Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    Home FortiADC 6.1.0 Handbook
    6.1.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.1
    6.0.0
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.6
    5.3.5
    5.3.4
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.7

    Configuring virtual servers

    Configuring virtual servers

    The virtual server configuration supports three classes of application delivery control:

    • Layer 7—Persistence, load balancing, and routing are based on Layer-7 objects, such as HTTP headers, cookies, and so on.
    • Layer 4—Persistence, load balancing, and network address translation are based on Layer-4 objects, such as source and destination IP addresses.
    • Layer 2—This feature is useful when the request’s destination IP is unknown and you need to load-balance connections among multiple next-hop gateways.

    Before you begin:

    • You must have a deep understanding of the backend servers and your load-balancing objectives.
    • You must have configured a real server pool and other configuration objects that you can incorporate into the virtual server configuration, such as persistence rules, user-defined profiles, content routes and rewriting rules, error messages, authentication policies, and source IP address pools if you are deploying NAT.
    • You must have Read-Write permission for load-balance configurations.
    Unlike virtual IPs on FortiGate or virtual servers on FortiWeb, virtual servers on FortiADC are activated as soon as you have configured them and set their status to Enable. You do not need to apply them by selecting them in a policy.

    Two Options for virtual server configuration

    FortiADC provides two options for configuring virtual servers—Basic Mode and Advanced Mode.

    In Basic Mode, you are required to specify only the basic parameters needed to configure a virtual server. FortiADC automatically configures those advanced parameters using the default values when you click the Save button. The Basic Mode is for less experienced users who may not have the skills required to configure the advanced features on their own.

    The Advanced Mode, on the other hand, is ideal for experienced or "power" users who are knowledgeable and comfortable enough to configure all the advanced features, in addition to the basic ones, on their own.

    All virtual servers you have added, whether they are configured through Basic Mode or Advanced Mode, end up on the Load Balance > Virtual Server page. You can view the configuration details of a virtual server by clicking the entry.

    Basic virtual server configuration

    This option is used mostly for beginners who have less experience with FortiADC.

    To configure a virtual server using Basic Mode:
    1. Click Server Load Balance > Virtual Server.
    2. Click Add >Basic Mode to open the Basic Mode configuration editor.
    3. Complete the configuration as described in Virtual server configuration Basic Mode.
    4. Click Save.

    Virtual server configuration Basic Mode
    Settings Guidelines

    Name

    Specify a unique name for the virtual server configuration object. Valid characters are A-Z, a-z, 0-9, _, and -. No space is allowed. This name appears in reports and in logs as the SLB “policy”.

    Note: Once saved, the name of a virtual server configuration cannot be changed

    Application

    Select an application from the list menu:

    • Microsoft SharePoint Application
    • Microsoft Exchange Server Application
    • IIS
    • Apache
    • Windows Remote Desktop
    • HTTPS H2
    • HTTPS H2C
    • HTTP(S)
    • TCPS
    • HTTP Turbo
    • RADIUS
    • DNS
    • SIP
    • TCP
    • UDP
    • FTP
    • IP
    • RTSP
    • RTMP
    • SMTP
    • DIAMETER
    • ISO8583

    Address

    Specify the IP address provisioned for the virtual server.

    Port

    Accept the default port number (80) or specify a port , ports, or a range of ports of your preference.

    Note: The virtual server will use the specified port or ports to listen for client requests. You can specify up to eight ports or port ranges separated by space. Valid values are from 0 to 65535. Port 0 applies to Layer-4 virtual servers only,

    Interface

    Select a network interface from the list menu, or specify a new one.

    Real Server Pool

    Select a real server pool (if you have one already configured) or create a new one.

    SSL

    Applicable to HTTP(S) applications only.

    Note: SSL is disabled by default, you must check the check box to enable it. Once SSL is enabled, you must select an profile from the Client SSL Profile drop-down menu below.

    Client SSL Profile

    Note: This setting applies to HTTPS, TCPS, HTTP2 H2, and SMTP applications only. In the case of HTTPS, it becomes available only when SSL is enabled.

    Select a client SSL profile from the drop-down menu.

    Protocol

    Note: This setting becomes available only when Application is set to IP.

    Enter up to eight numeric values or value ranges corresponding to the protocols you'd like to use, separated by space.

    Domain Name

    Note: This field becomes available only when Application is set to SMTP.

    Specify the FQDN.

