Cluster and Match Rule Commands

You are here: Using the CLI > Context Command Summaries > Cluster and Match Rule Commands

Cluster and Match Rule Commands

Each cluster has its own context and the settings available in the cluster’s context depends on the cluster’s proto parameter -- this parameter must be specified first on the command line when creating a cluster. A Layer 7 cluster may have one or more match rules associated with it, each with its own context. Cluster and match rule commands are summarized in the tables below.

Using cluster commands in the global context:

Using Cluster Commands in the Global Context
eqcli > cluster clname req_cmds	:	Create clname (req_cmds = * commands below)
eqcli > cluster clname cmds ...	:	Modify clname (cmds = any commands below)
eqcli > no cluster clname	:	Delete clname
eqcli > show cluster [clname]	:	Display all clusters or clname
eqcli > cluster clname	:	Change to the "cl-clname" context(see below)

Using cluster commands in a cluster specific context:

Using Cluster Commands in a Cluster Specific Context
For all Clusters:
eqcli cl-clname> *ip ip_addr	:	Cluster IP address
eqcli cl-clname> proto {http\|https\|tcp\|udp}*	:	Protocol -- MUST SET proto FIRST
eqcli cl-clname> *port integer	:	Cluster port
eqcli cl-clname> show	:	Show the cluster configuration
eqcli cl-clname> stats	:	Display cluster statistics
For Layer 7Clusters:
eqcli cl-clname> age integer	:	Cookie age in seconds (0 [default] to 31536000 -- one year)
eqcli cl-clname> clientto integer	:	Client connection timeout
eqcli cl-clname> compress_min integer	:	Set the minimum file size for compression in bytes when compression is enabled for Layer HTTP and HTTPS clusters. Valid values range from 0 to 1073741824 bytes. The default is 1024 bytes.
eqcli cl-clname> compress_types string	:	Mime types to compress
eqcli cl-clname> connto integer	:	Server connection timeout
eqcli cl-clname> custhdr string	:	Custom request header
eqcli cl-clname> domain string	:	Cookie domain
eqcli cl-clname> flags	:	Disable and enable flags
For Layer 7 Http Clusters:
{[!]always,[!]compress, [!]disable,[!}allow_utf8 [!]ignore_case,[!]insert_client_ip, [!]no_header_rewrite, [!]once_only, [!]spoof,[!]tcp_mux}
For Layer 7 https clusters: {[!]ics [!]allow_sslv2, [!]allow_sslv3,[!]push_client_cert, [!]require_client_cert,[!]rewrite_redirects, [!]strict_crl_chain,[!]ignore_critical_extns, [!]software_ssl_only,[!]allow_tls10, [!]allow_tls11 [!]allow tls12}
eqcli cl-clname> gen integer	:	Cookie generation (0 to 65535).
eqcli cl-clname> match maname	:	Change to the maname match context
eqcli cl-clname> match cmds	:	Execute match commands
eqcli cl-clname> no match maname	:	Delete match maname
eqcli cl-clname> no {age\|clientto\|connto\|custhdr\|domain \|gen\|path\|resp\|scheme \|serverto\|srvpool}	:	Reset the specified parameter
eqcli cl-clname> path string	:	Cookie path
eqcli cl-clname> range	:	Set the cluster port range.
eqcli cl-clname> resp rname	:	Responder name
eqcli cl-clname> scheme integer	:	Cookie scheme (0,1,2)
eqcli cl-clname> serverto integer	:	Server response timeout
eqcli cl-clname> sni sni-name	:	Server Name Indication name
eqcli cl-clname> sni-name sni_svname servername	:	Add the server name or list of server names in sni.
eqcli cl-clname> srvpool spname	:	Server pool name
eqcli cl-clname> stats	:	Display the statistics for cluster
eqcli cl-clname> staleto	:	Set the stale timeout for a cluster.
eqcli cl-clname> stickyto	:	Set the sticky timeout for a cluster.
eqcli cl-clname> stickynetmask	:	Set the sticky netmask for a cluster.
eqcli cl-clname> cipherspec {url\|edit\|enter}	:	Set the cipherspec for an HTTPS cluster.
eqcli cl-clname> clientca certname	:	Attach a client certificate to an HTTPS cluster.
eqcli cl-clname> clflags {[!]allow_sslv2,[!]allow_sslv3, [!]push_client_cert,[!]require_client_cert, [!]strict_crl_chain}
eqcli cl-clname> crl crlname
eqcli cl-clname> no {cert\|cipherspec \|clientca\|crl\|valdepth}	:	Reset the parameter to its default value
eqcli cl-clname> valdepth}	:	Set validation depth for cluster.
eqcli cl-clname> preferred_peer	:	Set the preferred peer
eqcli cl-clname> persist type {[!]none,[!]source_ip, [!]Fortinet_cookie_0, [!]Fortinet_cookie_1, !]Fortinet_cookie_2	:	Set the persist type
For Layer 7 TCP Clusters (proto = tcp): eqcli cl-clname> flags {[!]disable,[!]spoof, [!]delayed_binding,[!]abort_server, [!]ics
eqcli cl-clname> stickyto	:	Set the sticky timeout for a cluster.
eqcli cl-clname> stickynetmask	:	Set the sticky netmask for a cluster.
eqcli cl-clname> srvpool spname	:	Server pool name
eqcli cl-clname> preferred_peer	:	Set the preferred peer
eqcli cl-clname> clientto integer	:	Client connection timeout
eqcli cl-clname> serverto integer	:	Server response timeout
eqcli cl-clname> connto integer	:	Server connection timeout
For Layer 4 Clusters (proto = tcp or udp):
eqcli cl-clname> eqcli cl-clname> flags {[!]dsr,[!]ics!]spoof, [!]disable}
eqcli cl-clname> idleto integer	:	Set the connection idle timeout
eqcli cl-clname> no {idleto\|stickyto	:	Reset specified parameter to default value
eqcli cl-clname> range integer	:	Upper limit of port range
eqcli cl-clname> stickyto integer	:	Set the connection sticky timeout
eqcli cl-clname> stickynetmask	:	Set the sticky netmask for a cluster.

