
CLI Reference

config load-balance http2-profile

This command is used by HTTP or HTTPS profiles. You must enable the HTTP/2 gateway function to use this profile.

Profile Description
LB_HTTP2_PROFILE_DEFAULT

  • priority-mode — best-effort
  • upgrade-mode — upgradeable
  • max-concurrent-stream — 5
  • max-receive-window — 65535
  • max-frame-size — 16384
  • header-table-size — 4096
  • max-header-list-size — 65536
  • ssl-constraint — enable
  • backend-http2 — disable

LB_HTTP2_PROFILE_END2END_H2

  • priority-mode — best-effort
  • upgrade-mode — upgradeable
  • max-concurrent-stream — 5
  • max-receive-window — 65535
  • max-frame-size — 16384
  • header-table-size — 4096
  • max-header-list-size — 65536
  • ssl-constraint — enable
  • backend-http2 — enable
  • backend-http2-max-receive-window — 65535
  • backend-http2-max-concurrent-stream — 5
  • backend-http2-protocol-mode-https — alpn
  • backend-http2-protocol-mode-http — force-h1
  • backend-multiplexing-mode — multi-connection

Syntax

config load-balance http2-profile
  edit <profile name>
    set priority-mode best-effort
    set upgrade-mode upgradeable
    set max-concurrent-stream <integer>
    set max-receive-window <integer>
    set max-frame-size <integer>
    set header-table-size <integer>
    set max-header-list-size <integer>
    set ssl-constraint {disable|enable}
    set backend-http2 {enable|disable}
    set backend-http2-max-receive-window <integer>
    set backend-http2-max-concurrent-stream <integer>
    set backend-http2-protocol-mode-https {alpn|force-h1|force-h2}
    set backend-http2-protocol-mode-http {force-h1|force-h2}
    set backend-multiplexing-mode {single-connection|multi-connection}
  next
end

priority-mode

Set to best-effort. Not configurable.

upgrade-mode

Set to upgradeable. Not configurable.

max-concurrent-stream

Specify the maximum number of concurrent streams available at one time. The default number is 5, and the valid range is 1-200.

max-receive-window

Specify the maximum number of bytes that can be received without sending an acknowledgment response. The default value is 65535 bytes, and the valid range is 16384-524288.

max-frame-size

Specify the maximum size, in bytes, of the data frames that the HTTP/2 protocol sends to the client. Setting a large frame size improves network utilization, but it can also affect concurrency. The default value is 16384 bytes, and the valid range is 16384-131072.

Note: When backend-http2 is enabled, the max-frame-size is not supported, as this cannot be set independently for the frontend and backend. Instead, the HTTP2 Profile max-frame-size will override the tune-bufsize in the Application Profile.

header-table-size

Specify the size of the header table, in KB. A larger table size allows for better HTTP header compression, but it requires more memory. The default value is 4096, and the valid range is 4096-65536.

max-header-list-size

Specify the size of the name-value length, in bytes, that the HTTP/2 protocol sends in a single header frame. The default value is 65536, and the valid range is 4096-262144.

ssl-constraint

Enable or disable SSL constraint. If enabled, the following conditions must be met:

  • The TLS implementation supports Server Name Indication.
  • The TLS implementation disables compression.
  • The TLS implementation disables renegotiation.
  • Renegotiation takes place before the connection preface is sent.
  • HTTP/2 uses cipher suites with ephemeral key exchange.
  • Ephemeral key exchange has a size of at least 2048 bits (for DHE) or a security level of at least 128 bits (for ECDHE).
  • Clients accept DHE no smaller than 4096 bits.
  • Stream or block ciphers are not used with HTTP.

backend-http2

Enable/disable support for the backend HTTP/2 functionality.

When enabled, the related virtual server will switch to httproxy3 for support.

This is disabled by default.

Note: The backend HTTP/2 implementation is built on HTTP/3, which introduces specific limitations. For details, see config load-balance http3-profile.

backend-http2-max-receive-window

The backend-http2-max-receive-window option is available if backend-http2 is enabled.

Specify the init-windows-size configuration for the backend HTTP/2 connection. The default value is 65535, and the valid range is 16384-524288.

backend-http2-max-concurrent-stream

The backend-http2-max-concurrent-stream option is available if backend-http2 is enabled.

Specify the maximum limit for concurrent streams that the backend server can handle to ensure optimal performance and prevent overloading. The default value is 5, and the valid range is 1-200.

backend-http2-protocol-mode-https

The backend-http2-protocol-mode-https option is available if backend-http2 is enabled.

Select the HTTPS server backend HTTP/2 protocol mode.

  • alpn — Use Application-Layer Protocol Negotiation (ALPN).

  • force-h1 — Enforce HTTP/1.

  • force-h2 — Enforce HTTP/2.

The default is alpn.

backend-http2-protocol-mode-http

The backend-http2-protocol-mode-http option is available if backend-http2 is enabled.

Select the HTTP server backend HTTP/2 protocol mode.

  • force-h1 — Enforce HTTP/1.

  • force-h2 — Enforce HTTP/2.

The default is force-h1.

backend-multiplexing-mode

The backend-multiplexing-mode option is available if backend-http2 is enabled.

Select the backend multiplexing mode.

  • multi-connection — Multiple streams from the frontend are mapped to multiple backend connections.

  • single-connection — All requests from multiple frontend connections are sent through a single backend connection.

The default is multi-connection.

Example

config load-balance http2-profile
  edit "http2"
    set priority-mode best-effort
    set upgrade-mode upgradeable
    set max-concurrent-stream 5
    set max-receive-window 65535
    set max-frame-size 16384
    set header-table-size 4096
    set max-header-list-size 65536
    set ssl-constraint disable
    set backend-http2 enable
    set backend-http2-max-receive-window 65535
    set backend-http2-max-concurrent-stream 5
    set backend-http2-protocol-mode-https alpn
    set backend-http2-protocol-mode-http force-h1
    set backend-multiplexing-mode multi-connection
  next
end
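
The following is an added example, not part of the Fortinet reference: a Python audit of a saved http2-profile configuration that checks each value against the ranges documented above and flags profiles that set ssl-constraint to disable or set backend options while backend-http2 is not enabled. The function names and the sample profile "edge-h2" are hypothetical.

```python
import re

# Valid ranges copied from this page's option descriptions.
RANGES = {
    "max-concurrent-stream": (1, 200),
    "max-receive-window": (16384, 524288),
    "max-frame-size": (16384, 131072),
    "header-table-size": (4096, 65536),
    "max-header-list-size": (4096, 262144),
    "backend-http2-max-receive-window": (16384, 524288),
    "backend-http2-max-concurrent-stream": (1, 200),
}

def parse_profiles(text):
    """Return {profile name: {option: value}} from an http2-profile block."""
    profiles, current = {}, None
    for line in map(str.strip, text.splitlines()):
        edit = re.match(r'edit\s+"?([^"]+)"?$', line)
        setting = re.match(r'set\s+(\S+)\s+(.+)$', line)
        if edit:
            current = profiles.setdefault(edit.group(1), {})
        elif line == "next":
            current = None
        elif setting and current is not None:
            current[setting.group(1)] = setting.group(2)
    return profiles

def audit(text):
    """Return sorted (profile, option, finding) tuples for settings to review."""
    findings = []
    for name, opts in parse_profiles(text).items():
        for opt, (lo, hi) in RANGES.items():
            val = opts.get(opt)
            if val is not None and not (val.isdigit() and lo <= int(val) <= hi):
                findings.append((name, opt, f"value {val} outside {lo}-{hi}"))
        if opts.get("ssl-constraint") == "disable":
            findings.append((name, "ssl-constraint", "listed TLS conditions not required"))
        if opts.get("backend-http2") != "enable":
            findings += [(name, o, "only available with backend-http2 enable")
                         for o in opts if o.startswith("backend-") and o != "backend-http2"]
    return sorted(findings)

# Constructed sample input, not taken from a real device.
SAMPLE = """config load-balance http2-profile
edit "edge-h2"
set max-concurrent-stream 500
set ssl-constraint disable
set backend-multiplexing-mode single-connection
next
end"""
```

Calling audit(SAMPLE) returns three findings for "edge-h2"; run against the Example above, it reports only the ssl-constraint setting.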