    Advanced virtual server configuration

    This option is used mostly by advanced users of FortiADC.

    To configure a virtual server using the Advanced Mode:
    1. Go to Server Load Balance > Virtual Server.
    2. Click Add > Advanced Mode to display the configuration editor.
    3. Complete the configuration as described in Virtual server configuration in Advanced Mode.
    4. Save the configuration.

    Virtual server configuration in Advanced Mode
    Settings Description

    Basic

    Name

    Enter a unique name for the virtual server. Valid characters are A-Z, a-z, 0-9, _, and -. No space is allowed. This name appears in reports and in logs as the SLB “policy”.

    Note: Once you have saved the configuration, you cannot edit the virtual server name.

    Status
    • Enable—The virtual server can receive new sessions.
    • Disable—The server does not receive new sessions and closes any current sessions as soon as possible.
    • Maintain—The server does not receive new sessions, but maintains its current connections.

    Type
    • Layer 7—Persistence, load balancing, and routing are based on Layer-7 objects, such as HTTP headers, cookies, and so on.
    • Layer 4—Persistence, load balancing, and network address translation are based on Layer-4 objects, such as source and destination IP addresses.
    • Layer 2—This feature is useful when the request’s destination IP is unknown and you need to load-balance connections among multiple next-hop gateways.

    Address Type
    • IPv4
    • IPv6

    Note: IPv6 is not supported for FTP, HTTP Turbo, RDP, or SIP profiles.

    Comment

    A string used to describe the purpose of the configuration

    Traffic Group

    Select the traffic group of your choice if you have one already configured, or create a new one by clicking Create New.

    Note: FortiADC will use the "default" if you do not choose or create a traffic group of your own.

    Specifics

    Note: Some of the settings in this part of the GUI apply to both Layer-7 and Layer-4 virtual servers, and some apply to Layer-7 virtual servers only, but none of them applies to Layer-2 virtual servers.

    Schedule Pool

    OFF (disabled) by default. Click the button to enable it.

    Schedule Pool List

    Available only when Schedule Pool is enabled. (See above). Follow the instructions onscreen to:

    1. Select the schedule pool(s).
    2. Arrange them in a desired order.

    Content Routing

    OFF (disabled) by default. Click the button to enable it.
    Note:

    • When content routing is enabled, FortiADC will route packets to backend servers based on IP address (Layer-4 content) or HTTP header (Layer-7 content).
    • Content-routing rules override static or policy routes.
    • This option does NOT apply to SIP profiles.

    Content Routing List

    Available only when Content Routing is enabled. Follow the instructions onscreen to:

    1. Select the content-routing rules.
    2. Arrange them in a desired order.

    Note: You can select multiple content routing rules in virtual server configuration. Rules that you add are checked from top to bottom. The first rule to match is applied. If the traffic does not match any of the content-routing rule conditions specified in the virtual server configuration, the system will show some unexpected behaviors. Therefore, it is important that you create a “catch-all” rule that has no match conditions. In the virtual server configuration, this rule should be ordered last so it can be used to forward traffic to a default pool.

    See Configuring content routes.

    Content Rewriting

    OFF (disabled) by default. Click the button to enable it.

    Note:

    • This option applies to Layer-7 only.
    • This option does NOT apply to SIP profiles.

    Content Rewriting List

    Available only when Content Rewriting is enabled. Follow the instructions onscreen to

    1. Select the content rewriting rules.
    2. Arrange them in a desired order.

    Note: You can select multiple content rewriting rules in the virtual server configuration. Rules that you add are consulted from top to bottom. The first rule to match is applied. If the traffic does not match any of the content rewriting rule conditions, the header is not rewritten.

    See Using content rewriting rules.

    Transaction Rate Limit

    Note: This setting applies to Layer-7 virtual servers only. It is not supported for HTTP Turbo profiles.

    Set a limit to the number of HTTP requests per second that the virtual server can process. Valid values are from 0 to 1,048,567. The default is 0 (disabled).

    The system counts each client HTTP request against the limit. When the HTTP request rate exceeds the limit, the virtual server sends an HTTP 503 error response to the client.

    Packet Forwarding Method

    Note: This setting applies to Layer-4 virtual servers only.

    Select one of the following packet forwarding methods:

    • Direct Routing—Forwards the source and destination IP addresses with no changes.

    Note: For FTP profiles, when Direct Routing is selected, you must also configure a persistence method.

