A virtual server profile is a configuration object that defines how you want the FortiADC virtual server to handle traffic for specific protocols.
Table 14 describes usage for each profile type, including compatible virtual server types, load balancing methods, and persistence methods.

| Profile | Usage | VS Type | LB Methods | Persistence |
|---|---|---|---|---|
| FTP | Use with FTP servers. | Layer 4 | Round Robin, Least Connections, Fastest Response | Source Address, Source Address Hash |
| HTTP | Use for standard, unsecured web server traffic. | Layer 7, Layer 2 | Layer 7: Round Robin, Least Connections, URI Hash, Full URI Hash, Host Hash, Host Domain Hash. Layer 2: same as Layer 7, plus Destination IP Hash | Source Address, Source Address Hash, Source Address-Port Hash, HTTP Header Hash, HTTP Request Hash, Cookie Hash, Persistent Cookie, Insert Cookie, Embedded Cookie, Rewrite Cookie |
| HTTPS | Use for secured web server traffic when offloading TLS/SSL from the backend servers. You must import the backend server certificates into FortiADC and select them in the HTTPS profile. | Layer 7, Layer 2 | Same as HTTP | Same as HTTP, plus SSL Session ID |
| HTTP Turbo | Use for unsecured HTTP traffic that does not require advanced features like caching, compression, content rewriting, rate limiting, Geo IP blocking, or source NAT. The profile can be used with content routes and destination NAT, but the HTTP request must be in the first data packet. This profile enables packet-based forwarding that reduces network latency and system CPU usage. However, packet-based forwarding for HTTP is advisable only when you do not anticipate dropped packets or out-of-order packets. | Layer 7 | Round Robin, Least Connections, Fastest Response | Source Address |
| RADIUS | Use with RADIUS servers. | Layer 7 | Round Robin | RADIUS attribute |
| RDP | Use with Windows Terminal Services (Remote Desktop Protocol). | Layer 7 | Round Robin, Least Connections | Source Address, Source Address Hash, Source Address-Port Hash, RDP Cookie |
| SIP | Use with applications that use Session Initiation Protocol (SIP), such as VoIP, instant messaging, and video. | Layer 7 | Round Robin, URI Hash, Full URI Hash | Source Address, Source Address Hash, Source Address-Port Hash, SIP Call ID |
| TCP | Use for other TCP protocols. | Layer 4, Layer 2 | Layer 4: Round Robin, Least Connections, Fastest Response. Layer 2: Round Robin, Least Connections, Fastest Response, Destination IP Hash | Source Address, Source Address Hash |
| TCPS | Use for secured TCP when offloading TLS/SSL from the backend servers. Like the HTTPS profile, you must import the backend server certificates into FortiADC and select them in the TCPS profile. | Layer 7, Layer 2 | Layer 7: Round Robin, Least Connections. Layer 2: Round Robin, Least Connections, Destination IP Hash | Source Address, Source Address Hash, Source Address-Port Hash, SSL Session ID |
Table 15 provides a summary of the predefined profiles. You can select predefined profiles in the virtual server configuration, or you can create user-defined profiles, especially to include configuration objects like certificates, caching settings, compression options, and IP reputation.
| Profile | Defaults |
|---|---|
| LB_PROF_TCP | Session Timeout: 100 seconds; Session Timeout after FIN: 100 seconds; IP Reputation: disabled; Geo IP block list: none |
| LB_PROF_UDP | Session Timeout: 100 seconds; IP Reputation: disabled; Geo IP block list: none |
| LB_PROF_HTTP | Client Timeout: 50 seconds; Server Timeout: 50 seconds; Connect Timeout: 5 seconds; Queue Timeout: 5 seconds; HTTP Request Timeout: 50 seconds; HTTP Keepalive Timeout: 50 seconds; Buffer Pool: enabled; Source Address: disabled; X-Forwarded-For: disabled; HTTP Mode: ServerClose; Compression: none; Caching: none; IP Reputation: disabled; Geo IP block list: none |
| LB_PROF_TURBOHTTP | Session Timeout: 100 seconds; Session Timeout after FIN: 100 seconds; IP Reputation: disabled |
| LB_PROF_FTP | Session Timeout: 100 seconds; Session Timeout after FIN: 100 seconds; IP Reputation: disabled; Geo IP block list: none |
| LB_PROF_RADIUS | Session Timeout: 300 seconds |
| LB_PROF_RDP | Client Timeout: 50 seconds; Server Timeout: 50 seconds; Connect Timeout: 5 seconds; Queue Timeout: 5 seconds; Buffer Pool: enabled; Source Address: disabled; IP Reputation: disabled; Geo IP block list: none |
| LB_PROF_SIP | SIP Max Size: 65535 bytes; Server Keepalive: enabled; Server Keepalive Timeout: 30 seconds; Client Keepalive: disabled; Client Protocol: UDP; Server Protocol: unset; Failed Client Type: Drop; Failed Server Type: Drop; Insert Client IP: disabled |
| LB_PROF_TCPS | Client Timeout: 50 seconds; Server Timeout: 50 seconds; Connect Timeout: 5 seconds; Queue Timeout: 5 seconds; Buffer Pool: enabled; Source Address: disabled; IP Reputation: disabled; Geo IP block list: none; SSL Ciphers: none; Allow SSL Versions: SSLv3, TLSv1.0, TLSv1.1, TLSv1.2; Client SNI Required: disabled; Certificate Group: LOCAL_CERT_GROUP |
Before you begin:

The configuration page displays the Profile tab.

You can clone a predefined configuration object to help you get started with a user-defined configuration. To clone a configuration object, click the clone icon that appears in the tools column on the configuration summary page.
| Type | Setting | Profile Configuration Guidelines |
|---|---|---|
| TCP | Timeout TCP Session | Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400. |
| | Timeout TCP Session after FIN | Client-side connection timeout. The default is 100 seconds. The valid range is 1 to 86,400. |
| | IP Reputation | Enable to apply the FortiGuard IP reputation service. See Managing IP Reputation policy settings. |
| | Geo IP Block List | Select a Geo IP block list configuration object. See Using the Geo IP block list. |
| | Geo IP Whitelist | Select a whitelist configuration object. See Using the Geo IP block list. |
| UDP | Timeout UDP Session | Client-side session timeout. The default is 100 seconds. The valid range is 1 to 86,400. |
| | IP Reputation | Enable to apply the FortiGuard IP reputation service. |
| | Geo IP Block List | Select a Geo IP block list configuration object. |
| | Geo IP Whitelist | Select a whitelist configuration object. |
| HTTP | Client Timeout | Client-side TCP connection timeout. The default is 50 seconds. The valid range is 1 to 3,600. |
| | Server Timeout | Server-side IP session timeout. The default is 50 seconds. The valid range is 1 to 3,600. |
| | Connect Timeout | Multiplexed server-side TCP connection timeout. Usually less than the client-side timeout. The default is 5 seconds. The valid range is 1 to 3,600. |
| | Queue Timeout | Specifies how long connection requests to a backend server remain in a queue if the server has reached its maximum number of connections. If the timeout period expires before the client can connect, FortiADC drops the connection and sends a 503 error to the client. The default is 5 seconds. The valid range is 1 to 3,600. |
| | HTTP Request Timeout | Client-side HTTP request timeout. The default is 50 seconds. The valid range is 1 to 3,600. |
| | HTTP Keepalive Timeout | The default is 50 seconds. The valid range is 1 to 3,600. |
| | Buffer Pool | Enable/disable buffering. |
| | Source Address | Use the original client IP address as the source address in the connection to the real server. |
| | X-Forwarded-For | Append the client IP address found in IP layer packets to the HTTP header that you have specified in the X-Forwarded-For Header setting. If there is no existing X-Forwarded-For header, the system creates it. |
| | X-Forwarded-For Header | Specify the HTTP header to which to write the client IP address. Typically, this is the X-Forwarded-For header, but it is customizable because you might support traffic that uses different headers for this. Do not include the 'X-' prefix. Examples: Forwarded-For, Real-IP, or True-IP. |
| | HTTP Mode | |
| | Compression | Select a compression configuration object. See Configuring compression rules. |
| | Caching | Select a caching configuration object. See Using caching features. |
| | IP Reputation | Enable to apply the FortiGuard IP reputation service. |
| | IP Reputation Redirect URL | If you use the IP Reputation redirect action, specify a redirect URL. |
| | Geo IP Block List | Select a Geo IP block list configuration object. |
| | Geo IP Whitelist | Select a whitelist configuration object. |
| | Geo IP Redirect URL | For HTTP, if you have configured a Geo IP redirect action, specify a redirect URL. |
| FTP | Timeout TCP Session | Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400. |
| | Timeout TCP Session after FIN | Client-side connection timeout. The default is 100 seconds. The valid range is 1 to 86,400. |
| | IP Reputation | Enable to apply the FortiGuard IP reputation service. |
| | Geo IP Whitelist | Select a whitelist configuration object. |
| | Geo IP Redirect | If you use the Geo IP block list redirect action, specify a redirect URL. |
| RADIUS | RADIUS | The system retrieves client information from the RADIUS Access-Request packet. However, if the listening port of the virtual server is 1813, the system retrieves client information from the RADIUS Accounting Start packet. Note: The IP reputation and Geo IP block list features are not available for RADIUS. |
| | Timeout RADIUS Session | The default is 300 seconds. The valid range is 1 to 3,600. |
| RDP | Buffer Pool | Enable/disable buffering. |
| | Source Address | Use the original client IP address as the source address in the connection to the real server. |
| | IP Reputation | Enable to apply the FortiGuard IP reputation service. |
| | Geo IP Whitelist | Select a whitelist configuration object. |
| | Geo IP Redirect | If you use the Geo IP block list redirect action, specify a redirect URL. |
| TCPS | Client Timeout | Client-side TCP connection timeout. The default is 50 seconds. The valid range is 1 to 3,600. |
| | Server Timeout | Server-side IP session timeout. The default is 50 seconds. The valid range is 1 to 3,600. |
| | Connect Timeout | Multiplexed server-side TCP connection timeout. Usually less than the client-side timeout. The default is 5 seconds. The valid range is 1 to 3,600. |
| | Queue Timeout | Specifies how long connection requests to a backend server remain in a queue if the server has reached its maximum number of connections. If the timeout period expires before the client can connect, the system drops the connection and sends a 503 error to the client. The default is 5 seconds. The valid range is 1 to 3,600. |
| | Buffer Pool | Enable/disable buffering. |
| | Source Address | Use the original client IP address as the source address in the connection to the real server. |
| | IP Reputation | Enable to apply the FortiGuard IP reputation service. |
| | Customized SSL Ciphers Flag | Enable/disable use of user-specified cipher suites. |
| | Customized SSL Ciphers | If the Customized SSL Ciphers Flag is enabled, specify a colon-separated, ordered list of cipher suites. An empty string is allowed. If empty, the default cipher suite list is used. |
| | SSL Ciphers | Ciphers are listed from strongest to weakest. We recommend retaining the default list. If necessary, you can deselect ciphers you do not want to support. |
| | Allow SSL Versions | Select the SSL/TLS versions to allow. We recommend retaining the default list. If necessary, you can deselect SSL versions you do not want to support. Note: FortiADC does not support session reuse for SSLv2 at the client side. Instead, a new SSL session is started. |
| | Client SNI Required | Require clients to use the TLS server name indication (SNI) extension to include the server hostname in the TLS client hello message. Then, the FortiADC system can select the appropriate local server certificate to present to the client. |
| | Geo IP Block List | Select a Geo IP block list configuration object. |
| | Geo IP Whitelist | Select a whitelist configuration object. |
| | Local Certificate Group | A configuration group that includes the certificates this virtual server presents to SSL/TLS clients. This should be the backend servers' certificate, NOT the appliance's GUI web server certificate. See Managing local certificates. |
| | Certificate Verify | Select a certificate validation policy. See Configuring a certificate verification object. |
| HTTPS | HTTPS | Same as HTTP, plus the certificate settings listed next. See Chapter 15: SSL Transactions for an overview of HTTPS features. |
| | SSL Proxy Mode | Enable/disable SSL forward proxy. |
| | Customized SSL Ciphers Flag | Enable/disable use of user-specified cipher suites. |
| | Customized SSL Ciphers | If the Customized SSL Ciphers Flag is enabled, specify a colon-separated, ordered list of cipher suites. An empty string is allowed. If empty, the default cipher suite list is used. |
| | SSL Ciphers | We recommend retaining the default list. If necessary, you can deselect ciphers you do not want to support. |
| | Allow SSL Versions | We recommend retaining the default list. If necessary, you can deselect SSL versions you do not want to support. Note: FortiADC does not support session reuse for SSLv2 at the client side. Instead, a new SSL session is started. |
| | Client SNI Required | Require clients to use the TLS server name indication (SNI) extension to include the server hostname in the TLS client hello message. Then, the FortiADC system can select the appropriate local server certificate to present to the client. |
| | Local Certificate Group | A configuration group that includes the certificates this virtual server presents to SSL/TLS clients. This should be the backend servers' certificate, NOT the appliance's GUI web server certificate. See Managing local certificates. |
| | Certificate Verify | Select a certificate validation policy. See Configuring a certificate verification object. |
| HTTP Turbo | Timeout TCP Session | Client-side timeout for connections where the client has not sent a FIN signal, but the connection has been idle. The default is 100 seconds. The valid range is 1 to 86,400. |
| | Timeout TCP Session after FIN | Client-side connection timeout. The default is 100 seconds. The valid range is 1 to 86,400. |
| | IP Reputation | Enable to apply the FortiGuard IP reputation service. |
| SIP | SIP Max Size | Maximum message size. The default is 65535 bytes. The valid range is 1 to 65535. |
| | Server Keepalive Timeout | Maximum wait for a new server-side request to appear. The default is 30 seconds. The valid range is 5 to 300. |
| | Server Keepalive | Enable/disable a keepalive period for new server-side requests. Supports CRLF ping-pong for TCP connections. Enabled by default. |
| | Client Keepalive | Enable/disable a keepalive period for new client-side requests. Supports CRLF ping-pong for TCP connections. Disabled by default. |
| | Client Protocol | Client-side transport protocol. |
| | Server Protocol | Server-side transport protocol. Default is "unset", so the client-side protocol determines the server-side protocol. |
| | Failed Client Type | Action when the SIP client cannot be reached. |
| | Failed Server Type | Action when the SIP server cannot be reached. |
| | Insert Client IP | Enable/disable option to insert the client source IP address into the X-Forwarded-For header of the SIP request. |
| Client-Request-Header-Insert (maximum 4 members) | Type | |
| | HeaderName:Value | The header:value pair to be inserted. |
| Client-Request-Header-Erase (maximum 4 members) | Type | |
| | HeaderName | Header to be erased. |
| Client-Response-Header-Insert (maximum 4 members) | Type | |
| | HeaderName:Value | The header:value pair to be inserted. |
| Client-Response-Header-Erase (maximum 4 members) | Type | |
| | HeaderName | Header to be erased. |
| Server-Request-Header-Insert (maximum 4 members) | Type | |
| | HeaderName:Value | The header:value pair to be inserted. |
| Server-Request-Header-Erase (maximum 4 members) | Type | |
| | HeaderName | Header to be erased. |
| Server-Response-Header-Insert (maximum 4 members) | Type | |
| | HeaderName:Value | The header:value pair to be inserted. |
| Server-Response-Header-Erase (maximum 4 members) | Type | |
| | HeaderName | Header to be erased. |
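The X-Forwarded-For and X-Forwarded-For Header settings in the HTTP guidelines above describe append-or-create behaviour for the client address. The following is an added example in Python, not FortiADC code, that models that behaviour and shows how a backend should pick out the address the load balancer appended. It assumes the usual comma-separated list convention for the header value and that the wire header is the profile's header name with the 'X-' prefix added, as the table describes.

```python
"""Added example (not FortiADC code): models the HTTP profile's
X-Forwarded-For setting. Assumed: comma-separated values and the
'X-' prefix being added to the profile's header name."""
from typing import Dict, Optional


def forwarded_header_name(profile_header: str) -> str:
    """The profile setting omits 'X-' (e.g. 'Real-IP'); the wire header is 'X-Real-IP'."""
    return f"X-{profile_header}"


def apply_forwarded_for(headers: Dict[str, str], client_ip: str,
                        profile_header: str = "Forwarded-For") -> Dict[str, str]:
    """Append the IP-layer client address to the configured header,
    creating the header when the request did not carry one."""
    name = forwarded_header_name(profile_header)
    out = dict(headers)
    # HTTP header names are case-insensitive, so match an existing one that way.
    existing = next((k for k in out if k.lower() == name.lower()), None)
    if existing is None:
        out[name] = client_ip
    else:
        out[existing] = f"{out[existing]}, {client_ip}"
    return out


def lb_observed_client(headers: Dict[str, str],
                       profile_header: str = "Forwarded-For") -> Optional[str]:
    """Backend view: the rightmost entry is the one the load balancer appended
    from the IP layer; any earlier entries arrived from the client and were
    not verified by the load balancer."""
    name = forwarded_header_name(profile_header).lower()
    for key, value in headers.items():
        if key.lower() == name:
            return value.split(",")[-1].strip()
    return None


if __name__ == "__main__":
    # Constructed sample request: the client already sent its own X-Forwarded-For.
    incoming = {"Host": "app.example.test", "x-forwarded-for": "10.0.0.9"}
    forwarded = apply_forwarded_for(incoming, "203.0.113.5")
    print(forwarded["x-forwarded-for"])          # 10.0.0.9, 203.0.113.5
    print(lb_observed_client(forwarded))        # 203.0.113.5
    # With a custom header name and no existing header, the header is created.
    print(apply_forwarded_for({}, "203.0.113.5", "Real-IP"))  # {'X-Real-IP': '203.0.113.5'}
```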