Using match rule commands in the global context:

Using Match Rule Commands in the Global Context
eqcli > cluster clname match maname req_cmds	:	Create maname (req_cmds = * commands below)
eqcli > cluster clname match maname cmd ...	:	Modify maname (cmds = any commands below)
eqcli > no cluster clname match maname	:	Delete match rule maname
eqcli > show cluster [clname]	:	isplay all match rules or maname
eqcli > cluster clname match maname	:	Change context to a match rule context

Using match rule commands in a match rule specific context:

Using Match Rule Commands in a Match Rule Specific Context
eqcli cl-clname-ma-maname> {disable\|enable}	:	Disable match rule
eqcli cl-clname-ma-maname> age integer	:	Cookie age in seconds (0 to 31536000 -- one year)
eqcli cl-clname-ma-maname> compress_min integer	:	Minimum bytes to compress (0 to 1073741824 -- default 1024)
eqcli cl-clname-ma-maname> compress_types string	:	Mime types to compress
eqcli cl-clname-ma-maname> domain string	:	Cookie domain
eqcli cl-clname-ma-maname> expression string	:	Match expression
eqcli cl-clname-ma-maname> flags	:	Enable/disable Flags
[!]abort_server,[!]always, [!]client_ip,[!]compress, [!]ignore_case,[!]no_header_rewrite, [!]once_only,[!]persist, [!]spoof,[!]tcp_mux}	:
eqcli cl-clname-ma-maname> gen integer	:	Cookie generation (0 to 65535)
eqcli cl-clname-ma-maname> nextmatch maname*	:	Next match in list
eqcli cl-clname-ma-maname> no {age\|domain\|expression\|gen\|path\|resp\|scheme\|srvpool}	:	Reset parameter
eqcli cl-clname-ma-maname> path string	:	Cookie path
eqcli cl-clname-ma-maname> resp rname	:	Set Responder name
eqcli cl-clname-ma-maname> scheme integer	:	Cookie scheme (0, 1, 2)
eqcli cl-clname-ma-maname> show	:	Show configuration
eqcli cl-clname-ma-maname> srvpool spname	:	Server Pool name
eqcli cl-clname-ma-maname> stats	:	Display statistics

Cluster and Match Rule Command Notes

When creating a cluster, the list of available parameters depends on the protocol selected for the cluster. As a result, the proto parameter must be specified before any other cluster parameters on the command line.
Layer 7 clusters can have one or more match rules that override the options set on the cluster when the expression specified in the match rule matches an incoming client request. (Layer 4 clusters do not support match rules.)
The cluster flags supported for a particular cluster depend on the setting of the cluster proto parameter, as shown in the table below.