    • DNAT—Replaces the destination IP address with the IP address of the backend server selected by the load balancer.

    The destination IP address of the initial request is the IP address of the virtual server. Be sure to configure FortiADC as the default gateway on the backend server so that the reply goes through FortiADC and can also be translated.

    • Full NAT—Replaces both the destination and source IP addresses. IPv4 to IPv4 or IPv6 to IPv6 translation.
    • Tunneling—(For Layer-4 IPv4 virtual servers) Allows FortiADC to send client requests to real servers through Layer-4 IP tunnels. See Layer-4 Virtual server IP tunneling.
    • NAT46—(If Address Tpye is IPv4) Replaces both the destination and source IP addresses, translating IPv4 addresses to IPv6 addresses.
    • NAT64—(If Address Type is IPv6) Replaces both the destination and source IP addresses, translating IPv6 addresses to IPv4 addresses.

    For Full NAT, NAT46, and NAT64, the source IP address is replaced by an IP address from the pool you specify. The destination IP address is replaced with the IP address of the backend server selected by the load balancer

    NAT Source Pool List

    If you are configuring a Layer 4 virtual server and enable Full NAT or NAT46, select one or more source pool configuration objects. See Using source pools.

    General

    Configuration

    Address

    Enter the IP address provisioned of the virtual server.

    Note: You do not specify an IP address for a Layer 2 virtual server. A Layer 2 virtual server is not aware of IP addresses. Instead of routing data for a specific destination, this type of server simply forwards data from the specified network interface and port.

    Port

    Accept the default port or specify a port, ports, or port ranges of your preference.

    Note: The virtual server will use the specified port or ports to listen for client requests. You can specify up to eight ports or port ranges separated by space. Valid values are from 0 to 65535. Port 0 applies to Layer-4 virtual servers only,

    The port range option is useful in deployments where it is desirable to have a virtual IP address with a large number of virtual ports, such as data centers or web hosting companies that use port number to identify their specific customers.

    Statistics and configurations are applied to the virtual port range as a whole and not to the individual ports within the specified port range.

    Note: If a Layer 2 virtual server is assigned a network interface that uses port 80 or 443, ensure that the HTTPS and HTTP administrative access options are not enabled for the interface. Setting a port range is not supported for FTP, HTTP Turbo, RADIUS, or Layer 2 TCP profiles.

    Connection Limit

    Set a limit to the number of concurrent connections. The default is 0 (disabled). Valid values are from 1 to 100,000,000.

    You can apply a connection limit per real server and per virtual server. Both limits are enforced. Attempted connections that are dropped by security rules are not counted.

    Note: This feature is NOT supported for FTP or SIP profiles.

    Connection Rate Limit

    With Layer 4 profiles, and with the Layer-2 TCP profile, you can limit the number of new connections per second. The default is 0 (disabled). Valid values are from 1 to 86,400.

    You can apply a connection rate limit per real server and per virtual server. Both limits are enforced. Attempted connections that are dropped by security rules are not counted.

    Note: Not supported for FTP profiles.

    Interface

    Network interface that receives client traffic for this virtual server.

    Resources

    Profile

    Select a predefined or user-defined profile configuration object. See Configuring Application profiles.

    Persistence

    Select a predefined or user-defined persistence configuration object. See Configuring persistence rules.

    Method

    Select a predefined or user-defined method configuration object. See .

    Real Server Pool

    Select a real server pool configuration object. See Configuring real server pools.

    Clone Pool

    Select a configuration object. See Configuring a clone pool.

    Auth Policy

    Select an authentication policy configuration object. HTTP/HTTPS only.

    See Configuring authentication policies.

    Scripting

    Available only when Scripting is enabled. Follow the instructions on screen to:

    1. Select the scripting object
    2. Arrange them in desired order

    Note: FortiADC allows you to combine multiple individual scripts into one combined script so that you can execute them all at once. In that situation, you can set the order in which the scripts are executed by assigning the scripts with different priorities. For more information, see Support for multiple scripts.

    L2 Exception List

    Select an exception configuration object. Layer 2 HTTPS/TCPS only. See Configuring an L2 exception list.

    Note: This field is only available when Type is set to Layer 2.

    HTTP Redirect to HTTPS

    This option becomes available when an HTTPS server load-balancing profile is selected. It's disabled by default. Click the button to enable.

