Configuring Application profiles
An application profile is a configuration object that defines how you want the FortiADC virtual server to handle traffic for specific protocols.
The following table describes usage by application profile type, including compatible virtual server types, load balancing methods, persistence methods, and content route types.
| Profile | Usage | VS Type | LB Methods | Persistence |
|---|---|---|---|---|
| FTP | Use with FTP servers. | Layer 7, Layer 4, Layer 2 | Layer 7: Round Robin, Least Connections. Layer 4: same as Layer 7, plus Fastest Response, Dynamic Load. Layer 2: same as Layer 7. | Source Address, Source Address Hash |
| HTTP | Use for standard, unsecured web server traffic. | Layer 7, Layer 2 | Layer 7: Round Robin, Least Connections, URI Hash, Full URI Hash, Host Hash, Host Domain Hash, Dynamic Load. Layer 2: same as Layer 7, plus Destination IP Hash. | Source Address, Source Address Hash, Source Address-Port Hash, HTTP Header Hash, HTTP Request Hash, Cookie Hash, Persistent Cookie, Insert Cookie, Embedded Cookie, Rewrite Cookie, Passive Cookie |
| HTTPS | Use for secured web server traffic when offloading TLS/SSL from the backend servers. You must import the backend server certificates into FortiADC and select them in the HTTPS profile. | Layer 7, Layer 2 | Same as HTTP | Same as HTTP, plus SSL Session ID |
| TURBO HTTP | Use for unsecured HTTP traffic that does not require advanced features such as caching, compression, content rewriting, rate limiting, Geo IP blocking, or source NAT. The profile can be used with content routes and destination NAT, but the HTTP request must be in the first data packet. This profile enables packet-based forwarding, which reduces network latency and system CPU usage. However, packet-based forwarding for HTTP is advisable only when you do not anticipate dropped or out-of-order packets. | Layer 7 | Round Robin, Least Connections, Fastest Response | Source Address |
| RADIUS | Use with RADIUS servers. | Layer 7 | Round Robin | RADIUS attribute |
| RDP | Use with Windows Terminal Services (Remote Desktop Protocol). | Layer 7 | Round Robin, Least Connections | Source Address, Source Address Hash, Source Address-Port Hash, RDP Cookie |
| SIP | Use with applications that use the Session Initiation Protocol (SIP), such as VoIP, instant messaging, and video. | Layer 7 | Round Robin, URI Hash, Full URI Hash | Source Address, Source Address Hash, Source Address-Port Hash, SIP Call ID |
| TCP | Use for other TCP protocols. | Layer 4, Layer 2 | Layer 4: Round Robin, Least Connections, Fastest Response. Layer 2: Round Robin, Least Connections, Fastest Response, Destination IP Hash. | Source Address, Source Address Hash |
| TCPS | Use for secured TCP when offloading TLS/SSL from the backend servers. As with the HTTPS profile, you must import the backend server certificates into FortiADC and select them in the TCPS profile. | Layer 7, Layer 2 | Layer 7: Round Robin, Least Connections. Layer 2: Round Robin, Least Connections, Destination IP Hash. | Source Address, Source Address Hash, Source Address-Port Hash, SSL Session ID |
| UDP | Use with UDP servers. | Layer 4, Layer 2 | Layer 4: Round Robin, Least Connections, Fastest Response, Dynamic Load. Layer 2: same as Layer 4, plus Destination IP Hash. | Source Address, Source Address Hash |
| IP | Combines with a Layer 2 TCP/UDP/HTTP virtual server to balance the remaining IP packets that pass through FortiADC. When an IP protocol 0 VS is running, traffic is always matched against the virtual servers that are not protocol 0 first. | Layer 2 | Round Robin only | Source Address, Source Address Hash |
| DNS | Use with DNS servers. | Layer 7 | Round Robin, Least Connections | Not supported yet |
| SMTP | Use with SMTP servers. | Layer 7 | Round Robin, Least Connections | Source Address, Source Address Hash |
| RTMP | A TCP-based protocol used for streaming audio, video, and data over the Internet. | Layer 7 | Round Robin, Least Connections | Source Address, Source Address Hash |
| ISO8583 | Use with ISO8583 servers. | Layer 7 | Round Robin | N/A |
| RTSP | A network control protocol used for establishing and controlling media sessions between endpoints. | Layer 7 | Round Robin, Least Connections | Source Address, Source Address Hash |
| MySQL | MySQL network protocol stack (i.e., MySQL-Proxy) that parses and builds MySQL protocol packets. | Layer 7 | Round Robin, Least Connections | N/A |
| DIAMETER | A successor to RADIUS, DIAMETER is the next-generation Authentication, Authorization and Accounting (AAA) protocol widely used in IMS and LTE. | Layer 7 | Round Robin | Source Address, DIAMETER Session ID (default) |
| MSSQL | MSSQL network protocol stack, which parses and builds MSSQL protocol packets. | Layer 7 | Least Connections | N/A |
| EXPLICIT_HTTP | A simple explicit/forward HTTP proxy mode. In this mode, you do not need to add a backend real server pool; the downstream destination IP address is taken from the URL or Host field of the client request. | Layer 7 | N/A | N/A |
The following table shows the default values of the predefined profiles. All values in the predefined profiles are read-only and cannot be modified. You can select predefined profiles in the virtual server configuration, or you can create user-defined profiles, especially to include configuration objects like certificates, caching settings, compression options, and IP reputation.
| Profile | Defaults |
|---|---|
| LB_PROF_DIAMETER | Identity—Blank; Realm—Blank; Vendor ID—Blank; Product Name—Blank; Idle Timeout—300 (seconds) (Note: this refers to the built-in session ID persistence timeout.); Server Close Propagation—OFF (Note: the connection on the client side stays open when the server closes any connection on its side.) |
| LB_PROF_TCP | Timeout TCP Session—100; Timeout TCP Session after FIN—100; IP Reputation—Disabled; Customized SSL Ciphers Flag—Disabled; Geo IP Block List—None; Geo IP Whitelist—None |
| LB_PROF_UDP | Timeout UDP Session—100; IP Reputation—Disabled; Stateless—Disabled; Customized SSL Ciphers Flag—Disabled; Geo IP Block List—None; Geo IP Whitelist—None |
| LB_PROF_HTTP | Client Timeout—50; Server Timeout—50; Connect Timeout—5; Queue Timeout—5; HTTP Request Timeout—50; HTTP Keepalive Timeout—50; Buffer Pool—Enabled; Source Address—Disabled; X-Forwarded-For—Disabled; X-Forwarded-For Header—Blank; IP Reputation—Disabled; HTTP Mode—Keep Alive; Customized SSL Ciphers Flag—Disabled; Compression—None; Decompression—None; Caching—None; Geo IP Block List—None; Geo IP Whitelist—None; Geo IP Redirect URL—http:// |
| LB_PROF_HTTP_SERVERCLOSE | Client Timeout—50; Server Timeout—50; Connect Timeout—5; Queue Timeout—5; HTTP Request Timeout—50; HTTP Keepalive Timeout—50; Buffer Pool—Enabled; Source Address—Disabled; X-Forwarded-For—Disabled; X-Forwarded-For Header—None; IP Reputation—Disabled; HTTP Mode—Server Close; Customized SSL Ciphers Flag—Disabled; Compression—None; Decompression—None; Caching—None; Geo IP Block List—None; Geo IP Whitelist—None; Geo IP Redirect URL—http:// |
| LB_PROF_TURBOHTTP | Timeout TCP Session—100; Timeout TCP Session after FIN—100; IP Reputation—Disabled; Customized SSL Ciphers Flag—Disabled; Geo IP Block List—None; Geo IP Whitelist—None |
| LB_PROF_FTP | Timeout TCP Session—100; Timeout TCP Session after FIN—100; IP Reputation—Disabled; Customized SSL Ciphers Flag—Disabled; Geo IP Block List—None; Geo IP Whitelist—None; Source Address—Off |
| LB_PROF_RADIUS | Source Address—Off; Source Port—Off; Dynamic Auth—Disable; Session Timeout—300 |
| LB_PROF_SIP | SIP Max Size—65535; Server Keepalive Timeout—30; Server Keepalive—Enabled; Client Keepalive—Disabled; Client Protocol—UDP; Server Protocol—None; Failed Client Type—Drop; Failed Server Type—Drop; Insert Client IP—Disabled; Customized SSL Ciphers Flag—Disabled; Geo IP Block List—None; Geo IP Whitelist—None; Source Address—Off; Media Address—0.0.0.0 |
| LB_PROF_RDP | Client Timeout—50; Server Timeout—50; Connect Timeout—5; Queue Timeout—5; Buffer Pool—Enabled; Source Address—Disabled; IP Reputation—Disabled; Customized SSL Ciphers Flag—Disabled; Geo IP Block List—None; Geo IP Whitelist—None |
| LB_PROF_IP | IP Reputation—Disabled; Customized SSL Ciphers Flag—Disabled; Geo IP Block List—None; Geo IP Whitelist—None; Timeout IP Session—100 |
| LB_PROF_DNS | Source Address—Off; DNS Cache Flag—Enabled; DNS Cache Ageout Time—3600; DNS Cache Size—10; DNS Cache Entry Size—512; DNS Cache Response Type—All Records; DNS Malform Query Action—Drop; DNS Max Query Length—512; DNS Authentication Flag—Disabled |
| LB_PROF_TCPS | Client Timeout—50; Server Timeout—50; Connect Timeout—5; Queue Timeout—5; Buffer Pool—Enabled; Source Address—Disabled; IP Reputation—Disabled; Dynamic Auth—Disabled; Customized SSL Ciphers Flag—Disabled; Client SNI Required—Disabled; Geo IP Block List—None; Certificate Group—LOCAL_CERT_GROUP; Certificate Verify—None |
| LB_PROF_HTTPS | Client Timeout—50; Server Timeout—50; Connect Timeout—5; Queue Timeout—5; HTTP Request Timeout—50; HTTP Keepalive Timeout—50; Buffer Pool—Enabled; Source Address—Disabled; X-Forwarded-For—Disabled; X-Forwarded-For Header—None; IP Reputation—Disabled; HTTP Mode—Keep Alive; SSL Proxy Mode—Disabled; Customized SSL Ciphers Flag—Disabled; Client SNI Required—Disabled; Compression—None; Decompression—None; Caching—None; Geo IP Block List—None; Geo IP Whitelist—None; Geo IP Redirect URL—http://; Certificate Group—LOCAL_CERT_GROUP; Certificate Verify—None |
| LB_PROF_HTTPS_SERVERCLOSE | Client Timeout—50; Server Timeout—50; Connect Timeout—5; Queue Timeout—5; HTTP Request Timeout—50; HTTP Keepalive Timeout—50; Buffer Pool—Enabled; Source Address—Disabled; X-Forwarded-For—Disabled; X-Forwarded-For Header—None; IP Reputation—Disabled; HTTP Mode—Server Close; SSL Proxy Mode—Disabled; Customized SSL Ciphers Flag—Disabled; SSL Cipher—shows all available SSL ciphers, with the default ones selected; Allow SSL Versions—SSLv3, TLSv1.0, TLSv1.1, TLSv1.2; Client SNI Required—Disabled; Compression—None; Decompression—None; Caching—None; Geo IP Block List—None; Geo IP Whitelist—None; Geo IP Redirect URL—http://; Certificate Group—LOCAL_CERT_GROUP; Certificate Verify—None |
| LB_PROF_SMTP | Starttls Active Mode—require; Customized SSL Ciphers Flag—Disabled; SSL Ciphers—shows all available SSL ciphers, with the default ones selected; Allow SSL Versions—SSLv3, TLSv1.0, TLSv1.1, TLSv1.2; Forbidden Command—expn, turn, vrfy; Local Certificate Group—LOCAL_CERT_GROUP |
| LB_PROF_RTSP | Max Header Size—4096 (valid values range from 2048 to 65536); Source Address—Disabled (when enabled, FortiADC uses the client address to connect to the server pool) |
| LB_PROF_RTMP | Source Address—Disabled (when enabled, FortiADC uses the client address to connect to the server pool) |
| LB_PROF_HTTP2_H2 | Client Timeout—50; Server Timeout—50; Connect Timeout—5; Queue Timeout—5; HTTP Send Timeout—0; HTTP Request Timeout—50; HTTP Keepalive Timeout—50; Client Address—Disabled; X-Forwarded-For—Disabled; IP Reputation—Disabled; HTTP Mode—Keep Alive; Compression—None; Decompression—None; HTTP2—LB_HTTP2_PROFILE_DEFAULT; Caching—None; Geo IP Block List—None; Geo IP Allow List—None; Geo IP Redirect URL—http://; Tune Buffer Size—17418; Max HTTP Headers—200; Response Half Closed Connection—Disabled |
| LB_PROF_HTTP2_H2C | Client Timeout—50; Server Timeout—50; Connect Timeout—5; Queue Timeout—5; HTTP Send Timeout—0; HTTP Request Timeout—50; HTTP Keepalive Timeout—50; Client Address—Disabled; X-Forwarded-For—Disabled; IP Reputation—Disabled; HTTP Mode—Keep Alive; Compression—None; Decompression—None; HTTP2—LB_HTTP2_PROFILE_DEFAULT; Caching—None; Geo IP Block List—None; Geo IP Whitelist—None; Geo IP Redirect URL—http://; Tune Buffer Size—17418; Max HTTP Headers—200; Response Half Closed Connection—Disabled |
| LB_PROF_ISO8583 | Timeout TCP Session—100; Message Encode Type—ASCII; Length Indicator Type—binary; Length Indicator Shift—0; Length Indicator Size—2; Optional Header Length—2; Optional Trailer Hex—None |
| LB_PROF_EXPLICIT_HTTP | Client Timeout—50; Server Timeout—50; Connect Timeout—5; Queue Timeout—5; HTTP Send Timeout—5; HTTP Request Timeout—50; HTTP Keepalive Timeout—50; Client Address—Disabled; X-Forwarded-For—Disabled; X-Forwarded-For Header—None; IP Reputation—Disabled; HTTP Mode—Keep Alive; SSL Proxy Mode—Disabled; Customized SSL Ciphers Flag—Disabled; Client SNI Required—Disabled; Decompression—None; Geo IP Block List—None; Geo IP Whitelist—None; Geo IP Redirect URL—http://; Tune Buffer Size—8030; Max HTTP Headers—100; Response Half Closed Connection—Disabled |
Before you begin:
- You must have already created configuration objects for certificates, caching, and compression if you want the profile to use them.
- You must have Read-Write permission for Load Balance settings.
To configure custom profiles:
- Go to Server Load Balance > Application Resources. Click the Application Profile tab.
- Click Create New to display the configuration editor.
- Give the profile a name, select a protocol type; then complete the configuration as described in Profile configuration guidelines.
- Save the configuration.
You can clone a predefined configuration object to help you get started with a user-defined configuration. To clone a configuration object, click the clone icon that appears in the tools column on the configuration summary page.
Type | Profile Configuration Guidelines |
---|---|
TCP |
|
Timeout TCP Session |
Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400. |
Timeout TCP Session after FIN |
Client-side connection timeout. The default is 100 seconds. The valid range is 1 to 86,400. |
IP Reputation |
Enable to apply the FortiGuard IP reputation service. See Managing IP Reputation policy settings. |
Geo IP Block List |
Select a Geo IP block list configuration object. See Using the Geo IP block list. |
Geo IP Whitelist |
Select a allowlist configuration object. See Using the Geo IP allowlist. |
IP |
|
IP Reputation |
Enable to apply FortiGuard IP reputation service. IP reputation. See Managing IP Reputation policy settings. |
Geo IP Block List |
Select a Geo IP block list configuration object. See Using the Geo IP block list. |
Geo IP Whitelist |
Select a allowlist configuration object. See Using the Geo IP allowlist. |
Timeout IP Session |
Client-side session timeout. The default is 100 seconds. The valid range is 1 to 86,400. |
DNS |
|
DNS Cache Flag |
Enable/Disable DNS cache flag. |
DNS Cache Ageout Time |
Enter a value from 0 to 65,535. The default is 3,600. |
DNS Cache Size |
Enter a value from 1 to 100. The default is 10. |
DNS Cache Entry Size |
Enter a value from 256 to 4,096. The default is 512. |
DNS Cache Response Type |
Choose either of the following:
|
DNS Malform Query Action |
Choose either of the following:
|
DNS Max Query Length |
Enter a value from 256 to 4.096. The default is 512. |
DNS Authentication Flag |
Enable or disable DNS authentication flag. |
Special Note |
With the 4.8.1 release. FortiADC supports DNS zone transfer, i.e., DNS traffic over TCP from servers and server-oriented requests from inside the server cluster. |
UDP |
|
Stateless |
Enable to apply UDP stateless function. |
Timeout UDP Session |
Client-side session timeout. The default is 100 seconds. The valid range is 1 to 86,400. |
IP Reputation |
Enable to apply the FortiGuard IP reputation service. See Managing IP Reputation policy settings. |
Geo IP Block List |
Select a Geo IP block list configuration object. See Using the Geo IP block list. |
Geo IP Whitelist |
Select a allowlist configuration object. See Using the Geo IP allowlist. |
HTTP |
|
Client Timeout |
This timeout is counted as the amount of time when the client did not send a complete request HTTP header to the FortiADC after the client connected to the FortiADC. If this timeout expires, FortiADC will send a 408 message to client and close the connection to the client. |
Server Timeout |
This timeout is counted as the amount of time when the server did not send a complete response HTTP header to the FortiADC after the FortiADC sent a request to server. If this timeout expires, FortiADC will close the server side connection and send a 503 message to the client and close the connection to the client. |
Connect Timeout |
This timeout is counted as the amount of time during which FortiADC tried to connect to the server with TCP SYN. After this timeout, if TCP connection is not established, FortiADC will drop this current connection to server and respond with a 503 message to client side and close the connection to the client. |
Queue Timeout |
This timeout is counted as the amount of time during which the request is queued in the dispatched queue. When the request cannot be dispatched to a server by a load balance method (for example, the server's connection limited is reached), it will be put into a queue. If this timeout expires, the request in the queue will be dropped and FortiADC will respond with a 503 message to client side and close the connection to the client. |
HTTP Send Timeout |
This timeout is counted as the amount of time it took FortiADC to send a response body data (not including the header); the time is counted starting from when the body is transferred. If this timeout expires, FortiADC will close the connection of both side. |
HTTP Request Timeout |
This timeout is counted as the amount of time the client did not send a complete request (including both HTTP header and request body) to FortiADC after the client connected to FortiADC. If this timeout expires, FortiADC will send a 408 message to client and close the connection to the client. |
HTTP Keepalive Timeout |
This timeout is counted as the time FortiADC can wait for a new request after the previous transaction is completed. This is an idle timeout if the client does not send anything in this period. If this timeout expires, FortiADC will close the connection to the client. |
Source Address |
Use the original client IP address as the source address when connecting to the real server. |
X-Forwarded-For |
Append the client IP address found in IP layer packets to the HTTP header that you have specified in the X-Forwarded-For Header setting. If there is no existing X-Forwarded-For header, the system creates it. If you only enable http-x-forwarded-for and do not configure http-x-forwarded-for-header, the default is to add such a header: X-Forwarded-For: <client's ip> |
X-Forwarded-For Header |
Specify the HTTP header to which to write the client IP address. Typically, this is the X-Forwarded-For header, but it is customizable because you might support traffic that uses different headers for this. Examples: Forwarded-For, Real-IP, or True-IP. If http-x-forwarded-for-header <string> is configured, the added header is: <string>: <client's ip>, |
IP Reputation |
Enable to apply the FortiGuard IP reputation service. See Managing IP Reputation policy settings. |
IP Reputation Redirect URL |
Type a URL including the FQDN/IP and path, if any, to which a client will be redirected if the request violates the IP reputation policy. |
HTTP Mode |
|
Compression |
Select a compression configuration object. See Configuring compression rules. |
Caching |
Select a caching configuration object. See Using caching features. |
Geo IP Block List |
Select a Geo IP block list configuration object. See Using the Geo IP block list. |
Geo IP Whitelist |
Select a allowlist configuration object. See Using the Geo IP allowlist. |
Geo IP Redirect URL |
For HTTP, if you have configured a Geo IP redirect action, specify a redirect URL. |
Tune Buffer Size |
Adjust the value of the HTTP/HTTPS VS's connection buffer size.
|
Max HTTP Headers |
Adjust the max header number that HTTP/HTTPS VS can process for every request or response. If a request or response has a header over this limit, it will be dropped, and return error message 400.
|
FTP |
|
Timeout TCP Session |
Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400. |
Timeout TCP Session after FIN |
Client-side connection timeout. The default is 100 seconds. The valid range is 1 to 86,400. |
Client Address |
Use the original client IP address as the source address when connecting to the real server. |
IP Reputation |
Enable to apply the FortiGuard IP reputation service. See Managing IP Reputation policy settings. |
Geo IP Block List |
Select a Geo IP block list configuration object. See Using the Geo IP block list. |
Geo IP Whitelist |
Select a allowlist configuration object. See Using the Geo IP allowlist. |
RADIUS |
|
Client Address |
Use the original client IP address as the source address when connecting to the real server. |
Source Port |
Use the original client port as the source port when connecting to the real server. |
Timeout RADIUS Session |
The default is 300 seconds. The valid range is 1 to 3,600. |
Dynamic Auth |
Enable or disable Dynamic Authorization for RADIUS Change of Authorization(CoA) |
Dynamic Auth Port |
Configures the UDP port for CoA requests. The default is 3799. |
RDP |
|
Client Timeout |
Client-side TCP connection timeout. The default is 50 seconds. The valid range is 1 to 3,600. |
Server Timeout |
Server-side IP session timeout. The default is 50 seconds. The valid range is 1 to 3,600. |
Connect Timeout |
Multiplexed server-side TCP connection timeout. Usually less than the client-side timeout. The default is 5 seconds. The valid range is 1 to 3,600. |
Queue Timeout |
Specifies how long connection requests to a backend server remain in a queue if the server has reached its maximum number of connections. If the timeout period expires before the client can connect, FortiADC drops the connection and sends a 503 error to the client. The default is 5 seconds. The valid range is 1 to 3,600. |
Buffer Pool |
Enable or disable buffering. |
Source Address |
Use the original client IP address as the source address in the connection to the real server. |
IP Reputation |
Enable to apply the FortiGuard IP reputation service. See Managing IP Reputation policy settings. |
Customized SSL Ciphers Flag |
Enable or disable the Customized SSL Ciphers Flag. |
Geo IP Block List |
Select a Geo IP block list configuration object. See Using the Geo IP block list. |
Geo IP Whitelist |
Select a allowlist configuration object. See Using the Geo IP allowlist. |
TCPS |
|
Client Timeout |
Client-side TCP connection timeout. The default is 50 seconds. The valid range is 1 to 3,600. |
Server Timeout |
Server-side IP session timeout. The default is 50 seconds. The valid range is 1 to 3,600. |
Connect Timeout |
Multiplexed server-side TCP connection timeout. Usually less than the client-side timeout. The default is 5 seconds. The valid range is 1 to 3,600. |
Queue Timeout |
Specifies how long connection requests to a backend server remain in a queue if the server has reached its maximum number of connections. If the timeout period expires before the client can connect, the system drops the connection and sends a 503 error to the client. The default is 5 seconds. The valid range is 1 to 3,600. |
Buffer Pool |
Enable or disable buffering. |
Source Address |
Use the original client IP address as the source address in the connection to the real server. |
IP Reputation |
Enable to apply the FortiGuard IP reputation service. See Managing IP Reputation policy settings. |
Customized SSL Ciphers Flag |
Enable or disable the use of user-specified cipher suites. |
Customized SSL Ciphers |
If the customize cipher flag is enabled, specify a colon-separated, ordered list of cipher suites. An empty string is allowed. If empty, the default cipher suite list is used. |
SSL Ciphers |
Ciphers are listed from strongest to weakest:
We recommend retaining the default list. If necessary, you can deselect the SSL ciphers that you do not want to support. |
Allow SSL Versions |
You have the following options:
We recommend retaining the default list. If necessary, you can deselect SSL versions you do not want to support. Note: FortiADC does not support session reuse for SSLv2 at the client side. Instead, a new SSL session is started. |
Client SNI Required |
Require clients to use the TLS server name indication (SNI) extension to include the server hostname in the TLS client hello message. Then, the FortiADC system can select the appropriate local server certificate to present to the client. |
Geo IP Block List |
Select a Geo IP block list configuration object. See Using the Geo IP block list. |
Geo IP Whitelist |
Select a allowlist configuration object. See Using the Geo IP allowlist. |
Local Certificate Group |
A configuration group that includes the certificates this virtual server presents to SSL/TLS clients. This should be the backend servers’ certificate, NOT the appliance’s GUI web server certificate. See Manage certificates. |
Certificate Verify |
Select a certificate validation policy. See Manage and validate certificates. |
HTTPS |
|
HTTPS |
Same as HTTP, plus the certificate settings listed next. See Chapter 17: SSL Transactions for an overview of HTTPS features. |
SSL Proxy Mode |
Enable or disable SSL forward proxy. |
Customized SSL Ciphers Flag |
Enable or disable use of user-specified cipher suites. |
Customized SSL Ciphers |
If the customize cipher flag is enabled, specify a colon-separated, ordered list of cipher suites. An empty string is allowed. If empty, the default cipher suite list is used. |
SSL Ciphers |
We recommend retaining the default list. If necessary, you can deselect ciphers you do not want to support. |
Allow SSL Versions |
We recommend retaining the default list. If necessary, you can deselect SSL versions you do not want to support. Note: FortiADC does not support session reuse for SSLv2 at the client side. Instead, a new SSL session is started. |
Client SNI Required |
Require clients to use the TLS server name indication (SNI) extension to include the server hostname in the TLS client hello message. Then, the FortiADC system can select the appropriate local server certificate to present to the client. |
Local Certificate Group |
A configuration group that includes the certificates this virtual server presents to SSL/TLS clients. This should be the backend servers' certificate, NOT the appliance's GUI web server certificate. See Manage certificates. |
Certificate Verify |
Select a certificate validation policy. See Manage and validate certificates. |
TURBO HTTP |
|
Timeout TCP Session |
Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400. |
Timeout TCP Session after FIN |
Client-side connection timeout. The default is 100 seconds. The valid range is from 1 to 86,400. |
IP Reputation |
Enable to apply the FortiGuard IP reputation service. |
Customized SSL Ciphers Flag |
Enable or disable the Customized SSL Ciphers Flag. |
Geo IP Block List |
Select a Geo IP block list configuration object. See Using the Geo IP block list. |
Geo IP Whitelist |
Select a allowlist configuration object. See Using the Geo IP allowlist. |
SIP |
|
SIP Max Size |
Maximum message size. The default is 65535 bytes. The valid range is from 1 to 65,535. |
Server Keepalive Timeout |
Maximum wait for a new server-side request to appear. The default is 30 seconds. The valid range is 5-300. |
Server Keepalive |
Enable/disable a keepalive period for new server-side requests. Supports CRLF ping-pong for TCP connections. Enabled by default. |
Client Keepalive |
Enable/disable a keepalive period for new client-side requests. Supports CRLF ping-pong for TCP connections. Disabled by default. |
Client Protocol |
Client-side transport protocol:
|
Server Protocol |
Server-side transport protocol.
Default is "unset", so the client-side protocol determines the server-side protocol. |
Failed Client Type |
Action when the SIP client cannot be reached:
|
Failed Server Type |
Action when the SIP server cannot be reached:
|
Insert Client IP |
Enable/disable option to insert the client source IP address into the X-Forwarded-For header of the SIP request. |
Client-Request-Header-Insert (maximum 4 members) |
|
Type |
|
HeaderName:Value |
The header:value pair to be inserted. |
Client-Request-Header-Erase (maximum 4 members) |
|
Type |
|
HeaderName |
Header to be erased. |
Client-Response-Header-Insert (maximum 4 members) |
|
Type |
|
HeaderName:Value |
The header:value pair to be inserted. |
Client-Response-Header-Erase (maximum 4 members) |
|
Type |
|
HeaderName |
Header to be erased. |
Server-Request-Header-Insert (maximum 4 members) |
|
Type |
|
HeaderName:Value |
The header:value pair to be inserted. |
Server-Request-Header-Erase (maximum 4 members) |
|
Type |
|
HeaderName |
Header to be erased. |
Server-Response-Header-Insert (maximum 4 members) |
|
Type |
|
HeaderName:Value |
The header:value pair to be inserted. |
Server-Response-Header-Erase (maximum 4 members) |
|
Type |
|
HeaderName |
Header to be erased. |
SMTP |
|
Starttls Active Mode |
Select one of the following:
|
Forbidden Command |
Select any, all, or none of the commands (i.e., expn, turn, vrfy). If selected, the command or commands will be rejected by FortiADC; otherwise, the command or commands will be accepted and forwarded to the back end. |
Domain Name |
Specify the domain name. |
Local Certificate Group |
LOCAL_CERT_GROUP. |
Certificate Verify |
Specify the certificate verify configuration object. |
RTMP |
|
Source Address |
When enabled, specify the client address to be used to connect to the server pool. |
RTSP |
|
Max Header Size |
Specify the maximum size of the RTSP header. |
Source Address |
When enabled, specify the client address to be used to connect to the server pool. |
MySQL |
Note: The system does not provide default MyQSL profiles as it does with the other protocols. |
Single Primary |
If selected, the profile will use the single-primary mode. You will then need to specify and configure the primary server and secondary servers. |
Sharding |
If selected, the profile will use the sharding mode to load-balance MySQL traffic. |
DIAMETER |
FortiADC comes with a default load-balancing profile titled "LB_PROF_DIAMETER". If it is selected, FortiADC will not change Diameter packets except the host IP address AVP, which means that FortiADC functions as a relay agent. |
Identity |
Leave blank. If defined, FortiADC will change the Origin-Host AVP of the Diameter packet. |
Realm |
Leave blank. If defined, FortiADC will change the Origin-Realm AVP of the Diameter packet. |
Vendor ID |
Leave blank. If defined, FortiADC will change the Vendor-ID AVP of the Diameter packet. |
Product Name |
Leave blank. If defined, FortiADC will change the Product-Name AVP of the Diameter packet. |
Idle Timeout |
300 (seconds) by default. Valid values range from 1 to 86,400. |
Server Close Propagation |
OFF by default, which means that the connection on the client side stays open when the server closes the connection on its side. |
ISO8583 |
|
Message Encode Type |
Specify the encode type for protocol message, default ASCII. |
Length Indicator Type |
Specify the encode type of length indicator, default binary. |
Length Indicator Shift |
Specify bytes to shift from the beginning of payload to read length value, range 0-32. |
Length Indicator Size |
Specify total bytes reading to calculate length, range 0-8. |
Optional Header Length |
Specify length of optional header before MTI, including the length-indicator, range 0-32. |
Optional Trailer Hex |
Specify hex string of optional trailer, maximum length 16, i.e. 8 bytes in binary |
MSSQL |
|
Server Age |
Specify the maximum inactivity time for MS SQL server on the server side. |
Server Max Size |
Specify the maximum connections that can connect to the MS SQL server on the server side. |
EXPLICIT_HTTP |
|
Client Timeout |
This timeout is counted as the amount of time when the client did not send a complete request HTTP header to the FortiADC after the client connected to the FortiADC. If this timeout expires, FortiADC will send a 408 message to client and close the connection to the client. |
Server Timeout |
The amount of time the server is allowed to take to send a complete HTTP response header to FortiADC after FortiADC has sent it a request. If this timeout expires, FortiADC closes the server-side connection, sends a 503 message to the client, and closes the client connection. |
Connect Timeout |
The amount of time FortiADC waits for the TCP connection to the server to be established after sending the TCP SYN. If the connection is not established within this time, FortiADC drops the server connection, responds to the client with a 503 message, and closes the client connection. |
Queue Timeout |
The amount of time a request may remain in the dispatch queue. When a request cannot be dispatched to a server by the load balancing method (for example, because the server's connection limit has been reached), it is placed in a queue. If this timeout expires, the queued request is dropped, and FortiADC responds to the client with a 503 message and closes the client connection. |
HTTP Send Timeout |
The amount of time FortiADC is allowed to take to send the response body (not including the header); counting starts when the body transfer begins. If this timeout expires, FortiADC closes the connections on both sides. |
HTTP Request Timeout |
The amount of time the client is allowed to take to send a complete request (both the HTTP header and the request body) to FortiADC after connecting. If this timeout expires, FortiADC sends a 408 message to the client and closes the client connection. |
HTTP Keepalive Timeout |
The amount of time FortiADC waits for a new request after the previous transaction completes. This is an idle timeout: it expires if the client sends nothing during this period, and FortiADC then closes the client connection. |
Client Address |
Use the original client IP address as the source address when connecting to the real server. |
X-Forwarded-For |
Append the client IP address found in the IP layer packets to the HTTP header specified in the X-Forwarded-For Header setting. If there is no existing X-Forwarded-For header, the system creates it. If you enable http-x-forwarded-for but do not configure http-x-forwarded-for-header, the default is to add the header X-Forwarded-For: <client's ip> |
X-Forwarded-For Header |
Specify the HTTP header in which to write the client IP address. Typically this is the X-Forwarded-For header, but it is customizable because you might support traffic that uses a different header for this purpose, for example Forwarded-For, Real-IP, or True-IP. If http-x-forwarded-for-header <string> is configured, the added header is <string>: <client's ip> |
IP Reputation |
Enable to apply the FortiGuard IP reputation service. See Managing IP Reputation policy settings. |
IP Reputation Redirect URL |
Type a URL including the FQDN/IP and path, if any, to which a client will be redirected if the request violates the IP reputation policy. |
Compression |
Select a compression configuration object. See Configuring compression rules. |
Geo IP Block List |
Select a Geo IP block list configuration object. See Using the Geo IP block list. |
Geo IP Whitelist |
Select an allowlist configuration object. See Using the Geo IP allowlist. |
Geo IP Redirect URL |
For HTTP, if you have configured a Geo IP redirect action, specify a redirect URL. |
Tune Buffer Size |
Adjust the value of the HTTP/HTTPS VS's connection buffer size. |
Max HTTP Headers |
Adjust the maximum number of headers that the HTTP/HTTPS VS processes for each request or response. If a request or response contains more headers than this limit, it is dropped and a 400 error message is returned. |
Response Half Closed Connection |
Continue to respond on half-closed connections. |
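The ISO8583 rows above (Length Indicator Type, Shift and Size, Optional Header Length, Optional Trailer Hex) describe how a message is framed out of the TCP stream. The following is an added example, not FortiADC code, that applies those parameters to a byte stream; it assumes, since the page does not say, that the length value counts the bytes after the optional header and that the trailer follows those bytes, and the MAX_MESSAGE_LENGTH bound is a constructed sanity limit rather than a FortiADC setting.

```python
"""Added example, not FortiADC code: framing one ISO 8583 message from a TCP
byte stream with the Length Indicator Shift/Size/Type, Optional Header Length
and Optional Trailer Hex parameters.  Assumption (not stated on the page):
the length value counts the bytes that follow the optional header, and the
optional trailer comes after those bytes."""

MAX_MESSAGE_LENGTH = 65535  # constructed sanity bound, not a FortiADC setting


def read_length_indicator(payload: bytes, shift: int, size: int,
                          indicator_type: str) -> int:
    """Decode the length value stored at payload[shift:shift + size]."""
    field = payload[shift:shift + size]
    if len(field) != size:
        raise ValueError("payload too short for length indicator")
    if indicator_type == "binary":          # big-endian unsigned integer
        return int.from_bytes(field, "big")
    if indicator_type == "ascii":           # decimal digits, e.g. b"0014"
        if not field.isdigit():
            raise ValueError("ASCII length indicator is not numeric")
        return int(field.decode("ascii"))
    raise ValueError(f"unsupported length indicator type {indicator_type!r}")


def split_iso8583_message(stream: bytes, shift: int = 0, size: int = 2,
                          indicator_type: str = "binary", header_len: int = 2,
                          trailer_hex: str = ""):
    """Return (mti, message, remaining_stream), or None when more bytes are
    needed.  Raises ValueError on out-of-range parameters or bad framing."""
    if not (0 <= shift <= 32 and 0 <= size <= 8 and 0 <= header_len <= 32):
        raise ValueError("framing parameter out of range")
    if len(trailer_hex) > 16:               # 16 hex chars = 8 bytes
        raise ValueError("optional trailer longer than 8 bytes")
    trailer = bytes.fromhex(trailer_hex)
    if len(stream) < max(header_len, shift + size):
        return None                         # optional header not yet complete
    length = read_length_indicator(stream, shift, size, indicator_type)
    if length > MAX_MESSAGE_LENGTH:
        raise ValueError("implausible message length; rejecting frame")
    end = header_len + length
    if len(stream) < end + len(trailer):
        return None                         # body (or trailer) still in flight
    if stream[end:end + len(trailer)] != trailer:
        raise ValueError("optional trailer mismatch")
    message = stream[header_len:end]
    mti = message[:4].decode("ascii")       # MTI under the default ASCII encoding
    return mti, message, stream[end + len(trailer):]
```

Returning None for an incomplete frame, rather than raising, is what lets a caller keep buffering on a slow or fragmented connection instead of tearing it down.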
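For the X-Forwarded-For and X-Forwarded-For Header rows above, the following added example (not FortiADC code) models the create-or-append behaviour with a configurable header name, and shows the backend-side check that goes with it: only the rightmost entry was written by the load balancer, so that is the only one a backend should trust. Comma-joining onto an existing value is an assumption about the exact append format.

```python
"""Added example, not FortiADC code: the effect of the X-Forwarded-For and
X-Forwarded-For Header settings on a request, and how a backend should read
the result.  Header names are matched case-insensitively; "append" is modelled
as comma-joining onto an existing value (an assumption about the exact format)."""
from typing import Optional


def add_client_ip_header(headers: dict, client_ip: str,
                         header_name: str = "X-Forwarded-For") -> dict:
    """Return a copy of headers with client_ip (taken from the IP layer)
    recorded in header_name.  An existing header is kept and the address is
    appended, so the entry written by the load balancer is always rightmost."""
    out = dict(headers)
    key = next((k for k in out if k.lower() == header_name.lower()), header_name)
    existing = out.get(key, "").strip()
    out[key] = f"{existing}, {client_ip}" if existing else client_ip
    return out


def client_ip_seen_by_proxy(headers: dict,
                            header_name: str = "X-Forwarded-For") -> Optional[str]:
    """Backend-side check: only the rightmost entry was written by the trusted
    load balancer.  Anything to its left arrived inside the client's own
    request and may be forged, so it must not drive access decisions."""
    for key, value in headers.items():
        if key.lower() == header_name.lower() and value.strip():
            return value.split(",")[-1].strip()
    return None
```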