config load-balance profile
Use this command to configure server profiles.
A profile is a configuration object that defines how you want the FortiADC virtual server to handle traffic for specific protocols.
Table 10 describes usage for each profile type, including compatible virtual server types, load balancing methods, and persistence methods.
Table 10: Profile usage

FTP
  Usage: Use with FTP servers.
  VS Type: Layer 4
  LB Methods: Round Robin, Least Connections, Fastest Response
  Persistence: Source Address, Source Address Hash

HTTP
  Usage: Use for standard, unsecured web server traffic.
  VS Type: Layer 7, Layer 2
  LB Methods:
    Layer 7: Round Robin, Least Connections, URI Hash, Full URI Hash, Host Hash, Host Domain Hash
    Layer 2: Same as Layer 7, plus Destination IP Hash
  Persistence: Source Address, Source Address Hash, Source Address-Port Hash, HTTP Header Hash, HTTP Request Hash, Cookie Hash, Persistent Cookie, Insert Cookie, Embedded Cookie, Rewrite Cookie

HTTPS
  Usage: Use for secured web server traffic when offloading TLS/SSL from the backend servers. You must import the backend server certificates into FortiADC and select them in the HTTPS profile.
  VS Type: Layer 7, Layer 2
  LB Methods: Same as HTTP
  Persistence: Same as HTTP, plus SSL Session ID

HTTP Turbo
  Usage: Use for unsecured HTTP traffic that does not require advanced features like caching, compression, content rewriting, rate limiting, Geo IP blocking, or source NAT. The profile can be used with content routes and destination NAT, but the HTTP request must be in the first data packet. This profile enables packet-based forwarding that reduces network latency and system CPU usage. However, packet-based forwarding for HTTP is advisable only when you do not anticipate dropped packets or out-of-order packets.
  VS Type: Layer 7
  LB Methods: Round Robin, Least Connections, Fastest Response
  Persistence: Source Address

RADIUS
  Usage: Use with RADIUS servers.
  VS Type: Layer 7
  LB Methods: Round Robin
  Persistence: RADIUS attribute

TCP
  Usage: Use for other TCP protocols.
  VS Type: Layer 4, Layer 2
  LB Methods:
    Layer 4: Round Robin, Least Connections, Fastest Response
    Layer 2: Round Robin, Least Connections, Fastest Response, Destination IP Hash
  Persistence: Source Address, Source Address Hash

TCPS
  Usage: Use for secured TCP when offloading TLS/SSL from the backend servers. Like the HTTPS profile, you must import the backend server certificates into FortiADC and select them in the TCPS profile.
  VS Type: Layer 7, Layer 2
  LB Methods:
    Layer 7: Round Robin, Least Connections
    Layer 2: Round Robin, Least Connections, Destination IP Hash
  Persistence: Source Address, Source Address Hash, Source Address-Port Hash, SSL Session ID

UDP
  Usage: Use for other UDP protocols.
  VS Type: Layer 4
  LB Methods: Round Robin, Least Connections, Fastest Response
  Persistence: Source Address, Source Address Hash
Table 11 provides a summary of the predefined profiles. You can select predefined profiles in the virtual server configuration, or you can create user-defined profiles, especially to include configuration objects like certificates, caching settings, compression options, and IP reputation.
Table 11: Predefined profiles

LB_PROF_TCP
  Session Timeout—100 seconds
  Session Timeout after FIN—100 seconds
  IP Reputation—disabled

LB_PROF_UDP
  Session Timeout—100 seconds
  IP Reputation—disabled

LB_PROF_HTTP
  Client Timeout—50 seconds
  Server Timeout—50 seconds
  Connect Timeout—5 seconds
  Queue Timeout—5 seconds
  Request Timeout—50 seconds
  Keep-alive Timeout—50 seconds
  Compression—disabled
  Caching—disabled
  X-Forwarded-For—disabled
  Source Address—disabled
  IP Reputation—disabled
  Geo IP block list—disabled

LB_PROF_TURBOHTTP
  Session Timeout—100 seconds
  Session Timeout after FIN—100 seconds
  IP Reputation—disabled

LB_PROF_FTP
  Session Timeout—100 seconds
  Session Timeout after FIN—100 seconds
  IP Reputation—disabled
  Geo IP block list—disabled

LB_PROF_RADIUS
  Session Timeout—300 seconds

LB_PROF_TCPS
  Client Timeout—50 seconds
  Server Timeout—50 seconds
  Connect Timeout—5 seconds
  Queue Timeout—5 seconds
  Source Address—disabled
  IP Reputation—disabled
  Geo IP block list—disabled
  Certificate—Factory

LB_PROF_HTTPS
  Client Timeout—50 seconds
  Server Timeout—50 seconds
  Connect Timeout—5 seconds
  Queue Timeout—5 seconds
  Request Timeout—50 seconds
  Keep-alive Timeout—50 seconds
  Compression—disabled
  Caching—disabled
  X-Forwarded-For—disabled
  Source Address—disabled
  IP Reputation—disabled
  Geo IP block list—disabled
  Certificate—Factory
Before you begin:
You must have already created configuration objects for certificates, caching, and compression if you want the profile to use them.
You must have read-write permission for load balance settings.
Syntax
config load-balance profile
  edit <name>
    set type {ftp | http | https | radius | tcp | tcps | turbohttp | udp}
    set timeout_tcp_session <integer>
    set timeout_tcp_session_after_FIN <integer>
    set timeout-radius-session <integer>
    set timeout_udp_session <integer>
    set buffer-pool {enable|disable}
    set caching <datasource>
    set client-address {enable|disable}
    set client-timeout <integer>
    set compression <datasource>
    set connect-timeout <integer>
    set http-keepalive-timeout <integer>
    set http-request-timeout <integer>
    set http-x-forwarded-for {enable|disable}
    set http-x-forwarded-for-header <string>
    set once-only {enable|disable}
    set queue-timeout <integer>
    set server-timeout <integer>
    set tune-bufsize <integer>
    set tune-maxrewrite <integer>
    set allow-ssl-versions {sslv2 sslv3 tlsv1.0 tlsv1.1 tlsv1.2}
    set cert-verify <datasource>
    set client-sni-required {enable|disable}
    set local-cert-group <datasource>
    set ssl-ciphers <string>
    set ip-reputation {enable|disable}
    set geoip-list <datasource>
    set whitelist <datasource>
    set geoip-redirect <string>
  next
end
type
Specify the profile type. After you have specified the type, the CLI commands are constrained to the ones that are applicable to the specified type, not all of the settings described in this table.
FTP
timeout_tcp_session
Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400.
timeout_tcp_session_after_FIN
Client-side connection timeout after the client has sent a FIN signal. The default is 100 seconds. The valid range is 1 to 86,400.
ip-reputation
Enable to apply the FortiGuard IP reputation service.
geoip-list
Specify a Geo IP block list configuration object.
whitelist
Specify a Geo IP whitelist configuration object.
HTTP
buffer-pool
Enable to use buffering.
tune-bufsize
Specify the buffer size for a session when buffer-pool is enabled. Specify lower values to allow more sessions to coexist in the same amount of RAM, and higher values for traffic with larger HTTP body content. The default is 8,030 bytes. The valid range is 128 to 2,147,483,647.
caching
Specify the name of the caching configuration object.
client-address
Use the original client IP address as the source address in the connection to the real server.
client-timeout
Client-side TCP connection timeout. The default is 50 seconds. The valid range is 1 to 3,600.
compression
Specify a compression configuration object.
connect-timeout
Multiplexed server-side TCP connection timeout. Usually less than the client-side timeout. The default is 5 seconds. The valid range is 1 to 3,600.
http-keepalive-timeout
HTTP keep-alive timeout. The default is 50 seconds. The valid range is 1 to 3,600.
http-request-timeout
Client-side HTTP request timeout. The default is 50 seconds. The valid range is 1 to 3,600.
http-x-forwarded-for
Append the client IP address found in IP layer packets to the HTTP header that you have specified in the X-Forwarded-For Header setting. If there is no existing X-Forwarded-For header, the system creates it.
http-x-forwarded-for-header
Specify the HTTP header to which to write the client IP address. Typically, this is the X-Forwarded-For header, but it is customizable because you might support traffic that uses different headers for this. Do not include the 'X-' prefix. Examples: Forwarded-For, Real-IP, or True-IP.
once-only
When there is an initial HTTP request, use the load balancing algorithm to select the destination server; forward subsequent traffic for the same connection to the server that was selected to process the initial request.
queue-timeout
Specifies how long connection requests to a backend server remain in a queue if the server has reached its maximum number of connections. If the timeout period expires before the client can connect, FortiADC drops the connection and sends a 503 error to the client. The default is 5 seconds. The valid range is 1 to 3,600.
server-timeout
Server-side IP session timeout. The default is 50 seconds. The valid range is 1 to 3,600.
tune-maxrewrite
Specify the buffer space reserved for content rewriting. The default is 1,024 bytes. The valid range is 128 to 2,147,483,647.
ip-reputation
Enable to apply the FortiGuard IP reputation service.
geoip-list
Specify a Geo IP block list configuration object.
geoip-redirect
For HTTP/HTTPS, if you have configured a Geo IP redirect action, specify a redirect URL.
whitelist
Specify a Geo IP whitelist configuration object.
HTTPS (same as HTTP, plus the following)
allow-ssl-versions
You have the following options:
SSLv2
SSLv3
TLSv1.0
TLSv1.1
TLSv1.2
We recommend retaining the default list. If necessary, you can specify a space-separated list of SSL versions you want to support for this profile.
cert-verify
Specify a certificate validation policy.
client-sni-required
Require clients to use the TLS server name indication (SNI) extension to include the server hostname in the TLS client hello message. Then, the FortiADC system can select the appropriate local server certificate to present to the client.
local-cert-group
A configuration group that includes the certificates this virtual server presents to SSL/TLS clients. This should be the backend servers’ certificate, NOT the appliance’s GUI web server certificate.
ssl-ciphers
Ciphers are listed from strongest to weakest:
DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA RC4-SHA RC4-MD5 EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA
We recommend retaining the default list. If necessary, you can specify a space-separated list of algorithms you want to support for this profile.
RADIUS
timeout-radius-session
The default is 300 seconds. The valid range is 1 to 3,600.
TCP
timeout_tcp_session
Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400.
timeout_tcp_session_after_FIN
Client-side connection timeout after the client has sent a FIN signal. The default is 100 seconds. The valid range is 1 to 86,400.
ip-reputation
Enable to apply the FortiGuard IP reputation service.
geoip-list
Specify a Geo IP block list configuration object.
whitelist
Specify a Geo IP whitelist configuration object.
TCPS
buffer-pool
Enable to use buffering.
tune-bufsize
Specify the buffer size for a session when buffer-pool is enabled. Specify lower values to allow more sessions to coexist in the same amount of RAM, and higher values for traffic with larger HTTP body content. The default is 8,030 bytes. The valid range is 128 to 2,147,483,647.
client-timeout
Client-side TCP connection timeout. The default is 50 seconds. The valid range is 1 to 3,600.
server-timeout
Server-side IP session timeout. The default is 50 seconds. The valid range is 1 to 3,600.
connect-timeout
Multiplexed server-side TCP connection timeout. Usually less than the client-side timeout. The default is 5 seconds. The valid range is 1 to 3,600.
queue-timeout
Specifies how long connection requests to a backend server remain in a queue if the server has reached its maximum number of connections. If the timeout period expires before the client can connect, FortiADC drops the connection and sends a 503 error to the client. The default is 5 seconds. The valid range is 1 to 3,600.
client-address
Use the original client IP address as the source address in the connection to the real server.
allow-ssl-versions
You have the following options:
SSLv2
SSLv3
TLSv1.0
TLSv1.1
TLSv1.2
We recommend retaining the default list. If necessary, you can specify a space-separated list of SSL versions you want to support for this profile.
cert-verify
Specify a certificate validation policy.
client-sni-required
Require clients to use the TLS server name indication (SNI) extension to include the server hostname in the TLS client hello message. Then, the FortiADC system can select the appropriate local server certificate to present to the client.
local-cert-group
A configuration group that includes the certificates this virtual server presents to SSL/TLS clients. This should be the backend servers’ certificate, NOT the appliance’s GUI web server certificate.
ssl-ciphers
Ciphers are listed from strongest to weakest:
DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA RC4-SHA RC4-MD5 EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA
We recommend retaining the default list. If necessary, you can specify a space-separated list of algorithms you want to support for this profile.
TurboHTTP
timeout_tcp_session
Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400.
timeout_tcp_session_after_FIN
Client-side connection timeout after the client has sent a FIN signal. The default is 100 seconds. The valid range is 1 to 86,400.
ip-reputation
Enable to apply the FortiGuard IP reputation service.
UDP
timeout_udp_session
Client-side session timeout. The default is 100 seconds. The valid range is 1 to 86,400.
ip-reputation
Enable to apply the FortiGuard IP reputation service.
geoip-list
Specify a Geo IP block list configuration object.
whitelist
Specify a Geo IP whitelist configuration object.
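The http-x-forwarded-for and http-x-forwarded-for-header settings described in the HTTP section above append the IP-layer client address to a header whose name the profile stores without the "X-" prefix, creating the header when the request has none. The following is an added example, not FortiADC code: it emulates that documented append-or-create behaviour on a constructed request and shows how a backend behind the ADC should read the result. The function names, the sample addresses and the assumption that the ADC is the only hop in front of the backend are the editor's.

```python
"""Emulate the http-x-forwarded-for behaviour documented above and show how a
backend behind the ADC should read the resulting header.

Added example: the append-or-create logic follows this page's description of
the setting; it is not FortiADC's implementation."""
import ipaddress
from typing import Dict, Optional


def forwarded_header_name(setting_value: str) -> str:
    """Build the on-the-wire header name from the profile setting.

    The profile stores the name without the 'X-' prefix ('Forwarded-For',
    'Real-IP', 'True-IP'), so the header that is written is 'X-' + value.
    """
    value = setting_value.strip()
    if not value:
        raise ValueError("http-x-forwarded-for-header is empty")
    if value.lower().startswith("x-"):
        raise ValueError("do not include the 'X-' prefix in the profile setting")
    return "X-" + value


def _find_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Return the key under which 'name' is stored; HTTP header names are
    case-insensitive, so match without regard to case."""
    return next((k for k in headers if k.lower() == name.lower()), None)


def append_client_ip(headers: Dict[str, str], header_name: str,
                     client_ip: str) -> Dict[str, str]:
    """ADC side: append the IP-layer source address to the header, creating
    the header when the request did not carry one (as the page describes)."""
    ipaddress.ip_address(client_ip)  # raises ValueError on a non-IP value
    out = dict(headers)
    existing = _find_header(out, header_name)
    if existing is None:
        out[header_name] = client_ip
    else:
        out[existing] = f"{out[existing]}, {client_ip}"
    return out


def trusted_client_ip(headers: Dict[str, str], header_name: str) -> Optional[str]:
    """Backend side: because the ADC appends, the rightmost entry is the
    address it saw on the wire; anything to the left arrived in the request
    already and is untrusted input. Assumes (editor's assumption) that the ADC
    is the only hop in front of the backend, so nothing appends after it."""
    existing = _find_header(headers, header_name)
    if existing is None:
        return None  # http-x-forwarded-for disabled, or no ADC in the path
    last = headers[existing].split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return None  # malformed trailing value: do not guess


if __name__ == "__main__":
    name = forwarded_header_name("Forwarded-For")      # -> 'X-Forwarded-For'
    # Constructed request: the client already sent a value of its own choosing.
    request = {"Host": "www.example.com", "X-Forwarded-For": "10.0.0.1"}
    forwarded = append_client_ip(request, name, "203.0.113.7")
    print(forwarded[name])                             # 10.0.0.1, 203.0.113.7
    print(trusted_client_ip(forwarded, name))          # 203.0.113.7
```

With client-address left disabled (the default in Table 11), the real server sees the FortiADC address as the TCP source, so this header is the only place the original client address survives; the backend should therefore honour the header only on connections that actually arrive from the ADC, and take the value the ADC appended rather than whatever the request carried in.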
Example
FortiADC-VM # get load-balance profile
== [ LB_PROF_TCP ]
== [ LB_PROF_UDP ]
== [ LB_PROF_HTTP ]
== [ LB_PROF_TURBOHTTP ]
== [ LB_PROF_FTP ]
== [ LB_PROF_RADIUS ]
== [ LB_PROF_TCPS ]
== [ LB_PROF_HTTPS ]
 
FortiADC-VM # get load-balance profile LB_PROF_HTTPS
type : https
tune-bufsize : 8030
tune-maxrewrite : 1024
client-timeout : 50
server-timeout : 50
connect-timeout : 5
queue-timeout : 5
http-request-timeout : 50
http-keepalive-timeout : 50
buffer-pool : enable
client-address : disable
http-x-forwarded-for : disable
http-x-forwarded-for-header :
once-only : disable
ssl-ciphers : DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA RC4-SHA RC4-MD5 EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA
allow-ssl-versions : sslv3 tlsv1.0 tlsv1.1 tlsv1.2
local-cert-group : LOCAL_CERT_GROUP
client-sni-required : disable
cert-verify :
compression :
caching :
ip-reputation : disable
geoip-list :
whitelist :
geoip-redirect :
 
FortiADC-VM # config load-balance profile
 
FortiADC-VM (profile) # edit https-example
Add new entry 'https-example' for node 1643
FortiADC-VM (https-example) # set type https
FortiADC-VM (https-example) # set local-cert-group local-cert-group-1
FortiADC-VM (https-example) # set cert-verify cert-verify-rule1
FortiADC-VM (https-example) # end
 
FortiADC-VM # get load-balance profile https-example
type : https
tune-bufsize : 8030
tune-maxrewrite : 1024
client-timeout : 50
server-timeout : 50
connect-timeout : 5
queue-timeout : 5
http-request-timeout: 50
http-keepalive-timeout: 50
buffer-pool : enable
client-address : disable
http-x-forwarded-for: disable
http-x-forwarded-for-header:
once-only : disable
ssl-ciphers : DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA RC4-SHA RC4-MD5 EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA
allow-ssl-versions : sslv3 tlsv1.0 tlsv1.1 tlsv1.2
local-cert-group : local-cert-group-1
client-sni-required : disable
cert-verify : cert-verify-rule1
compression :
caching :
ip-reputation : disable
geoip-list :
whitelist :
geoip-redirect :
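The allow-ssl-versions and ssl-ciphers settings (HTTPS and TCPS sections above) and the get output just shown are the inputs a reviewer needs to see what an https or tcps profile will negotiate. The following is an added example, not FortiADC code: it parses the "key : value" lines of get load-balance profile <name> output (spacing around the colon varies between lines, as it does above) and reports the legacy protocol versions and weak cipher suites a profile allows. The sample output is constructed from the format on this page; the legacy-version set and cipher markers are the editor's own review criteria, not Fortinet's.

```python
"""Parse the text output of 'get load-balance profile <name>' and report
legacy SSL/TLS settings in an https or tcps profile.

Added example, not FortiADC code: the parser targets the 'key : value' lines
shown in the Example section of this page; the legacy-version set and the
cipher markers are the editor's own review criteria, not Fortinet's."""
from typing import Dict, List

# Constructed sample of 'get load-balance profile' output, trimmed to the
# fields this audit reads. The spacing around ':' is deliberately inconsistent,
# as it is in the real output.
SAMPLE_OUTPUT = """\
FortiADC-VM # get load-balance profile https-example
type : https
client-timeout : 50
http-request-timeout: 50
ssl-ciphers : DHE-RSA-AES256-GCM-SHA384 AES128-SHA RC4-SHA RC4-MD5 DES-CBC3-SHA DES-CBC-SHA
allow-ssl-versions : sslv3 tlsv1.0 tlsv1.1 tlsv1.2
local-cert-group : local-cert-group-1
cert-verify :
ip-reputation : disable
"""

# Protocol versions deprecated by the IETF (RFC 6176 for SSLv2, RFC 7568 for
# SSLv3, RFC 8996 for TLS 1.0 and 1.1).
LEGACY_VERSIONS = {"sslv2", "sslv3", "tlsv1.0", "tlsv1.1"}
# Substrings identifying suites in the page's default cipher list that a
# reviewer would question: the RC4 stream cipher, single and triple DES in
# CBC mode, and MD5-based MACs.
WEAK_CIPHER_MARKERS = ("RC4", "DES-CBC", "MD5")


def parse_profile(text: str) -> Dict[str, str]:
    """Turn 'key : value' lines into a dict; an empty value becomes ''.
    Lines without a colon (the CLI prompt, '== [ name ]' listing lines,
    blanks) are skipped."""
    profile: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        profile[key.strip()] = value.strip()
    return profile


def audit_profile(profile: Dict[str, str]) -> List[str]:
    """Return one finding per legacy version or weak cipher the profile allows.
    Profiles of other types carry no SSL settings and produce no findings."""
    findings: List[str] = []
    if profile.get("type") not in ("https", "tcps"):
        return findings
    for version in profile.get("allow-ssl-versions", "").split():
        if version.lower() in LEGACY_VERSIONS:
            findings.append(f"allow-ssl-versions permits legacy protocol {version}")
    for cipher in profile.get("ssl-ciphers", "").split():
        if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"ssl-ciphers includes weak cipher {cipher}")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(parse_profile(SAMPLE_OUTPUT)):
        print(finding)
```

Run it over the full output of get load-balance profile <name> for each https and tcps profile. On the default list shown in the example above it reports SSLv3, TLS 1.0 and TLS 1.1 together with the RC4, DES and 3DES suites, which is what you need in front of you when deciding whether to keep the defaults, as the page recommends, or to set a shorter space-separated list with set allow-ssl-versions and set ssl-ciphers.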