    Note: If enabled, it opens HTTP service on an HTTPS virtual server which redirects traffic to an HTTP virtual server.

    Redirect Service Port

    This option becomes available when HTTP Redirect to HTTPS is enabled for an HTTPS type of server load-balancing profile, as described above.

    You can either accept the default port (80), or specify up to eight ports or ranges of ports of your preference.

    Error Page

    Error Page

    Select an error page configuration object. See Configuring error pages.

    Note: Not supported for SIP profiles.

    Error Message

    If you do not use an error page, you can enter an error message to be returned to clients in the event no server is available. Maximum 1023 bytes.

    Note: Not supported for SIP profiles.

    FortiGSLB

    Public IP Type

    IPv4 or IPv6

    Set the Public IP type for the virtual server.

    Public IPv4

    Virtual server public IP address.

    One Click GSLB Server

    FortiGSLB One Click GSLB server

    Host Name

    The hostname part of the FQDN, such as www.

    Note: You can specify the @ symbol to denote the zone root. The value substitute for @ is the preceding $ORIGIN directive.

    Domain Name

    The domain name must end with a period. e.g. example.com.

    Security

    		AV profile can support HTTP/HTTPS/SMTP

    WAF Profile

    Select a WAF profile configuration object or create a new one. See Configuring a WAF Profile.

    AV Profile

    Select an existing AV profile from the drop-down menu or create a new one. See Creating an AV profile.

    DoS Protection Profile

    Select a DoS protection profile configuration object or create a new one. See Configuring DoS Protection Profile.

    Captcha Profile

    Select a Captcha configuration object. See Configuring Captcha.

    SSL Traffic Mirror

    		This field applies to HTTPS and TCPS only.

    SSL Traffic Mirror

    		Select the check box to enable it. Then select the ports from the list of Available Items.

    Application Optimization

    Page Speed

    Select a page speed optimization profile.

    Monitoring

    Traffic Log

    Enable to record traffic logs for this virtual server.

    Note: Local logging is constrained by available disk space. We recommend that if you enable traffic logs, you monitor your disk space closely. We also recommend that you use local logging during evaluation and verification of your initial deployment, and then configure remote logging to send logs to a log management repository.

    FortiView

    Enable the view virtual server from FortiView

    WCP

    Web Cache Communications Protocol
    Previous
    Next

    Configuring virtual servers

    Configuring virtual servers

    The virtual server configuration supports three classes of application delivery control:

    • Layer 7—Persistence, load balancing, and routing are based on Layer-7 objects, such as HTTP headers, cookies, and so on.
    • Layer 4—Persistence, load balancing, and network address translation are based on Layer-4 objects, such as source and destination IP addresses.
    • Layer 2—This feature is useful when the request’s destination IP is unknown and you need to load-balance connections among multiple next-hop gateways.

    Before you begin:

    • You must have a deep understanding of the backend servers and your load-balancing objectives.
    • You must have configured a real server pool and other configuration objects that you can incorporate into the virtual server configuration, such as persistence rules, user-defined profiles, content routes and rewriting rules, error messages, authentication policies, and source IP address pools if you are deploying NAT.
    • You must have Read-Write permission for load-balance configurations.
    Unlike virtual IPs on FortiGate or virtual servers on FortiWeb, virtual servers on FortiADC are activated as soon as you have configured them and set their status to Enable. You do not need to apply them by selecting them in a policy.

    Two Options for virtual server configuration

    FortiADC provides two options for configuring virtual servers—Basic Mode and Advanced Mode.

    In Basic Mode, you are required to specify only the basic parameters needed to configure a virtual server. FortiADC automatically configures those advanced parameters using the default values when you click the Save button. The Basic Mode is for less experienced users who may not have the skills required to configure the advanced features on their own.

    The Advanced Mode, on the other hand, is ideal for experienced or "power" users who are knowledgeable and comfortable enough to configure all the advanced features, in addition to the basic ones, on their own.

    All virtual servers you have added, whether they are configured through Basic Mode or Advanced Mode, end up on the Load Balance > Virtual Server page. You can view the configuration details of a virtual server by clicking the entry.

    Basic virtual server configuration

    This option is used mostly for beginners who have less experience with FortiADC.

    To configure a virtual server using Basic Mode:
    1. Click Server Load Balance > Virtual Server.
    2. Click Add >Basic Mode to open the Basic Mode configuration editor.
    3. Complete the configuration as described in Virtual server configuration Basic Mode.
    4. Click Save.