Cluster Flags

A flag may be turned off by prefixing with "!".

Cluster 'proto'	Flag	Description
tcp and udp	dsr	Enables “direct server return" -- servers respond directly to clients rather than through FortiADC.
	ics	Enables “inter-cluster sticky” -- Layer 4 persistence is preserved across clusters and server ports.
	spoof	Disables Source NAT (SNAT) -- the client IP address is used as the source IP in packets sent to servers.
http and https	abort_server	Close server connections without waiting.
	always	Always insert a cookie into server responses.
	client_ip	Include the client IP address in headers.
	compress	Compress server responses.
	ignore_case	Do not consider case when evaluating a match rule.
	no_header_rewrite	Do not rewrite Location headers in server responses.
	once_only	Evaluate the first set of headers in a client connection only.
	persist	Insert a cookie in server responses if the server did not.
	spoof	Use the client IP as source IP in packets sent to servers.
	tcp_mux	Enables TCP multiplexing for a cluster. TCP multiplexing must also be enabled on at least one server instance in the server pool assigned to the cluster (or one of its match rules). See the section.
https only	allow_sslv2	Enable SSLv2 for client connections.
	allow_sslv3	Enable SSLv3 for client connections. This option is enabled by default.
	push_client_cert	Send the entire client certificate to the back-end server. This allows the server to confirm that the client connection is authenticated without having to do a complete SSL renegotiation.
	require_client_cert	Require that clients present certificates.
	software_ssl_only	This flag appears only on systems that are equipped with Hardware SSL Acceleration. When enabled, it specifies that all SSL operations will be performed in software, instead of being performed using the SSL accelerator hardware. This flag does not appear on systems that are not equipped with Hardware SSL Acceleration, since on these units SSL operations are always performed in software. This flag is disabled by default. Please note that enabling this option will reduce the processor and memory resources generally available for processing cluster traffic, since performing SSL operations in software requires use of the system CPU and system memory (instead of the dedicated SSL acceleration hardware CPU and memory).
	allow_tls10	This option enables and disables support for the TLSv1.0 protocol. Enabled by default. If multiple TLS versions are enabled, the first supported TLS version negotiated by a client will be used.
	allow_tls11	This option enables and disables support for the TLSv1.1 protocol. Disabled by default. If multiple TLS versions are enabled, the first supported TLS version negotiated by a client will be used.
	allow_tls12	This option enables and disables support for the TLSv1.1 protocol. Disabled by default. If multiple TLS versions are enabled, the first supported TLS version negotiated by a client will be used.
	rewrite_redirects	When enabled, forces FortiADC to pass responses from an HTTPS cluster’s servers without rewriting them. In the typical FortiADC setup, you configure servers in an HTTPS cluster to listen and respond using HTTP; FortiADC communicates with the clients using SSL. If a server sends an HTTP redirect using the Location: header, this URL most likely will not include the https: protocol. FortiADC rewrites responses from the server so that they are HTTPS. You can direct FortiADC to pass responses from the server without rewriting them by enabling this option.
	ignore_critical_extns	Control whether FortiADC will process "CRL Distribution Point" extensions in client certificates. This option only affects the processing of the "CRL Distribution Point" extension in client certificates: When Ignore Critical Extensions is disabled, a client certificate presented to FortiADC that includes any extension will be rejected by FortiADC. This is the behavior in previous releases. When Ignore Critical Extensions is enabled (the default), a client certificate presented to FortiADC that has a CRL Distribution Point extension will be processed and the CRL critical extension will be ignored. Note, however, that if other extensions are present in a client certificate they are not ignored and will cause the client certificate to be rejected by FortiADC.
	strict_crl_chain	Check the validity of all certificates in a certificate chain against the CRL associated with the cluster. If any of the certificates in the chain cannot be validated, return an error. If this option is disabled (the default), only the last certificate in the chain is checked for validity.