the same real server as long as the interval between them is shorter than idle-timeout.

The default is 300 seconds. The valid range is 1-86400.

When this parameter is set, ADC will act in proxy mode.

server-close-propagation

When transferring Diameter traffic with server-close-propagation enabled, if one of the servers resets the connection or sends a Disconnect-Peer-Request (DPR) to ADC, ADC closes the connections to the client and to the other servers at the same time.

When transferring Diameter traffic with server-close-propagation disabled, if one of the servers resets the connection or sends a DPR to ADC, ADC keeps the client connection open and transfers the client's requests to the other servers.

Disabled by default.
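The AVP rewriting described above, as an added Python example that is not FortiADC code: it encodes a minimal RFC 6733 message, then applies the identity, realm, product-name and vendor-id rules the way the proxy-mode profile does (an empty string, or a vendor-id of 0, leaves that AVP untouched). The AVP codes are the standard ones (264, 296, 269, 266); the sample Capabilities-Exchange-Request and every value in it are constructed for the example.

```python
"""Minimal Diameter (RFC 6733) encode/decode plus the Origin-Host, Origin-Realm,
Product-Name and Vendor-Id rewrite that a proxy-mode profile performs.
Added example; not FortiADC code. Sample message values are constructed."""
import struct

ORIGIN_HOST, VENDOR_ID, PRODUCT_NAME, ORIGIN_REALM = 264, 266, 269, 296
HEADER_LEN = 20
CER = 257  # Capabilities-Exchange-Request command code


def build_avp(code, data, flags=0x40, vendor=None):
    """Encode one AVP (flag 0x40 = Mandatory; 0x80 = Vendor-Specific).
    The length field excludes padding; data is padded to a 4-byte boundary."""
    if vendor is not None:
        flags |= 0x80
    vend = struct.pack("!I", vendor) if vendor is not None else b""
    length = 8 + len(vend) + len(data)
    header = struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
    return header + vend + data + b"\x00" * (-len(data) % 4)


def parse_avps(body):
    """Decode AVPs into dicts; reject length fields that under- or overrun."""
    avps, off = [], 0
    while off < len(body):
        if len(body) - off < 8:
            raise ValueError("truncated AVP header at offset %d" % off)
        code = struct.unpack("!I", body[off:off + 4])[0]
        flags = body[off + 4]
        length = int.from_bytes(body[off + 5:off + 8], "big")
        hlen = 12 if flags & 0x80 else 8
        if length < hlen or off + length > len(body):
            raise ValueError("bad AVP length %d at offset %d" % (length, off))
        vendor = struct.unpack("!I", body[off + 8:off + 12])[0] if hlen == 12 else None
        avps.append({"code": code, "flags": flags & 0x7F, "vendor": vendor,
                     "data": body[off + hlen:off + length]})
        off += (length + 3) & ~3  # every AVP starts on a 4-byte boundary
    return avps


def build_message(cmd_code, cmd_flags, app_id, hbh, e2e, avps):
    """20-byte header: version 1, 24-bit length, command flags, 24-bit command
    code, application id, hop-by-hop and end-to-end identifiers."""
    body = b"".join(avps)
    return (bytes([1]) + (HEADER_LEN + len(body)).to_bytes(3, "big")
            + bytes([cmd_flags]) + cmd_code.to_bytes(3, "big")
            + struct.pack("!III", app_id, hbh, e2e) + body)


def parse_message(msg):
    if len(msg) < HEADER_LEN or msg[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    if int.from_bytes(msg[1:4], "big") != len(msg):
        raise ValueError("header length does not match message size")
    app_id, hbh, e2e = struct.unpack("!III", msg[8:20])
    hdr = {"cmd_flags": msg[4], "cmd_code": int.from_bytes(msg[5:8], "big"),
           "app_id": app_id, "hbh": hbh, "e2e": e2e}
    return hdr, parse_avps(msg[HEADER_LEN:])


def avp_value(avps, code):
    return next((a["data"] for a in avps if a["code"] == code), None)


def is_malformed(body):
    try:
        parse_avps(body)
        return False
    except ValueError:
        return True


def rewrite_origin(msg, identity="", realm="", product_name="", vendor_id=0):
    """Apply the profile settings: an empty string or vendor-id 0 means pass-through."""
    if not 0 <= vendor_id <= 0xFFFFFFFF:
        raise ValueError("vendor-id must be 0-4294967295")
    hdr, avps = parse_message(msg)
    new = {}
    if identity:
        new[ORIGIN_HOST] = identity.encode()
    if realm:
        new[ORIGIN_REALM] = realm.encode()
    if product_name:
        new[PRODUCT_NAME] = product_name.encode()
    if vendor_id:
        new[VENDOR_ID] = struct.pack("!I", vendor_id)
    rebuilt = [build_avp(a["code"], new.get(a["code"], a["data"]), a["flags"], a["vendor"])
               for a in avps]
    return build_message(hdr["cmd_code"], hdr["cmd_flags"], hdr["app_id"],
                         hdr["hbh"], hdr["e2e"], rebuilt)


# Constructed client CER; hostnames, realm and vendor number are invented.
SAMPLE_CER = build_message(CER, 0x80, 0, 1, 1, [
    build_avp(ORIGIN_HOST, b"client.example.net"),
    build_avp(ORIGIN_REALM, b"example.net"),
    build_avp(VENDOR_ID, struct.pack("!I", 999)),
    build_avp(PRODUCT_NAME, b"client-stack", flags=0),
])

if __name__ == "__main__":
    out = rewrite_origin(SAMPLE_CER, identity="vs.example.com", realm="example.com")
    for a in parse_message(out)[1]:
        print(a["code"], a["data"])
```

Running the module rewrites only Origin-Host and Origin-Realm; Vendor-Id stays 999 and Product-Name stays "client-stack" because those settings are left at their defaults, and the 24-bit length in the header is recomputed so the rewritten message still parses.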

Example

The following example shows the list of predefined profiles:

FortiADC-VM # get load-balance profile

== [ LB_PROF_TCP ]

== [ LB_PROF_UDP ]

== [ LB_PROF_HTTP ]

== [ LB_PROF_TURBOHTTP ]

== [ LB_PROF_FTP ]

== [ LB_PROF_RADIUS ]

== [ LB_PROF_SIP ]

== [ LB_PROF_TCPS ]

== [ LB_PROF_HTTPS ]

== [ LB_PROF_HTTP2_H2C ]

== [ LB_PROF_HTTP2_H2 ]

== [ LB_PROF_SMTP ]

== [ LB_PROF_RTSP ]

== [ LB_PROF_RTMP ]

== [ LB_PROF_DIAMETER ]

== [ LB_PROF_IP ]

== [ LB_PROF_RDP ]

== [ LB_PROF_HTTP_SERVERCLOSE ]

== [ LB_PROF_HTTPS-SERVERCLOSE ]

== [ LB_PROF_DNS ]

The following example shows the details of the predefined HTTPS profile:

FortiADC-VM (profile) # get load-balance profile LB_PROF_HTTPS

type : https

tune-bufsize : 8030

tune-maxrewrite : 1024

client-timeout : 50

server-timeout : 50

connect-timeout : 5

queue-timeout : 5

http-request-timeout : 50

http-keepalive-timeout : 50

buffer-pool : enable

client-address : disable

http-x-forwarded-for : disable

http-x-forwarded-for-header :

http-mode : ServerClose

compression :

caching :

ip-reputation : disable

geoip-list :

allowlist :

geoip-redirect : http://

The following example creates a user-defined SIP profile:

FortiADC-VM # config load-balance profile

FortiADC-VM (profile) # edit sip-profile

Add new entry 'sip-profile' for node 1643

FortiADC-VM (sip-profile) # set type sip

FortiADC-VM (sip-profile) # get

type : sip

max-size : 65535

server-keepalive-timeout : 30

server-keepalive : enable

client-keepalive : disable

client-protocol : udp

server-protocol :

sip-insert-client-ip : disable

failed-client : drop

failed-server : drop

FortiADC-VM (sip-profile) # set timeout 120

FortiADC-VM (sip-profile) # set max-size 2048

FortiADC-VM (sip-profile) # set server-keepalive-timeout 180

FortiADC-VM (sip-profile) # set failed-server send

FortiADC-VM (sip-profile) # set fail-server-str "404 Not Found"

FortiADC-VM (sip-profile) # config ?

client-request-header-erase erase header from client request

client-request-header-insert insert header into client request

client-response-header-erase erase header from client response

client-response-header-insert insert header into client response

server-request-header-erase erase header from server request

server-request-header-insert insert header into server request

server-response-header-erase erase header from server response

server-response-header-insert insert header into server response

FortiADC-VM (sip-profile) # config client-request-header-insert

FortiADC-VM (client-request~h) # edit 1

Add new entry '1' for node 4554

FortiADC-VM (1) # set type insert-if-not-exist

FortiADC-VM (1) # set string "Via: SIP/2.0/UDP 1.1.1.100:5060"

FortiADC-VM (1) # end

FortiADC-VM (sip-profile) # end

FortiADC-VM #

The following example creates a DNS profile:

config load-balance profile

edit "dns"

set type dns

set malform-query-action drop

set redirect-to-tcp-port disable

set caching enable

set max-query-length 512

set max-cache-age 3600

set max-cache-entry-size 512

set max-cache-size 10

next

end

config load-balance virtual-server

edit "vs1"

set load-balance-profile dns

next

end

The following example creates an IP profile:

config load-balance profile

edit "ip"

set type ip

set timeout-ip-session 100

next

end

config load-balance virtual-server

edit "vs2"

set type l2-load-balance

set protocol-numbers 0 1

set load-balance-profile ip

next

end

The following example creates a MySQL profile:

config system health-check

edit mysql

set type mysql

set user root

set password fortinet

set port 3306

next

end

config load-balance real-server

edit "rs1"

set ip 192.168.1.1

next

end

config load-balance pool

edit "pool_mysql"

set health-check-ctrl enable

set health-check-list icmp

set real-server-ssl-profile NONE

config pool_member

edit 1

set pool_member_cookie rs1

set real-server rs1

next

end

next

end

config load-balance virtual-server

edit "mysql"

set type l7-load-balance

set interface port2

set ip 10.1.1.1

set port 3306

set load-balance-profile mysql

set load-balance-method LB_METHOD_ROUND_ROBIN

set load-balance-pool pool_mysql

next

end

The following example creates an RTSP profile:

config load-balance profile

edit "RTSP"

set type rtsp

set max-header-size 2048

set client-address enable

next

end

The following example creates an RTMP profile:

config load-balance profile

edit "RTMP"

set type rtmp

set client-address enable

next

end

config load-balance profile

Use this command to configure virtual server profiles. A profile is a configuration object that defines how you want the FortiADC virtual server to handle traffic for specific protocols. Virtual server profiles determine settings used in network communication on the client-FortiADC segment, in contrast to real server profiles, which determine the settings used in network communication on the FortiADC-real server segment.

Table 10 describes usage for profile type, including compatible virtual server types, load balancing methods, and persistence methods.

Application profile usage

Profile Usage VS Type LB Methods Persistence

FTP

Use with FTP servers.

Layer 7, Layer 4, Layer 2

Layer 7: Round Robin, Least Connections

Layer 4: Same as Layer 7, plus Fastest Response, Dynamic Load

Layer 2: Same as Layer 7

Source Address, Source Address Hash

HTTP

Use for standard, unsecured web server traffic.

Layer 7, Layer 2

Layer 7: Round Robin, Least Connections, URI Hash, Full URI Hash, Host Hash, Host Domain Hash, Dynamic Load

Layer 2: Same as Layer 7, plus Destination IP Hash

Source Address, Source Address Hash, Source Address-Port Hash, HTTP Header Hash, HTTP Request Hash, Cookie Hash, Persistent Cookie, Insert Cookie, Embedded Cookie, Rewrite Cookie, Passive Cookie

HTTPS

Use for secured web server traffic when offloading TLS/SSL from the backend servers. You must import the backend server certificates into FortiADC and select them in the HTTPS profile.

Layer 7, Layer 2

Same as HTTP

Same as HTTP, plus SSL Session ID

TURBO HTTP

Use for unsecured HTTP traffic that does not require advanced features like caching, compression, content rewriting, rate limiting, Geo IP blocking, or source NAT. The profile can be used with content routes and destination NAT, but the HTTP request must be in the first data packet.

This profile enables packet-based forwarding that reduces network latency and system CPU usage. However, packet-based forwarding for HTTP is advisable only when you do not anticipate dropped packets or out-of-order packets.

Layer 7

Round Robin, Least Connections, Fastest Response

Source Address

RADIUS

Use with RADIUS servers.

Layer 7

Round Robin

RADIUS attribute

RDP

Use with Windows Terminal Service(remote desktop protocol).

Layer 7

Round Robin, Least Connections

Source Address, Source Address Hash, Source Address-Port Hash, RDP Cookie

SIP

Use with applications that use session initiation protocol (SIP), such as VoIP, instant messaging, and video.

Layer 7

Round Robin, URI Hash, Full URI Hash

Source Address, Source Address Hash, Source Address-Port Hash, SIP Call ID

TCP

Use for other TCP protocols.

Layer 4, Layer 2

Layer 4: Round Robin, Least Connections, Fastest Response

Layer 2: Round Robin, Least Connections, Fastest Response, Destination IP Hash

Source Address, Source Address Hash

TCPS

Use for secured TCP when offloading TLS/SSL from the backend servers. Like the HTTPS profile, you must import the backend server certificates into FortiADC and select them in the TCPS profile.

Layer 7, Layer 2

Layer 7: Round Robin, Least Connections

Layer 2: Round Robin, Least Connections, Destination IP Hash

Source Address, Source Address Hash, Source Address-Port Hash, SSL Session ID

UDP

Use with UDP servers.

Layer 4, Layer 2

Layer 4: Round Robin, Least Connections, Fastest Response, Dynamic Load

Layer 2: Same as Layer 4, plus Destination IP Hash

Source Address, Source Address Hash

IP

Combines with Layer 2 TCP/UDP/HTTP virtual servers to balance the remaining IP packets that pass through FortiADC. When an IP virtual server for protocol 0 (any protocol) is running, traffic is always matched against the non-protocol-0 virtual servers first.

Layer 2

Round Robin only.

Source Address, Source Address Hash

DNS

Use with DNS servers.

Layer 7

Round Robin, Least Connections

Not supported yet.

SMTP

Use with SMTP servers.

Layer 7

Round Robin, Least Connections

Source Address, Source Address Hash

RTMP

A TCP-based protocol used for streaming audio, video, and data over the Internet.

Layer 7

Round Robin, Least Connections

Source Address, Source Address Hash

ISO8583

Use with ISO8583 servers

Layer 7

Round Robin

N/A

RTSP

A network control protocol used for establishing and controlling media sessions between end points.

Layer 7

Round Robin, Least Connections

Source Address, Source Address Hash

MySQL

MySQL network protocol stack (i.e., MySQL-Proxy) which parses and builds MySQL protocol packets

Layer 7

Round Robin, Least Connections

N/A

DIAMETER

A successor to RADIUS, DIAMETER is the next-generation Authentication, Authorization and Accounting (AAA) protocol widely used in IMS and LTE.

Layer 7

Round Robin

Source Address, DIAMETER Session ID (default)

MSSQL

MSSQL network protocol stack, which parses and builds MSSQL protocol packets

Layer 7

Least Connections

N/A

Table 11 provides a summary of the predefined profiles. You can select predefined profiles in the virtual server configuration, or you can create user-defined profiles, especially to include configuration objects like certificates, caching settings, compression options, and IP reputation.

Predefined profiles

Profile Defaults

LB_PROF_TCP

Session Timeout —100 seconds

Session Timeout after FIN —100 seconds

IP Reputation—disabled

Geo IP block list—none

LB_PROF_UDP

Session Timeout —100 seconds

IP Reputation—disabled

Geo IP block list—none

LB_PROF_HTTP

Client Timeout—50 seconds

Server Timeout—50 seconds

Connect Timeout—5 seconds

Queue Timeout—5 seconds

HTTP Request Timeout—50 seconds

HTTP Keepalive Timeout—50 seconds

Buffer Pool—enabled

Source Address—disabled

X-Forwarded-For—disabled

HTTP Mode—ServerClose

Compression—none

Caching—none

IP Reputation—disabled

Geo IP block list—none

LB_PROF_TURBOHTTP

Session Timeout—100 seconds

Session Timeout after FIN—100 seconds

IP Reputation—disabled

LB_PROF_FTP

Session Timeout—100 seconds

Session Timeout after FIN—100 seconds

IP Reputation—disabled

Geo IP block list—none

Source Address—disabled

LB_PROF_RADIUS

Session Timeout—300 seconds

Dynamic Auth—disabled

LB_PROF_RDP

Client Timeout—50 seconds

Server Timeout—50 seconds

Connect Timeout—5 seconds

Queue Timeout—5 seconds

Buffer Pool—enabled

Source Address—disabled

IP Reputation—disabled

Geo IP block list—none

LB_PROF_SIP

SIP Max Size—65535 bytes

Server Keepalive—enabled

Server Keepalive Timeout—30 seconds

Client Keepalive—disabled

Client Protocol—UDP

Server Protocol—unset

Failed Client Type—Drop

Failed Server Type—Drop

Insert Client IP—disabled

Source Address—disabled

Media Address—0.0.0.0

LB_PROF_TCPS

Client Timeout—50 seconds

Server Timeout—50 seconds

Connect Timeout—5 seconds

Queue Timeout—5 seconds

Buffer Pool—enabled

Source Address—disabled

IP Reputation—disabled

Geo IP block list—none

SSL Ciphers—none

Allow SSL Versions—SSLv3, TLSv1.0, TLSv1.1, TLSv1.2

Client SNI Required—disabled

Certificate Group—LOCAL_CERT_GROUP

LB_PROF_HTTPS

Client Timeout—50 seconds

Server Timeout—50 seconds

Connect Timeout—5 seconds

Queue Timeout—5 seconds

HTTP Request Timeout—50 seconds

HTTP Keepalive Timeout—50 seconds

Buffer Pool—enabled

Source Address—disabled

X-Forwarded-For—disabled

HTTP Mode—ServerClose

Compression—none

Caching—none

IP Reputation—disabled

Geo IP block list—none

SSL Ciphers—none

Allow SSL Versions—SSLv3, TLSv1.0, TLSv1.1, TLSv1.2

Client SNI Required—disabled

Certificate Group—LOCAL_CERT_GROUP

LB_PROF_DNS

DNS Cache Flag—Enabled

DNS Cache Ageout Time—3600

DNS Cache Size—10

DNS Cache Entry Size—512

DNS Cache Response Type—All Records

DNS Malform Query Action—Drop

DNS Max Query Length—512

DNS Authentication Flag—Disabled

LB_PROF_IP

IP Reputation—Disabled

Customized SSL Ciphers Flag—Disabled

Geo IP Block List—None

Geo IP allow list—None

Timeout IP Session—100

LB_PROF_RTSP

Max Header Size—4096

Client Address—disabled

LB_PROF_RTMP

Client Address—disabled

LB_PROF_HTTP2_H2C

HTTP2 Profile—LB_HTTP2_PROFILE_DEFAULT

LB_PROF_HTTP2_H2

HTTP2 Profile—LB_HTTP2_PROFILE_DEFAULT

LB_PROF_DIAMETER

Server Close Propagation—disabled

Idle Timeout—300 seconds

LB_PROF_SMTP

Starttls Active Mode—Required

Customized SSL Ciphers Flag—Disabled

SSL Ciphers—Shows all available SSL Ciphers, with the default ones selected

Allow SSL Versions—SSLv3, TLSv1.0, TLSv1.1, TLSv1.2

Forbidden Command—expn, turn, vrfy

Local Certificate Group—LOCAL_CERT_GROUP

Before you begin:

  • You must have already created configuration objects for certificates, caching, and compression if you want the profile to use them.
  • You must have read-write permission for load balance settings.

Syntax

config load-balance profile

edit <name>

set type {ftp | http | https | radius | rdp | sip | tcp | tcps | turbohttp | udp | diameter | dns | mssql | ip | rtsp | rtmp}

set timeout_tcp_session <integer>

set timeout_tcp_session_after_FIN <integer>

set timeout-radius-session <integer>

set timeout_udp_session <integer>

set buffer-pool {enable|disable}

set caching <datasource>

set cache-response-type {single-answer | round-robin}

set client-address {enable|disable}

set client-timeout <integer>

set compression <datasource>

set connect-timeout <integer>

set deploy-mode {proxy | DSR}

set http-keepalive-timeout <integer>

set http-mode {KeepAlive|OnceOnly|ServerClose}

set http-request-timeout <integer>

set http-x-forwarded-for {enable|disable}

set http-x-forwarded-for-header <string>

set queue-timeout <integer>

set server-timeout <integer>

set tune-bufsize <integer>

set tune-maxrewrite <integer>

set ip-reputation {enable|disable}

set geoip-list <datasource>

set allowlist <datasource>

set geoip-redirect <string>

set client-keepalive {enable|disable}

set client-protocol {tcp|udp}

set failed-client {drop|send}

set failed-client-str <string>

set failed-server {drop|send}

set failed-server-str <string>

set max-size <integer>

set server-age <timeout>

set server-keepalive {enable|disable}

set server-keepalive-timeout <integer>

set server-max-size <number>

set server-protocol {tcp|udp}

set sip-insert-client-ip {enable|disable}

set media-addr <ip address>

set dynamic-auth {enable|disable}

set dynamic-auth-port <integer>

config client-request-header-erase

edit <No.>

set type {all|first}

set string <string>

next

end

config client-request-header-insert

edit <No.>

set type {append-always | append-if-not-exist | insert-always | insert-if-not-exist}

set string <string>

next

end

config client-response-header-erase

edit <No.>

set type {all|first}

set string <string>

next

end

config client-response-header-insert

edit <No.>

set type {append-always | append-if-not-exist | insert-always | insert-if-not-exist}

set string <string>

next

end

config server-request-header-erase

edit <No.>

set type {all|first}

set string <string>

next

end

config server-request-header-insert

edit <No.>

set type {append-always | append-if-not-exist | insert-always | insert-if-not-exist}

set string <string>

next

end

config server-response-header-erase

edit <No.>

set type {all|first}

set string <string>

next

end

config server-response-header-insert

edit <No.>

set type {append-always | append-if-not-exist | insert-always | insert-if-not-exist}

set string <string>

next

end

config mssql-user-password

edit <No.>

set username <username>

set password <password>

next

end

next

end

The following commands show the DNS profile settings and assign a DNS profile (here the predefined "LB_PROF_DNS") to a Layer 7 virtual server:

config load-balance profile

edit "dns"

set type dns

set caching {enable|disable}

set client-address {enable|disable}

set deploy-mode {proxy | DSR}

set malform-query-action {drop|forward}

set max-cache-age <integer>

set max-cache-entry-size <integer>

set max-cache-size <integer>

set max-query-length <integer>

set redirect-to-tcp-port {enable|disable}

next

end

config load-balance virtual-server

edit "vs1"

set load-balance-profile LB_PROF_DNS

next

end

The following commands are used to invoke the "LB_PROF_IP" profile in Layer-2 virtual servers. When the profile of a Layer-2 virtual server is set to "LB_PROF_IP", you must specify the protocol numbers the virtual server can accept.

config load-balance profile

edit "ip"

set type ip

set timeout-ip-session <integer>

set ip-reputation {enable|disable}

set geoip-list <string>

set allowlist <string>

next

end

config load-balance virtual-server

edit "LB_PROF_IP"

set type l2-load-balance

set load-balance-profile LB_PROF_IP

set protocol-numbers <value>   # a protocol range "A-B" or a single protocol number "A"

next

end

The following commands are used to configure MySQL load-balancing:

config system health-check

edit <health-check name>

set type mysql

set user <user name>

set password <password>

set dest-addr <ip addr>

set port <port>

next

end

The following commands are used to create a new MySQL profile (basic configuration):

config load-balance profile

edit <name>

config mysql-user-password

edit <id>

set username <username>

set password <password>

next

end

next

end

The following commands are used to configure a MySQL profile in basic single-primary mode:

config load-balance profile

edit <name>

config mysql-rule

edit <rule id>

set type [primary | secondary]

set database <database name> <database name> ...

set user <user name> <user name> ...

set table <table name> <table name> ...

set client-ip <client ip> <client ip> ...

set sql <sql statement> <sql statement> ...

next

end

next

end

The following commands are used to configure a MySQL profile in data-sharding mode:

config load-balance profile

edit <name>

set mysql-mode sharding

config mysql-sharding

edit <id>

set type range

set table <table name>

set key <column name>

set group <group id>:<range> <group id>:<range> ...   # for example: set group 0:0-999 1:1000-9999

next

edit <id>

set type hash

set database <database name>

set table <table name>

set key <column name>

set group <group id> <group id>

next

end

next

end

The following commands are used to configure MySQL profile-specific pool members:

config load-balance pool

edit <pool name>

config pool_member

edit 1

set mysql-group-id <group id> #for Data Sharding

set mysql-read-only enable #for Secondary

next

end

next

end

The following commands are used to create an RTSP profile:

config load-balance profile

edit "RTSP"

set type rtsp

set max-header-size <size>

set client-address <enable/disable>

next

end

The following commands are used to configure an RTMP profile:

config load-balance profile

edit "RTMP"

set type rtmp

set client-address <enable/disable>

next

end

The following commands are used to configure a Diameter profile in proxy mode, in which ADC rewrites the Origin-Host, Origin-Realm, Vendor-Id and Product-Name AVPs with the configured values:

config load-balance profile

edit "diameter_proxy"

set type diameter

set identity <string>

set realm <string>

set vendor-id <integer>

set product-name <string>

set idle-timeout <integer>

set server-close-propagation <enable/disable>

next

end

The following commands are used to configure a Diameter profile in relay mode. Identity, realm, vendor-id and product-name are left at their defaults, so the Origin-Host, Origin-Realm, Vendor-Id and Product-Name AVPs pass through unchanged:

config load-balance profile

edit "diameter_proxy"

set type diameter

set idle-timeout <integer>

set server-close-propagation <enable/disable>

next

end

type

Specify the profile type. After you have specified the type, the CLI commands are constrained to the ones that are applicable to the specified type, not all of the settings described in this table.

IP

geoip-list

Specify the Geo IP block list.

ip-reputation

Specify the IP Reputation.

timeout-ip-session

Specify the timeout of the IP session.

allowlist

Specify the Geo IP allow list.

RTSP

max-header-size

Specify the maximum size of RTSP packet headers. The valid range is 16 to 65,536.

client-address

Enable/disable the use of a client IP as the source IP to connect to the real server.

RTMP

client-address

Enable/disable the use of a client IP as the source IP to connect to the real server.

DNS

caching

Enable or disable the cache for the DNS virtual server.

client-address

Enable/disable the use of a client IP as the source IP. Default is disable.

deploy-mode

Specify the deployment mode - proxy or DSR. Default is proxy.

malform-query-action

Specify the reaction for the malformed requests.

max-cache-age

Specify the cache age-out time (in seconds).

max-cache-entry-size

Specify the maximum cache entry size.

max-cache-size

Specify the maximum cache size (in Megabytes).

max-query-length

Specify the maximum query length.

redirect-to-tcp-port

Enable or disable TCP authentication.

FTP

timeout_tcp_session

Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400.

timeout_tcp_session_after_FIN

Client-side timeout for connections after the client has sent a FIN. The default is 100 seconds. The valid range is 1 to 86,400.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Specify a Geo IP block list configuration object.

allowlist

Specify a Geo IP allow list configuration object.

client-address

Use the original client IP address as the source address in the connection to the real server.

HTTP

buffer-pool

Enable to use buffering.

tune-bufsize

Specify the buffer size for a session when buffer-pool is enabled. Specify lower values to allow more sessions to coexist in the same amount of RAM, and higher values for traffic with larger HTTP body content. The default is 8,030 bytes. The valid range is 128 to 2,147,483,647.

caching

Specify the name of the caching configuration object.

client-address

Use the original client IP address as the source address in the connection to the real server.

client-timeout

Client-side TCP connection timeout. The default is 50 seconds. The valid range is from 1 to 3,600.

compression

Specify a compression configuration object.

connect-timeout

Multiplexed server-side TCP connection timeout. Usually less than the client-side timeout. The default is 5 seconds. The valid range is 1 to 3,600.

http-keepalive-timeout

The default is 50 seconds. The valid range is 1 to 3,600.

http-mode

  • KeepAlive. Do not close the connection to the real server after each HTTP transaction. Instead, keep the connection between FortiADC and the real server open until the client-side connection is closed. This option is required for applications like Microsoft SharePoint.
  • OnceOnly. An HTTP transaction can consist of multiple HTTP requests (separate requests for an HTML page and the images contained therein, for example). To improve performance, the "once only" flag instructs the FortiADC to evaluate only the first set of headers in a connection. Subsequent requests belonging to the connection are not load balanced, but sent to the same server as the first request.
  • ServerClose. Close the connection to the real server after each HTTP transaction.

http-request-timeout

Client-side HTTP request timeout. The default is 50 seconds. The valid range is 1 to 3,600.

http-x-forwarded-for

Append the client IP address found in IP layer packets to the HTTP header that you have specified in the X-Forwarded-For Header setting. If there is no existing X-Forwarded-For header, the system creates it.

http-x-forwarded-for-header

Specify the HTTP header to which to write the client IP address. Typically, this is the X-Forwarded-For header, but it is customizable because you might support traffic that uses different headers for this. Do not include the 'X-' prefix. Examples: Forwarded-For, Real-IP, or True-IP.
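As an added example that is not FortiADC code, the following Python models what the two settings above do to a request and shows why the backend must read the resulting header from the right: the ADC appends the address it actually saw, so anything the client put in the header before that is untrusted input. A rate limiter or allowlist that reads the leftmost hop is bypassed by a one-line request header. The header name, proxy ranges and addresses are constructed for the example.

```python
"""What http-x-forwarded-for does to a request, and how the backend should
read the result. Added example; not FortiADC code. Addresses are constructed."""
import ipaddress


def adc_append_client_ip(headers, client_ip, header_name="Forwarded-For"):
    """Model the profile setting: append the layer 3 source address to
    X-<header_name> (the setting omits the 'X-' prefix), creating the header
    if the request did not carry one. Returns a new dict."""
    name = "X-" + header_name
    out = dict(headers)
    out[name] = f"{out[name]}, {client_ip}" if name in out else client_ip
    return out


def client_ip_leftmost(headers, header_name="X-Forwarded-For"):
    """The common mistake: the leftmost hop is whatever the client typed."""
    first = headers.get(header_name, "").split(",")[0].strip()
    return first or None


def client_ip_rightmost_untrusted(headers, trusted_proxies,
                                  header_name="X-Forwarded-For"):
    """Walk the chain from the right. The ADC appended the address it saw, so
    the rightmost hop that is not one of our own proxies is the client."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    hops = [h.strip() for h in headers.get(header_name, "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: refuse rather than guess
        if not any(addr in net for net in nets):
            return str(addr)
    return None


if __name__ == "__main__":
    # A client forging an internal address, then the ADC appending the real one.
    forged = {"X-Forwarded-For": "10.0.0.5"}
    seen_by_backend = adc_append_client_ip(forged, "203.0.113.7")
    print(seen_by_backend["X-Forwarded-For"])
    print("leftmost :", client_ip_leftmost(seen_by_backend))
    print("rightmost:", client_ip_rightmost_untrusted(seen_by_backend, ["198.51.100.0/24"]))
```

The trusted-proxy list matters when something sits in front of FortiADC (a CDN, for example): the ADC then appends the CDN's address, and the backend skips it to reach the hop before it. With nothing in front, the rightmost entry is the client.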

queue-timeout

Specifies how long connection requests to a backend server remain in a queue if the server has reached its maximum number of connections. If the timeout period expires before the client can connect, FortiADC drops the connection and sends a 503 error to the client. The default is 5 seconds. The valid range is 1 to 3,600.

server-timeout

Server-side IP session timeout. The default is 50 seconds. The valid range is 1 to 3,600.

tune-maxrewrite

Specify the buffer space reserved for content rewriting. The default is 1,024 bytes. The valid range is 128 to 2,147,483,647.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Specify a Geo IP block list configuration object.

geoip-redirect

For HTTP/HTTPS, if you have configured a Geo IP redirect action, specify a redirect URL.

allowlist

Specify a Geo IP allow list configuration object.

http2-profile

Specify an HTTP2 profile configuration object.

HTTPS - same as HTTP plus the following

allow-ssl-versions

You have the following options:

  • SSLv2
  • SSLv3
  • TLSv1.0
  • TLSv1.1
  • TLSv1.2

We recommend retaining the default list. If necessary, you can specify a space-separated list of SSL versions you want to support for this profile. Note that SSLv2 and SSLv3 are broken protocols and TLSv1.0 and TLSv1.1 are deprecated (RFC 8996); unless a legacy client requires them, allow TLSv1.2 only.

cert-verify

Specify a certificate validation policy.

client-sni-required

Require clients to use the TLS server name indication (SNI) extension to include the server hostname in the TLS client hello message. Then, the FortiADC system can select the appropriate local server certificate to present to the client.

local-cert-group

A configuration group that includes the certificates this virtual server presents to SSL/TLS clients. This should be the backend servers’ certificate, NOT the appliance’s GUI web server certificate.

forward-client-certificate

Enable/disable. If enabled, FortiADC sends the whole client certificate, Base64-encoded, in the specified HTTP header, which is either X-Client-Cert or a user-defined header. The backend should honor this header only on connections that come from FortiADC; a request that reaches the backend by any other path could carry a forged one.

forward-client-certificate-header

The default is X-Client-Cert, but you can customize it using this command.

ssl-ciphers

Ciphers are listed from strongest to weakest:

ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-RC4-SHA ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA ECDHE-RSA-RC4-SHA RC4-SHA RC4-MD5 ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA eNULL

We recommend retaining the default list. If necessary, you can specify a different space-separated list of supported ciphers. Note that the tail of the list (RC4, 3DES, single DES, MD5 and eNULL, which negotiates no encryption at all) exists only for legacy interoperability; a client that can negotiate nothing stronger gets no meaningful confidentiality from the connection.

ssl-customize-ciphers-flag

Enable/disable use of user-specified cipher suites.

ssl-customized-ciphers

If the customize cipher flag is enabled, specify a colon-separated, ordered list of cipher suites.

An empty string is allowed. If empty, the default cipher suite list is used.
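As an added Python example (not FortiADC code), the following audits a space-separated ssl-ciphers list, here the default list quoted above, for suites a practitioner would refuse to offer, checks an allow-ssl-versions value for broken or deprecated versions, and derives the colon-separated string that ssl-customized-ciphers expects, keeping only forward-secret AEAD suites in their original order. The weakness criteria are the example's own, not anything the profile enforces.

```python
"""Audit ssl-ciphers / allow-ssl-versions settings and derive a hardened
ssl-customized-ciphers string. Added example; not FortiADC code. The input
is the default cipher list quoted on this page."""

DEFAULT_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA "
    "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA "
    "ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-RC4-SHA ECDHE-RSA-AES256-GCM-SHA384 "
    "ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 "
    "DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 "
    "AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 "
    "ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 "
    "DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA ECDHE-RSA-RC4-SHA "
    "RC4-SHA RC4-MD5 ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA "
    "EDH-RSA-DES-CBC-SHA DES-CBC-SHA eNULL"
)

# Substring of the suite name -> reason; checked in order, first hit wins.
WEAK_MARKERS = [
    ("eNULL", "no encryption at all"),
    ("RC4", "RC4 stream cipher, prohibited by RFC 7465"),
    ("DES-CBC3", "3DES: 64-bit blocks, Sweet32 birthday attack"),
    ("DES-CBC-", "single DES, 56-bit key"),
    ("MD5", "MD5-based MAC"),
]
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def weakness(suite):
    """Reason a suite should not be offered, or None if no marker matches."""
    for marker, reason in WEAK_MARKERS:
        if marker in suite:
            return reason
    return None


def forward_secret(suite):
    """Ephemeral (EC)DH key exchange; a leaked server key does not expose old sessions."""
    return suite.startswith(("ECDHE-", "DHE-", "EDH-"))


def audit_ciphers(cipher_string):
    """Return [(suite, reason)] for every suite in the list that should go."""
    return [(s, weakness(s)) for s in cipher_string.split() if weakness(s)]


def hardened_cipher_string(cipher_string):
    """Keep only forward-secret AEAD (GCM) suites, in the original order,
    formatted colon-separated as ssl-customized-ciphers expects."""
    keep = [s for s in cipher_string.split()
            if weakness(s) is None and forward_secret(s) and "-GCM-" in s]
    return ":".join(keep)


def legacy_versions(allow_ssl_versions):
    """Entries of an allow-ssl-versions value that are broken or deprecated (RFC 8996)."""
    return [v for v in allow_ssl_versions.split() if v in LEGACY_VERSIONS]


if __name__ == "__main__":
    for suite, reason in audit_ciphers(DEFAULT_CIPHERS):
        print(f"{suite:28s} {reason}")
    print("set ssl-customized-ciphers", hardened_cipher_string(DEFAULT_CIPHERS))
    print("legacy versions:", legacy_versions("SSLv3 TLSv1.0 TLSv1.1 TLSv1.2"))
```

The hardened string is what you would pass to ssl-customized-ciphers with ssl-customize-ciphers-flag enabled; the non-ephemeral AES suites dropped by the filter are not broken, but they offer no forward secrecy, so the filter leaves them out deliberately.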

ssl-proxy

Enable/disable SSL forward proxy.

MSSQL

client-timeout

Client-side TCP connection timeout. Range: 1 to 3600. Default is 50.

server-age

Range: 1 to 86400. Default is 600 seconds.

server-max-size

Maximum number of server connections. Range: 1 to 30000. Default: 10000

RADIUS

timeout-radius-session

The default is 300 seconds. The valid range is 1 to 3,600.

dynamic-auth

Enable/disable RADIUS dynamic authorization (CoA, Disconnect messages).

dynamic-auth-port

Port used for RADIUS dynamic authorization (CoA and Disconnect) messages.

RDP

buffer-pool

Enable to use buffering.

tune-bufsize

Specify the buffer size for a session when buffer-pool is enabled. Specify lower values to allow more sessions to coexist in the same amount of RAM, and higher values for traffic with larger HTTP body content. The default is 8,030 bytes. The valid range is 128 to 2,147,483,647.

client-address

Use the original client IP address as the source address in the connection to the real server.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Specify a Geo IP block list configuration object.

allowlist

Specify a Geo IP allow list configuration object.

TCP

timeout_tcp_session

Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400.

timeout_tcp_session_after_FIN

Client-side timeout for connections after the client has sent a FIN. The default is 100 seconds. The valid range is 1 to 86,400.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Specify a Geo IP block list configuration object.

allowlist

Specify a Geo IP allow list configuration object.

TCPS

buffer-pool

Enable to use buffering.

tune-bufsize

Specify the buffer size for a session when buffer-pool is enabled. Specify lower values to allow more sessions to coexist in the same amount of RAM, and higher values for traffic with larger HTTP body content. The default is 8,030 bytes. The valid range is 128 to 2,147,483,647.

client-timeout

Client-side TCP connection timeout. The default is 50 seconds. The valid range is 1 to 3,600.

server-timeout

Server-side IP session timeout. The default is 50 seconds. The valid range is 1 to 3,600.

connect-timeout

Multiplexed server-side TCP connection timeout. Usually less than the client-side timeout. The default is 5 seconds. The valid range is 1 to 3,600.

TurboHTTP

timeout_tcp_session

Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400.

timeout_tcp_session_after_FIN

Client-side timeout for connections after the client has sent a FIN. The default is 100 seconds. The valid range is 1 to 86,400.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

UDP

timeout_udp_session

Client-side session timeout. The default is 100 seconds. The valid range is 1 to 86,400.

ip-reputation

Enable to apply the FortiGuard IP reputation service.

geoip-list

Specify a Geo IP block list configuration object.

allowlist

Specify a Geo IP allow list configuration object.

SIP

client-keepalive

Enable/disable a keepalive period for new client-side requests. Supports CRLF ping-pong for TCP connections. Disabled by default.

client-address

Use the original client IP address as the source address in the connection to the real server.

media-addr

Change the media address in the SIP payload to the specified address. The default is 0.0.0.0.

client-protocol

Client-side transport protocol:

  • tcp
  • udp (default)

failed-client

Action when the SIP client cannot be reached:

  • drop—Drop the connection.
  • send—Drop the connection and send a message, for example, a status code and error message.

fail-client-str

Message string. Use double-quotation marks for strings with spaces.

failed-server

Action when the SIP server cannot be reached:

  • drop—Drop the connection.
  • send—Drop the connection and send a message, for example, a status code and error message.

fail-server-str

Message string. Use double-quotation marks for strings with spaces. For example:

"404 Not Found"

max-size

Maximum message size. The default is 65535 bytes. The valid range is 1-65535.

server-keepalive

Enable/disable a keepalive period for new server-side requests. Supports CRLF ping-pong for TCP connections. Enabled by default.

server-keepalive-timeout

Maximum wait for a new server-side request to appear. The default is 30 seconds. The valid range is 5-300.

server-protocol

Server-side transport protocol.

  • tcp
  • udp

Default is "unset", so the client-side protocol determines the server-side protocol.

sip-insert-client-ip

Enable/disable option to insert the client source IP address into the X-Forwarded-For header of the SIP request.

config client-request-header-erase

Configuration to erase headers from client requests. Table setting. Maximum 4 members.

type

  • all—Parse all headers for a match.
  • first—Parse the first header for a match.

string

Header to be erased.

config client-request-header-insert

Configuration to insert headers into client requests. Table setting. Maximum 4 members.

type

  • append-always—Append after the last header.
  • append-if-not-exist—Append only if the header is not present.
  • insert-always—Insert before the first header even if the header is already present.
  • insert-if-not-exist—Insert before the first header only if the header is not already present.

string

The header:value pair to be inserted.

config client-response-header-erase

Configuration to erase headers from client responses. Table setting. Maximum 4 members.

type

  • all
  • first

string

Header to be erased.

config client-response-header-insert

Configuration to insert headers into client responses. Table setting. Maximum 4 members.

type

  • append-always
  • append-if-not-exist
  • insert-always
  • insert-if-not-exist

string

The header:value pair to be inserted.

config server-request-header-erase

Configuration to erase headers from server requests. Table setting. Maximum 4 members.

type

  • all
  • first

string

Header to be erased.

config server-request-header-insert

Configuration to insert headers into server requests. Table setting. Maximum 4 members.

type

  • append-always
  • append-if-not-exist
  • insert-always
  • insert-if-not-exist

string

The header:value pair to be inserted.

config server-response-header-erase

Configuration to erase headers from server responses. Table setting. Maximum 4 members.

type

  • all
  • first

string

Header to be erased.

config server-response-header-insert

Configuration to insert headers into server responses. Table setting. Maximum 4 members.

type

  • append-always
  • append-if-not-exist
  • insert-always
  • insert-if-not-exist

string

The header:value pair to be inserted.

Diameter
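The following Python model, added here as an illustration and not FortiADC code, shows how the header-erase types (all, first) and header-insert types (append-always, append-if-not-exist, insert-always, insert-if-not-exist) described for the eight SIP header tables above behave on a message. The (type, string) tuple representation, the sample INVITE headers, and the case-insensitive name comparison are assumptions of this example.

```python
# Added example (not FortiADC code): models the header-erase and header-insert
# table semantics documented for the SIP profile. Rules are (type, string)
# tuples, an assumption of this example; header names compare case-insensitively.
from typing import List, Tuple

Rule = Tuple[str, str]  # (type, string) as in one table entry
MAX_TABLE_MEMBERS = 4   # the documented limit per table

# Constructed sample SIP INVITE headers (two Via headers, as a proxied request carries).
SAMPLE_HEADERS = [
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds",
    "Via: SIP/2.0/UDP 203.0.113.11:5060;branch=z9hG4bK887jb",
    "Max-Forwards: 70",
    "From: <sip:alice@example.com>;tag=1928301774",
    "To: <sip:bob@example.com>",
    "Call-ID: a84b4c76e66710@203.0.113.10",
    "CSeq: 314159 INVITE",
]


def header_name(line: str) -> str:
    """'Name: value' -> 'name' (lower-cased); a bare 'Name' in an erase rule works too."""
    return line.partition(":")[0].strip().lower()


def check_table(rules: List[Rule]) -> None:
    """Enforce the documented table size of at most 4 members."""
    if len(rules) > MAX_TABLE_MEMBERS:
        raise ValueError(f"table allows at most {MAX_TABLE_MEMBERS} members")


def erase_headers(headers: List[str], rules: List[Rule]) -> List[str]:
    """header-erase table: 'all' removes every matching header, 'first' only the first."""
    check_table(rules)
    out = list(headers)
    for kind, target in rules:
        name = header_name(target)
        if kind == "all":
            out = [h for h in out if header_name(h) != name]
        elif kind == "first":
            for i, h in enumerate(out):
                if header_name(h) == name:
                    del out[i]
                    break
        else:
            raise ValueError(f"unknown erase type {kind!r}")
    return out


def insert_headers(headers: List[str], rules: List[Rule]) -> List[str]:
    """header-insert table: append-* add after the last header, insert-* before the
    first; the *-if-not-exist variants are skipped when the header name is present."""
    check_table(rules)
    out = list(headers)
    for kind, line in rules:
        present = any(header_name(h) == header_name(line) for h in out)
        if kind == "append-always" or (kind == "append-if-not-exist" and not present):
            out.append(line)
        elif kind == "insert-always" or (kind == "insert-if-not-exist" and not present):
            out.insert(0, line)
        elif kind not in ("append-if-not-exist", "insert-if-not-exist"):
            raise ValueError(f"unknown insert type {kind!r}")
    return out


if __name__ == "__main__":
    # Same rule as the page's SIP CLI example: insert a Via only if none exists
    # (skipped here, because the sample already carries Via headers).
    for h in insert_headers(SAMPLE_HEADERS, [("insert-if-not-exist", "Via: SIP/2.0/UDP 1.1.1.100:5060")]):
        print(h)
```

Note that insert-if-not-exist checks only the header name, so a request that already carries any Via header is left unchanged; use insert-always when the ADC's own Via must be prepended regardless.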

Identity

Sets the value of Diameter AVP 264. This AVP can be a character string and specifies the identity of the originating host for Diameter messages.

ADC will modify the origin-host avp on client request with the setting value, then transfer it to RS.

ADC will modify the origin-host avp on server response with the setting value, then transfer it to the client.

Specify the identity in the following format: vs.realm

The host is a string unique to the client. The realm is the Diameter realm, specified by the Realm option (described below).

If Identity is set to an empty value (nothing), ADC does not change the value of the origin-host in the client or server messages when it transfers them.

The default is an empty value.

Realm

Sets the value of Diameter AVP 296. This AVP can be a character string and specifies the Diameter realm from which Diameter messages, including requests, are originated.

ADC will modify the origin-realm avp on client request with the setting value, then transfer it to RS.

ADC will modify the origin-realm avp on server response with the setting value, then transfer it to the client.

If Realm is set to an empty value (nothing), ADC does not change the value of the origin-realm in the client or server messages when it transfers them.

The default is an empty value.

product-name

Sets the value of Diameter AVP 269. This AVP can be a character string and specifies the product; for example, “fortiadc”.

ADC will modify the Product-Name avp on client request with the setting value, then transfer it to RS.

ADC will modify the Product-Name avp on server response with the setting value, then transfer it to the client.

If product-name is set to an empty value (nothing), ADC does not change the value of the origin-realm in the client or server messages when it transfers them.

The default is an empty value.

Vendor-id

Sets the value of Diameter AVP 266. This AVP can be a character string and specifies the vendor; for example, “156”.

ADC will modify the vendor-id avp on client request with the setting value, then transfer it to RS.

ADC will modify the vendor-id avp on server response with the setting value, then transfer it to the client.

If vendor-id is set to 0, ADC does not change the value of vendor-id in the client or server messages when it transfers them.

The default is 0. The valid range is 0-4294967295.

Idle-timeout

By default, if requests that carry the same session_id AVP arrive less than idle-timeout apart, ADC dispatches them to the same RS.

The default is 300 seconds. The valid range is 1-86400.

When this parameter is set, ADC will act in proxy mode.
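The Python model below is an added illustration, not FortiADC code. It covers two behaviours documented above: the Identity, Realm, product-name and Vendor-id settings rewriting the Origin-Host (264), Origin-Realm (296), Product-Name (269) and Vendor-Id (266) AVPs, with an empty string or a Vendor-id of 0 leaving the AVP untouched; and the idle-timeout rule that sends requests with the same Session-Id AVP to the same real server. AVP encoding follows RFC 6733 (the Session-Id AVP code 263 is from that RFC, not from this page); the Diameter message header is not modelled, and the DiameterProfile and SessionAffinity classes are assumptions of the example.

```python
# Added example (not FortiADC code): models the documented Diameter AVP rewrite
# rules and the Session-Id / idle-timeout dispatch rule. AVP layout per RFC 6733;
# the Diameter message header is not modelled; the classes are illustrative.
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AVP_SESSION_ID = 263     # RFC 6733 Session-Id (not listed on the page)
AVP_ORIGIN_HOST = 264    # set by Identity
AVP_VENDOR_ID = 266      # set by Vendor-id
AVP_PRODUCT_NAME = 269   # set by product-name
AVP_ORIGIN_REALM = 296   # set by Realm

Avp = Tuple[int, int, Optional[int], bytes]  # (code, flags, vendor-id or None, data)


def encode_avp(code: int, data: bytes, flags: int = 0x40, vendor: Optional[int] = None) -> bytes:
    """AVP = code(4) flags(1) length(3, header+data) [vendor(4) if V flag] data, padded to 4."""
    if vendor is not None:
        flags |= 0x80
    body = (struct.pack("!I", vendor) if vendor is not None else b"") + data
    length = 8 + len(body)
    return struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + body + b"\x00" * (-len(data) % 4)


def decode_avps(payload: bytes) -> List[Avp]:
    """Parse a run of AVPs, validating every length field against the bytes actually present."""
    avps: List[Avp] = []
    off = 0
    while off < len(payload):
        if off + 8 > len(payload):
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", payload, off)
        length = int.from_bytes(payload[off + 5:off + 8], "big")
        hdr = 12 if flags & 0x80 else 8
        if length < hdr or off + length > len(payload):
            raise ValueError("bad AVP length")
        vendor = struct.unpack_from("!I", payload, off + 8)[0] if flags & 0x80 else None
        avps.append((code, flags, vendor, payload[off + hdr:off + length]))
        off += length + (-length % 4)  # skip padding to the next 4-byte boundary
    return avps


@dataclass
class DiameterProfile:
    """Subset of the profile settings described above; "" and 0 mean 'do not rewrite'."""
    identity: str = ""
    realm: str = ""
    product_name: str = ""
    vendor_id: int = 0
    idle_timeout: int = 300


def rewrite_avps(avps: List[Avp], profile: DiameterProfile) -> List[Avp]:
    """Replace the data of the four profile-controlled AVPs; applied the same way to
    client requests and server responses. Other AVPs pass through unchanged."""
    replacements: Dict[int, bytes] = {}
    if profile.identity:
        replacements[AVP_ORIGIN_HOST] = profile.identity.encode()
    if profile.realm:
        replacements[AVP_ORIGIN_REALM] = profile.realm.encode()
    if profile.product_name:
        replacements[AVP_PRODUCT_NAME] = profile.product_name.encode()
    if profile.vendor_id:
        replacements[AVP_VENDOR_ID] = struct.pack("!I", profile.vendor_id)
    return [(code, flags, vendor, replacements.get(code, data)) for code, flags, vendor, data in avps]


class SessionAffinity:
    """Session-Id -> real-server table with the idle-timeout rule; round robin otherwise."""

    def __init__(self, real_servers: List[str], idle_timeout: int) -> None:
        self.real_servers = list(real_servers)
        self.idle_timeout = idle_timeout
        self.table: Dict[bytes, Tuple[str, float]] = {}  # session id -> (rs, last seen)
        self.next_rs = 0

    def dispatch(self, avps: List[Avp], now: float) -> str:
        session_id = next((d for c, _, _, d in avps if c == AVP_SESSION_ID), None)
        if session_id is not None and session_id in self.table:
            rs, last_seen = self.table[session_id]
            if now - last_seen < self.idle_timeout:   # still within idle-timeout: same RS
                self.table[session_id] = (rs, now)
                return rs
        rs = self.real_servers[self.next_rs % len(self.real_servers)]
        self.next_rs += 1
        if session_id is not None:
            self.table[session_id] = (rs, now)
        return rs


if __name__ == "__main__":
    # Constructed sample request: Session-Id, Origin-Host and Vendor-Id AVPs.
    request = (encode_avp(AVP_SESSION_ID, b"client1.example.com;1;42")
               + encode_avp(AVP_ORIGIN_HOST, b"client1.example.com")
               + encode_avp(AVP_VENDOR_ID, struct.pack("!I", 10415)))
    profile = DiameterProfile(identity="adc.example.com", vendor_id=0)  # 0 leaves AVP 266 alone
    for code, _, _, data in rewrite_avps(decode_avps(request), profile):
        print(code, data)
```

The length checks in decode_avps are the part worth keeping in mind when an ADC sits in the Diameter path: an AVP length field that overruns the message must be rejected rather than trusted, and that is also why max-size style limits exist on the other proxied protocols in this profile.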

server-close-propagation

When transferring Diameter traffic with server-close-propagation enabled, if one of the servers resets or sends a DPR to ADC, ADC closes the connection with the client and the other servers at the same time.

When transferring Diameter traffic with server-close-propagation disabled, if one of the servers resets or sends a DPR to ADC, ADC transfers the requests from the client to the other servers.

Disabled by default.

Example

The following example shows the list of predefined profiles:

FortiADC-VM # get load-balance profile
== [ LB_PROF_TCP ]
== [ LB_PROF_UDP ]
== [ LB_PROF_HTTP ]
== [ LB_PROF_TURBOHTTP ]
== [ LB_PROF_FTP ]
== [ LB_PROF_RADIUS ]
== [ LB_PROF_SIP ]
== [ LB_PROF_TCPS ]
== [ LB_PROF_HTTPS ]
== [ LB_PROF_HTTP2_H2C ]
== [ LB_PROF_HTTP2_H2 ]
== [ LB_PROF_SMTP ]
== [ LB_PROF_RTSP ]
== [ LB_PROF_RTMP ]
== [ LB_PROF_DIAMETER ]
== [ LB_PROF_IP ]
== [ LB_PROF_RDP ]
== [ LB_PROF_HTTP_SERVERCLOSE ]
== [ LB_PROF_HTTPS-SERVERCLOSE ]
== [ LB_PROF_DNS ]

The following example shows the details of the predefined HTTPS profile:

FortiADC-VM (profile) # get load-balance profile LB_PROF_HTTPS
type : https
tune-bufsize : 8030
tune-maxrewrite : 1024
client-timeout : 50
server-timeout : 50
connect-timeout : 5
queue-timeout : 5
http-request-timeout : 50
http-keepalive-timeout : 50
buffer-pool : enable
client-address : disable
http-x-forwarded-for : disable
http-x-forwarded-for-header :
http-mode : ServerClose
compression :
caching :
ip-reputation : disable
geoip-list :
allowlist :
geoip-redirect : http://

The following example creates a user-defined SIP profile:

FortiADC-VM # config load-balance profile
FortiADC-VM (profile) # edit sip-profile
Add new entry 'sip-profile' for node 1643
FortiADC-VM (sip-profile) # set type sip
FortiADC-VM (sip-profile) # get
type : sip
max-size : 65535
server-keepalive-timeout : 30
server-keepalive : enable
client-keepalive : disable
client-protocol : udp
server-protocol :
sip-insert-client-ip : disable
failed-client : drop
failed-server : drop
FortiADC-VM (sip-profile) # set timeout 120
FortiADC-VM (sip-profile) # set max-size 2048
FortiADC-VM (sip-profile) # set server-keepalive-timeout 180
FortiADC-VM (sip-profile) # set failed-server send
FortiADC-VM (sip-profile) # set fail-server-str "404 Not Found"
FortiADC-VM (sip-profile) # config ?
client-request-header-erase erase header from client request
client-request-header-insert insert header into client request
client-response-header-erase erase header from client response
client-response-header-insert insert header into client response
server-request-header-erase erase header from server request
server-request-header-insert insert header into server request
server-response-header-erase erase header from server response
server-response-header-insert insert header into server response
FortiADC-VM (sip-profile) # config client-request-header-insert
FortiADC-VM (client-request~h) # edit 1
Add new entry '1' for node 4554
FortiADC-VM (1) # set type insert-if-not-exist
FortiADC-VM (1) # set string "Via: SIP/2.0/UDP 1.1.1.100:5060"
FortiADC-VM (1) # end
FortiADC-VM (sip-profile) # end
FortiADC-VM #

The following example creates a DNS profile:

config load-balance profile
    edit "dns"
        set type dns
        set malform-query-action drop
        set redirect-to-tcp-port disable
        set caching enable
        set max-query-length 512
        set max-cache-age 3600
        set max-cache-entry-size 512
        set max-cache-size 10
    next
end

config load-balance virtual-server
    edit "vs1"
        set load-balance-profile dns
    next
end

The following example creates an IP profile:

config load-balance profile
    edit "ip"
        set type ip
        set timeout-ip-session 100
    next
end

config load-balance virtual-server
    edit "vs2"
        set type l2-load-balance
        set protocol-numbers 0 1
        set load-balance-profile ip
    next
end

The following example creates a MySQL profile:

config system health-check
    edit mysql
        set type mysql
        set user root
        set password fortinet
        set port 3306
    next
end

config load-balance real-server
    edit "rs1"
        set ip 192.168.1.1
    next
end

config load-balance pool
    edit "pool_mysql"
        set health-check-ctrl enable
        set health-check-list icmp
        set real-server-ssl-profile NONE
        config pool_member
            edit 1
                set pool_member_cookie rs1
                set real-server rs1
            next
        end
    next
end

config load-balance virtual-server
    edit "mysql"
        set type l7-load-balance
        set interface port2
        set ip 10.1.1.1
        set port 3306
        set load-balance-profile mysql
        set load-balance-method LB_METHOD_ROUND_ROBIN
        set load-balance-pool pool_mysql
    next
end

The following example creates an RTSP profile:

config load-balance profile
    edit "RTSP"
        set type rtsp
        set max-header-size 2048
        set client-address enable
    next

The following example creates an RTMP profile:

config load-balance profile
    edit "RTMP"
        set type rtmp
        set client-address enable
    next