    Virtual server configuration Basic Mode
    Settings Guidelines

    Name

    Specify a unique name for the virtual server configuration object. Valid characters are A-Z, a-z, 0-9, _, and -. No space is allowed. This name appears in reports and in logs as the SLB “policy”.

    Note: Once saved, the name of a virtual server configuration cannot be changed

    Application

    Select an application from the list menu:

    • Microsoft SharePoint Application
    • Microsoft Exchange Server Application
    • IIS
    • Apache
    • Windows Remote Desktop
    • HTTPS H2
    • HTTPS H2C
    • HTTP(S)
    • TCPS
    • HTTP Turbo
    • RADIUS
    • DNS
    • SIP
    • TCP
    • UDP
    • FTP
    • IP
    • RTSP
    • RTMP
    • SMTP
    • DIAMETER
    • ISO8583

    Address

    Specify the IP address provisioned for the virtual server.

    Port

    Accept the default port number (80) or specify a port , ports, or a range of ports of your preference.

    Note: The virtual server will use the specified port or ports to listen for client requests. You can specify up to eight ports or port ranges separated by space. Valid values are from 0 to 65535. Port 0 applies to Layer-4 virtual servers only,

    Interface

    Select a network interface from the list menu, or specify a new one.

    Real Server Pool

    Select a real server pool (if you have one already configured) or create a new one.

    SSL

    Applicable to HTTP(S) applications only.

    Note: SSL is disabled by default, you must check the check box to enable it. Once SSL is enabled, you must select an profile from the Client SSL Profile drop-down menu below.

    Client SSL Profile

    Note: This setting applies to HTTPS, TCPS, HTTP2 H2, and SMTP applications only. In the case of HTTPS, it becomes available only when SSL is enabled.

    Select a client SSL profile from the drop-down menu.

    Protocol

    Note: This setting becomes available only when Application is set to IP.

    Enter up to eight numeric values or value ranges corresponding to the protocols you'd like to use, separated by space.

    Domain Name

    Note: This field becomes available only when Application is set to SMTP.

    Specify the FQDN.

    Advanced virtual server configuration

    This option is used mostly by advanced users of FortiADC.

    To configure a virtual server using the Advanced Mode:
    1. Go to Server Load Balance > Virtual Server.
    2. Click Add > Advanced Mode to display the configuration editor.
    3. Complete the configuration as described in Virtual server configuration in Advanced Mode.
    4. Save the configuration.

    Virtual server configuration in Advanced Mode
    Settings Description

    Basic

    Name

    Enter a unique name for the virtual server. Valid characters are A-Z, a-z, 0-9, _, and -. No space is allowed. This name appears in reports and in logs as the SLB “policy”.

    Note: Once you have saved the configuration, you cannot edit the virtual server name.

    Status
    • Enable—The virtual server can receive new sessions.
    • Disable—The server does not receive new sessions and closes any current sessions as soon as possible.
    • Maintain—The server does not receive new sessions, but maintains its current connections.

    Type
    • Layer 7—Persistence, load balancing, and routing are based on Layer-7 objects, such as HTTP headers, cookies, and so on.
    • Layer 4—Persistence, load balancing, and network address translation are based on Layer-4 objects, such as source and destination IP addresses.
    • Layer 2—This feature is useful when the request’s destination IP is unknown and you need to load-balance connections among multiple next-hop gateways.

    Address Type
    • IPv4
    • IPv6

    Note: IPv6 is not supported for FTP, HTTP Turbo, RDP, or SIP profiles.

    Comment

    A string used to describe the purpose of the configuration

    Traffic Group

    Select the traffic group of your choice if you have one already configured, or create a new one by clicking Create New.

    Note: FortiADC will use the "default" if you do not choose or create a traffic group of your own.

    Specifics

    Note: Some of the settings in this part of the GUI apply to both Layer-7 and Layer-4 virtual servers, and some apply to Layer-7 virtual servers only, but none of them applies to Layer-2 virtual servers.

    Schedule Pool

    OFF (disabled) by default. Click the button to enable it.

    Schedule Pool List

    Available only when Schedule Pool is enabled. (See above). Follow the instructions onscreen to:

    1. Select the schedule pool(s).
    2. Arrange them in a desired order.

    Content Routing

    OFF (disabled) by default. Click the button to enable it.
    Note:

    • When content routing is enabled, FortiADC will route packets to backend servers based on IP address (Layer-4 content) or HTTP header (Layer-7 content).
    • Content-routing rules override static or policy routes.
    • This option does NOT apply to SIP profiles.

