conf/settings.cfg

The conf/settings.cfg file contains general global settings that are used across a cluster. These settings are managed under the System > Global Settings section of the Admin Server UI or by using functions under the GlobalSettings section of the SOAP API and CLI.
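The following Python script is an added example, not part of the product documentation or its tooling. It audits the text of a settings.cfg for weak values of some security-relevant keys documented on this page. It assumes that each setting is a single "key<whitespace>value" line, that lines starting with # are comments, and that a key missing from the file takes the default listed on this page. The sample input is constructed.

```python
"""Audit settings.cfg text for weak security-relevant values (added example)."""

# Defaults copied from this page. Assumption: a key that is absent from the
# file takes its documented default.
DEFAULTS = {
    "admin!honor_fallback_scsv": "Yes",
    "admin!support_ssl3": "No",
    "admin!support_tls1": "Yes",
    "admin!support_tls1_1": "Yes",
    "admin!ssl3_diffie_hellman_key_length": "2048",
    "admin!ssl3_allow_rehandshake": "rfc5746",
    "ssl!allow_rehandshake": "safe",
    "controlallow": "all",
    "log_export!enabled": "No",
    "log_export!tls_verify": "Yes",
    "max_login_attempts": "0",
    "min_password_length": "0",
}


def parse_settings(text):
    """Return {key: value}. Assumed format: 'key<whitespace>value' per line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumed comment syntax
            continue
        parts = line.split(None, 1)  # values may themselves contain spaces
        settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def is_yes(value):
    return value.strip().lower() == "yes"


# (key, predicate(value, all_settings) -> True when weak, reason)
CHECKS = [
    ("admin!honor_fallback_scsv", lambda v, s: not is_yes(v),
     "Fallback SCSV downgrade protection is off"),
    ("admin!support_ssl3", lambda v, s: is_yes(v),
     "SSL3 is enabled for admin and internal connections"),
    ("admin!support_tls1", lambda v, s: is_yes(v),
     "TLS 1.0 is enabled (deprecated by RFC 8996)"),
    ("admin!support_tls1_1", lambda v, s: is_yes(v),
     "TLS 1.1 is enabled (deprecated by RFC 8996)"),
    ("admin!ssl3_diffie_hellman_key_length", lambda v, s: v.strip() == "1024",
     "1024-bit Diffie-Hellman keys are too short"),
    ("admin!ssl3_allow_rehandshake", lambda v, s: v.strip() == "always",
     "unrestricted re-handshakes on admin connections"),
    ("ssl!allow_rehandshake", lambda v, s: v.strip() == "always",
     "unrestricted re-handshakes can expose services to MITM"),
    ("controlallow", lambda v, s: v.strip().lower() == "all",
     "any host may contact the internal administration port"),
    # Certificate verification only matters when log export is switched on.
    ("log_export!tls_verify",
     lambda v, s: is_yes(s["log_export!enabled"]) and not is_yes(v),
     "log export endpoint certificate is not verified"),
    ("max_login_attempts", lambda v, s: v.strip() == "0",
     "account suspension after failed logins is disabled"),
    ("min_password_length", lambda v, s: v.strip() == "0",
     "no minimum password length is enforced"),
]


def audit(text):
    """Return a list of (key, effective_value, reason) findings."""
    effective = dict(DEFAULTS)
    effective.update(parse_settings(text))
    findings = []
    for key, is_weak, reason in CHECKS:
        value = effective[key]
        if is_weak(value, effective):
            findings.append((key, value, reason))
    return findings


# Constructed sample, not taken from a real system.
SAMPLE = """\
# constructed sample settings.cfg
admin!support_ssl3\tYes
admin!ssl3_diffie_hellman_key_length\t1024
controlallow\t10.0.0.0/24 localhost
max_login_attempts\t5
log_export!enabled\tYes
log_export!tls_verify\tNo
ssl!allow_rehandshake\talways
"""

if __name__ == "__main__":
    for key, value, reason in audit(SAMPLE):
        print(f"{key} = {value!r}: {reason}")
```

Running audit("") shows which findings come from the documented defaults alone.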

Key

Description

admin!honor_fallback_scsv

Whether or not the admin server, the internal control port and the config daemon honor the Fallback SCSV to protect connections against downgrade attacks.

Value type: Yes / No

Default value: "Yes"

admin!insert_extra_fragment

Whether or not admin server SSL3 and TLS1 use one-byte fragments as a BEAST countermeasure for admin server and internal connections.

Value type: Yes / No

Default value: "No"

admin!ssl3_allow_rehandshake

Whether or not SSL3/TLS re-handshakes should be supported for admin server and internal connections.

Value type: enumeration

Default value: "rfc5746"

Permitted values:

always: Always allow

safe: Allow safe re-handshakes

rfc5746: Only if client uses RFC 5746 (Secure Renegotiation Extension)

never: Never allow

admin!ssl3_ciphers

The SSL ciphers to use for admin server and internal connections. For information on supported ciphers see the online help.

Value type: string

Default value: <none>

admin!ssl3_diffie_hellman_key_length

The length in bits of the Diffie-Hellman key for ciphers that use Diffie-Hellman key agreement for admin server and internal connections.

Value type: enumeration

Default value: "2048"

Permitted values:

1024: 1024

2048: 2048

3072: 3072

4096: 4096

admin!ssl3_min_rehandshake_interval

If SSL3/TLS re-handshakes are supported on the admin server, this defines the minimum time interval (in milliseconds) between handshakes on a single SSL3/TLS connection that is permitted. To disable the minimum interval for handshakes the key should be set to the value 0.

Value type: unsigned integer

Default value: "1000"

admin!ssl_elliptic_curves

The SSL elliptic curve preference list for admin and internal connections. For information on supported curves see the online help.

Value type: string

Default value: <none>

admin!ssl_max_handshake_message_size

The maximum size (in bytes) of SSL handshake messages that the admin server and internal connections will accept. To accept any size of handshake message the key should be set to the value 0.

Value type: bytes

Default value: "10240"

admin!ssl_prevent_timing_side_channels

This configuration is now obsolete and has no effect whether set or unset.

Value type: Yes / No

Default value: "No"

admin!ssl_signature_algorithms

The SSL signature algorithms preference list for admin and internal connections. For information on supported algorithms see the online help.

Value type: string

Default value: <none>

admin!support_ssl3

Whether or not SSL3 support is enabled for admin server and internal connections.

Value type: Yes / No

Default value: "No"

admin!support_tls1

Whether or not TLS1.0 support is enabled for admin server and internal connections.

Value type: Yes / No

Default value: "Yes"

admin!support_tls1_1

Whether or not TLS1.1 support is enabled for admin server and internal connections.

Value type: Yes / No

Default value: "Yes"

admin!support_tls1_2

Whether or not TLS1.2 support is enabled for admin server and internal connections.

Value type: Yes / No

Default value: "Yes"

admin!support_tls1_3

Whether or not TLS1.3 support is enabled for admin server and internal connections.

Value type: Yes / No

Default value: "Yes"

afm_enabled

Whether or not the application firewall is enabled.

Value type: Yes / No

Default value: "No"

allow_consecutive_chars

Whether or not to allow the same character to appear consecutively in passwords.

Value type: Yes / No

Default value: "Yes"

appliance!bootloader_password

The password used to protect the bootloader. An empty string means there will be no protection.

Value type: password

Default value: <none>

appliance!return_path_routing_enabled

Whether or not the traffic manager will attempt to route response packets back to clients via the same route on which the corresponding request arrived.

Note that this applies only to the last hop of the route - the behaviour of upstream routers cannot be altered by the traffic manager.

Value type: Yes / No

Default value: "No"

appliance!returnpath!*!ipv4

The MAC address/network interface to IPv4 address mapping of a router the software is connected to. The value is the IPv4 address, the * (asterisk) in the key name is the MAC address and an optional network interface name, for example, 00:50:56:a6:24:3d or 00:50:56:a6:24:3d#eth0.

Value type: string

Default value: <none>

appliance!returnpath!*!ipv6

The MAC address/network interface to IPv6 address mapping of a router the software is connected to. The value is the IPv6 address, the * (asterisk) in the key name is the MAC address and an optional network interface name, for example, 00:50:56:a6:24:3d or 00:50:56:a6:24:3d#eth0.

Value type: string

Default value: <none>

aptimizer!max_dependent_fetch_size

The maximum size of a dependent resource that can undergo Web Accelerator optimization. Any content larger than this size will not be optimized. Units of KB and MB can be used, no postfix denotes bytes. A value of 0 disables the limit.

Value type: string

Default value: "2MB"

aptimizer!max_original_content_buffer_size

The maximum size of unoptimized content buffered in the traffic manager for a single backend response that is undergoing Web Accelerator optimization. Responses larger than this will not be optimized. Note that if the backend response is compressed then this setting pertains to the compressed size, before Web Accelerator decompresses it. Units of KB and MB can be used, no postfix denotes bytes. Value range is 1 - 128MB.

Value type: string

Default value: "2MB"

aptimizer!watchdog_interval

The period of time (in seconds) after which a previous failure will no longer count towards the watchdog limit.

Value type: seconds

Default value: "300"

aptimizer!watchdog_limit

The maximum number of times the Web Accelerator sub-process will be started or restarted within the interval defined by the aptimizer!watchdog_interval setting. If the process fails this many times, it must be restarted manually from the Diagnose page. Zero means no limit.

Value type: unsigned integer

Default value: "3"

asp_cache_size

The maximum number of entries in the ASP session persistence cache. This is used for storing session mappings for ASP session persistence. Approximately 100 bytes will be pre-allocated per entry.

Value type: unsigned integer

Default value: "32768"

auditlog!via_eventd

Whether to mirror the audit log to EventD.

Value type: Yes / No

Default value: "No"

auditlog!via_syslog

Whether to output audit log messages to the syslog.

Value type: Yes / No

Default value: "No"

auth!saml!key_lifetime

Lifetime in seconds of cryptographic keys used to decrypt SAML SP sessions stored externally (client-side).

Value type: seconds

Default value: "86400"

auth!saml!key_rotation_interval

Rotation interval in seconds for cryptographic keys used to encrypt SAML SP sessions stored externally (client-side).

Value type: seconds

Default value: "14400"

autoscaler!verbose

Whether or not detailed messages about the autoscaler's activity are written to the error log.

Value type: Yes / No

Default value: "No"

banner_accept

Whether or not users must explicitly agree to the displayed login_banner text before logging in to the Admin Server.

Value type: Yes / No

Default value: "No"

bgp!as_number

The number of the BGP AS in which the traffic manager will operate. Must be entered in decimal.

Value type: unsigned integer

Default value: "65534"

bgp!enabled

Whether BGP Route Health Injection is enabled.

Value type: Yes / No

Default value: "No"

chunk_size

The default chunk size for reading/writing requests.

Value type: bytes

Default value: "16384"

client_first_opt

Whether or not your traffic manager should make use of TCP optimisations to defer the processing of new client-first connections until the client has sent some data.

Value type: Yes / No

Default value: "No"

cluster_identifier

Cluster identifier. Generally supplied by Services Director.

Value type: string

Default value: <none>

control!canupdate!default

The default value of control!canupdate for new cluster members. If you have cluster members joining from less trusted locations (such as cloud instances) this can be set to No in order to make them effectively "read-only" cluster members.

Value type: Yes / No

Default value: "Yes"

controlallow

The hosts that can contact the internal administration port on each traffic manager. This should be a list containing IP addresses, CIDR IP subnets, and localhost; or it can be set to all to allow any host to connect.

Value type: string

Default value: "all"

dns!max_ttl

Maximum Time To Live (expiry time) for entries in the DNS cache.

Value type: seconds

Default value: "86400"

dns!min_ttl

Minimum Time To Live (expiry time) for entries in the DNS cache.

Value type: seconds

Default value: "86400"

dns!negative_expiry

Expiry time for failed lookups in the DNS cache.

Value type: seconds

Default value: "60"

dns!size

Maximum number of entries in the DNS cache.

Value type: unsigned integer

Default value: "10867"

dns!timeout

Timeout for receiving a response from a DNS server.

Value type: seconds

Default value: "12"

ec2!access_key_id

Deprecated: This key is unused. Amazon authentication credentials are now extracted from IAM Roles assigned to an EC2 instance.

Value type: string

Default value: <none>

ec2!awstool_timeout

The maximum amount of time requests to the AWS Query API can take before timing out.

Value type: unsigned integer

Default value: "10"

ec2!metadata_server

URL for the EC2 metadata server, http://169.254.169.254/latest/meta-data for example.

Value type: string

Default value: <none>

ec2!query_server

URL for the Amazon EC2 endpoint, https://ec2.amazonaws.com/ for example.

Value type: string

Default value: <none>

ec2!secret_access_key

Deprecated: This key is unused. Amazon authentication credentials are now extracted from IAM Roles assigned to an EC2 instance.

Value type: password

Default value: <none>

ec2!verify_query_server_cert

Whether to verify the Amazon EC2 endpoint's certificate using the CA(s) present in the SSL Certificate Authorities Catalog.

Value type: Yes / No

Default value: "No"

errlevel

The minimum severity of events/alerts that should be logged to disk. ERR_INFO will log all events; a higher severity setting will log fewer events. More fine-grained control can be achieved using events and actions in the Alerting section of the UI.

Value type: enumeration

Default value: "6"

Permitted values:

1: ERR_FATAL

2: ERR_SERIOUS

5: ERR_WARN

6: ERR_INFO

errlog

The file to log event messages to.

Value type: string

Default value: "%zeushome%/zxtm/log/errors"

fips!enabled

Enable FIPS Mode (requires software restart).

Value type: Yes / No

Default value: "No"

flipper!arp_count

The number of ARP packets a traffic manager should send when an IP address is raised.

Value type: unsigned integer

Default value: "10"

flipper!autofailback

Whether or not traffic IPs automatically move back to machines that have recovered from a failure and have dropped their traffic IPs.

Value type: Yes / No

Default value: "Yes"

flipper!autofailback_delay

Configure the delay of automatic failback after a previous failover event. This setting has no effect if autofailback is disabled.

Value type: seconds

Default value: "10"

flipper!child_timeout

How long the traffic manager should wait for status updates from any of the traffic manager's child processes before assuming one of them is no longer servicing traffic.

Value type: seconds

Default value: "5"

flipper!frontend_check_addrs

The IP addresses used to check front-end connectivity. The text %gateway% will be replaced with the default gateway on each system. Set this to an empty string if the traffic manager is on an Intranet with no external connectivity.

Value type: list

Default value: "%gateway%"

flipper!heartbeat_method

The method traffic managers should use to exchange cluster heartbeat messages.

Value type: enumeration

Default value: "unicast"

Permitted values:

multicast: multicast

unicast: unicast

flipper!igmp_interval

The interval between unsolicited periodic IGMP Membership Report messages for Multi-Hosted Traffic IP Groups.

Value type: seconds

Default value: "30"

flipper!monitor_interval

The frequency, in milliseconds, that each traffic manager machine should check and announce its connectivity.

Value type: unsigned integer

Default value: "500"

flipper!monitor_timeout

How long, in seconds, each traffic manager should wait for a response from its connectivity tests or from other traffic manager machines before registering a failure.

Value type: seconds

Default value: "5"

flipper!multicast_address

The multicast address and port to use to exchange cluster heartbeat messages.

Requires: flipper!heartbeat_method is set to "multicast"

Value type: string

Default value: "239.100.1.1:9090"

flipper!unicast_port

The unicast UDP port to use to exchange cluster heartbeat messages.

Requires: flipper!heartbeat_method is set to "unicast"

Value type: unsigned integer

Default value: "9090"

flipper!use_bindip

Whether or not cluster heartbeat messages should only be sent and received over the management network.

Value type: Yes / No

Default value: "No"

flipper!verbose

Whether or not a traffic manager should log all connectivity tests. This is very verbose, and should only be used for diagnostic purposes.

Value type: Yes / No

Default value: "No"

ftp_data_bind_low

Whether or not the traffic manager should permit use of FTP data connection source ports lower than 1024. If No, the traffic manager can completely drop root privileges; if Yes, some or all privileges may be retained in order to bind to low ports.

Value type: Yes / No

Default value: "No"

gslb!verbose

Write a message to the logs for every DNS query that is load balanced, showing the source IP address and the chosen datacenter.

Value type: Yes / No

Default value: "No"

idle_connection_timeout

How long an unused HTTP keepalive connection should be kept before it is discarded.

Value type: seconds

Default value: "10"

ip_cache_expiry

IP session persistence cache expiry time in seconds. A session will not be reused if the time since it was last used exceeds this value. 0 indicates no expiry timeout.

Value type: unsigned integer

Default value: "0"

ip_cache_size

The maximum number of entries in the IP session persistence cache. This is used to provide session persistence based on the source IP address. Approximately 100 bytes will be pre-allocated per entry.

Value type: unsigned integer

Default value: "32768"

j2ee_cache_expiry

J2EE session persistence cache expiry time in seconds. A session will not be reused if the time since it was last used exceeds this value. 0 indicates no expiry timeout.

Value type: unsigned integer

Default value: "0"

j2ee_cache_size

The maximum number of entries in the J2EE session persistence cache. This is used for storing session mappings for J2EE session persistence. Approximately 100 bytes will be pre-allocated per entry.

Value type: unsigned integer

Default value: "32768"

java!classpath

CLASSPATH to use when starting the Java runner.

Value type: string

Default value: <none>

java!command

Java command to use when starting the Java runner, including any additional options.

Value type: string

Default value: "java -server"

java!enabled

Whether or not Java support should be enabled. If this is set to No, then your traffic manager will not start any Java processes. Java support is only required if you are using the TrafficScript java.run() function.

Value type: Yes / No

Default value: "No"

java!lib

Java library directory for additional jar files. The Java runner will load classes from any .jar files stored in this directory, as well as the * jar files and classes stored in traffic manager's catalog.

Value type: string

Default value: <none>

java!max_conns

Maximum number of simultaneous Java requests. If there are more than this many requests, then further requests will be queued until the earlier requests are completed. This setting is per-CPU, so if your traffic manager is running on a machine with 4 CPU cores, then each core can make this many requests at one time.

Value type: unsigned integer

Default value: "256"

java!session_age

Default time to keep a Java session.

Value type: seconds

Default value: "86400"

kerberos!verbose

Whether or not a traffic manager should log all Kerberos related activity. This is very verbose, and should only be used for diagnostic purposes.

Value type: Yes / No

Default value: "No"

license_servers

A list of license servers for FLA licensing. A license server should be specified as a <ip/host>:<port> pair.

Value type: list

Default value: <none>

listen_queue_size

The listen queue size for managing incoming connections. It may be necessary to increase the System's listen queue size if this value is altered. If the value is set to 0 then the default system setting will be used.

Value type: unsigned integer

Default value: "0"

load_change_limit

The maximum change to load per second, when monitored by GLB. This limit does not apply to external setting of the load by a SOAP agent.

Value type: unsigned integer

Default value: "800"

log!flushtime

How long to wait before flushing the request log files for each virtual server.

Value type: seconds

Default value: "5"

log!rate

The maximum number of connection errors logged per second when connection error reporting is enabled.

Value type: unsigned integer

Default value: "50"

log!reopen

How long to wait before re-opening request log files. This ensures that log files will be recreated in the case of log rotation.

Value type: seconds

Default value: "30"

log!time

The minimum time between log messages for log intensive features such as SLM.

Value type: seconds

Default value: "60"

log_export!auth!hec_token

The HTTP Event Collector token to use for HTTP authentication with a Splunk server.

Value type: string

Default value: <none>

log_export!auth!http

The HTTP authentication method to use when exporting log entries.

Value type: enumeration

Default value: "none"

Permitted values:

none: None

basic: Basic (Username and Password)

splunk: Splunk (HEC token)

log_export!auth!password

The password to use for HTTP basic authentication.

Value type: password

Default value: <none>

log_export!auth!username

The username to use for HTTP basic authentication.

Value type: string

Default value: <none>

log_export!enabled

Monitor log files and export entries to the configured endpoint.

Value type: Yes / No

Default value: "No"

log_export!endpoint

The URL to which log entries should be sent. Entries are sent using HTTP(S) POST requests.

Value type: string

Default value: <none>

log_export!request_timeout

The number of seconds after which HTTP requests sent to the configured endpoint will be considered to have failed if no response is received. A value of 0 means that HTTP requests will not time out.

Value type: seconds

Default value: "30"

log_export!tls_verify

Whether the server certificate should be verified when connecting to the endpoint. If enabled, server certificates that do not match the server name, are self-signed, have expired, have been revoked, or that are signed by an unknown CA will be rejected.

Value type: Yes / No

Default value: "Yes"

login_banner

Banner text displayed on the Admin Server login page and before logging in to appliance SSH servers.

Value type: string

Default value: <none>

login_delay

The number of seconds before another login attempt can be made after a failed attempt.

Value type: seconds

Default value: "4"

max_idle_connections

The maximum number of unused HTTP keepalive connections with back-end nodes that the traffic manager should maintain for re-use. Setting this to 0 (zero) will cause the traffic manager to auto-size this parameter based on the available number of file-descriptors.

Value type: unsigned integer

Default value: "0"

max_login_attempts

The number of sequential failed login attempts that will cause a user account to be suspended. Setting this to 0 disables this feature. To apply this to users who have never successfully logged in, track_unknown_users must also be enabled.

Value type: unsigned integer

Default value: "0"

max_login_external

Whether or not usernames blocked due to the max_login_attempts limit should also be blocked from authentication against external services (such as LDAP and RADIUS).

Value type: Yes / No

Default value: "No"

max_login_suspension_time

The number of minutes to suspend users who have exceeded the max_login_attempts limit.

Value type: unsigned integer

Default value: "15"

max_tcp_buff_mem

The maximum amount of memory allowed to be used to buffer network data in user space for all TCP connections. The buffered TCP data is either data received from clients that has not yet been sent to pool nodes, or data received from pool nodes that has not yet been sent to clients. This is specified as either a percentage of system RAM, 5% for example, or an absolute size such as 1024MB and 2GB. A numeric value without suffix MB, GB or % defaults to MB. A value of 800 means 800MB. A value of 0 means unlimited.

Value type: string

Default value: "0"

maxfds

The maximum number of file descriptors that your traffic manager will allocate.

Value type: unsigned integer

Default value: "1048576"

min_alpha_chars

Minimum number of alphabetic characters a password must contain. Set to 0 to disable this restriction.

Value type: unsigned integer

Default value: "0"

min_numeric_chars

Minimum number of numeric characters a password must contain. Set to 0 to disable this restriction.

Value type: unsigned integer

Default value: "0"

min_password_length

Minimum number of characters a password must contain. Set to 0 to disable this restriction.

Value type: unsigned integer

Default value: "0"

min_special_chars

Minimum number of special (non-alphanumeric) characters a password must contain. Set to 0 to disable this restriction.

Value type: unsigned integer

Default value: "0"

min_uppercase_chars

Minimum number of uppercase characters a password must contain. Set to 0 to disable this restriction.

Value type: unsigned integer

Default value: "0"

monitor_memory_size

The maximum number of each of nodes, pools or locations that can be monitored. The memory used to store information about nodes, pools and locations is allocated at start-up, so the traffic manager must be restarted after changing this setting.

Value type: unsigned integer

Default value: "4096"

multiple_accept

Whether or not the traffic manager should try to read multiple new connections each time a new client connects. This can improve performance under some very specific conditions. However, in general it is recommended that this be set to 'No'.

Value type: Yes / No

Default value: "No"

notify!mail_interval

The minimum length of time that must elapse between alert emails being sent. Where multiple alerts occur inside this timeframe, they will be retained and sent within a single email rather than separately.

Value type: seconds

Default value: "30"

notify!max_attempts

The number of times to attempt to send an alert email before giving up.

Value type: unsigned integer

Default value: "10"

ospfv2!area

The OSPF area in which the traffic manager will operate. May be entered in decimal or IPv4 address format.

Value type: string

Default value: "0.0.0.1"

ospfv2!area_type

The type of OSPF area in which the traffic manager will operate. This must be the same for all routers in the area, as required by OSPF.

Value type: enumeration

Default value: "normal"

Permitted values:

normal: Normal area

stub: Stub area

nssa: Not So Stubby Area (RFC3101)

ospfv2!authentication_key_id_a

OSPFv2 authentication key ID. If set to 0, which is the default value, the key is disabled.

Value type: unsigned integer

Default value: "0"

ospfv2!authentication_key_id_b

OSPFv2 authentication key ID. If set to 0, which is the default value, the key is disabled.

Value type: unsigned integer

Default value: "0"

ospfv2!authentication_shared_secret_a

OSPFv2 authentication shared secret (MD5). If set to blank, which is the default value, the key is disabled.

Value type: string

Default value: <none>

ospfv2!authentication_shared_secret_b

OSPFv2 authentication shared secret (MD5). If set to blank, which is the default value, the key is disabled.

Value type: string

Default value: <none>

ospfv2!dead_interval

The number of seconds before declaring a silent router down.

Value type: seconds

Default value: "40"

ospfv2!enabled

Whether OSPFv2 Route Health Injection is enabled.

Value type: Yes / No

Default value: "No"

ospfv2!hello_interval

The interval at which OSPF "hello" packets are sent to the network.

Value type: seconds

Default value: "10"

password_changes_per_day

The maximum number of times a password can be changed in a 24-hour period. Set to 0 to disable this restriction.

Value type: unsigned integer

Default value: "0"

password_reuse_after

The number of times a password must have been changed before it can be reused. Set to 0 to disable this restriction.

Value type: unsigned integer

Default value: "0"

post_login_banner

Banner text to be displayed on the appliance console after login.

Value type: string

Default value: <none>

protection!conncount_size

The amount of shared memory reserved for an inter-process table of combined connection counts, used by all Service Protection classes that have per_process_connection_count set to No. The amount is specified as an absolute size, for example 20MB.

Value type: string

Default value: "20MB"

rate_class_limit

The maximum number of Rate classes that can be created. Approximately 100 bytes will be pre-allocated per Rate class.

Value type: unsigned integer

Default value: "25000"

recent_conns

How many recently closed connections each traffic manager process should save. These saved connections will be shown alongside currently active connections when viewing the Connections page. You should set this value to 0 in a benchmarking or performance-critical environment.

Value type: unsigned integer

Default value: "500"

recent_conns_retain_time

The amount of time for which snapshots will be retained on the Connections page.

Value type: seconds

Default value: "60"

recent_conns_snapshot_size

The maximum number of connections each traffic manager process should show when viewing a snapshot on the Connections page. This value includes both currently active connections and saved connections. If set to 0, all active and saved connections will be displayed on the Connections page.

Value type: unsigned integer

Default value: "500"

remote_licensing!comm_channel_enabled

Whether to create a Communications Channel agent to send and receive messages from the Services Director Registration Server. This will be disabled when performing self-registration with a Services Director which does not support this feature.

Value type: Yes / No

Default value: "Yes"

remote_licensing!comm_channel_port

The port number the Services Director instance is using for access to the traffic manager Communications Channel.

Value type: unsigned integer

Default value: "8102"

remote_licensing!owner

The Owner of a Services Director instance, used for self-registration.

Value type: string

Default value: <none>

remote_licensing!owner_secret

The secret associated with the Owner.

Value type: string

Default value: <none>

remote_licensing!policy_id

The auto-accept Policy ID that this instance should attempt to use.

Value type: string

Default value: <none>

remote_licensing!registration_server

A Services Director address for self-registration. A registration server should be specified as a <ip/host>:<port> pair.

Value type: string

Default value: <none>

remote_licensing!server_certificate

The certificate of a Services Director instance, used for self-registration.

Value type: string

Default value: <none>

rest!auth_timeout

The length of time after a successful request that the authentication of a given username and password will be cached for an IP address. A setting of 0 disables the cache, forcing every REST request to be authenticated, which will adversely affect performance.

Value type: seconds

Default value: "120"

rest!enabled

Whether or not the REST service is enabled.

Value type: Yes / No

Default value: "Yes"

rest!max_http_header_len

The maximum allowed length in bytes of a HTTP request's headers.

Value type: unsigned integer

Default value: "4096"

rest!maxfds

Maximum number of file descriptors that the REST API will allocate. The REST API must be restarted for a change to this setting to take effect.

Value type: unsigned integer

Default value: "1048576"

rest!repabstime

Configuration changes will be replicated across the cluster after this period of time, regardless of whether additional API requests are being made.

Value type: seconds

Default value: "20"

rest!replulltime

Configuration changes made via the REST API will be propagated across the cluster when no further API requests have been made for this period of time.

Value type: seconds

Default value: "5"

rest!reptimeout

The period of time after which configuration replication across the cluster will be cancelled if it has not completed.

Value type: seconds

Default value: "10"

shared_pool_size

The size of the shared memory pool used for shared storage across worker processes (e.g. bandwidth shared data). This is specified as either a percentage of system RAM, 5% for example, or an absolute size such as 10MB.

Value type: string

Default value: "10MB"

slm_class_limit

The maximum number of SLM classes that can be created. Approximately 100 bytes will be pre-allocated per SLM class.

Value type: unsigned integer

Default value: "1024"

snmp_user_counters

The number of user defined SNMP counters. Approximately 100 bytes will be pre-allocated at start-up per user defined SNMP counter.

Value type: unsigned integer

Default value: "10"

so_rbuff_size

The size of the operating system's read buffer. A value of 0 (zero) means to use the OS default; in normal circumstances this is what should be used.

Value type: bytes

Default value: "0"

so_wbuff_size

The size of the operating system's write buffer. A value of 0 (zero) means to use the OS default; in normal circumstances this is what should be used.

Value type: bytes

Default value: "0"

soap!idle_minutes

The number of minutes that the SOAP server should remain idle before exiting. The SOAP server has a short startup delay the first time a SOAP request is made; subsequent SOAP requests don't have this delay.

Value type: unsigned integer

Default value: "10"

socket_opt

Whether or not the traffic manager should use potential network socket optimisations. If set to auto, a decision will be made based on the host platform.

Value type: enumeration

Default value: "auto"

Permitted values:

auto: auto

Yes: Yes

No: No

ssl!allow_rehandshake

Whether or not SSL/TLS re-handshakes should be supported. Enabling support for re-handshakes can expose services to Man-in-the-Middle attacks. It is recommended that only "safe" handshakes be permitted, or none at all.

Value type: enumeration

Default value: "safe"

Permitted values:

always: Always allow

safe: Allow safe re-handshakes

rfc5746: Only if client uses RFC 5746 (Secure Renegotiation Extension)

never: Never allow

ssl!cache!enabled

Whether or not the SSL server session cache is enabled, unless overridden by virtual server settings.

Value type: Yes / No

Default value: "Yes"

ssl!cache!expiry

How long the SSL session IDs for SSL decryption should be stored for.

Value type: seconds

Default value: "1800"

ssl!cache!per_virtualserver

Whether an SSL session created by a given virtual server can only be resumed by a connection to the same virtual server.

Value type: Yes / No

Default value: "Yes"

ssl!cache!size

How many entries the SSL session ID cache should hold. This cache is used to cache SSL sessions to help speed up SSL handshakes when performing SSL decryption. Each entry will allocate approximately 1.75kB of metadata.

Value type: unsigned integer

Default value: "6151"

ssl!cipher_suites

The SSL/TLS cipher suites preference list for SSL/TLS connections, unless overridden by virtual server or pool settings. For information on supported cipher suites see the online help.

Value type: string

Default value: <none>

ssl!client_cache!enabled

Whether or not the SSL client cache will be used, unless overridden by pool settings.

Value type: Yes / No

Default value: "Yes"

ssl!client_cache!expiry

How long in seconds SSL sessions should be stored in the client cache for, by default. Servers returning session tickets may also provide a lifetime hint, which will be used if it is less than this value.

Value type: seconds

Default value: "14400"

ssl!client_cache!size

How many entries the SSL client session cache should hold, per child. This cache is used to cache SSL sessions to help speed up SSL handshakes when performing SSL encryption. Each entry will require approximately 100 bytes of memory plus space for either an SSL session ID or an SSL session ticket, which may be as small as 16 bytes or may be as large as a few kilobytes, depending upon the server behavior.

Value type: unsigned integer

Default value: "1024"

ssl!client_cache!tickets_enabled

Whether or not session tickets, including TLS >= 1.3 PSKs, may be requested and stored in the SSL client cache.

Value type: Yes / No

Default value: "Yes"

ssl!crl_mem!size

How much shared memory to allocate for loading Certificate Revocation Lists. This should be at least 3 times the total size of all CRLs on disk. This is specified as either a percentage of system RAM, 1% for example, or an absolute size such as 10MB.

Value type: string

Default value: "5MB"

ssl!diffie_hellman_modulus_size

The size in bits of the modulus for the domain parameters used for cipher suites that use finite field Diffie-Hellman key agreement.

Value type: enumeration

Default value: "2048"

Permitted values:

1024: 1024

2048: 2048

3072: 3072

4096: 4096

ssl!elliptic_curves

The SSL/TLS elliptic curve preference list for SSL/TLS connections using TLS version 1.0 or higher, unless overridden by virtual server or pool settings. For information on supported curves see the online help.

Value type: string

Default value: <none>

ssl!honor_fallback_scsv

Whether or not ssl-decrypting Virtual Servers honor the Fallback SCSV to protect connections against downgrade attacks.

Value type: Yes / No

Default value: "Yes"

ssl!insert_extra_fragment

Whether or not SSL3 and TLS1 use one-byte fragments as a BEAST countermeasure.

Value type: Yes / No

Default value: "No"

ssl!log_keys

Whether SSL connection key logging should be available via the ssl.sslkeylogline() TrafficScript function. If this setting is disabled then ssl.sslkeylogline() will always return the empty string.

Value type: Yes / No

Default value: "No"

ssl!max_handshake_message_size

The maximum size (in bytes) of SSL handshake messages that SSL connections will accept. To accept any size of handshake message the key should be set to the value 0.

Value type: bytes

Default value: "10240"

ssl!middlebox_compatibility

Whether or not TLS 1.3 middlebox compatibility mode as described in RFC 8446 appendix D.4 will be used in connections to pool nodes, unless overridden by pool settings.

Value type: Yes / No

Default value: "Yes"

ssl!min_rehandshake_interval

If SSL3/TLS re-handshakes are supported, this defines the minimum time interval (in milliseconds) between handshakes on a single SSL3/TLS connection that is permitted. To disable the minimum interval for handshakes the key should be set to the value 0.

Value type: unsigned integer

Default value: "1000"

ssl!ocsp_cache!size

The maximum number of cached client certificate OCSP results stored. This cache is used to speed up OCSP checks against client certificates by caching results. Approximately 1040 bytes are pre-allocated per entry.

Value type: unsigned integer

Default value: "2048"

ssl!ocsp_stapling!default_refresh_interval

How long to wait before refreshing requests on behalf of the store of certificate status responses used by OCSP stapling, if we don't have an up-to-date OCSP response.

Value type: seconds

Default value: "60"

ssl!ocsp_stapling!maximum_refresh_interval

Maximum time to wait before refreshing requests on behalf of the store of certificate status responses used by OCSP stapling. (0 means no maximum.)

Value type: seconds

Default value: "864000"

ssl!ocsp_stapling!mem_size

How much shared memory to allocate for the store of certificate status responses for OCSP stapling. This should be at least 2kB times the number of certificates configured to use OCSP stapling. This is specified as either a percentage of system RAM, 1% for example, or an absolute size such as 10MB.

Value type: string

Default value: "1MB"

ssl!ocsp_stapling!time_tolerance

How many seconds to allow the current time to be outside the validity time of an OCSP response before considering it invalid.

Value type: seconds

Default value: "30"

ssl!ocsp_stapling!verify_response

Whether the OCSP response signature should be verified before the OCSP response is cached.

Value type: Yes / No

Default value: "No"

ssl!prevent_timing_side_channels

This configuration is now obsolete and has no effect whether set or unset.

Value type: Yes / No

Default value: "No"

ssl!signature_algorithms

The SSL/TLS signature algorithms preference list for SSL/TLS connections using TLS version 1.2 or higher, unless overridden by virtual server or pool settings. For information on supported algorithms see the online help.

Value type: string

Default value: <none>

ssl!support_ssl3

Whether or not SSL3 support is enabled.

Requires: fips!enabled is set to "Yes"

Value type: Yes / No

Default value: "No"

ssl!support_tls1

Whether or not TLS1.0 support is enabled.

Value type: Yes / No

Default value: "Yes"

ssl!support_tls1_1

Whether or not TLS1.1 support is enabled.

Value type: Yes / No

Default value: "Yes"

ssl!support_tls1_2

Whether or not TLS1.2 support is enabled.

Value type: Yes / No

Default value: "Yes"

ssl!support_tls1_3

Whether or not TLS1.3 support is enabled.

Value type: Yes / No

Default value: "Yes"

ssl!tickets!enabled

Whether or not session tickets will be issued to and accepted from clients that support them, unless overridden by virtual server settings.

Value type: Yes / No

Default value: "Yes"

ssl!tickets!reissue_policy

When an SSL session ticket will be reissued (i.e. when a new ticket will be generated for the same SSL session).

Value type: enumeration

Default value: "never"

Permitted values:

always: always

never: never

ssl!tickets!ticket_expiry

The length of time for which an SSL session ticket will be accepted by a virtual server after the ticket is created. If a ticket is reissued (if ssl!tickets!reissue_policy is set to 'always') this time starts at the time when the ticket was reissued.

Value type: seconds

Default value: "14400"

ssl!tickets!ticket_key_expiry

The length of time for which an auto-generated SSL ticket key will be used to decrypt old session tickets, before being deleted from memory. This setting is ignored if there are any entries in the (REST-only) SSL ticket keys catalog.

Value type: seconds

Default value: "86400"

ssl!tickets!ticket_key_rotation

The length of time for which an auto-generated SSL ticket key will be used to encrypt new session tickets, before a new SSL ticket key is generated. The ticket encryption key will be held in memory for ssl!tickets!ticket_key_expiry, so that tickets encrypted using the key can still be decrypted and used. This setting is ignored if there are any entries in the (REST-only) SSL ticket keys catalog.

Value type: seconds

Default value: "14400"

ssl!tickets!time_tolerance

How many seconds to allow the current time to be outside the validity time of an SSL ticket before considering it invalid.

Value type: seconds

Default value: "30"

ssl!validate_server_certificates_catalog

Whether the traffic manager should validate that SSL server certificates form a matching key pair before the certificate gets used on an SSL decrypting virtual server.

Value type: Yes / No

Default value: "Yes"
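One way to check the global ssl! keys documented above for weak values, as an added example that is not part of the product or its documentation. It assumes conf/settings.cfg holds one key and value per line separated by whitespace with # starting a comment and that a key absent from the file takes its documented default; it ignores virtual server and pool overrides, and the CHECKS table, function names and sample input are constructed for illustration.

```python
YES_NO = ("Yes", "No")

# key: (documented default, documented values, value to flag, reason)
CHECKS = {
    "ssl!allow_rehandshake": ("safe", ("always", "safe", "rfc5746", "never"), "always",
        "unrestricted re-handshakes can expose services to man-in-the-middle attacks"),
    "ssl!diffie_hellman_modulus_size": ("2048", ("1024", "2048", "3072", "4096"), "1024",
        "1024-bit finite-field DH modulus is below the 2048-bit default"),
    "ssl!honor_fallback_scsv": ("Yes", YES_NO, "No",
        "Fallback SCSV is ignored, removing downgrade protection"),
    "ssl!log_keys": ("No", YES_NO, "Yes",
        "ssl.sslkeylogline() hands connection keys to TrafficScript rules"),
    "ssl!ocsp_stapling!verify_response": ("No", YES_NO, "No",
        "OCSP responses are cached without signature verification"),
    "ssl!support_ssl3": ("No", YES_NO, "Yes", "SSL3 is enabled (deprecated by RFC 7568)"),
    "ssl!support_tls1": ("Yes", YES_NO, "Yes", "TLS 1.0 is enabled (deprecated by RFC 8996)"),
    "ssl!support_tls1_1": ("Yes", YES_NO, "Yes", "TLS 1.1 is enabled (deprecated by RFC 8996)"),
}

# Constructed sample input, not taken from a real system.
SAMPLE = (
    "# constructed sample\n"
    "ssl!allow_rehandshake\talways\n"
    "ssl!diffie_hellman_modulus_size\t1024\n"
    "ssl!support_tls1\tNo\n"
    "ssl!support_tls1_1\tNo\n"
    "ssl!log_keys\ttrue\n"
    "ssl!ocsp_stapling!verify_response\tYes\n"
)


def parse_settings(text):
    """Return {key: value} from the assumed 'key<whitespace>value' line format."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        # If a key repeats, this example keeps the last value it sees.
        settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit(text):
    """Return (key, effective value, origin, message) for every flagged key."""
    explicit = parse_settings(text)
    findings = []
    for key, (default, documented, risky, reason) in CHECKS.items():
        origin = "explicit" if key in explicit else "default"
        value = explicit.get(key, default)
        if value not in documented:
            message = "not a documented value; expected one of " + ", ".join(documented)
            findings.append((key, value, origin, message))
        elif value == risky:
            findings.append((key, value, origin, reason))
    return findings


if __name__ == "__main__":
    for key, value, origin, message in audit(SAMPLE):
        print(f"{key} = {value} ({origin}): {message}")
```

Running the audit on an empty file reports the findings that come purely from the documented defaults, which separates inherited risk from settings someone chose explicitly.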

ssl_cache_size

The maximum number of entries in the SSL session persistence cache. This is used to provide session persistence based on the SSL session ID. Approximately 200 bytes will be pre-allocated per entry.

Value type: unsigned integer

Default value: "32768"

ssld!accel

Whether or not the SSL hardware is an "accelerator" (faster than software). By default the traffic manager will only use the SSL hardware if a key requires it (i.e. the key is stored on secure hardware and the traffic manager only has a placeholder/identifier key). With this option enabled, your traffic manager will instead try to use hardware for all SSL decrypts.

Value type: Yes / No

Default value: "No"

ssld!azure!client_id

The client identifier used when accessing the Microsoft Azure Key Vault.

Value type: string

Default value: <none>

ssld!azure!client_secret

The client secret used when accessing the Microsoft Azure Key Vault.

Value type: password

Default value: <none>

ssld!azure!vault_url

The URL for the REST API of the Microsoft Azure Key Vault.

Value type: string

Default value: <none>

ssld!azure!verify_rest_api_cert

Whether or not the Azure Key Vault REST API certificate should be verified.

Value type: Yes / No

Default value: "Yes"

ssld!driver!pkcs11_debug

Print verbose information about the PKCS11 hardware security module to the event log.

Value type: Yes / No

Default value: "No"

ssld!driver!pkcs11_lib

The location of the PKCS#11 library for your SSL hardware if it is not in a standard location. The traffic manager will search the standard locations by default.

Value type: string

Default value: <none>

ssld!driver!pkcs11_slot_desc

The label of the SSL Hardware slot to use. Only required if you have multiple HW accelerator slots.

Value type: string

Default value: <none>

ssld!driver!pkcs11_slot_type

The type of SSL hardware slot to use.

Value type: enumeration

Default value: "operator"

Permitted values:

operator: Operator Card Set

softcard: Soft Card

module: Module Protected

ssld!driver!pkcs11_user_pin

The User PIN for the PKCS token (PKCS#11 devices only).

Value type: password

Default value: <none>

ssld!failure_count

The number of consecutive failures from the SSL hardware that will be tolerated before the traffic manager assumes its session with the device is invalid and tries to log in again. This is necessary when the device reboots following a power failure.

Value type: unsigned integer

Default value: "5"

ssld!library

The type of SSL hardware to use. The drivers for the SSL hardware should be installed and accessible to the traffic manager software.

Value type: enumeration

Default value: "none"

Permitted values:

none: None

pkcs11: PKCS#11

azure: Microsoft Azure Key Vault

statd!days

Number of days to store historical traffic information. If set to 0, the data will be kept indefinitely.

Value type: unsigned integer

Default value: "90"

state_sync_time

How often to propagate the session persistence and bandwidth information to other traffic managers in the same cluster. Set this to 0 (zero) to disable propagation.

Note that a cluster using "unicast" heartbeat messages cannot turn off these messages.

Value type: seconds

Default value: "3"

state_sync_timeout

The maximum amount of time to wait when propagating session persistence and bandwidth information to other traffic managers in the same cluster. Once this timeout is hit the transfer is aborted and a new connection created.

Value type: seconds

Default value: "6"

telemetry!enabled

Allow the reporting of anonymized usage data for product improvement and customer support purposes.

Value type: Yes / No

Default value: "Yes"

tip_class_limit

The maximum number of Traffic IP Groups that can be created.

Value type: unsigned integer

Default value: "10000"

track_unknown_users

Whether to remember past login attempts from usernames that are not known to exist (should be set to No for an Admin Server accessible from the public Internet). This does not affect the audit log.

Value type: Yes / No

Default value: "No"

trafficscript!data_local_size

The maximum amount of memory available to store TrafficScript data.local.set() information. This can be specified as a percentage of system RAM, 5% for example; or an absolute size such as 200MB.

Value type: string

Default value: "5%"

trafficscript!data_size

The maximum amount of memory available to store TrafficScript data.set() information. This can be specified as a percentage of system RAM, 5% for example; or an absolute size such as 200MB.

Value type: string

Default value: "5%"

trafficscript!execution_time_warning

Raise an event if a TrafficScript rule runs for more than this number of milliseconds in a single invocation. If you get such events repeatedly, you may want to consider re-working some of your TrafficScript rules. A value of 0 means no warnings will be issued.

Value type: unsigned integer

Default value: "500"

trafficscript!max_instr

The maximum number of instructions a TrafficScript rule will run. A rule will be aborted if it runs more than this number of instructions without yielding, preventing infinite loops.

Value type: unsigned integer

Default value: "100000"

trafficscript!memory_warning

Raise an event if a TrafficScript rule requires more than this amount of buffered network data. If you get such events repeatedly, you may want to consider re-working some of your TrafficScript rules to use less memory or to stream the data that they process rather than storing it all in memory. This setting also limits the amount of data that can be returned by request.GetLine().

Value type: bytes

Default value: "1048576"

trafficscript!regex_cache_size

The maximum number of regular expressions to cache in TrafficScript. Regular expressions will be compiled in order to speed up their use in the future.

Value type: unsigned integer

Default value: "57"

trafficscript!regex_match_limit

The maximum number of ways TrafficScript will attempt to match a regular expression at each position in the subject string, before it aborts the rule and reports a TrafficScript error.

Value type: unsigned integer

Default value: "10000000"

trafficscript!regex_match_warn_perc

The percentage of trafficscript!regex_match_limit at which TrafficScript reports a performance warning.

Value type: unsigned integer

Default value: "5"

trafficscript!variable_pool_use

Allow the pool.use and pool.select TrafficScript functions to accept variables instead of requiring literal strings.

Enabling this feature has the following effects:

Your traffic manager may no longer be able to know whether a pool is in use.

Errors for pools that aren't in use will not be hidden.

Some settings displayed for a Pool may not be appropriate for the type of traffic being managed.

Pool usage information on the pool edit pages and config summary may not be accurate.

Monitors will run for all pools (with this option disabled monitors will only run for Pools that are used).

Value type: Yes / No

Default value: "No"

transaction_export!enabled

Export metadata about transactions processed by the traffic manager to an external location.

Value type: Yes / No

Default value: "No"

transaction_export!endpoint

The endpoint to which transaction metadata should be exported. The endpoint is specified as a hostname or IP address with a port.

Value type: string

Default value: <none>

transaction_export!tls

Whether the connection to the specified endpoint should be encrypted.

Value type: Yes / No

Default value: "Yes"

transaction_export!tls_verify

Whether the server certificate presented by the endpoint should be verified, preventing a connection from being established if the certificate does not match the server name, is self-signed, is expired, is revoked, or has an unknown CA.

Value type: Yes / No

Default value: "Yes"

udp_read_multiple

Whether or not the traffic manager should try to read multiple UDP packets from clients each time the kernel reports data received from clients. This can improve performance when UDP traffic throughput from clients to the traffic manager is high. Therefore, in general it is recommended that this be set to 'Yes'.

Value type: Yes / No

Default value: "Yes"

uipage_banner

Banner text to be displayed on all Admin Server pages.

Value type: string

Default value: <none>

universal_cache_expiry

Universal session persistence cache expiry time in seconds. A session will not be reused if the time since it was last used exceeds this value. 0 indicates no expiry timeout.

Value type: unsigned integer

Default value: "0"

universal_cache_size

The maximum number of entries in the global universal session persistence cache. This is used for storing session mappings for universal session persistence. Approximately 100 bytes will be pre-allocated per entry.

Value type: unsigned integer

Default value: "32768"

watchdog!timeout

The maximum time in seconds a process can fail to update its heartbeat, before the watchdog considers it to have stalled.

Value type: seconds

Default value: "5"

webcache!avg_path_length

The estimated average length of the path (including query string) for resources being cached. An amount of memory equal to this figure multiplied by max_file_num will be allocated for storing the paths for cache entries. This setting can be increased if your web site makes extensive use of long URLs.

Value type: unsigned integer

Default value: "512"

webcache!disk

Whether or not to use a disk-backed (typically SSD) cache. If set to Yes, cached web pages will be stored in a file on disk. This enables the traffic manager to use a cache that is larger than available RAM. The webcache!size setting should also be adjusted to select a suitable maximum size based on your disk space.

Note that the disk caching is optimized for use with SSD storage.

Value type: Yes / No

Default value: "No"

webcache!disk_dir

If disk caching is enabled, this sets the directory where the disk cache file will be stored. The traffic manager will create a file called webcache.data in this location.

Note that the disk caching is optimized for use with SSD storage.

Value type: string

Default value: "%zeushome%/zxtm/internal"

webcache!max_file_num

Maximum number of entries in the cache. Approximately 0.9 KB will be pre-allocated per entry for metadata; this is in addition to the memory reserved for the content cache and for storing the paths of the cached resources.

Value type: unsigned integer

Default value: "10000"

webcache!max_file_size

Largest size of a cacheable object in the cache. This is specified as either a percentage of the total cache size, 2% for example, or an absolute size such as 20MB.

Value type: string

Default value: "2%"

webcache!max_path_length

The maximum length of the path (including query string) for the resource being cached. If the path exceeds this length then it will not be added to the cache.

Value type: unsigned integer

Default value: "2048"

webcache!normalize_query

Enable normalization (lexical ordering of the parameter-assignments) of the query string.

Value type: Yes / No

Default value: "Yes"

webcache!size

The maximum size of the HTTP web page cache. This is specified as either a percentage of system RAM, 20% for example, or an absolute size such as 200MB.

Value type: string

Default value: "20%"

webcache!verbose

Add an X-Cache-Info header to every HTTP response, showing whether the request and/or the response was cacheable.

Value type: Yes / No

Default value: "No"