| Profile | Usage | VS Type | LB Methods | Persistence |
|---|---|---|---|---|
| FTP | Use with FTP servers. | Layer 4 | Round Robin, Least Connections, Fastest Response | Source Address, Source Address Hash |
| HTTP | Use for standard, unsecured web server traffic. | Layer 7, Layer 2 | Layer 7: Round Robin, Least Connections, URI Hash, Full URI Hash, Host Hash, Host Domain Hash; Layer 2: Round Robin, Least Connections, Destination IP Hash | Source Address, Source Address Hash, Source Address-Port Hash, HTTP Header Hash, HTTP Request Hash, Cookie Hash, Persistent Cookie, Insert Cookie, Embedded Cookie, Rewrite Cookie |
| HTTPS | Use for secured web server traffic when offloading TLS/SSL from the backend servers. You must import the backend server certificates into FortiADC and select them in the HTTPS profile. | Layer 7, Layer 2 | Same as HTTP | Same as HTTP, plus SSL Session ID |
| HTTP Turbo | Use for unsecured HTTP traffic that does not require advanced features like caching, compression, content rewriting, rate limiting, or source NAT. The profile can be used with content routes and destination NAT, but the HTTP request must be in the first data packet. This profile enables packet-based forwarding that reduces network latency and system CPU usage. However, packet-based forwarding for HTTP is advisable only when you do not anticipate dropped packets or out-of-order packets. | Layer 7 | Round Robin, Least Connections, Fastest Response | Source Address |
| RADIUS | Use with RADIUS servers. | Layer 7 | Round Robin | RADIUS attribute |
| TCP | Use for other TCP protocols. | Layer 4, Layer 2 | Layer 4: Round Robin, Least Connections, Fastest Response; Layer 2: Round Robin, Least Connections, Fastest Response, Destination IP Hash | Source Address, Source Address Hash |
| TCPS | Use for secured TCP when offloading TLS/SSL from the backend servers. Like the HTTPS profile, you must import the backend server certificates into FortiADC and select them in the TCPS profile. | Layer 7, Layer 2 | Layer 7: Round Robin, Least Connections; Layer 2: Round Robin, Least Connections, Destination IP Hash | Source Address, Source Address Hash, Source Address-Port Hash, SSL Session ID |
| UDP | Use for other UDP protocols. | Layer 4 | Round Robin, Least Connections, Fastest Response | Source Address, Source Address Hash |
| Profile | Defaults |
|---|---|
| LB_PROF_TCP | Session Timeout: 100 seconds; Session Timeout after FIN: 100 seconds; IP Reputation: disabled |
| LB_PROF_UDP | Session Timeout: 100 seconds; IP Reputation: disabled |
| LB_PROF_HTTP | Client Timeout: 50 seconds; Connect Timeout: 5 seconds; Keep-alive Timeout: 50 seconds; Request Timeout: 50 seconds; Queue Timeout: 5 seconds; Server Timeout: 50 seconds; Compression: disabled; Caching: disabled; X-Forwarded-For: disabled; Source Address: disabled; IP Reputation: disabled |
| LB_PROF_TURBOHTTP | Session Timeout: 100 seconds; Session Timeout after FIN: 100 seconds; IP Reputation: disabled |
| LB_PROF_FTP | Session Timeout: 100 seconds; Session Timeout after FIN: 100 seconds; IP Reputation: disabled |
| LB_PROF_RADIUS | Session Timeout: 300 seconds |
| LB_PROF_TCPS | Client Timeout: 50 seconds; Connect Timeout: 5 seconds; Queue Timeout: 5 seconds; Server Timeout: 50 seconds; Source Address: disabled; IP Reputation: disabled; Certificate: Factory |
| LB_PROF_HTTPS | Client Timeout: 50 seconds; Connect Timeout: 5 seconds; Keep-alive Timeout: 50 seconds; Request Timeout: 50 seconds; Queue Timeout: 5 seconds; Server Timeout: 50 seconds; Compression: disabled; Caching: disabled; X-Forwarded-For: disabled; Source Address: disabled; IP Reputation: disabled; Certificate: Factory |
| Setting | Description |
|---|---|
| type | Specify the profile type. After you have specified the type, the CLI commands are constrained to the ones that are applicable to the specified type, not all of the settings described in this table. |
| ip-reputation | Enable to apply the FortiGuard IP reputation service. |
| timeout_tcp_session | Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400. |
| timeout_tcp_session_after_FIN | Client-side connection timeout. The default is 100 seconds. The valid range is 1 to 86,400. |
| timeout-radius-session | The default is 300 seconds. The valid range is 1 to 3,600. |
| timeout_udp_session | Client-side session timeout. The default is 100 seconds. The valid range is 1 to 86,400. |
| buffer-pool | Enable to use buffering. |
| caching | Specify the name of the caching configuration object. |
| client-address | Use the original client IP address as the source address in the connection to the real server. |
| client-timeout | Client-side TCP connection timeout. The default is 50 seconds. The valid range is 1 to 3,600. |
| compression | Specify a compression configuration object. |
| connect-timeout | Multiplexed server-side TCP connection timeout. Usually less than the client-side timeout. The default is 5 seconds. The valid range is 1 to 3,600. |
| http-keepalive-timeout | The default is 50 seconds. The valid range is 1 to 3,600. |
| http-request-timeout | Client-side HTTP request timeout. The default is 50 seconds. The valid range is 1 to 3,600. |
| http-x-forwarded-for | Append the client IP address found in IP layer packets to the HTTP header that you have specified in the X-Forwarded-For Header setting. If there is no existing X-Forwarded-For header, the system creates it. |
| http-x-forwarded-for-header | Specify the HTTP header to which to write the client IP address. Typically, this is the X-Forwarded-For header, but it is customizable because you might support traffic that uses different headers for this. Do not include the 'X-' prefix. Examples: Forwarded-For, Real-IP, or True-IP. |
| once-only | When there is an initial HTTP request, use the load balancing algorithm to select the destination server; forward subsequent traffic for the same connection to the server that was selected to process the initial request. |
| queue-timeout | Specifies how long connection requests to a backend server remain in a queue if the server has reached its maximum number of connections. If the timeout period expires before the client can connect, FortiADC drops the connection and sends a 503 error to the client. The default is 5 seconds. The valid range is 1 to 3,600. |
| server-timeout | Server-side IP session timeout. The default is 50 seconds. The valid range is 1 to 3,600. |
| tune-bufsize | Specify the buffer size for a session. The default is 8,030 bytes. The valid range is 128 to 2,147,483,647. |
| tune-maxrewrite | Specify the buffer space reserved for content rewriting. The default is 1,024 bytes. The valid range is 128 to 2,147,483,647. |
| allow-ssl-versions | Options: SSLv2, SSLv3, TLSv1.0, TLSv1.1, TLSv1.2. We recommend TLSv1.2 or TLSv1.1. |
| cert-verify | Specify a certificate validation policy. |
| client-sni-required | Require clients to use the TLS server name indication (SNI) extension to include the server hostname in the TLS client hello message. Then, the FortiADC system can select the appropriate local server certificate to present to the client. |
| local-cert-group | A configuration group that includes the certificates this virtual server presents to SSL/TLS clients. This should be the backend servers' certificate, NOT the appliance's GUI web server certificate. |
| ssl-ciphers | We recommend retaining the default list: `AES256-SHA256:AES128-SHA256:AES256-SHA:RC4-MD5:RC4-SHA:AES128-SHA:DES-CBC3-SHA`. If necessary, you can edit the colon-separated list so that it includes the algorithms you require for this profile. |
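The http-x-forwarded-for and http-x-forwarded-for-header rows above describe an append-or-create behaviour. The following added example (not FortiADC code) models that behaviour and shows how a backend should read the result; it assumes the appliance prepends `X-` to the configured header name, which the page implies but does not state verbatim.

```python
# Added example, not FortiADC code: models the http-x-forwarded-for behaviour
# documented above and the matching backend-side read of the header.
from typing import Dict, Optional


def forwarded_header_name(setting: str) -> str:
    """Build the header name from the http-x-forwarded-for-header setting.

    Assumption: the setting is configured without the 'X-' prefix, so the
    appliance writes the header as 'X-<setting>' (e.g. X-Real-IP).
    """
    return f"X-{setting}"


def append_client_ip(headers: Dict[str, str], setting: str,
                     client_ip: str) -> Dict[str, str]:
    """Append the IP-layer source address to the configured header.

    If the header is absent it is created, as the documentation states.
    Existing values are kept: they may come from an upstream proxy or may
    have been forged by the client, which is why only the last entry is trusted.
    """
    name = forwarded_header_name(setting)
    out = dict(headers)
    # HTTP header names are case-insensitive; match an existing one regardless.
    existing = next((k for k in out if k.lower() == name.lower()), None)
    if existing is None:
        out[name] = client_ip
    else:
        out[existing] = f"{out[existing]}, {client_ip}"
    return out


def trusted_client_ip(headers: Dict[str, str], setting: str) -> Optional[str]:
    """Backend-side helper: the address the load balancer appended is the
    rightmost entry; everything to its left is untrusted client input."""
    name = forwarded_header_name(setting).lower()
    for key, value in headers.items():
        if key.lower() == name:
            return value.split(",")[-1].strip()
    return None


# Constructed sample: a request whose client already carries a spoofed value.
SAMPLE_HEADERS = {"Host": "app.example", "X-Forwarded-For": "10.0.0.1"}
```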
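The allow-ssl-versions and ssl-ciphers rows above list selectable protocol versions and the default colon-separated cipher list. The following added example (not FortiADC code) audits both values in that format: it rejects RC4 (prohibited for TLS by RFC 7465), MD5-based MACs and 3DES, and flags SSLv2, SSLv3, TLSv1.0 and TLSv1.1, all of which are deprecated (RFC 6176, RFC 7568, RFC 8996), so only TLSv1.2 survives the version check.

```python
# Added example, not FortiADC code: audits the ssl-ciphers and
# allow-ssl-versions values documented for the HTTPS and TCPS profiles.
from typing import List, Tuple

# The default ssl-ciphers list quoted on the page.
DEFAULT_SSL_CIPHERS = ("AES256-SHA256:AES128-SHA256:AES256-SHA:"
                       "RC4-MD5:RC4-SHA:AES128-SHA:DES-CBC3-SHA")

# Tokens in OpenSSL-style cipher names that indicate a broken primitive:
# RC4 stream cipher, MD5 as the MAC, and 3DES with its 64-bit block size.
WEAK_TOKENS = ("RC4", "MD5", "DES-CBC3")

# Versions selectable on the page that current standards deprecate.
DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def split_cipher_list(value: str) -> List[str]:
    """Parse the colon-separated list, dropping empty entries."""
    return [c for c in value.split(":") if c]


def audit_ciphers(value: str) -> Tuple[List[str], List[str]]:
    """Return (kept, rejected) for a colon-separated ssl-ciphers value.

    A cipher is rejected when any weak token appears in its name; order of
    the surviving ciphers is preserved so server preference is unchanged.
    """
    kept: List[str] = []
    rejected: List[str] = []
    for cipher in split_cipher_list(value):
        if any(tok in cipher.upper() for tok in WEAK_TOKENS):
            rejected.append(cipher)
        else:
            kept.append(cipher)
    return kept, rejected


def hardened_cipher_list(value: str) -> str:
    """Re-join the surviving ciphers in the page's colon-separated format."""
    kept, _ = audit_ciphers(value)
    return ":".join(kept)


def audit_versions(allowed: List[str]) -> List[str]:
    """Return the entries of allow-ssl-versions that should be removed."""
    return [v for v in allowed if v in DEPRECATED_VERSIONS]
```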