    Content Routing List

    Available only when Content Routing is enabled. Follow the instructions onscreen to:

    1. Select the content-routing rules.
    2. Arrange them in a desired order.

    Note: You can select multiple content routing rules in virtual server configuration. Rules that you add are checked from top to bottom. The first rule to match is applied. If the traffic does not match any of the content-routing rule conditions specified in the virtual server configuration, the system will show some unexpected behaviors. Therefore, it is important that you create a “catch-all” rule that has no match conditions. In the virtual server configuration, this rule should be ordered last so it can be used to forward traffic to a default pool.

    See Configuring content routes.

    Content Rewriting

    OFF (disabled) by default. Click the button to enable it.

    Note:

    • This option applies to Layer-7 only.
    • This option does NOT apply to SIP profiles.

    Content Rewriting List

    Available only when Content Rewriting is enabled. Follow the instructions onscreen to

    1. Select the content rewriting rules.
    2. Arrange them in a desired order.

    Note: You can select multiple content rewriting rules in the virtual server configuration. Rules that you add are consulted from top to bottom. The first rule to match is applied. If the traffic does not match any of the content rewriting rule conditions, the header is not rewritten.

    See Using content rewriting rules.

    Transaction Rate Limit

    Note: This setting applies to Layer-7 virtual servers only. It is not supported for HTTP Turbo profiles.

    Set a limit to the number of HTTP requests per second that the virtual server can process. Valid values are from 0 to 1,048,567. The default is 0 (disabled).

    The system counts each client HTTP request against the limit. When the HTTP request rate exceeds the limit, the virtual server sends an HTTP 503 error response to the client.

    Packet Forwarding Method

    Note: This setting applies to Layer-4 virtual servers only.

    Select one of the following packet forwarding methods:

    • Direct Routing—Forwards the source and destination IP addresses with no changes.

    Note: For FTP profiles, when Direct Routing is selected, you must also configure a persistence method.

    • DNAT—Replaces the destination IP address with the IP address of the backend server selected by the load balancer.

    The destination IP address of the initial request is the IP address of the virtual server. Be sure to configure FortiADC as the default gateway on the backend server so that the reply goes through FortiADC and can also be translated.

    • Full NAT—Replaces both the destination and source IP addresses. IPv4 to IPv4 or IPv6 to IPv6 translation.
    • Tunneling—(For Layer-4 IPv4 virtual servers) Allows FortiADC to send client requests to real servers through Layer-4 IP tunnels. See Layer-4 Virtual server IP tunneling.
    • NAT46—(If Address Tpye is IPv4) Replaces both the destination and source IP addresses, translating IPv4 addresses to IPv6 addresses.
    • NAT64—(If Address Type is IPv6) Replaces both the destination and source IP addresses, translating IPv6 addresses to IPv4 addresses.

    For Full NAT, NAT46, and NAT64, the source IP address is replaced by an IP address from the pool you specify. The destination IP address is replaced with the IP address of the backend server selected by the load balancer

    NAT Source Pool List

    If you are configuring a Layer 4 virtual server and enable Full NAT or NAT46, select one or more source pool configuration objects. See Using source pools.

    General

    Configuration

    Address

    Enter the IP address provisioned of the virtual server.

    Note: You do not specify an IP address for a Layer 2 virtual server. A Layer 2 virtual server is not aware of IP addresses. Instead of routing data for a specific destination, this type of server simply forwards data from the specified network interface and port.

    Port

    Accept the default port or specify a port, ports, or port ranges of your preference.

    Note: The virtual server will use the specified port or ports to listen for client requests. You can specify up to eight ports or port ranges separated by space. Valid values are from 0 to 65535. Port 0 applies to Layer-4 virtual servers only,

    The port range option is useful in deployments where it is desirable to have a virtual IP address with a large number of virtual ports, such as data centers or web hosting companies that use port number to identify their specific customers.

    Statistics and configurations are applied to the virtual port range as a whole and not to the individual ports within the specified port range.

    Note: If a Layer 2 virtual server is assigned a network interface that uses port 80 or 443, ensure that the HTTPS and HTTP administrative access options are not enabled for the interface. Setting a port range is not supported for FTP, HTTP Turbo, RADIUS, or Layer 2 TCP profiles.

