Created on 10-31-2023 07:46 AM, edited on 06-10-2025 12:55 AM, by Jean-Philippe_P
This article describes the factors that can trigger a 400 Bad Request response in Layer 7 HTTP/HTTPS virtual servers on FortiADC and explains how to identify and resolve the issue by adjusting the application profile settings.
Scope: FortiADC.
If FortiADC answers HTTP requests on a Layer 7 HTTP/HTTPS virtual server with 400 Bad Request even though the requests appear to be correctly formatted, the cause may be that the total size of the request headers exceeds the buffer limits set in the HTTP/HTTPS application profile. This article uses the default HTTP application profile 'LB_PROF_HTTP' as an example.
config load-balance profile
edit "LB_PROF_HTTP"
set type http
set tune-bufsize 8030 <--
set tune-maxrewrite 1024 <--
set client-timeout 50
set server-timeout 50
set connect-timeout 5
set queue-timeout 5
set http-send-timeout 0
set http-request-timeout 50
set http-keepalive-timeout 50
set buffer-pool enable
set client-address disable
set http-x-forwarded-for disable
unset http-x-forwarded-for-header
set http-mode KeepAlive
set modify-host-on-nonstandard-rs-port disable
unset compression
unset decompression
unset caching
set ip-reputation disable
unset geoip-list
unset allowlist
unset http2-profile
set geoip-redirect http://
set max-http-headers 100
set response-half-closed-request disable
next
end
In this profile, 'tune-bufsize' is set to 8030 bytes and 'tune-maxrewrite' to 1024 bytes. Together these two values determine how much room is available for the HTTP request headers.
Of the 8030 bytes configured as 'tune-bufsize', 1024 bytes are reserved for header manipulation (adding or modifying headers). This leaves approximately 7006 bytes for buffering the headers of an incoming HTTP request. If the headers of a request collectively exceed that available space (7006 bytes), the request is dropped and FortiADC responds with a 400 'Bad Request' status code.
When requests are dropped with a 400 'Bad Request' response, it is therefore important to examine the total size of the headers: a request is rejected even when its headers stay below 'tune-bufsize', as long as their total falls between 'tune-bufsize' - 'tune-maxrewrite' and 'tune-bufsize'.
If the collective size of the headers in the HTTP request exceeds the buffer space available for headers, this is expected behavior. To address it, increase the 'tune-bufsize' value in the application profile so that it accommodates the larger header size.
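The following script is an added example for checking a captured request against the arithmetic described above; it is not code from this article or from FortiADC. It computes the header space left after 'tune-maxrewrite' is reserved from 'tune-bufsize', sums the request line and header lines of a raw HTTP/1.x request (assumption: each line is counted with its CRLF terminator and the blank line that ends the header block is included; FortiADC's own accounting may differ slightly), lists the largest headers so the offending one (typically a cookie) is easy to spot, and, when the request does not fit, suggests a 'tune-bufsize' rounded up to the next KiB. The two sample requests are constructed inline.

```python
# Added example: estimate whether a request's headers fit the buffer that is
# left once 'tune-maxrewrite' has been reserved out of 'tune-bufsize'.
from typing import Dict, List, Tuple


def available_header_space(tune_bufsize: int, tune_maxrewrite: int) -> int:
    """Bytes left for buffering request headers, i.e. tune-bufsize minus the
    rewrite reserve (8030 - 1024 = 7006 for the default LB_PROF_HTTP)."""
    if tune_maxrewrite >= tune_bufsize:
        raise ValueError("tune-maxrewrite must be smaller than tune-bufsize")
    return tune_bufsize - tune_maxrewrite


def header_sizes(raw_request: bytes) -> Tuple[int, List[Tuple[str, int]]]:
    """Return (bytes used by request line + headers + terminators, per-header
    sizes sorted largest first). Assumption: every line counts together with
    its CRLF, and the empty line closing the header block is included."""
    head, sep, _body = raw_request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers CRLFCRLF")
    lines = head.split(b"\r\n")
    per_header = []
    for line in lines[1:]:  # lines[0] is the request line
        name, _, _ = line.partition(b":")
        per_header.append((name.decode("ascii", "replace").strip(), len(line) + 2))
    per_header.sort(key=lambda item: item[1], reverse=True)
    return len(head) + len(sep), per_header


def check_request(raw_request: bytes, tune_bufsize: int = 8030,
                  tune_maxrewrite: int = 1024) -> Dict[str, object]:
    """Compare a raw request against the profile values and report the result."""
    limit = available_header_space(tune_bufsize, tune_maxrewrite)
    total, per_header = header_sizes(raw_request)
    if total <= limit:
        suggested = tune_bufsize
    else:
        # Example's own rule of thumb: next KiB that holds the headers, plus reserve.
        suggested = tune_maxrewrite + (-(-total // 1024)) * 1024
    return {
        "header_bytes": total,
        "limit": limit,
        "fits": total <= limit,
        "largest_headers": per_header[:3],
        "suggested_tune_bufsize": suggested,
    }


def build_request(cookie_len: int) -> bytes:
    """Constructed sample GET whose only large header is a Cookie."""
    cookie = b"session=" + b"A" * cookie_len
    return (b"GET /login HTTP/1.1\r\n"
            b"Host: app.example.com\r\n"
            b"User-Agent: curl/8.0\r\n"
            b"Accept: */*\r\n"
            b"Cookie: " + cookie + b"\r\n"
            b"\r\n")


SMALL_REQUEST = build_request(200)    # fits comfortably in 7006 bytes
LARGE_REQUEST = build_request(7500)   # below tune-bufsize but above the header limit


if __name__ == "__main__":
    for label, req in (("small", SMALL_REQUEST), ("large", LARGE_REQUEST)):
        result = check_request(req)
        print(f"{label}: {result['header_bytes']} bytes, limit {result['limit']}, "
              f"fits={result['fits']}, largest={result['largest_headers'][0]}, "
              f"suggested tune-bufsize={result['suggested_tune_bufsize']}")
```

The large request is the interesting case: at 7599 header bytes it is well under 'tune-bufsize' (8030) yet over the 7006 bytes actually available, which is exactly the situation where the 400 response looks unexplained until 'tune-maxrewrite' is taken into account. Feed it the request copied from the browser or from the FortiADC packet capture, and adjust the defaults to match the profile in use.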
Curl commands can also be used to send traffic directly to the backend server with FortiADC acting as the client, using the same request format as the real client, to check whether the same issue occurs. Use the command below:
execute curl <test URL to the backend server>
Example:
execute curl -vk https://10.10.10.10/login
For the steps to obtain the curl command format with all the required headers from the browser, refer to this article: Technical Tip: How to use browsers to obtain curl commands for testing.