
Server load balancing

 

This help contains the following topics:

·     Introduction

¡     Deployment modes

¡     Relationship between the main configuration items

·     Configure server load balancing

¡     Configure health monitoring (optional)

¡     Configure an SNAT address pool (optional)

¡     Configure ALG (optional)

¡     Configure a server farm

¡     Configure a real server

¡     Configure a sticky group (optional)

¡     Configure an LB policy (optional)

¡     Configure a connection limit policy (optional)

¡     Configure a protection policy (optional)

¡     Configure a parameter profile (optional)

¡     Configure an intelligent probe template (optional)

¡     Configure a global SNAT policy (optional)

¡     Configure a virtual server

Introduction

Server load balancing is a cluster technology that distributes services among multiple servers or firewalls.

Server load balancing is classified into Layer 4 server load balancing and Layer 7 server load balancing.

·     Layer 4 server load balancing—Identifies network layer and transport layer information, and is implemented based on streams. It distributes packets in the same stream to the same server. Layer 4 server load balancing cannot distribute Layer 7 services based on contents.

·     Layer 7 server load balancing—Identifies network layer, transport layer, and application layer information, and is implemented based on contents. It analyzes packet contents, distributes packets one by one based on the contents, and distributes connections to the specified server according to the predefined policies. Layer 7 server load balancing applies load balancing services to a large scope.

Server load balancing supports IPv4 and IPv6, but Layer 4 server load balancing does not support IPv4-to-IPv6 or IPv6-to-IPv4 translation.

Deployment modes

Server load balancing supports the Network Address Translation (NAT) and indirect deployment modes.

NAT-mode server load balancing

Figure 1 Network diagram

 

As shown in Figure 1, NAT-mode server load balancing contains the following elements:

·     LB device—Distributes different service requests to multiple servers.

·     Server—Responds to and processes different service requests.

·     VSIP—Virtual service IP address of the cluster, used for users to request services.

·     Server IP—IP address of a server, used by the LB device to distribute requests.

Indirect-mode server load balancing

Figure 2 Network diagram

 

As shown in Figure 2, indirect-mode server load balancing contains the following elements:

·     LB device—Distributes different service requests to multiple servers.

·     General device—Forwards data according to general forwarding rules.

·     Server—Responds to and processes different service requests.

·     VSIP—Virtual service IP address of the cluster, used for users to request services.

·     Server IP—IP address of a server, used by the LB device to distribute requests.

Indirect-mode server load balancing requires configuring the VSIP on both the LB device and the servers. Because a server must not include the VSIP in ARP requests or responses, you can configure the VSIP on a loopback interface.

Relationship between the main configuration items

Figure 3 Relationship between the main configuration items

 

Configure server load balancing

Before configuring server load balancing, install a license correctly. For more information, see the license management help.

 

Configure server load balancing as shown in Figure 4.

Figure 4 Server load balancing configuration procedure

 

Configure health monitoring (optional)

A health monitoring probe template can be used by a real server or server farm.

For more information about configuring health monitoring, see the health monitoring help.

For more information about configuring health monitoring, see the help for load balancing common configuration.

Configure an SNAT address pool (optional)

An SNAT address pool can be used by a server farm.

For more information about configuring an SNAT address pool, see the help for load balancing common configuration.

Configure ALG (optional)

For more information about configuring ALG, see the help for load balancing common configuration.

Configure a server farm

You can add real servers that contain similar content to a server farm to facilitate management. A server farm can be used by a virtual server or an action.

Procedure

1.     Select Policies > Load Balancing > Server Load Balancing > Server Farms.

2.     Click Create.

3.     Create a server farm.

Table 1 Basic configuration items

Item

Description

Server farm name

Enter a name for the server farm, case insensitive.

Scheduling algorithm

Select a scheduling algorithm for the server farm.

·     Round robin—Assigns user requests to real servers based on the weights of real servers. A higher weight indicates more user requests will be assigned.

·     Random—Randomly assigns user requests to real servers.

·     Weighted least connections—Always assigns user requests to the real server with the fewest number of weighted active connections (the number of active connections divided by weight). The weight used by this algorithm is configured on the Create Real Server page.

·     Bandwidth—Distributes user requests to real servers according to the weights and remaining bandwidth of real servers.

·     Maximum bandwidth—Always distributes user requests to the idle real server that has the largest remaining bandwidth.

·     Dynamic feedback—Assigns new connections to real servers based on load weight values calculated by using the memory, CPU, and disk usage of the real servers. The less the load, the greater the weight value. A real server with a greater weight value is assigned more connections.

·     Least time—Assigns new connections to real servers based on load weight values calculated by using the response time of the real servers. The shorter the response time, the greater the weight value. A real server with a greater weight value is assigned more connections.

·     Source IP address hash—Hashes the source IP address of user requests and distributes user requests to different real servers according to the hash values.

·     Source IP address CARP hash—Hashes the source IP address of user requests and distributes user requests to different real servers according to the CARP hash values.

·     Source IP address and port number hash—Hashes the source IP address and port number of user requests and distributes user requests to different real servers according to the hash values.

·     Source IP address and port number CARP hash—Hashes the source IP address and port number of user requests and distributes user requests to different real servers according to the CARP hash values.

·     Destination IP address hash—Hashes the destination IP address of user requests and distributes user requests to different real servers according to the hash values.

·     Destination IP address CARP hash—Hashes the destination IP address of user requests and distributes user requests to different real servers according to the CARP hash values.

·     HTTP hash—Hashes the content of user requests and distributes user requests to different real servers according to the hash values. This scheduling algorithm takes effect only for an HTTP virtual server.

·     HTTP CARP hash—Hashes the content of user requests and distributes user requests to different real servers according to the CARP hash values. This scheduling algorithm takes effect only for an HTTP virtual server.

·     Weighted least connections (member)—Always assigns user requests to the real server with the fewest number of weighted active connections (the number of active connections divided by weight). The weight used by this algorithm is configured on the Real Server page.

·     Least time (member)—Always assigns user requests to real servers based on load weight values calculated by using the response time of the real servers. The shorter the response time, the greater the weight value. A real server with a greater weight value is assigned more connections.

By default, the source IP address hash algorithm is used.

Offset

Specify the offset value based on the start of the HTTP content.

This parameter is supported only when the scheduling algorithm is HTTP hash or HTTP CARP hash.

Start string

Specify the regular expression that marks the start of the HTTP content, a string starting from the offset value. The string cannot contain question marks (?).

This parameter is supported only when the scheduling algorithm is HTTP hash or HTTP CARP hash.

Length/End string

·     Length specifies the length of the HTTP content.

·     End string specifies the regular expression that marks the end of the HTTP content, a string starting from the start string value. The string cannot contain question marks (?).

This parameter is supported only when the scheduling algorithm is HTTP hash or HTTP CARP hash.

Priority scheduling

Specify the upper limit and lower limit of real servers in a server farm that can be scheduled. By default, all real servers with the highest priority in a server farm are scheduled.

·     If the number of real servers with the highest priority is greater than the configured maximum number, the maximum number applies.

·     If the number of such real servers is less than the minimum number, real servers with lower priority are selected to meet the minimum number or until no real servers are available.

The real server priority can be configured on the Real Servers page.

Real server

You can add a real server to a server farm in one of the following ways:

Create a real server and add it to the server farm.

1.     Click Add, and select Create real server.

2.     Configure the parameters for the real server (see "Configure a real server").

3.     Click OK. The new real server appears in the real server list.

Select an existing real server.

1.     Click Add, and select Add existing real server.

2.     Select a real server from the list, and configure real server parameters (see "Configure a real server").

3.     Click OK. The real server appears in the real server list.

Probe method

Specify a probe template used by the server farm to detect the health and availability of its real servers. You can also configure this parameter for a single real server on the Real Servers page. The configuration performed on the Real Servers page takes precedence over that performed on the Server Farms page.

You can select an existing probe template or create a probe template.

To create a probe template:

1.     Click Add.

¡     Template name: Enter a name for the probe template.

¡     Use template's port number for detection: If you select this option, the destination port number specified in the template is used for detection. If you do not select this option, the real server's port number is used for detection.

2.     Click OK. The new probe template appears on the Health Monitoring page.

Description

Enter a description for the server farm.

 

Table 2 Advanced configuration items

Item

Description

Success criteria

Specify the health monitoring success criteria for the real server.

·     All probes succeed: Health monitoring succeeds only when all the specified health monitoring methods succeed.

·     At least n probes succeed: Health monitoring succeeds when a minimum of the specified number of health monitoring methods succeed. When the specified number of health monitoring methods is greater than the number of health monitoring methods on the device, health monitoring succeeds if all health monitoring methods succeed.

SNAT mode

Specify an SNAT mode for the server farm.

·     SNAT pool: Translates the source IP address into an IP address in the specified SNAT address pool.

·     Auto mapping: Translates the source IP address into the IP address of the interface connecting to the real servers.

·     TCP option: Translates the source IP address into the IP address carried in the TCP option field of packets.

If SNAT is not configured for a server farm, the server farm uses global SNAT policies for address translation.

SNAT pool name

Select an existing SNAT pool or create an SNAT pool for the server farm.

This parameter is supported only when the SNAT mode is SNAT pool.

NAT

Disable NAT for the server farm in indirect-mode NAT configuration, or enable NAT for the server farm in NAT-mode configuration.

RST packet monitoring

Select an existing RST probe template or create an RST probe template for the server farm.

Zero-window packet monitoring

Select an existing zero-window probe template or create a zero-window probe template for the server farm.

HTTP passive probe

Select an existing HTTP passive probe template or create an HTTP passive probe template for the server farm.

Custom monitoring

Select an existing custom probe template or create a custom probe template for the server farm.

Auto recovery

Enable or disable auto recovery. This function enables automatic recovery for real servers shut down by intelligent probe templates when the auto recovery timer expires.

If health monitoring is not configured, a real server is recovered to the unknown state.

If health monitoring is configured and succeeds, a real server is recovered to the available state. If health monitoring fails, a real server is recovered to the health-monitoring-failed state.

This function is available only when an HTTP passive, RST, or zero-window probe template is specified for a server farm.

Recovery time

Enter the auto recovery time. The value 0 means that real servers cannot automatically recover.

This parameter is available only when auto recovery is enabled.

Fault processing method

Specify the fault processing method for the real server.

·     Keep existing connections—Keeps the connection with the failed real server. Keeping or terminating the connection depends on the timeout mechanism of the protocol.

·     Redirect connections—Redirects the connection to another available real server in the server farm.

·     Terminate existing connections—Terminates the connection with the failed real server by sending RST packets (for TCP packets) or ICMP unreachable packets (for other types of packets).

Slow online

The real servers newly added to a server farm might not be able to immediately process large numbers of services assigned by the LB device. To resolve this issue, enable the slow online feature for the server farm. The feature uses the standby timer and ramp-up timer. When the real servers are brought online, the LB device does not assign any services to the real servers until the standby timer expires. When the standby timer expires, the ramp-up timer starts. During the ramp-up time, the LB device increases the service amount according to the processing capability of the real servers, until the ramp-up timer expires.

·     Standby time: The value range is 0 to 600 seconds.

·     Ramp-up time: The value range is 3 to 600 seconds.

Action upon busyness

Specify the action to take when the server farm is busy. A server farm is considered busy when all its real servers are busy. You can configure one of the following actions:

·     Schedule—Forcibly assigns client requests to all real servers in the server farm.

·     Queue and wait—Stops assigning client requests to a server farm and assigns new client requests to a wait queue.

¡     Queue length: New client requests will be dropped when the queue length exceeds the configured length.

¡     Timeout time: Client requests already in the queue will be aged out when the configured timeout time expires.

·     Render scheduling failed—Stops assigning client requests to a server farm. If the LB policy for the server farm contains the action of matching the next rule, the device compares client requests with the next rule. Otherwise, the device drops the client requests.

The device determines whether a real server is busy based on the following factors:

·     Maximum number of connections.

·     Maximum number of connections per second.

·     Maximum number of HTTP requests per second.

·     Maximum bandwidth, maximum inbound bandwidth, and maximum outbound bandwidth.

·     SNMP-DCA probe result.

Availability criteria

Set the criteria (lower percentage and upper percentage) to determine whether a server farm is available. This helps implement traffic switchover between the primary and backup server farms.

·     Lower percentage—When the ratio of available real servers to the total number of real servers in the primary server farm is smaller than the lower percentage, traffic is switched to the backup server farm.

·     Upper percentage—When the ratio of available real servers to the total number of real servers in the primary server farm is greater than the upper percentage, traffic is switched back to the primary server farm.

Action when all server farm members are unavailable

Specify an action to take when all server farm members are unavailable:

·     Drop.

·     Forward—Forwards requests to the most recently selected server farm member.

 

4.     Click OK. The new server farm appears on the Server Farm page.
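The following added example (not H3C code) models two settings from the tables above: priority scheduling with its lower and upper limits, and the availability criteria that switch traffic between the primary and backup server farms. The tie-breaking order, the one-at-a-time fill from lower priorities, and all names in the code are assumptions made for illustration.

```python
"""Model of priority scheduling and availability criteria (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RealServer:
    name: str
    priority: int          # greater value = higher priority
    available: bool = True


def schedulable(servers, min_n=None, max_n=None):
    """Return the real servers that take part in scheduling.

    Assumptions (not stated in the guide): only available servers count,
    ties are broken by name, and lower-priority servers are added one at
    a time in descending priority order.
    """
    up = sorted((s for s in servers if s.available),
                key=lambda s: (-s.priority, s.name))
    if not up:
        return []
    top = [s for s in up if s.priority == up[0].priority]
    if max_n is not None and len(top) > max_n:
        return top[:max_n]          # more top-priority servers than the maximum
    if min_n is not None and len(top) < min_n:
        return up[:min_n]           # fill from lower priorities, or take all
    return top                      # default: all highest-priority servers


class FarmSwitch:
    """Primary/backup selection with lower and upper percentages."""

    def __init__(self, lower_pct, upper_pct):
        if not 0 <= lower_pct <= upper_pct <= 100:
            raise ValueError("need 0 <= lower <= upper <= 100")
        self.lower, self.upper = lower_pct, upper_pct
        self.active = "primary"

    def update(self, available, total):
        """Feed the primary farm's current counts; return the farm in use."""
        if total <= 0:
            raise ValueError("primary server farm has no real servers")
        # Integer comparison of available/total against the percentages.
        if self.active == "primary" and available * 100 < self.lower * total:
            self.active = "backup"
        elif self.active == "backup" and available * 100 > self.upper * total:
            self.active = "primary"
        return self.active          # between the two limits: no change


# Constructed sample farm.
SAMPLE_FARM = [
    RealServer("rs-a", 10), RealServer("rs-b", 10), RealServer("rs-c", 10),
    RealServer("rs-d", 5), RealServer("rs-e", 5, available=False),
    RealServer("rs-f", 1),
]

if __name__ == "__main__":
    print([s.name for s in schedulable(SAMPLE_FARM, min_n=4)])
    switch = FarmSwitch(lower_pct=40, upper_pct=70)
    for up_count in (10, 3, 5, 7, 8, 5):
        print(up_count, "of 10 available ->", switch.update(up_count, 10))
```

The gap between the two percentages keeps traffic from flapping between farms when the number of available real servers hovers around a single threshold.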

Configure a real server

A real server is the entity on the LB device that processes user services. A real server can belong to multiple server farms. A server farm can have multiple real servers.

Procedure

1.     Select Policies > Load Balancing > Server Load Balancing > Real Servers.

2.     Click Create.

3.     Create a real server.

Table 3 Basic configuration items

Item

Description

Real server name

Enter a name for the real server, case insensitive.

IPv4 address

Specify an IPv4 address for the real server.

The IPv4 address cannot be a loopback address, multicast address, broadcast address, or an address in the format of 0.X.X.X.

IPv6 address

Specify an IPv6 address for the real server.

The IPv6 address cannot be a loopback address, multicast address, link-local address, or all-zero address.

Port number

Specify the port number for the real server. If the port number is 0, packets use their respective port numbers.

VPN instance

Specify a VPN instance for the real server.

VPN instance inheritance

Enable or disable VPN instance inheritance.

When VPN instance inheritance is enabled, a real server without a VPN instance specified inherits the VPN instance of its virtual server.

Probe logging

Enable or disable logging for health monitoring.

This feature logs health status changes of the real server.

Real server feature

Enable or disable the real server feature.

Description

Enter a description for the real server.

 

Table 4 Advanced configuration items

Item

Description

Weight

Enter the weight for the real server. For the weighted round robin algorithm and weighted least connections algorithm, a greater value means a higher priority to be selected.

Priority

Enter a priority for the real server in the server farm. A greater value means a higher priority to be selected.

If the number of real servers with the highest priority is smaller than the configured minimum number, real servers with lower priority are selected to meet the minimum number.

You can configure the maximum number and minimum number on the Server Farms page.

Server farm

Select an existing server farm or create a server farm for the real server.

Probe-Probe method

Specify a probe template used by the real server to detect its health and availability. You can also configure this parameter for a server farm on the Server Farms page. The configuration performed on the Real Servers page takes precedence over that performed on the Server Farms page.

You can select an existing probe template or create a probe template.

To create a probe template:

1.     Click Add.

¡     Template name: Enter a name for the probe template.

¡     Use template's port number for detection: If you select this option, the destination port number specified in the template is used for detection. If you do not select this option, the real server's port number is used for detection.

2.     Click OK. The new probe template appears on the Health Monitoring page.

Probe-Success criteria

Specify the health monitoring success criteria for the real server.

·     All probes succeed: Health monitoring succeeds only when all the specified health monitoring methods succeed.

·     At least n probes succeed: Health monitoring succeeds when a minimum of the specified number of health monitoring methods succeed. When the specified number of health monitoring methods is greater than the number of health monitoring methods on the device, health monitoring succeeds if all health monitoring methods succeed.

Custom monitoring

Select an existing custom probe template or create a custom probe template for the real server.

Variables

Configure a variable for a server farm member.

To configure a variable:

1.     Click Add.

¡     Name: Enter a variable name, case-sensitive.

¡     Value: Enter a variable value, case-sensitive.

2.     Click OK. The new variable appears in the Variables list.

This variable is used to rewrite the TCP payload in a general LB action. The specific content in the TCP payload will be replaced with the variable value associated with a server farm member. For example, if you configure a variable with name var1 and value _1 and configure an action of rewriting QMGR.S01 as QMGR.S01%[var1], the QMGR.S01 string in the TCP payload is rewritten as QMGR.S01_1.

QoS-Max connections

Specify the maximum number of connections for the real server. 0 means not limited.

QoS-Max connections per second

Specify the maximum number of connections per second for the real server. 0 means not limited.

QoS-HTTP requests per second

Specify the maximum number of HTTP requests per second for the real server. 0 means not limited.

QoS-Total max bandwidth

Specify the maximum bandwidth for the real server. 0 means not limited.

QoS-Max inbound bandwidth

Specify the maximum inbound bandwidth for the real server. 0 means not limited.

QoS-Max outbound bandwidth

Specify the maximum outbound bandwidth for the real server. 0 means not limited.

 

4.     Click OK. The new real server appears on the Real Server page.
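As an added example (not part of the H3C guide), the following script checks real server definitions against the address rules in Table 3 before they are entered on the device, and also reports name collisions and servers whose QoS limits are all 0. The dictionary keys and sample definitions are constructed for illustration.

```python
"""Pre-deployment check of real server definitions (added example)."""
import ipaddress

# Hypothetical key names for the six QoS items in Table 4.
QOS_FIELDS = (
    "max_connections", "max_connections_per_second",
    "http_requests_per_second", "max_bandwidth",
    "max_inbound_bandwidth", "max_outbound_bandwidth",
)


def address_problems(addr):
    """Return the Table 3 restrictions that the address violates."""
    ip = ipaddress.ip_address(addr)      # raises ValueError if not an IP
    problems = []
    if ip.is_loopback:
        problems.append("loopback address")
    if ip.is_multicast:
        problems.append("multicast address")
    if ip.version == 4:
        # Only the limited broadcast address can be checked without a mask.
        if ip == ipaddress.IPv4Address("255.255.255.255"):
            problems.append("broadcast address")
        if ip.packed[0] == 0:
            problems.append("0.X.X.X address")
    else:
        if ip.is_link_local:
            problems.append("link-local address")
        if ip.is_unspecified:
            problems.append("all-zero address")
    return problems


def lint_real_servers(definitions):
    """Return (server name, finding) tuples for a list of definitions."""
    findings, seen = [], {}
    for d in definitions:
        name = d["name"]
        key = name.lower()               # names are case insensitive
        if key in seen:
            findings.append((name, f"name collides with {seen[key]!r}"))
        else:
            seen[key] = name
        for family in ("ipv4", "ipv6"):
            if family not in d:
                continue
            try:
                problems = address_problems(d[family])
            except ValueError:
                problems = ["not an IP address"]
            for p in problems:
                findings.append((name, f"{family} {d[family]}: {p}"))
        if not 0 <= d.get("port", 0) <= 65535:
            findings.append((name, "port number out of range"))
        if all(d.get(f, 0) == 0 for f in QOS_FIELDS):
            findings.append((name, "all QoS limits are 0 (not limited)"))
    return findings


# Constructed sample definitions.
SAMPLE = [
    {"name": "web1", "ipv4": "192.0.2.10", "port": 80, "max_connections": 5000},
    {"name": "Web1", "ipv4": "127.0.0.1", "port": 80, "max_connections": 5000},
    {"name": "web2", "ipv6": "fe80::1", "port": 0},
]

if __name__ == "__main__":
    for server, finding in lint_real_servers(SAMPLE):
        print(f"{server}: {finding}")
```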

Configure a sticky group (optional)

A sticky group can be used by a virtual server or an action.

For more information about configuring a sticky group, see the help for load balancing common configuration.

Configure an LB policy (optional)

An LB policy associates a class with an action to guide packet forwarding. In an LB policy, you can configure an action for packets matching the specified class, and configure the default action for packets matching no class.

You can specify multiple classes for an LB policy. Packets match the classes in the order the classes are configured. If a class is matched, the specified action is taken. If no class is matched, the default action is taken.

An LB policy can be used by a virtual server.

Configure a class

1.     Select Policies > Load Balancing > Server Load Balancing > Advanced Policies > Class.

2.     Click Create.

3.     Create a class.

Table 5 Class configuration items

Item

Description

Class name

Enter a name for the class, case insensitive.

Type

Specify the type for the class.

·     Generic: Applies to Layer 4 server load balancing.

·     HTTP: Applies to Layer 7 server load balancing.

·     RADIUS: Applies to Layer 7 server load balancing.

·     MySQL: Applies to Layer 7 server load balancing.

Match type

Specify the match type for the class.

·     Match any: Requires matching any rule of the LB class.

·     Match all: Requires matching all rules of the LB class.

Match rule

A class classifies packets by comparing packets with specific rules. Matching packets are further processed by actions. You can create a maximum of 65535 rules for a class.

1.     Click Create to create a match rule.

¡     Rule ID: Specify the rule ID. Rules are matched in ascending order of rule IDs.

¡     Type: Specify the rule type. The rule types include source IPv4 address, source IPv6 address, class, IPv4 ACL, IPv6 ACL, cookie, HTTP header, method, URL, content, user, RADIUS attribute, input interface, HTTP version, ISP, TCP payload, and MySQL.

¡     IPv4 address: Specify an IPv4 address. This parameter is available only when the rule type is source IPv4 address.

¡     Mask length: Specify a mask length. This parameter is available only when the rule type is source IPv4 address.

¡     IPv6 address: Specify an IPv6 address. This parameter is available only when the rule type is source IPv6 address.

¡     Prefix length: Specify a prefix length. This parameter is available only when the rule type is source IPv6 address.

¡     Class: Specify a class. This parameter is available only when the rule type is class.

¡     ACL: Specify an ACL. You can select an existing ACL or create an ACL. This parameter is available only when the rule type is IPv4 ACL or IPv6 ACL.

¡     Cookie name: Specify the cookie name for HTTP packets. The cookie name is a case-sensitive string excluding spaces, horizontal tabs, ASCII characters smaller than or equal to 31, ASCII characters greater than or equal to 127, or the following characters: ( ) < > @ , ; : \ " / [ ] ? = { }. This parameter is available only when the rule type is cookie.

¡     Cookie value: Specify the cookie value regular expression. The string cannot contain question marks (?). This parameter is available only when the rule type is cookie.

¡     Header name: Specify the header name for HTTP packets. The header name is a case-insensitive string excluding spaces, horizontal tabs, ASCII characters smaller than or equal to 31, ASCII characters greater than or equal to 127, or the following characters: ( ) < > @ , ; : \ " / [ ] ? = { }. This parameter is available only when the rule type is HTTP header.

¡     Header value: Specify the header value regular expression. The string cannot contain question marks (?). This parameter is available only when the rule type is HTTP header.

¡     Extension type: The extension type can be Predefined or Custom. This parameter is available only when the rule type is method.

¡     Method: The predefined methods include GET, CONNECT, DELETE, HEAD, OPTIONS, POST, PUT, and TRACE. The custom method is a case-sensitive string excluding spaces, horizontal tabs, ASCII characters smaller than or equal to 31, ASCII characters greater than or equal to 127, or the following characters: ( ) < > @ , ; : \ " / [ ] ? = { }. This parameter is available only when the rule type is method.

¡     URL: Specify the URL regular expression. The string cannot contain question marks (?). This parameter is available only when the rule type is URL.

¡     Content offset: Specify the offset value of the HTTP entity based on the start of the HTTP packet. This parameter is available only when the rule type is content.

¡     Content value: Specify the HTTP entity regular expression. The string cannot contain question marks (?). This parameter is available only when the rule type is content.

¡     User: Select an existing user or user group in an identity domain, or create a user or user group. This parameter is available only when the rule type is user.

¡     Attribute type: Enter an attribute type value. This parameter is available only when the rule type is RADIUS attribute.

¡     Attribute value: Specify the RADIUS attribute regular expression. This parameter is available only when the rule type is RADIUS attribute.

¡     Input interface: Specify an input interface. This parameter is available only when the rule type is input interface.

¡     HTTP version: Specify an HTTP version. This parameter is available only when the rule type is HTTP version.

¡     ISP: Select an existing ISP, or create an ISP. This parameter is available only when the rule type is ISP.

¡     TCP payload: Enter a regular expression used to match TCP payloads. This parameter is available only when the rule type is TCP payload.

¡     Case insensitivity: Enable case insensitivity for matching. This parameter is available only when the rule type is TCP payload or MySQL.

¡     Negate the match rule: If this option is not selected, an LB action is taken when TCP packets match the regular expression. If this option is selected, an LB action is taken when TCP packets do not match the regular expression. This parameter is available only when the rule type is TCP payload or MySQL.

¡     Regular expression: Enter a regular expression used to match MySQL statements. This parameter is available only when the rule type is MySQL.

2.     Click OK.

Description

Enter a description for the class.

 

4.     Click OK. The new class appears on the Class page.
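The following added example (not H3C code) models how an LB policy walks its classes in configured order, how the Match any and Match all types combine rules, and how the character restrictions in Table 5 can be checked before a rule is entered. It assumes Python regular expression semantics with unanchored search, which may differ from the device's regex engine, and all class, action, and farm names are constructed.

```python
"""Model of LB class matching and policy order (added example)."""
import ipaddress
import re
from dataclasses import dataclass

FORBIDDEN = set('()<>@,;:\\"/[]?={}')


def valid_token(text):
    """Character rule for cookie names, header names, and custom methods."""
    return bool(text) and all(
        32 < ord(c) < 127 and c not in FORBIDDEN for c in text)


@dataclass
class Rule:
    rule_id: int
    kind: str            # "source-ipv4", "url", "header", or "method"
    value: str           # prefix (address/mask length), regex, or method
    name: str = ""       # header name when kind == "header"

    def __post_init__(self):
        if self.kind in ("url", "header") and "?" in self.value:
            raise ValueError("regular expression cannot contain '?'")
        if self.kind == "header" and not valid_token(self.name):
            raise ValueError("invalid header name")
        if self.kind == "method" and not valid_token(self.value):
            raise ValueError("invalid method")

    def matches(self, req):
        if self.kind == "source-ipv4":
            net = ipaddress.ip_network(self.value, strict=False)
            return ipaddress.ip_address(req["src"]) in net
        if self.kind == "method":
            return req["method"] == self.value       # case-sensitive
        if self.kind == "url":
            return re.search(self.value, req["url"]) is not None
        if self.kind == "header":                    # name is case-insensitive
            headers = {k.lower(): v for k, v in req["headers"].items()}
            got = headers.get(self.name.lower())
            return got is not None and re.search(self.value, got) is not None
        raise ValueError(f"unsupported rule type {self.kind!r}")


@dataclass
class LBClass:
    name: str
    match_all: bool      # True = Match all, False = Match any
    rules: list

    def matches(self, req):
        if not self.rules:
            return False                 # assumption: empty class matches nothing
        ordered = sorted(self.rules, key=lambda r: r.rule_id)
        results = (r.matches(req) for r in ordered)
        return all(results) if self.match_all else any(results)


def apply_policy(bindings, default_action, req):
    """bindings: (LBClass, action name) pairs in configured order."""
    for lb_class, action in bindings:
        if lb_class.matches(req):
            return action                # first matching class wins
    return default_action


# Constructed classes, policies, and request.
INTERNAL = LBClass("internal", False, [Rule(10, "source-ipv4", "10.0.0.0/8")])
ADMIN = LBClass("admin", True, [Rule(20, "url", "^/admin/"),
                                Rule(10, "source-ipv4", "10.0.0.0/8")])
API = LBClass("api", False, [Rule(10, "url", "^/api/"),
                             Rule(20, "header", "^2", name="X-Api-Version")])
ORDERED = [(ADMIN, "farm-admin"), (API, "farm-api"), (INTERNAL, "farm-general")]
SHADOWED = [(INTERNAL, "farm-general"), (ADMIN, "farm-admin"), (API, "farm-api")]
REQ_ADMIN = {"src": "10.1.2.3", "method": "GET", "url": "/admin/users",
             "headers": {"Host": "portal.example"}}

if __name__ == "__main__":
    print(apply_policy(ORDERED, "drop", REQ_ADMIN))    # specific class first
    print(apply_policy(SHADOWED, "drop", REQ_ADMIN))   # broad class shadows it
```

Because the first matching class decides the action, a broad class placed ahead of a narrower one sends the narrower class's traffic to the wrong server farm, so policy order is worth reviewing alongside the rules themselves.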

Configure an action

1.     Select Policies > Load Balancing > Server Load Balancing > Advanced Policies > Action.

2.     Click Create.

3.     Create an action.

Table 6 Basic configuration items

Item

Description

Action name

Enter a name for the action, case insensitive.

Type

Specify an action type.

·     Generic

·     HTTP

·     HTTP redirection

·     RADIUS

Forwarding mode

Specify a forwarding mode:

·     Load balance

·     Drop

·     Forward (supported by generic type and RADIUS type only)

·     Respond by using a file (supported by HTTP type only)

Uncompressed file

If the URL path in a client request matches the specified URL path, the device responds to the request by using an uncompressed file.

1.     Click Create to create an uncompressed response file.

¡     URL path: Specifies the URL path used to match HTTP requests, a case-sensitive string. The specified URL path must start with a forward slash (/).

¡     Uncompressed file: Specifies an uncompressed file by its absolute path plus a file name, which is case insensitive, for example, flash:/file.html. Only one uncompressed file can be used for a URL, and one uncompressed file can be used for multiple URLs.

2.     Click OK.

This parameter is available only when the forwarding mode is Respond by using a file.

Compressed file

If the URL path in a client request matches the specified working path plus a relative path in the zip file, the device responds to the request by using the file in the zip file. For example, if you configure the working path as /index and compressed file as flash:/za/zb/test.zip, and a relative path /css/col.css exists in test.zip, the matching URL is /index/css/col.css and the response file is col.css.

·     Working path: Specify a working path plus a relative path in the zip file to match the URL in HTTP requests, a case-sensitive string. The working path must start with a forward slash.

·     Compressed file: Specify a compressed file by its absolute path plus a file name, which is case insensitive. The file must be a zip file, for example, flash:/file.zip.

This parameter is available only when the forwarding mode is Respond by using a file.

Fallback action

Specify a fallback action.

·     Match next rule: Matches the next rule upon failure to find an available real server.

·     Respond by using another file: Responds to client requests with the specified default response file upon failure to find an available real server.

¡     Default response file: Specifies an uncompressed file by its absolute path plus a file name, which is case insensitive, for example, flash:/file.html.

·     Fin close: Sends FIN packets to close the TCP connection.

·     Rst close: Sends RST packets to close the TCP connection.

This parameter is available only when the forwarding mode is Load balance.

Action taken upon failure to find the response file

Specify an action taken upon failure to find the response file.

·     Match next rule: Matches the next rule upon failure to find a response file.

·     Respond by using a file: Responds to client requests with the specified default response file upon failure to find a response file.

¡     Default response file: Specifies an uncompressed file by its absolute path plus a file name, which is case insensitive, for example, flash:/file.html.

·     Fin close: Sends FIN packets to close the TCP connection.

·     Rst close: Sends RST packets to close the TCP connection.

This parameter is available only when the forwarding mode is Respond by using a file.

TCP connection close mode

Specify a TCP connection close mode.

·     By sending FIN: Sends FIN packets to close the TCP connection.

·     By sending RST: Sends RST packets to close the TCP connection.

This parameter is available only when the forwarding mode is Drop.

ToS

Set the ToS field value of IP packets sent to the server.

Description

Enter a description for the action.

Server farms-Primary server farm

Select an existing server farm or create a server farm as the primary server farm.

When the primary server farm is available (contains real servers), packets are forwarded through the primary server farm. When the primary server farm is not available, packets are forwarded through the backup server farm.

This parameter is available only when the forwarding mode is Load balance.

Server farms-Backup server farm

Select an existing server farm or create a server farm as the backup server farm.

This parameter is available only when the forwarding mode is Load balance.

Server farms-Sticky group

Select an existing sticky group or create a sticky group.

This parameter is available only when the forwarding mode is Load balance.

HTTP redirection configuration-Redirection URL

This setting redirects all HTTP request packets matching an action to the specified URL.

Specify a redirection URL, a case-sensitive string. You can also specify the question mark (?) or the following character strings as the redirection URL:

·     %h: Specifies the host name in the client request packet.

·     %p: Specifies the URL in the client request packet.

·     %%: Specifies the percentage sign (%).

This parameter is available only when the action type is HTTP redirection.

HTTP redirection configuration-Redirection mode

Specify a redirection mode.

·     Temporary

·     Permanent

This parameter is available only when the action type is HTTP redirection.

 

Table 7 Advanced configuration items (available only when the action type is HTTP and the forwarding mode is Load balance or Respond by using a file)

Item

Description

TCP payload rewrite

1.     Click Create.

¡     Direction: Specify the direction, which can be Both, Request, or Response.

¡     Content before rewrite: TCP message body to rewrite, a case-sensitive regular expression string.

¡     Content after rewrite: TCP message body after rewrite. You can also specify the following replacement strings:

¡     %[variable]—Replaces the specified value with the variable associated with the server farm member, where variable is the variable name.

¡     %[1-9]—Replaces the specified value with the content in the corresponding parentheses. For example, if you configure the content before rewrite as (Wel)(co)(me) and the content after rewrite as %2, the string Welcome is replaced with co, the content of the second pair of parentheses.

2.     Click OK.

This parameter is supported only in a generic LB action.

Only TCP virtual servers operating at Layer 7 support an LB policy containing the TCP payload rewrite configuration.

Insert X-Forwarded-For

Insert the X-Forwarded-For header.

Response content rewrite-Content before rewrite

Specify the HTTP packet content to be rewritten.

Response content rewrite-Content after rewrite

Specify the HTTP packet content after rewrite.

·     %is: Source IPv4 or IPv6 address.

·     %ps: Source port number.

·     %id: Destination IPv4 or IPv6 address.

·     %pd: Destination port number.

·     %%: Percentage sign (%).

·     %[1-9]: Header value enclosed in parentheses.

Header deletion

1.     Click Create.

¡     Direction: Specify the direction, which can be Both, Request, or Response.

¡     Header name: Specify the header name, which is case insensitive and can be predefined or customized. It cannot contain spaces, horizontal tabs, ASCII characters less than or equal to 31, ASCII characters greater than or equal to 127, or the following characters: ( ) < > @ , ; : \ " / [ ] ? = { }.

2.     Click OK.

Header insertion

1.     Click Create.

¡     Direction: Specify the direction of HTTP packets, which can be Both, Request, or Response.

¡     Header name: Specify the header name, which is case insensitive and can be predefined or customized. It cannot contain spaces, horizontal tabs, ASCII characters less than or equal to 31, ASCII characters greater than or equal to 127, or the following characters: ( ) < > @ , ; : \ " / [ ] ? = { }.

¡     Header value: Specify the header content to be inserted to the HTTP packet. The string cannot contain question marks (?). You can also specify the following replacement strings:

¡     %is: Source IP address in HTTP requests.

¡     %ps: Source port number in HTTP requests.

¡     %id: Destination IP address in HTTP requests.

¡     %pd: Destination port number in HTTP requests.

¡     %sps: Source port number in HTTP responses.

¡     %spd: Destination port number in HTTP responses.

¡     %sis: Source IP address in HTTP responses.

¡     %sid: Destination IP address in HTTP responses.

¡     %{x509v}: Certificate version.

¡     %{x509snum}: Certificate serial number.

¡     %{x509sigalgo}: Certificate signature algorithm.

¡     %{x509issuer}: Certificate issuer.

¡     %{x509before}: Certificate effective time.

¡     %{x509after}: Certificate expiration time.

¡     %{x509sub}: Certificate subject.

¡     %{x509spktype}: Public key type for the certificate subject.

¡     %{x509spk}: Public key for the certificate subject.

¡     %{x509spkRSA}: Length of the RSA public key for the certificate subject (available only for an RSA public key).

¡     %{x509hash}: MD5 hash value of the client certificate.

¡     %{dncn}: Issuee.

¡     %{dne}: Email.

¡     %{dno}: Company/Organization.

¡     %{dnou}: Department.

¡     %{dnc}: Country.

¡     %{dns}: State/Province.

¡     %{dnl}: City.

¡     Encoding method: Specify an encoding method for replacement strings, which can be Not encoded, URL, or Base64. URL encoding encodes only spaces and the following special characters in replacement strings ; / ? : @ & = + $ | { } , \ ^ [ ] ` < > # %. Base64 encoding encodes entire replacement strings.

2.     Click OK.

Header rewrite

1.     Click Create.

¡     Direction: Specify the direction of HTTP packets, which can be Both, Request, or Response.

¡     Header name: Specify the header name, which is case insensitive and can be predefined or customized. It cannot contain spaces, horizontal tabs, ASCII characters less than or equal to 31, ASCII characters greater than or equal to 127, or the following characters: ( ) < > @ , ; : \ " / [ ] ? = { }.

¡     Header value: Specify the header content after rewrite. The string cannot contain question marks (?). You can also specify the following replacement strings:

¡     %is: Source IP address in HTTP requests.

¡     %ps: Source port number in HTTP requests.

¡     %id: Destination IP address in HTTP requests.

¡     %pd: Destination port number in HTTP requests.

¡     %sps: Source port number in HTTP responses.

¡     %spd: Destination port number in HTTP responses.

¡     %sis: Source IP address in HTTP responses.

¡     %sid: Destination IP address in HTTP responses.

¡     %1-9: Specified string used for replacement. A maximum of nine items are supported.

¡     %{x509v}: Certificate version.

¡     %{x509snum}: Certificate serial number.

¡     %{x509sigalgo}: Certificate signature algorithm.

¡     %{x509issuer}: Certificate issuer.

¡     %{x509before}: Certificate effective time.

¡     %{x509after}: Certificate expiration time.

¡     %{x509sub}: Certificate subject.

¡     %{x509spktype}: Public key type for the certificate subject.

¡     %{x509spk}: Public key for the certificate subject.

¡     %{x509spkRSA}: Length of the RSA public key for the certificate subject (available only for an RSA public key).

¡     %{x509hash}: MD5 hash value of the client certificate.

¡     %{dncn}: Issuee.

¡     %{dne}: Email.

¡     %{dno}: Company/Organization.

¡     %{dnou}: Department.

¡     %{dnc}: Country.

¡     %{dns}: State/Province.

¡     %{dnl}: City.

¡     Encoding method: Specify an encoding method for replacement strings, which can be Not encoded, URL, or Base64. URL encoding encodes only spaces and the following special characters in replacement strings ; / ? : @ & = + $ | { } , \ ^ [ ] ` < > # %. Base64 encoding encodes entire replacement strings.

2.     Click OK.

URL rewrite

1.     Click Create.

¡     URL to be rewritten: The URL content cannot contain question marks (?).

¡     URL after rewrite: Specify the URL content after rewrite. You can also specify the following replacement strings:

¡     %is: Source IP address in HTTP requests.

¡     %ps: Source port number in HTTP requests.

¡     %id: Destination IP address in HTTP requests.

¡     %pd: Destination port number in HTTP requests.

¡     %sps: Source port number in HTTP responses.

¡     %spd: Destination port number in HTTP responses.

¡     %sis: Source IP address in HTTP responses.

¡     %sid: Destination IP address in HTTP responses.

¡     %1-9: Specified string used for replacement. A maximum of nine items are supported.

¡     %{x509v}: Certificate version.

¡     %{x509snum}: Certificate serial number.

¡     %{x509sigalgo}: Certificate signature algorithm.

¡     %{x509issuer}: Certificate issuer.

¡     %{x509before}: Certificate effective time.

¡     %{x509after}: Certificate expiration time.

¡     %{x509sub}: Certificate subject.

¡     %{x509spktype}: Public key type for the certificate subject.

¡     %{x509spk}: Public key for the certificate subject.

¡     %{x509spkRSA}: Length of the RSA public key for the certificate subject (available only for an RSA public key).

¡     %{x509hash}: MD5 hash value of the client certificate.

¡     %{dncn}: Issuee.

¡     %{dne}: Email.

¡     %{dno}: Company/Organization.

¡     %{dnou}: Department.

¡     %{dnc}: Country.

¡     %{dns}: State/Province.

¡     %{dnl}: City.

¡     Encoding method: Specify an encoding method for replacement strings, which can be Not encoded, URL, or Base64. URL encoding encodes only spaces and the following special characters in replacement strings ; / ? : @ & = + $ | { } , \ ^ [ ] ` < > # %. Base64 encoding encodes entire replacement strings.

2.     Click OK.

SSL security-SSL client policy

Select an existing SSL client policy or create an SSL client policy.

SSL security-SSL redirection URL list

1.     Click Create.

¡     URL: Specify the Location header URL regular expression.

¡     HTTP port: Specify the HTTP port number to be rewritten.

¡     SSL port: Specify the SSL port number after rewrite.

2.     Click OK.

 

4.     Click OK. The new action appears on the Action page.
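The replacement strings and encoding methods listed for header insertion, header rewrite, and URL rewrite can be modeled as follows. This is an added Python example, not H3C code: it covers only the strings listed for header insertion, and the function names, the constructed sample values, and the choice to leave unresolved strings unchanged are assumptions.

```python
import base64
import re

# Characters the guide lists for the URL encoding method, plus the space character.
URL_ENCODED_CHARS = set(" ;/?:@&=+$|{},\\^[]`<>#%")

# Replacement strings the guide lists for header insertion: %is, %ps, %id, %pd,
# %sps, %spd, %sis, %sid, and the %{...} certificate fields.
TOKEN_RE = re.compile(r"%(\{[A-Za-z0-9]+\}|sis|sid|sps|spd|is|id|ps|pd)")


def encode_replacement(value, method):
    """Encode one substituted value with the selected encoding method."""
    if method == "not-encoded":
        return value
    if method == "url":
        # Only the listed characters are percent-encoded; everything else,
        # including double quotes, passes through unchanged.
        return "".join(
            "%{:02X}".format(ord(ch)) if ch in URL_ENCODED_CHARS else ch
            for ch in value
        )
    if method == "base64":
        # Base64 covers the entire replacement string.
        return base64.b64encode(value.encode("utf-8")).decode("ascii")
    raise ValueError("unknown encoding method: " + method)


def expand_header_value(template, context, method="not-encoded"):
    """Expand replacement strings in a configured header value.

    The encoding applies to the substituted values only, not to the literal
    text around them. Assumption: a replacement string with no value in
    `context` is left as typed.
    """
    def substitute(match):
        token = match.group(0)
        if token not in context:
            return token
        return encode_replacement(str(context[token]), method)

    return TOKEN_RE.sub(substitute, template)


# Constructed sample values for one client connection (not from a real device).
SAMPLE_CONTEXT = {
    "%is": "203.0.113.7",
    "%ps": 51544,
    "%{x509sub}": "CN=alice smith, O=Example Corp",
    "%{dncn}": "alice smith",
    "%{dno}": 'Example "Corp"',
}

if __name__ == "__main__":
    for method in ("not-encoded", "url", "base64"):
        print(method, expand_header_value("subject=%{x509sub}", SAMPLE_CONTEXT, method))
```

A server that consumes such a header has to decode it with the same method that is configured on the LB device.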

Configure an LB policy

1.     Select Policies > Load Balancing > Server Load Balancing > Advanced Policies > Load Balancing Policy.

2.     Click Create.

3.     Create an LB policy.

Table 8 LB policy configuration items

Item

Description

Name

Enter a name for the LB policy, case insensitive.

Type

Specify the type for the LB policy.

·     Generic: Applies to Layer 4 server load balancing.

·     HTTP: Applies to Layer 7 server load balancing.

·     RADIUS: Applies to Layer 7 server load balancing.

·     MySQL: Applies to Layer 7 server load balancing.

Default action

Specify a generic action for a generic LB policy, or specify any type of action for an HTTP LB policy.

You can select an existing action or create an action.

Rule

Specify an action for packets matching the specified class.

1.     Click Create.

¡     Class: Select an existing class or create a class.

¡     Action: Select an existing action or create an action.

¡     Insert before: Inserts the target class before a class.

2.     Click OK.

Description

Enter a description for the LB policy.

 

4.     Click OK. The new LB policy appears on the Load Balancing Policy page.

Configure a connection limit policy (optional)

A connection limit policy limits the number of connections on the device. It helps prevent a large number of connections from consuming too many device system resources and server resources. In this way, internal network resources (hosts or servers) are protected, and device system resources can be used more appropriately.

A connection limit policy can have multiple rules. Each rule specifies a range of users and the limit to the user connections. A connection limit policy applies only to the user connections matching a rule. When the number of connections for a certain type reaches the upper limit, the device does not accept new connection requests of that type. It accepts new connection requests only when the number of connections drops below the lower limit.

The user ranges in the rules are set by using ACLs.

Procedure

1.     Select Policies > Load Balancing > Server Load Balancing > Advanced Policies > Connection Limit Policy.

2.     Click Create.

3.     Create a connection limit policy.

Table 9 Connection limit policy configuration items

Item

Description

Name

Enter a name for the connection limit policy, case insensitive.

Limit rule

Create a rule.

1.     Click Create.

¡     Rule ID: Specify an ID for the connection limit rule.

¡     Type: Specify a connection limit rule type, which can be IPv4 ACL or IPv6 ACL.

¡     ACL: Specify an ACL. You can select an existing ACL or create an ACL.

¡     Limit by: Select source IP address, destination IP address, or service. Source IP address limits user connections by source IP address. Destination IP address limits user connections by destination IP address. Service limits user connections by service. Services are classified by transport layer protocol and service port number.

¡     Connection limits-Upper limit: Specify the upper limit of connections. When the number of connections in a specified range or for a certain type reaches the upper limit, the device does not accept new connection requests.

¡     Connection limits-Lower limit: Specify the lower limit of connections. The lower limit must be equal to or smaller than the upper limit. The device accepts new connection requests only when the number of connections drops below the lower limit.

2.     Click OK.

Description

Enter a description for the connection limit policy.

 

4.     Click OK. The new connection limit policy appears on the Connection Limit Policy page.
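The upper and lower limits form a hysteresis: once the upper limit is reached, new connections stay blocked until the count drops below the lower limit. The following Python model is an added example, not H3C code; it assumes the connection already matched the rule's ACL, and the class, field, and function names and the sample events are constructed for illustration.

```python
from collections import defaultdict


class ConnectionLimitRule:
    """Model of one connection limit rule with upper/lower limits."""

    def __init__(self, limit_by, upper, lower):
        if lower > upper:
            raise ValueError("lower limit must be equal to or smaller than the upper limit")
        self.limit_by = limit_by          # "source", "destination", or "service"
        self.upper = upper
        self.lower = lower
        self.active = defaultdict(int)    # key -> current connection count
        self.blocked = set()              # keys that reached the upper limit

    def _key(self, conn):
        """Group connections the way the 'Limit by' setting describes."""
        if self.limit_by == "source":
            return conn["src"]
        if self.limit_by == "destination":
            return conn["dst"]
        # Services are classified by transport protocol and service port.
        return (conn["proto"], conn["dport"])

    def open(self, conn):
        """Return True if the new connection request is accepted."""
        key = self._key(conn)
        if key in self.blocked:
            if self.active[key] < self.lower:
                self.blocked.discard(key)   # dropped below the lower limit
            else:
                return False
        self.active[key] += 1
        if self.active[key] >= self.upper:
            self.blocked.add(key)           # upper limit reached
        return True

    def close(self, conn):
        key = self._key(conn)
        if self.active[key] > 0:
            self.active[key] -= 1


def replay(rule, events):
    """Apply (operation, connection) events; return the outcome of each open."""
    outcomes = []
    for operation, conn in events:
        if operation == "open":
            outcomes.append(rule.open(conn))
        else:
            rule.close(conn)
    return outcomes


# Constructed events: two clients connecting to the same HTTPS service.
A = {"src": "192.0.2.10", "dst": "198.51.100.1", "proto": "tcp", "dport": 443}
B = {"src": "192.0.2.20", "dst": "198.51.100.1", "proto": "tcp", "dport": 443}
SAMPLE_EVENTS = [
    ("open", A), ("open", A), ("open", A),   # third open reaches the upper limit
    ("open", A),                             # rejected
    ("open", B),                             # other source, counted separately
    ("close", A), ("open", A),               # count 2 is not below the lower limit
    ("close", A), ("open", A),               # count 1 is below it: accepted again
    ("open", A), ("open", A),                # limit reached again, then rejected
]

if __name__ == "__main__":
    print(replay(ConnectionLimitRule("source", upper=3, lower=2), SAMPLE_EVENTS))
```

With the same events and Limit by set to service, both clients share one counter, so the request from the second client is rejected as well.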

Configure a protection policy (optional)

A protection policy can prevent the LB device and internal servers from being attacked. In a protection policy, you can specify protection rules and protection actions. A protection rule defines the URLs to be protected and the protection period. A protection action is taken if the number of times a user accesses a protected URL exceeds the configured protection threshold during the protection period.

Procedure

1.     Select Policies > Load Balancing > Server Load Balancing > Advanced Policies > Protection Policy.

2.     Click Create.

3.     Create a protection policy.

Table 10 Protection policy configuration items

Item

Description

Name

Enter a name for the protection policy, case insensitive.

Type

Specify the type for the protection policy.

The device supports only the HTTP type.

Protection action

Select protection actions. A protection action is taken if the number of times a user accesses a protected URL exceeds the configured protection threshold. You can specify the following protection actions:

·     Warning—Generates a log message and sends it to the information center.

·     Drop—Drops requests.

·     Verify client—Returns a response carrying a cookie value to the client. If a subsequent request carries the returned cookie value, it passes the verification. If a subsequent request does not carry a cookie value or carries a different cookie value, it fails to pass the verification and is dropped. The device supports returning a cookie value by inserting an HTTP header or a JS script.

Protection rule

A protection policy can contain multiple protection rules. Each protection rule defines the URLs to be protected and the protection period. A protection action is taken if the number of times a user accesses a protected URL exceeds the configured protection threshold during the protection period. The device supports using source-IP-based and cookie-based criteria to determine whether requests belong to the same user. If you configure both a cookie-based request threshold and a source-IP-based request threshold, the protection action is taken when either threshold is exceeded.

1.     Click Create to create a protection rule.

¡     Rule ID: Specify the rule ID.

¡     Protected URL: Specify a regular expression to match URLs, a case-sensitive string. The regular expression cannot contain question marks (?).

¡     Statistics period: Set the protection period. If the number of times that a user accesses a protected URL exceeds the request threshold during the protection period, the protection action is taken.

¡     Source-IP-based threshold: Configure a source-IP-based request threshold.

¡     Cookie name: Specify an HTTP cookie by its name, a case-sensitive string. The cookie name cannot contain brackets ({ }, ( ), [ ], < >), at signs (@), commas (,), semicolons (;), colons (:), backslashes (\), quotation marks ("), slashes (/), question marks (?), equal signs (=), space characters (SP), or horizontal tabs (HT). Additionally, the cookie name cannot contain ASCII codes that are less than or equal to 31 or greater than or equal to 127.

¡     Cookie-based threshold: Configure a cookie-based protection threshold.

2.     Click OK.

Description

Enter a description for the protection policy.

 

4.     Click OK. The new protection policy appears on the Protection Policy page.
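When tuning the two thresholds of a protection rule, it helps to see how source-IP-based and cookie-based counting treat the same traffic. The following Python model is an added example, not H3C code; it assumes fixed statistics periods aligned to the timestamp, search-style regular expression matching, and time-ordered requests, and the names and sample requests are constructed.

```python
import re
from collections import defaultdict


class ProtectionRule:
    """Model of one protection rule: protected URL, statistics period, thresholds."""

    def __init__(self, protected_url, period, ip_threshold=None,
                 cookie_name=None, cookie_threshold=None):
        self.pattern = re.compile(protected_url)   # case-sensitive match
        self.period = period                       # statistics period in seconds
        self.ip_threshold = ip_threshold
        self.cookie_name = cookie_name
        self.cookie_threshold = cookie_threshold
        self.window = None                         # index of the current period
        self.counts = defaultdict(int)             # (criterion, user) -> requests

    def _cookie_value(self, cookie_header):
        """Return the value of the configured cookie, or None if absent."""
        for part in cookie_header.split(";"):
            name, sep, value = part.strip().partition("=")
            if sep and name == self.cookie_name:   # cookie name is case sensitive
                return value
        return None

    def check(self, ts, src_ip, url, cookie_header=""):
        """Count one request; return the criteria whose threshold it exceeds."""
        if not self.pattern.search(url):
            return []                              # URL is not protected
        window = int(ts // self.period)
        if window != self.window:                  # new period: restart counting
            self.window = window
            self.counts.clear()
        exceeded = []
        if self.ip_threshold is not None:
            self.counts[("ip", src_ip)] += 1
            if self.counts[("ip", src_ip)] > self.ip_threshold:
                exceeded.append("source-ip")
        if self.cookie_name is not None and self.cookie_threshold is not None:
            value = self._cookie_value(cookie_header)
            if value is not None:
                self.counts[("cookie", value)] += 1
                if self.counts[("cookie", value)] > self.cookie_threshold:
                    exceeded.append("cookie")
        # A non-empty list means the protection action applies: either
        # threshold being exceeded is sufficient.
        return exceeded


def evaluate(rule, requests):
    """Run time-ordered (ts, src_ip, url, cookie_header) requests through a rule."""
    return [rule.check(*request) for request in requests]


# Constructed requests: two users behind one NAT address, then a single user.
SAMPLE_REQUESTS = [
    (0, "198.51.100.10", "/login", "SESSION=a; theme=dark"),
    (1, "198.51.100.10", "/login", "SESSION=b"),
    (2, "198.51.100.10", "/login", "SESSION=a"),
    (3, "198.51.100.10", "/login", "SESSION=b"),
    (4, "198.51.100.10", "/login", "SESSION=a"),      # fifth request from the IP
    (5, "198.51.100.10", "/static/app.css", "SESSION=a"),
    (12, "198.51.100.10", "/login", "SESSION=a"),     # next statistics period
    (20, "203.0.113.5", "/login", "SESSION=z"),
    (21, "203.0.113.5", "/login", "SESSION=z"),
    (22, "203.0.113.5", "/login", "SESSION=z"),
    (23, "203.0.113.5", "/login", "SESSION=z"),       # fourth request with the cookie
]

if __name__ == "__main__":
    rule = ProtectionRule(r"^/login", period=10, ip_threshold=4,
                          cookie_name="SESSION", cookie_threshold=3)
    for request, result in zip(SAMPLE_REQUESTS, evaluate(rule, SAMPLE_REQUESTS)):
        print(request[0], request[1], request[2], result)
```

In the sample, the two users sharing one address exceed the source-IP-based threshold although neither exceeds the cookie-based one, which is the case to consider when clients sit behind NAT.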

Configure a parameter profile (optional)

You can configure advanced parameters through a parameter profile. The virtual server references the parameter profile to analyze, process, and optimize service traffic.

Procedure

1.     Select Policies > Load Balancing > Server Load Balancing > Parameter Profiles.

2.     Click Create.

3.     Create a parameter profile.

Table 11 Parameter profile configuration items

Item

Description

Parameter profile name

Enter a name for the parameter profile, case insensitive.

Type

Specify the type for the parameter profile.

·     IP: Applies to Layer 4 server load balancing. For more information about IP parameter configuration, see Table 12.

·     TCP: Applies to Layer 7 server load balancing. For more information about TCP parameter configuration, see Table 13.

·     HTTP: Applies to Layer 7 server load balancing. For more information about HTTP parameter configuration, see Table 14.

·     HTTP-Compression: Applies to Layer 7 server load balancing. For more information about HTTP compression parameter configuration, see Table 15.

·     HTTP-Statistics: Applies to Layer 7 server load balancing. For more information about HTTP statistics parameter configuration, see Table 16.

·     OneConnect: Applies to Layer 7 server load balancing. For more information about OneConnect parameter configuration, see Table 17.

·     TCP-Application: Applies to Layer 7 server load balancing. For more information about TCP application parameter configuration, see Table 18.

·     MySQL: Applies to Layer 7 server load balancing. For more information about MySQL application parameter configuration, see Table 19.

Description

Enter a description for the parameter profile.

 

Table 12 IP parameter configuration items

Item

Description

ToS sent to client

Set the ToS field value of IP packets sent to the client.

 

Table 13 TCP parameter configuration items

Item

Description

Option operation list

This feature enables the LB device to insert the client's actual IP address into the specified option in headers of TCP packets sent to the server or remove the specified option.

1.     To create an option operation, click Create.

¡     Insert: Inserts the client's actual IP address into the specified option in headers of TCP packets sent to the server.

¡     Remove: Removes the specified option from headers of TCP packets sent to the server.

¡     Option number: Number of the option to be operated.

¡     Encoding type: Select the binary or string encoding mode for the TCP option.

2.     Click OK. The new option operation appears in the Option operation list.

Max local window size

Configure the maximum local window size for TCP connections.

Action on MSS-exceeded packets

Specify the action to take on the segments that exceed the MSS in the HTTP requests sent by the client.

·     Permit: Allows the segments to exceed the MSS.

·     Drop: Discards the segments that exceed the MSS.

Idle timeout time

Specify the idle timeout time for TCP connections.

If no data is transmitted before the idle timeout time expires, the LB device disconnects the TCP connection with the client or server.

TCP MSS

Specify the MSS for the LB device.

TIME-WAIT timeout time

Set the TIME_WAIT state timeout time for TCP connections.

A TCP connection is released slowly after it is disconnected, because the TIME_WAIT timer of TCP is long. You can adjust the TIME_WAIT state timeout time.

This parameter takes effect only when the TCP parameter profile is used by an HTTP or HTTPS virtual server.

SYN timeout time

Set the SYN packet timeout time for TCP connections. If no SYN-ACK packet is received when the timer expires, the TCP connection is closed.

This parameter takes effect only when the TCP parameter profile is used by an HTTP or HTTPS virtual server.

Keepalive timeout time

Set the TCP keepalive packet sending interval for an idle TCP connection.

This parameter takes effect only when the TCP parameter profile is used by an HTTP or HTTPS virtual server.

Keepalive retransmission interval

Set the TCP keepalive packet retransmission interval.

This parameter takes effect only when the TCP parameter profile is used by an HTTP or HTTPS virtual server.

Keepalive retransmission times

Set the number of times that a TCP keepalive packet is retransmitted.

This parameter takes effect only when the TCP parameter profile is used by an HTTP or HTTPS virtual server.

FIN-WAIT-1 timeout time

Set the FIN-WAIT-1 state timeout timer for TCP connections.

This parameter takes effect only when the TCP parameter profile is used by an HTTP or HTTPS virtual server.

FIN-WAIT-2 timeout time

Set the FIN-WAIT-2 state timeout timer for TCP connections.

This parameter takes effect only when the TCP parameter profile is used by an HTTP or HTTPS virtual server.

TCP option number for SNAT

Specify the number of the TCP option used for SNAT.

The LB device translates the source IP address of packets into the IP address in the specified TCP option.

Encoding type

Select the binary or string encoding mode for the TCP option.

 

Table 14 HTTP parameter configuration items

Item

Description

Max header parse length

Set the maximum length of HTTP headers that can be parsed.

Max content parse length

Set the maximum length of the HTTP entities that can be parsed.

Max content length

Set the maximum content length of HTTP requests. If the content length of an HTTP request exceeds the maximum length, the device drops the HTTP request.

Secondary cookie delimiter

Specify the delimiter that separates secondary cookies in URLs, including ! " # ; < > ? [ \ ] ^ ` | : @ & $ + * ' ( ) , /.

Secondary cookie start delimiter

Specify the start delimiter for secondary cookies in URLs, including ! " # ; < > ? [ \ ] ^ ` |.

Cookie name

Specify the cookie to be encrypted by its name, a case-sensitive string.

Cookie encryption key

Specify a key in plaintext or ciphertext form.

Key

Specifies the key, a case-sensitive string.

Action on max-header-length exceeded packets

Specify the action to take on the HTTP requests when their packet headers exceed the maximum length.

·     Permit: Allows the HTTP requests to pass.

·     Drop: Discards the HTTP requests.

When the HTTP packet header length exceeds the processing capability of load balancing, the drop action applies.

Per-packet load balancing

Enable or disable per-packet load balancing for HTTP requests.

Connection reuse

Enable or disable connection reuse between the LB device and the server.

Connection reuse allows the LB device to establish connections to the server that can be reused by clients. Because multiple clients can use the same connection, the number of connections between the clients and the server is reduced.

Case sensitivity

Enable or disable case sensitivity for matching character strings. This setting affects the following content:

·     HTTP header value, HTTP cookie name and value, and URL for matching classes.

·     Header value, URL, and key value used for generating sticky entries for the HTTP header sticky method.

·     Cookie name and value and key value used for generating sticky entries for the cookie get sticky method.

Load balance each request

Enable or disable per-request load balancing for HTTP requests.

 

Table 15 HTTP compression parameter configuration items

Item

Description

Level

Set the compression level for response packets. A larger value indicates a lower compression speed and a higher compression ratio.

Preferred compression algorithm

Specify the preferred compression algorithm. If the client request supports the configured compression algorithm, the configured compression algorithm applies. If the client request does not support the configured compression algorithm, the compression algorithm contained in the request applies.

·     gzip: Specifies the GNU zip compression algorithm.

·     deflate: Specifies the Deflate compression algorithm.

Min content length

Set the minimum length of HTTP response content for compression. The value 0 indicates that the packet content is always compressed, regardless of the content length.

If an HTTP response packet contains the Content-Length header, the packet content is compressed only when its length reaches the minimum length of HTTP response content for compression. If the HTTP response packet does not contain the Content-Length header, the configuration does not take effect. The packet content is compressed regardless of its length.

Insert Vary header

Enable or disable insertion of the Vary header into HTTP responses.

Enabling this feature inserts the Vary header into HTTP responses and sets the header content to Accept-Encoding before sending them to the client. The setting takes effect regardless of whether the response packets contain the Vary header or whether the packets are compressed.

Compression for HTTP 1.0

Enable or disable compression for responses to HTTP 1.0 requests.

Delete Accept-Encoding header

Enable or disable deletion of the Accept-Encoding header from HTTP requests.

Enabling this feature enables the LB device to delete the Accept-Encoding header from the HTTP request before sending it to the server. If the response packet sent by the server matches the specified match rule, the LB device compresses the packet before sending it to the requesting client. If the HTTP request sent by the client does not contain the Accept-Encoding header, the LB device does not compress the response packet regardless of whether this feature is enabled.

Memory size

Specify the memory size in KB used for compression. The value can only be 1, 2, 4, 8, 16, 32, or 64.

Window size

Specify the window size in KB used for compression. The value can only be 1, 2, 4, 8, 16, or 32.

Filtering rule for compression

1.     Click Create.

¡     Rule ID: Specify the rule ID.

¡     Action: Specify permit to compress matching packets, or specify deny to not compress matching packets.

¡     Type: Specify URL to match URLs in packets, or specify content to match content types in the Content-Type header of packets.

¡     URL: Specify a regular expression for matching URLs, a case-sensitive string. The string cannot contain question marks (?). This parameter is available only for the URL type.

¡     Content-Type: Specify a regular expression for matching content types, a case-sensitive string. The string cannot contain question marks (?). This parameter is available only for the content type.

2.     Click OK.

 

Table 16 HTTP statistics parameter configuration items

Item

Description

Address object group

If HTTP packets match the specified URL and source IP address object group, they are counted based on the source IP address object group. If HTTP packets match the specified URL but do not match the specified source IP address object group, they are counted based on the source IP address.

You can specify a maximum of 1024 source IP address object groups in one HTTP statistics parameter profile.

HTTP statistics node list

1.     Click Create.

¡     Node name: Specify the statistics node name, case insensitive. You can configure a maximum of 256 statistics nodes in one HTTP statistics parameter profile.

¡     Description: Enter a description for the statistics node, case sensitive.

¡     Statistics rule list: List of URL match rules. You can configure a maximum of 256 URL match rules for one statistics node.

¡     ID: Specify the match rule ID.

¡     URL: Specify a URL regular expression. The string cannot contain question marks (?).

2.     Click OK.

 

Table 17 OneConnect parameter configuration items

Item

Description

Max reuse number

Set the maximum number of times that a TCP connection can be reused.

After connection reuse is enabled, a TCP connection is not disconnected until the maximum number of reuse times is reached. After the TCP connection is disconnected, new connection requests trigger establishment of a new TCP connection.

Idle timeout time

Set the idle timeout time for TCP connections between the LB device and servers.

The idle timeout time is the amount of time that a TCP connection can stay idle before it is disconnected. After the TCP connection is disconnected, new connection requests trigger establishment of a new TCP connection.

IPv4 mask length

Specify the IPv4 mask length for connection reuse.

This setting limits the network segment of clients that can reuse connections between the LB device and servers. If the client that initiates a connection request is in the same network segment as the idle TCP connection, the idle TCP connection is reused. If the client does not match this requirement, a new TCP connection is established.

IPv6 prefix length

Specify the IPv6 prefix length for connection reuse.

This setting limits the network segment of clients that can reuse connections between the LB device and servers. If the client that initiates a connection request is in the same network segment as the idle TCP connection, the idle TCP connection is reused. If the client does not match this requirement, a new TCP connection is established.

 

Table 18 TCP application parameter configuration items

Item

Description

TCP buffering period

Specify the buffering period for TCP payload matching.

TCP maximum buffering size

Specify the maximum buffering size.

The device stops buffering traffic when the maximum buffering size is reached.

TCP buffering end string

Configure the TCP buffering end string.

The device stops buffering traffic when it receives the buffering end string.

 

Table 19 MySQL parameter configuration items

Item

Description

Connection pool size

Specify the maximum number of TCP connections that can be stored in a connection pool.

After MySQL data transfer is completed, the TCP connection is stored in a connection pool instead of being closed. For a new connection request, the device selects an available connection from the connection pool before attempting to open a new connection.

Connection reuse

Enable or disable connection reuse.

This feature allows the LB device to establish connections to the server that can be reused by multiple clients.

This feature helps reduce the connections opened between clients and servers.

Max reuse number

Set the maximum number of times that a TCP connection can be reused.

After connection reuse is enabled, a TCP connection is not disconnected until the maximum number of reuse times is reached. After the TCP connection is disconnected, new connection requests trigger establishment of a new TCP connection.

Idle timeout time

Set the idle timeout time for TCP connections between the LB device and servers.

The idle timeout time is the amount of time that a TCP connection can stay idle before it is disconnected. After the TCP connection is disconnected, new connection requests trigger establishment of a new TCP connection.

IPv4 mask length

Specify the IPv4 mask length for connection reuse.

This setting limits the network segment of clients that can reuse connections between the LB device and servers. If a client that initiates a connection request is in the same network segment as the idle TCP connection, the client reuses the idle TCP connection. If the client does not match this requirement, a new TCP connection is established.

IPv6 prefix length

Specify the IPv6 prefix length for connection reuse.

This setting limits the network segment of clients that can reuse connections between the LB device and servers. If a client that initiates a connection request is in the same network segment as the idle TCP connection, the client reuses the idle TCP connection. If the client does not match this requirement, a new TCP connection is established.

 

4.     Click OK. The new parameter profile appears on the Parameter Profile page.

Configure an intelligent probe template (optional)

You can configure an HTTP passive, RST, zero-window, or custom intelligent probe template to monitor a single server farm member or all members in a server farm.

Procedure

1.     Select Policies > Load Balancing > Server Load Balancing > Probe Templates.

2.     Click Create.

3.     Create an intelligent probe template.

Table 20 Intelligent probe template configuration items

Item

Description

Probe template name

Enter a name for the probe template, case insensitive.

Type

Specify the type for the intelligent probe template:

·     RST: Monitors the number of RST packets sent by a real server. For information about configuring an RST probe template, see Table 21.

·     Zero-window: Monitors the number of zero-window packets sent by a real server. For information about configuring a zero-window probe template, see Table 21.

·     HTTP passive: Monitors the number of abnormal URLs in HTTP response packets. For information about configuring an HTTP passive probe template, see Table 22.

·     Custom: Monitors the state of real servers by using a custom script file. For information about configuring a custom probe template, see Table 23.

Description

Enter a description for the intelligent probe template.

 

Table 21 RST and zero-window probe template configuration items

Item

Description

Monitoring time

Specify the monitoring time. During the monitoring time, the system counts the number of RST packets or zero-window packets sent by each server farm member in a server farm if an RST or zero-window probe template is specified.

Threshold

Specify the maximum number of RST packets or zero-window packets a real server can send before an action is taken.

Action

Specify the action to take when the RST or zero-window packet threshold is reached.

·     Shut down: Shuts down a real server.

·     Set to busy: Places a real server in busy state. The system continues to probe the real server at the probe intervals. If the number of RST or zero-window packets sent does not reach the threshold during the probe interval, the real server is placed back in normal state. If the packet number reaches the threshold, the system probes the real server until the maximum number of probe times is reached. If the result of every probe reaches the threshold, the system automatically shuts down the real server.

A real server that is shut down due to packet threshold violation or exceeded probe times will be restored to normal state immediately when the intelligent probe template is deleted.

Probe interval

Specify the interval to probe the real server in busy state.

Probe times

Specify the maximum number of times for probing the real server in busy state. The value 0 means that the number of probe times is not limited.
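The following added example (not H3C code) models the Threshold, Action, Probe interval, and Probe times behavior described in Table 21 as a small state machine, so the effect of a template can be checked before it is applied. The class and function names and the sample counters are constructed for illustration, and the example assumes that "reaches the threshold" means a count greater than or equal to the threshold.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Sequence, Tuple


class State(Enum):
    NORMAL = "normal"
    BUSY = "busy"
    SHUTDOWN = "shutdown"


class Action(Enum):
    SHUT_DOWN = "Shut down"
    SET_TO_BUSY = "Set to busy"


@dataclass(frozen=True)
class ProbeTemplate:
    threshold: int    # Threshold: packets a real server can send before the action
    action: Action    # Action: Shut down or Set to busy
    probe_times: int  # Probe times: 0 means the number of probes is not limited


def trace_states(tpl: ProbeTemplate, monitored: int,
                 probes: Sequence[int]) -> List[State]:
    """Return the states a real server passes through.

    monitored: RST or zero-window packets counted during the monitoring time.
    probes:    packets counted in each successive probe interval while busy.
    """
    states = [State.NORMAL]
    if monitored < tpl.threshold:
        return states                      # threshold not reached, no action
    if tpl.action is Action.SHUT_DOWN:
        states.append(State.SHUTDOWN)
        return states
    states.append(State.BUSY)
    for attempt, count in enumerate(probes, start=1):
        if count < tpl.threshold:
            states.append(State.NORMAL)    # one probe below threshold restores it
            return states
        if tpl.probe_times and attempt >= tpl.probe_times:
            states.append(State.SHUTDOWN)  # every probe reached the threshold
            return states
    return states                          # still busy: no more probes observed


# Constructed sample counters (not device output):
# server name -> (count in monitoring time, counts per probe interval)
SAMPLE: Dict[str, Tuple[int, List[int]]] = {
    "rs-a": (40, []),
    "rs-b": (150, [120, 30]),
    "rs-c": (150, [120, 130, 110]),
}


def final_states(tpl: ProbeTemplate,
                 counters: Dict[str, Tuple[int, Sequence[int]]]) -> Dict[str, State]:
    """Final state of every server in the constructed counter set."""
    return {name: trace_states(tpl, monitored, probes)[-1]
            for name, (monitored, probes) in counters.items()}


if __name__ == "__main__":
    template = ProbeTemplate(threshold=100, action=Action.SET_TO_BUSY, probe_times=3)
    for name, state in final_states(template, SAMPLE).items():
        print(name, state.value)
```

With Probe times set to 0, a server that keeps reaching the threshold stays in busy state and is never shut down by the template.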

 

Table 22 HTTP passive probe template configuration items

Item

Description

Monitoring time

Specify the monitoring time. During the monitoring time, the system monitors the responses of matching HTTP requests if an HTTP passive probe template is specified.

Threshold

Specify the maximum number of abnormal URLs in HTTP response packets. If the number of abnormal URLs exceeds the maximum number, the real server is shut down.

Timeout time

Specify the timeout time for the HTTP passive probe template.

The device monitors the responses of HTTP requests with the specified URL. If the response time for an HTTP request exceeds the timeout time, a URL error is recorded.

URLs to check

Configure the URLs to check. The URLs cannot contain question marks (?).

If the device receives an HTTP request with any of the specified URLs, the device monitors the responses of the HTTP request.

A maximum of 10 URLs can be configured for an HTTP passive probe template.

Response status code

Configure the response status codes to check.

If an HTTP response contains any of the specified response status codes, a URL error is recorded.

A maximum of 10 response status codes can be configured for an HTTP passive probe template.

 

Table 23 Custom probe template configuration items

Item

Description

Monitoring time

Specify the monitoring interval. At the monitoring intervals, the system executes the specified script file.

Timeout time

Specify the timeout time for waiting for responses.

As a best practice, set the timeout time to a value smaller than the monitoring interval.

Script parameters

Configure script parameters.

When executing a script file, the device transfers the script parameters to the script file.

Multiple space-separated script parameters are supported.

Script file

Select and import a script file.

The device detects the state of real servers according to the detection contents in the script file.

The device supports only script files with the .py suffix.

Environment variable

Configure an environment variable.

You can specify the environment to execute the custom script file by configuring an environment variable.

 

4.     Click OK. The new intelligent probe template appears on the Probe Templates page.

Configure a global SNAT policy (optional)

A global SNAT policy is used to translate the source IP addresses of packets into the specified IP addresses. You can implement SNAT by configuring a global SNAT policy on the Global SNAT Policy page or by configuring SNAT on the Server Farm page. The SNAT configuration on the Server Farm page has higher priority. A server farm without SNAT configuration uses the global SNAT policy for address translation.

Procedure

1.     Select Policies > Load Balancing > Server Load Balancing > Global SNAT Policies.

2.     Click Create.

3.     Create a global SNAT policy.

Table 24 Global SNAT policy configuration items

Item

Description

Global SNAT policy name

Enter a name for the global SNAT policy, case insensitive.

SNAT mode

Select an SNAT mode.

·     SNAT pool: Translates the source IP address into an IP address in the specified SNAT address pool.

·     Auto mapping: Translates the source IP address into the IP address of the interface connecting to the real servers.

SNAT pool name

Select an existing SNAT pool or create an SNAT pool.

This parameter is supported only when the SNAT mode is SNAT pool.

VRF

Specify the VPN instance to which the global SNAT policy belongs.

Priority

Set the priority for the global SNAT policy.

You can configure multiple global SNAT policies with different priorities. They are matched in descending order of priority values.

Source IP address object group

Specify a source IP address object group for address translation. The device performs SNAT on only packets with a matching source IP address.

Destination IP address object group

Specify a destination IP address object group for address translation. The device performs SNAT on only packets with a matching destination IP address.

Service object group

Specify a service object group for address translation. The device performs SNAT on only packets with a matching service.

Policy status

Enable or disable the global SNAT policy.

Description

Enter a description for the global SNAT policy.

 

4.     Click OK. The new global SNAT policy appears on the Global SNAT Policy page.

Configure a virtual server

A virtual server is a virtual service provided by the LB device to determine whether to perform load balancing for packets received on the LB device. Only the packets that match a virtual server are load balanced.

The virtual server types supported by server load balancing include IP, TCP, UDP, SIP-TCP, SIP-UDP, HTTP, Performance (HTTP), HTTPS, HTTP redirection, RADIUS, and MySQL. Do not specify the same VSIP and port number for virtual servers of the UDP and SIP-UDP types; do not specify the same VSIP and port number for virtual servers of the TCP, SIP-TCP, HTTP, Performance (HTTP), HTTPS, HTTP redirection, RADIUS, and MySQL types. For the LB device to correctly process packets, do not configure the Performance (HTTP) virtual server and the TCP client verification feature at the same time. For more information about the TCP client verification feature, see the attack defense help by selecting Policies > Attack Defense > Protected IP Addresses.
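The following added example (not H3C code) audits a planned set of virtual servers against the restrictions in the paragraph above before they are entered in the Web interface. The VirtualServer record, the sample entries, and the tcp_client_verification flag are constructed for illustration. The example goes beyond an exact VSIP and port match by also flagging overlapping address ranges and port ranges, and it assumes that types other than IP, TCP, UDP, and RADIUS take a single port number.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple

# Type groups exactly as the paragraph above lists them.
UDP_GROUP = {"UDP", "SIP-UDP"}
TCP_GROUP = {"TCP", "SIP-TCP", "HTTP", "Performance (HTTP)", "HTTPS",
             "HTTP redirection", "RADIUS", "MySQL"}
# Types for which the guide allows a list of up to 32 port number items.
PORT_LIST_TYPES = {"IP", "TCP", "UDP", "RADIUS"}
ANY_PORT = (0, 65535)  # port number 0 indicates any port


@dataclass(frozen=True)
class VirtualServer:
    name: str
    vs_type: str
    address: str  # address/mask length, for example "192.0.2.10/32"
    ports: str    # for example "80" or "5,10,20-28"


def parse_ports(spec: str, vs_type: str) -> List[Tuple[int, int]]:
    """Parse a port field into inclusive (low, high) ranges."""
    items = [item.strip() for item in spec.split(",")]
    if len(items) > 32:
        raise ValueError("more than 32 port number items")
    if vs_type not in PORT_LIST_TYPES and (len(items) > 1 or "-" in spec):
        raise ValueError(f"{vs_type} takes a single port number")
    ranges = []
    for item in items:
        if item == "0":
            ranges.append(ANY_PORT)
            continue
        low, sep, high = item.partition("-")
        lo, hi = int(low), int(high) if sep else int(low)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port item {item!r}")
        ranges.append((lo, hi))
    return ranges


def group_of(vs_type: str) -> Optional[str]:
    if vs_type in UDP_GROUP:
        return "UDP/SIP-UDP"
    if vs_type in TCP_GROUP:
        return "TCP-based"
    return None  # the IP type appears in neither list


def audit(servers: List[VirtualServer],
          tcp_client_verification: bool = False) -> List[str]:
    findings = []
    seen = {}
    for vs in servers:
        key = vs.name.lower()  # virtual server names are case insensitive
        if key in seen:
            findings.append(f"name clash: {seen[key]} / {vs.name}")
        seen.setdefault(key, vs.name)
        if vs.vs_type == "Performance (HTTP)" and tcp_client_verification:
            findings.append(f"{vs.name}: Performance (HTTP) with TCP client verification")
    parsed = [(vs, ipaddress.ip_network(vs.address, strict=False),
               parse_ports(vs.ports, vs.vs_type)) for vs in servers]
    for (a, net_a, pa), (b, net_b, pb) in combinations(parsed, 2):
        group = group_of(a.vs_type)
        if group is None or group != group_of(b.vs_type):
            continue
        if net_a.version != net_b.version or not net_a.overlaps(net_b):
            continue
        if any(l1 <= h2 and l2 <= h1 for l1, h1 in pa for l2, h2 in pb):
            findings.append(f"VSIP/port conflict ({group}): {a.name} / {b.name}")
    return findings


# Constructed plan using documentation address ranges (not a real deployment).
SAMPLE = [
    VirtualServer("web-http", "HTTP", "192.0.2.10/32", "80"),
    VirtualServer("web-tcp", "TCP", "192.0.2.10/32", "443,80,8000-8010"),
    VirtualServer("dns-udp", "UDP", "192.0.2.10/32", "53"),
    VirtualServer("sip-udp", "SIP-UDP", "192.0.2.10/32", "5060"),
    VirtualServer("db", "MySQL", "2001:db8::10/128", "3306"),
    VirtualServer("Web-HTTP", "HTTPS", "192.0.2.11/32", "443"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```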

Procedure

1.     Select Policies > Load Balancing > Server Load Balancing > Virtual Servers.

2.     Click Create.

3.     Create a virtual server.

Table 25 Basic configuration items

Item

Description

Virtual server name

Enter a name for the virtual server, case insensitive.

Type

Specify the virtual server type, which can be IP, TCP, UDP, SIP-TCP, SIP-UDP, HTTP, Performance (HTTP), HTTPS, HTTP redirection, RADIUS, or MySQL.

IPv4 address

Configure an IPv4 address/mask length (0-32) for the virtual server.

IPv6 address

Configure an IPv6 address/prefix length (0-128) for the virtual server.

Port number

Configure the port number of the virtual server. 0 indicates any port.

For the IP, TCP, UDP, and RADIUS virtual server types, you can enter a comma-separated list of up to 32 port number items. Each item specifies a port number or a range of port numbers, for example, 5,10,20-28.

UDP per-packet load balancing

Enable or disable per-packet load balancing for UDP traffic for a virtual server.

When per-packet load balancing for UDP traffic is disabled, the LB device distributes traffic matching the virtual server according to application type. Traffic of the same application type is distributed to one real server. When per-packet load balancing for UDP traffic is enabled, the LB device distributes traffic matching the virtual server on a per-packet basis.

This parameter is supported only by virtual servers of the UDP type, SIP-UDP type, and RADIUS type.

SSL server policy

Specify an SSL server policy for a virtual server to encrypt traffic between the LB device (SSL server) and the SSL client.

You can select an existing SSL server policy or create an SSL server policy.

This parameter is supported only by virtual servers of the TCP and HTTPS types.

Redirection URL

Specify a redirection URL for the virtual server, case sensitive. The redirection feature redirects all request packets matching the virtual server to the URL.

You can also specify the question mark (?) or the following character strings as the redirection URL:

·     %h: Specifies the host name in the client request packet.

·     %p: Specifies the URL in the client request packet.

·     %%: Specifies the percentage sign (%).

This parameter is supported only by virtual servers of the HTTP redirection type.

Redirection mode

Specify a redirection mode for the virtual server.

·     Temporary

·     Permanent

This parameter is supported only by virtual servers of the HTTP redirection type.

Server farm

Select an existing server farm or create a server farm for the virtual server.

This parameter is not supported by virtual servers of the HTTP redirection type.

Sticky group of the server farm

Select an existing sticky group or create a sticky group as the primary sticky group for the server farm.

This parameter is not supported by virtual servers of the HTTP redirection type.

VRRP-group-associated interface

Specify the interface to be associated with the VRRP group.

If you configure this parameter, you must bind a VRRP group number to the virtual server.

VRRP group number

Specify the number of the VRRP group to be bound to the virtual server.

In dual-active mode of the high availability (HA) group, both devices back up each other and process services. If you do not bind a VRRP group number to the virtual server, both devices process services and use the SNAT address pool. If you bind a VRRP group number to the virtual server, only the primary device processes services and uses the SNAT address pool. For more information about the HA group, see its online help.

This setting applies only to virtual servers with IPv4 addresses.

You can configure this parameter only after you specify a VRRP-group-associated interface.

IPv6 VRRP-group-associated interface

Specify the interface to be associated with the IPv6 VRRP group.

If you configure this parameter, you must bind an IPv6 VRRP group number to the virtual server.

IPv6 VRRP group number

Specify the number of the IPv6 VRRP group to be bound to the virtual server.

In a dual-active HA network, both devices back up each other and process services. If you do not bind an IPv6 VRRP group number to the virtual server, both devices process services and use the SNAT address pool. If you bind an IPv6 VRRP group number to the virtual server, only the primary device processes services and uses the SNAT address pool. For more information about HA, see its online help.

This setting applies only to virtual servers with IPv6 addresses.

You can configure this parameter only after you specify an IPv6-VRRP-group-associated interface.

MySQL version

Specify the MySQL database version.

The LB device initiates authentication to clients on behalf of the MySQL server and sends database initialization packets of the specified MySQL version to clients.

Read/Write splitting

Enable or disable read/write splitting.

This feature allows read commands and write commands to be executed by the read server farm and write server farm, respectively.

This feature helps reduce the impact of concurrent read/write requests on database performance.

After this feature is enabled, you must configure both a read server farm and a write server farm.

Read server farm

Select an existing server farm or create a server farm as the read server farm for the virtual server.

This parameter is available only when read/write splitting is enabled.

Read sticky group

Select an existing sticky group or create a sticky group as the read sticky group for the virtual server.

This parameter is available only when read/write splitting is enabled.

Write server farm

Select an existing server farm or create a server farm as the write server farm for the virtual server.

This parameter is available only when read/write splitting is enabled.

Write sticky group

Select an existing sticky group or create a sticky group as the write sticky group for the virtual server.

This parameter is available only when read/write splitting is enabled.

Interfaces for sending gratuitous ARP/ND packets

Specify interfaces for sending gratuitous ARP packets and ND packets.

If the IP address of an interface connected to a client is in the same network segment as the virtual server IP address, you must perform the following tasks:

·     Specify the interface connected to the corresponding client as an interface for sending gratuitous ARP/ND packets.

·     Enable IP address advertisement.

Operation mode

Specify the operation mode of the virtual server:

·     Layer 4.

·     Layer 7.

This parameter is supported only by TCP virtual servers.

IP address advertisement

Enable or disable IP address advertisement for the virtual server.

After this feature is configured, the device advertises the IP address of the virtual server to OSPF for route calculation. When the service of a data center switches to another data center, the traffic to the virtual server can also be switched to that data center.

Redundancy group traffic distribution

Select an existing redundancy group or create a redundancy group. The traffic matching the virtual server is directed to the specified redundancy group.

If the redundancy group does not exist or contains no effective failover groups, this function does not take effect.

Support for this function depends on the device model.

Session extension information synchronization

Enable or disable session extension information synchronization for the virtual server.

This parameter is supported only by virtual servers of the IP, TCP, UDP, SIP-TCP, SIP-UDP, and RADIUS types.

Sticky entry synchronization

Enable or disable sticky entry synchronization for the virtual server.

The following configuration changes will cause the device to delete existing sticky entries and generate new ones based on subsequent traffic:

·     Disable sticky entry synchronization.

·     Change the sticky entry synchronization type.

This parameter is not supported by virtual servers of the HTTP redirection type.

Sticky entry synchronization type

Select the sticky entry synchronization type:

·     Intra-group synchronization—Synchronizes sticky entries to the device in the same failover group.

·     Global synchronization—Synchronizes sticky entries to devices in all failover groups.

This function is available only when sticky entry synchronization is enabled.

Virtual servers of the HTTP redirection type do not support this function.

Support for this function depends on the device model.

Virtual server feature

Enable or disable the virtual server.

After you configure a virtual server, you must enable the virtual server for it to work.

Fast log output

Configure the content to be output by using the fast log output feature.

Multiple semicolon-separated variables are supported. The device supports the following variables:

·     %{is}—Source IP address in HTTP requests.

·     %{ps}—Source port number in HTTP requests.

·     %{id}—Destination IP address in HTTP requests.

·     %{pd}—Destination port number in HTTP requests.

·     %{sis}—Source IP address in HTTP responses.

·     %{sps}—Source port number in HTTP responses.

·     %{sid}—Destination IP address in HTTP responses.

·     %{spd}—Destination port number in HTTP responses.

·     %{vsn}—Virtual server name.

·     %{sfn}—Server farm name.

·     %{reqtmstamp}—HTTP request timestamp.

·     %{uri}—HTTP URI.

·     %{ver}—HTTP version number.

·     %{args}—HTTP access parameters.

·     %{method}—HTTP request method.

·     %{xff}—IP address of XFF (X-Forwarded-For).

·     %{ctype}—Content-Type field in HTTP requests.

·     %{clen}—Content-Length field in HTTP requests.

·     %{ref}—Referer header field in HTTP requests.

·     %{ua}—User-Agent header field in HTTP requests.

·     %{host}—Host header field in HTTP requests.

·     %{path}—Path in HTTP requests.

·     %{reqsz}—HTTP request size in bytes.

·     %{reqtm}—HTTP request duration in milliseconds. The duration is from the time when the device receives an HTTP request to the time when the device receives the HTTP response.

·     %{rspclen}—Content-Type field in HTTP responses.

·     %{reqsz}—HTTP response size in bytes.

·     %{rsptm}—HTTP response duration in milliseconds. The duration is from the time when the device receives an HTTP response to the time when the device finishes sending out the HTTP response.

·     %{stscode}—HTTP response status code.

·     %{reqbsz}—Body size of HTTP requests, in bytes.

·     %{rspbsz}—Body size of HTTP responses received by the device from the server, in bytes.

·     %{rspsntbsz}—Body size of HTTP responses sent from the device to the client, in bytes.

·     %{cookie_cookie-name}—HTTP cookie name, case-sensitive. The cookie name cannot contain brackets ({ }, ( ), [ ], < >), at sign (@), comma (,), semicolon (;), colon (:), backslash (\), quotation mark ("), slash (/), question mark (?), equal sign (=), space character (SP), or horizontal tab (HT). Additionally, the cookie name cannot contain ASCII codes that are less than or equal to 31 or greater than or equal to 127. You can specify multiple cookies.

This parameter is supported only by HTTP and HTTPS virtual servers.

Description

Enter a description for the virtual server.

User list

Configure the user name and password used to log in to the MySQL server.

1.     Click Create to create a user.

¡     Username: Enter a username.

¡     Password: Enter a password.

2.     Click OK. The new user appears in the user list.

The device supports a maximum of 100 login users.

External link domain name rewrite

Enable or disable external link proxy.

The external link proxy feature enables an LB device to operate as an external link proxy to request IPv4 resources on behalf of IPv6 clients. This feature helps achieve smooth IPv4-to-IPv6 network transition.

When the LB device detects an external link in the HTTP response from the server, it returns a script file for rewriting the external link. The client executes the script file and adds the specified parameters to the domain name of the external link. The parameters include the URI, domain name suffix, and virtual server port number. Upon receiving a DNS request containing the modified domain name, the LB device will request the associated IPv4 resource on behalf of the IPv6 client.

The format of the domain name after rewrite is protocol type://original domain name+URI+domain name suffix+:virtual server port number. The protocol type can be HTTP or HTTPS.

Suppose the protocol type is HTTP, domain name of the original external link is www.aaa.com, URI is proxy, domain name suffix is bbb.com, and virtual server port number is 8080. The external link domain name after rewrite is http://www.aaa.com.proxy.bbb.com:8080.

URI

Specify the URI for rewriting domain names of external links. The URI is a case-insensitive string that can contain only letters, digits, hyphens (-), and underscores (_).

Upon receiving a response from the IPv6 site server, the LB device rewrites the IPv4 external link in the response by adding the specified parameters to the associated domain name. The parameters include the URI, domain name suffix, and virtual server port number. Suppose the domain name of the original external link is http://www.aaa.com, URI is proxy, domain name suffix is bbb.com, and virtual server port number is 8080. The external link domain name after rewrite is http://www.aaa.com.proxy.bbb.com:8080. Upon receiving a DNS request containing this modified domain name, the LB device performs the following operations:

1.     Extracts the original domain name.

2.     Requests the associated IPv4 resource on behalf of the IPv6 client.

3.     Returns the obtained IPv4 resource to the IPv6 client.

Domain name suffix

Specify the domain name suffix for rewriting domain names of external links.

The domain name suffix is a case-insensitive, dot-separated string. Each dot-separated label in the domain name can contain a maximum of 63 characters. The domain name can contain letters, digits, hyphens (-), underscores (_), and dots (.).

SNAT address pool

Specify a SNAT address pool for external link proxy.

To request an IPv4 resource as an external link proxy, the LB device will choose an IP address from the specified SNAT pool. The LB device uses this IP address as the client IP address to initiate a request on behalf of the IPv6 client.

If you do not specify a SNAT address pool, the LB device uses the IP address of the output interface to the server as the client IP address.

SNAT address pool

Specify a SNAT address pool for external link proxy.

To request an IPv4 resource as an external link proxy, the LB device will choose an IP address from the specified SNAT pool. The LB device uses this IP address as the client IP address to initiate a request on behalf of the IPv6 client.

If you configure a traffic distribution mode, you must specify a SNAT address pool. If you disable traffic distribution, you can choose to specify or not specify a SNAT address pool.

If you do not specify a SNAT address pool, the LB device uses the IP address of the output interface to the server as the client IP address.

Allowlists

Add a domain name to the allowlist for external link proxy.

1.     Enter a domain name, a case-insensitive, dot-separated string. Each dot-separated label in the domain name can contain a maximum of 63 characters. The domain name can contain letters, digits, hyphens (-), underscores (_), and dots (.).

2.     Click Add. The domain name appears in the Allowlists.

The LB device does not rewrite the external links containing any domain names in the allowlist.
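The following added example (not H3C code) reproduces the external link domain name rewrite described above, together with the reverse step of extracting the original domain name, and applies the character and label-length rules stated for the URI, domain name suffix, and allowlist entries. The function names are constructed for illustration. The example assumes that an allowlist entry matches when it equals the link's domain name and that the same label rules apply to the original domain name.

```python
import re
from typing import Iterable, Optional

# Labels: letters, digits, hyphens, underscores, at most 63 characters each.
_LABEL = re.compile(r"[A-Za-z0-9_-]{1,63}")
# URI: letters, digits, hyphens, and underscores only (no dots).
_URI = re.compile(r"[A-Za-z0-9_-]+")


def check_domain(name: str) -> str:
    """Validate a dot-separated domain name and return it lowercased."""
    for label in name.split("."):
        if not _LABEL.fullmatch(label):
            raise ValueError(f"invalid label {label!r} in {name!r}")
    return name.lower()


def check_uri(uri: str) -> str:
    """Validate the rewrite URI and return it lowercased (case insensitive)."""
    if not _URI.fullmatch(uri):
        raise ValueError(f"invalid URI {uri!r}")
    return uri.lower()


def rewrite(scheme: str, domain: str, uri: str, suffix: str, port: int,
            allowlist: Iterable[str] = ()) -> str:
    """Return the external link domain name after rewrite.

    Allowlisted domain names are returned unchanged.
    """
    scheme = scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError("protocol type must be HTTP or HTTPS")
    if not 1 <= port <= 65535:
        raise ValueError("virtual server port number out of range")
    domain = check_domain(domain)
    if domain in {check_domain(entry) for entry in allowlist}:
        return f"{scheme}://{domain}"
    return f"{scheme}://{domain}.{check_uri(uri)}.{check_domain(suffix)}:{port}"


def original_domain(host: str, uri: str, suffix: str) -> Optional[str]:
    """Extract the original domain name from a rewritten host name.

    Returns None when the host does not carry the configured URI and suffix,
    or when nothing valid remains in front of them.
    """
    tail = f".{check_uri(uri)}.{check_domain(suffix)}"
    host = host.lower().rstrip(".")
    if not host.endswith(tail):
        return None
    try:
        return check_domain(host[: -len(tail)])
    except ValueError:
        return None


if __name__ == "__main__":
    # Values from the guide's own example.
    print(rewrite("http", "www.aaa.com", "proxy", "bbb.com", 8080))
    print(original_domain("www.aaa.com.proxy.bbb.com", "proxy", "bbb.com"))
```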

 

Table 26 Advanced configuration items

Item

Description

Scheduling resources-Backup server farm

Specify the backup server farm for the virtual server.

When the primary server farm is available (contains real servers), the virtual server forwards packets through the primary server farm. When the primary server farm is not available, the virtual server forwards packets through the backup server farm.

You can select an existing server farm or create a server farm.

Scheduling resources-Backup sticky group of the server farm

Specify the backup sticky group for the server farm.

If you specify both a primary sticky group and a backup sticky group, the device generates both primary sticky entries and backup sticky entries. If packets do not match primary sticky entries, backup sticky entries are used to match the packets.

This parameter is supported only by virtual servers of the HTTP, HTTPS, and RADIUS types.

Scheduling resources-Load balancing policy

Specify an LB policy for the virtual server.

By using an LB policy, the virtual server implements load balancing for matching packets based on the packet contents.

You can select an existing LB policy or create an LB policy.

A virtual server can use the policy template of the specified type. For example, a virtual server of the Performance (HTTP) or HTTP type can use a policy template of the generic type or HTTP type. A virtual server of the IP, TCP, UDP, SIP-TCP, or SIP-UDP type can use a policy template of the generic type only. A virtual server of the RADIUS type can use a policy template of the generic or RADIUS type only.

Scheduling resources-Connection limit policy

Specify a connection limit policy for the virtual server to limit the number of connections on the virtual server.

You can select an existing connection limit policy or create a connection limit policy.

Scheduling resources-SSL client policy

Specify an SSL client policy for the virtual server to encrypt traffic between the LB device (SSL client) and the SSL server.

You can select an existing SSL client policy or create an SSL client policy.

This parameter is supported only by virtual servers of the HTTPS type.

Scheduling resources-SSL server policy with SNI

Configure an SSL server policy with an SNI for the virtual server.

1.     Click Add to create an SSL server policy with an SNI.

¡     Policy name: Enter a policy name, case insensitive.

¡     Server name indication (SNI): Enter an SNI, case insensitive.

2.     Click OK. The new SSL server policy appears in the policy list.

If you configured both an SSL server policy without an SNI and an SSL server policy with an SNI, the SSL server policy without an SNI takes effect.

You cannot configure multiple SSL server policies with the same SNI for a virtual server.

This parameter is supported only by virtual servers of the HTTPS type.

Scheduling resources-Cookie sticky group

Specify a cookie sticky group for the virtual server.

You can also specify sticky groups to be associated with server farms on the Create Virtual Server page or Create Action page. The cookie sticky group specified for the virtual server has the highest priority. It is preferentially used to generate sticky entries.

Only cookie sticky groups can be specified for this parameter.

Scheduling resources-VPN instance

Specify a VPN instance for the virtual server.

You can select an existing VPN instance or create a VPN instance.

Protection policy-HTTP protection policy

Specify an HTTP protection policy for the virtual server to guard against attack traffic matching the protection policy.

You can select an existing HTTP protection policy or create an HTTP protection policy.

Parameter profile-IP parameter profile

Specify an IP parameter profile for the virtual server to process matching traffic based on the parameter profile.

You can select an existing IP parameter profile or create an IP parameter profile.

Parameter profile-TCP parameter profile (client side)

Specify a TCP parameter profile for the virtual server to process matching traffic based on the parameter profile. A TCP parameter profile (client) used by the virtual server processes and optimizes TCP connections between the device and the client.

You can select an existing TCP parameter profile or create a TCP parameter profile.

This parameter is supported only by virtual servers of the TCP, Performance (HTTP), HTTP, HTTPS, or MySQL type.

Parameter profile-TCP parameter profile (server side)

Specify a TCP parameter profile for the virtual server to process matching traffic based on the parameter profile. A TCP parameter profile (server) used by the virtual server processes and optimizes TCP connections between the device and the server.

You can select an existing TCP parameter profile or create a TCP parameter profile.

This parameter is supported only by virtual servers of the TCP, Performance (HTTP), HTTP, HTTPS, or MySQL type.

Parameter profile-TCP-application parameter profile

Specify a TCP-application parameter profile for the virtual server to process matching traffic based on the parameter profile.

You can select an existing TCP-application parameter profile or create a TCP-application parameter profile.

This parameter is supported only by TCP virtual servers operating at Layer 7.

Parameter profile-HTTP parameter profile

Specify an HTTP parameter profile for the virtual server to process matching traffic based on the parameter profile.

You can select an existing HTTP parameter profile or create an HTTP parameter profile.

This parameter is supported only by virtual servers of the Performance (HTTP), HTTP, or HTTPS type.

Parameter profile-HTTP statistics parameter profile

Specify an HTTP statistics parameter profile for the virtual server to process matching traffic based on the parameter profile.

You can select an existing HTTP statistics parameter profile or create an HTTP statistics parameter profile.

This parameter is supported only by virtual servers of the HTTP type.

OneConnect parameter profile

Specify a OneConnect parameter profile for the virtual server to process matching traffic based on the parameter profile.

You can select an existing OneConnect parameter profile or create a OneConnect parameter profile.

This parameter is supported only by virtual servers of the HTTP or HTTPS type.

MySQL parameter profile

Specify a MySQL parameter profile for the virtual server to process matching traffic based on the parameter profile.

You can select an existing MySQL parameter profile or create a MySQL parameter profile.

This parameter is supported only by virtual servers of the MySQL type.

QoS-Maximum connections

Specify the maximum number of connections for the virtual server. A value of 0 means no limit.

QoS-Maximum connections per second

Specify the maximum number of connections per second for the virtual server. A value of 0 means no limit.

QoS-Maximum bandwidth

Specify the maximum bandwidth for the virtual server. A value of 0 means no limit.

QoS-Maximum inbound bandwidth

Specify the maximum inbound bandwidth for the virtual server. A value of 0 means no limit.

QoS-Maximum outbound bandwidth

Specify the maximum outbound bandwidth for the virtual server. A value of 0 means no limit.

Content security-Content security function

Enable or disable content security.

Content security-WAF profile

Specify a WAF profile to be used for Web application protection of traffic matching the virtual server.

For more information about WAF profiles, see the WAF online help.

Content security-IPS profile

Specify the IPS profile to be used for intrusion protection of traffic matching the virtual server.

For more information about IPS profiles, see the IPS online help.

Content security-Anti-virus profile

Specify the anti-virus profile to be used for anti-virus protection of traffic matching the virtual server.

For more information about anti-virus profiles, see the anti-virus online help.

 

4.     Click OK. The new virtual server appears on the Virtual Server page.
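A pre-change review check for the settings listed above, as an added example that is not H3C code: it encodes the per-type support rules for parameter profiles, reports every QoS limit left at 0 (unlimited), and reports the content security state. The dictionary keys, the sample virtual server, and the treatment of a missing QoS key as 0 are assumptions made for this sketch, not a device export format.

```python
# Added example: keys and sample values are constructed, not an H3C export format.
TCP_TYPES = {"TCP", "Performance (HTTP)", "HTTP", "HTTPS", "MySQL"}
# Virtual server types that support each parameter profile, per the table above.
PROFILE_SUPPORT = {
    "tcp_client": TCP_TYPES,
    "tcp_server": TCP_TYPES,
    "tcp_application": {"TCP"},  # additionally requires Layer 7 operation
    "http": {"Performance (HTTP)", "HTTP", "HTTPS"},
    "http_statistics": {"HTTP"},
    "oneconnect": {"HTTP", "HTTPS"},
    "mysql": {"MySQL"},
}
QOS_FIELDS = ("max_connections", "max_connections_per_second", "max_bandwidth",
              "max_inbound_bandwidth", "max_outbound_bandwidth")
SECURITY_PROFILES = ("waf_profile", "ips_profile", "antivirus_profile")

def lint_virtual_server(vs):
    """Return review findings for one planned virtual server (a dict)."""
    findings = []
    for name in vs.get("profiles", {}):
        allowed = PROFILE_SUPPORT.get(name)
        if allowed is None:
            findings.append(f"unknown-profile:{name}")
        elif vs["type"] not in allowed:
            findings.append(f"unsupported-profile:{name}")
        elif name == "tcp_application" and vs.get("layer") != 7:
            findings.append(f"unsupported-profile:{name}")
    for field in QOS_FIELDS:
        if vs.get(field, 0) == 0:  # 0 means no limit; missing key assumed 0
            findings.append(f"unlimited:{field}")
    if not vs.get("content_security"):
        findings.append("content-security-disabled")
    else:
        findings += [f"no-{p}" for p in SECURITY_PROFILES if not vs.get(p)]
    return findings

# Constructed sample: an HTTPS virtual server with one mismatched profile.
SAMPLE = {
    "name": "vs-web", "type": "HTTPS",
    "profiles": {"tcp_client": "tcp-c1", "http": "http-p1",
                 "http_statistics": "stat1"},
    "max_connections": 50000, "max_connections_per_second": 0,
    "content_security": True, "waf_profile": "waf-default",
}

if __name__ == "__main__":
    for finding in lint_virtual_server(SAMPLE):
        print(f"{SAMPLE['name']}: {finding}")
```
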

 

 