    Connection Limit

    Set a limit to the number of concurrent connections. The default is 0 (disabled). Valid values are from 1 to 100,000,000.

    You can apply a connection limit per real server and per virtual server. Both limits are enforced. Attempted connections that are dropped by security rules are not counted.

    Note: This feature is NOT supported for FTP or SIP profiles.

    Connection Rate Limit

    With Layer 4 profiles, and with the Layer-2 TCP profile, you can limit the number of new connections per second. The default is 0 (disabled). Valid values are from 1 to 86,400.

    You can apply a connection rate limit per real server and per virtual server. Both limits are enforced. Attempted connections that are dropped by security rules are not counted.

    Note: Not supported for FTP profiles.

    Interface

    Network interface that receives client traffic for this virtual server.

    Resources

    Profile

    Select a predefined or user-defined profile configuration object. See Configuring Application profiles.

    Persistence

    Select a predefined or user-defined persistence configuration object. See Configuring persistence rules.

    Method

    Select a predefined or user-defined method configuration object. See .

    Real Server Pool

    Select a real server pool configuration object. See Configuring real server pools.

    Clone Pool

    Select a configuration object. See Configuring a clone pool.

    Auth Policy

    Select an authentication policy configuration object. HTTP/HTTPS only.

    See Configuring authentication policies.

    Scripting

    Available only when Scripting is enabled. Follow the instructions on screen to:

    1. Select the scripting object
    2. Arrange them in desired order

    Note: FortiADC allows you to combine multiple individual scripts into one combined script so that you can execute them all at once. In that situation, you can set the order in which the scripts are executed by assigning the scripts with different priorities. For more information, see Support for multiple scripts.

    L2 Exception List

    Select an exception configuration object. Layer 2 HTTPS/TCPS only. See Configuring an L2 exception list.

    Note: This field is only available when Type is set to Layer 2.

    HTTP Redirect to HTTPS

    This option becomes available when an HTTPS server load-balancing profile is selected. It's disabled by default. Click the button to enable.

    Note: If enabled, it opens HTTP service on an HTTPS virtual server which redirects traffic to an HTTP virtual server.

    Redirect Service Port

    This option becomes available when HTTP Redirect to HTTPS is enabled for an HTTPS type of server load-balancing profile, as described above.

    You can either accept the default port (80), or specify up to eight ports or ranges of ports of your preference.

    Error Page

    Error Page

    Select an error page configuration object. See Configuring error pages.

    Note: Not supported for SIP profiles.

    Error Message

    If you do not use an error page, you can enter an error message to be returned to clients in the event no server is available. Maximum 1023 bytes.

    Note: Not supported for SIP profiles.

    FortiGSLB

    Public IP Type

    IPv4 or IPv6

    Set the Public IP type for the virtual server.

    Public IPv4

    Virtual server public IP address.

    One Click GSLB Server

    FortiGSLB One Click GSLB server

    Host Name

    The hostname part of the FQDN, such as www.

    Note: You can specify the @ symbol to denote the zone root. The value substitute for @ is the preceding $ORIGIN directive.

    Domain Name

    The domain name must end with a period. e.g. example.com.

    Security

    		AV profile can support HTTP/HTTPS/SMTP

    WAF Profile

    Select a WAF profile configuration object or create a new one. See Configuring a WAF Profile.

    AV Profile

    Select an existing AV profile from the drop-down menu or create a new one. See Creating an AV profile.

    DoS Protection Profile

    Select a DoS protection profile configuration object or create a new one. See Configuring DoS Protection Profile.

    Captcha Profile

    Select a Captcha configuration object. See Configuring Captcha.

    SSL Traffic Mirror

    		This field applies to HTTPS and TCPS only.

    SSL Traffic Mirror

    		Select the check box to enable it. Then select the ports from the list of Available Items.

    Application Optimization

    Page Speed

    Select a page speed optimization profile.

    Monitoring

    Traffic Log

    Enable to record traffic logs for this virtual server.

    Note: Local logging is constrained by available disk space. We recommend that if you enable traffic logs, you monitor your disk space closely. We also recommend that you use local logging during evaluation and verification of your initial deployment, and then configure remote logging to send logs to a log management repository.

    FortiView

    Enable the view virtual server from FortiView

    WCP

    Web Cache Communications Protocol
    Previous
    Next