Fortinet white logo
Fortinet white logo

Handbook

Configuring virtual servers

Configuring virtual servers

The virtual server configuration supports three classes of application delivery control:

  • Layer 7—Persistence, load balancing, and routing are based on Layer-7 objects, such as HTTP headers, cookies, and so on.
  • Layer 4—Persistence, load balancing, and network address translation are based on Layer-4 objects, such as source and destination IP addresses.
  • Layer 2—This feature is useful when the request’s destination IP is unknown and you need to load-balance connections among multiple next-hop gateways.
Before you begin:
  • You must have a deep understanding of the backend servers and your load-balancing objectives.
  • You must have configured a real server pool and other configuration objects that you can incorporate into the virtual server configuration, such as persistence rules, user-defined profiles, content routes and rewriting rules, error messages, authentication policies, and source IP address pools if you are deploying NAT.
  • You must have Read-Write permission for load-balance configurations.
Unlike virtual IPs on FortiGate or virtual servers on FortiWeb, virtual servers on FortiADC are activated as soon as you have configured them and set their status to Enable. You do not need to apply them by selecting them in a policy.

Two Options for virtual server configuration

FortiADC provides two options for configuring virtual servers—Basic Mode and Advanced Mode.

In Basic Mode, you are required to specify only the basic parameters needed to configure a virtual server. FortiADC automatically configures those advanced parameters using the default values when you click the Save button. The Basic Mode is for less experienced users who may not have the skills required to configure the advanced features on their own.

The Advanced Mode, on the other hand, is ideal for experienced or "power" users who are knowledgeable and comfortable enough to configure all the advanced features, in addition to the basic ones, on their own.

All virtual servers you have added, whether they are configured through Basic Mode or Advanced Mode, end up on the Load Balance > Virtual Server page. You can view the configuration details of a virtual server by clicking the entry.

Basic virtual server configuration

This option is used mostly for beginners who have less experience with FortiADC.

To configure a virtual server using Basic Mode:
  1. Click Server Load Balance > Virtual Server.
  2. Click Create New > Basic Mode to open the Basic Mode configuration editor.
  3. Complete the configuration as described in Virtual server configuration Basic Mode.
  4. Click Save.

Virtual server configuration Basic Mode

Settings Guidelines

Name

Specify a unique name for the virtual server configuration object. Valid characters are A-Z, a-z, 0-9, _, and -. No space is allowed. This name appears in reports and in logs as the SLB “policy”.

Note: Once saved, the name of a virtual server configuration cannot be changed

Application

Select an application from the list menu:

  • Microsoft SharePoint Application
  • Microsoft Exchange Server Application
  • IIS
  • Apache
  • Windows Remote Desktop
  • HTTPS H2
  • HTTPS H2C
  • HTTP(S)
  • TCPS
  • HTTP Turbo
  • RADIUS
  • DNS
  • SIP
  • TCP
  • UDP
  • FTP
  • IP
  • RTSP
  • RTMP
  • SMTP
  • DIAMETER
  • ISO8583
  • L7 TCP

  • L7 UDP

Address

Specify the IP address provisioned for the virtual server.

Port

Accept the default port number (80) or specify a port , ports, or a range of ports of your preference.

Note: The virtual server will use the specified port or ports to listen for client requests. You can specify up to eight ports or port ranges separated by space. Valid values are from 0 to 65535. Port 0 applies to Layer-4 virtual servers only,

Interface

Select a network interface from the list menu, or specify a new one.

Real Server Pool

Select a real server pool (if you have one already configured) or create a new one.

SSL

Applicable to HTTP(S) applications only.

Note: SSL is disabled by default, you must check the check box to enable it. Once SSL is enabled, you must select an profile from the Client SSL Profile drop-down menu below.

Client SSL Profile

Note: This setting applies to HTTPS, TCPS, HTTP2 H2, and SMTP applications only. In the case of HTTPS, it becomes available only when SSL is enabled.

Select a client SSL profile from the drop-down menu.

Protocol

Note: This setting becomes available only when Application is set to IP.

Enter up to eight numeric values or value ranges corresponding to the protocols you'd like to use, separated by space.

Domain Name

Note: This field becomes available only when Application is set to SMTP.

Specify the FQDN.

Advanced virtual server configuration

This option is used mostly by advanced users of FortiADC.

To configure a virtual server using the Advanced Mode:
  1. Go to Server Load Balance > Virtual Server.
  2. Click Create New > Advanced Mode to display the Advanced Mode configuration editor.
    The settings for Advanced Mode are separated into tabs to configure specific virtual server functionality.
    • Basic
    • General
    • Security
    • SSL Traffic Mirror (only available for Layer 7 HTTPS and TCPS server load-balancing profiles)
    • Application Optimization (only available for Layer 7 HTTP and HTTPS server load-balancing profiles)
    • Monitoring
  3. Configure and save the settings in the Basic tab.

    Setting

    Description

    Name

    Enter a unique name for the virtual server. Valid characters are A-Z, a-z, 0-9, _, and -. No space is allowed. This name appears in reports and in logs as the SLB “policy”.

    Note: Once you have saved the configuration, you cannot edit the virtual server name.

    Type

    • Layer 7 — Persistence, load balancing, and routing are based on Layer-7 objects, such as HTTP headers, cookies, and so on.
    • Layer 4 — Persistence, load balancing, and network address translation are based on Layer-4 objects, such as source and destination IP addresses.
    • Layer 2 — This feature is useful when the request’s destination IP is unknown and you need to load-balance connections among multiple next-hop gateways.

    Depending on your Type selection, the Layer 7, Layer 4, or Layer 2 Specifics configuration section will appear.

    Status

    • Enable — The virtual server can receive new sessions.
    • Disable — The server does not receive new sessions and closes any current sessions as soon as possible.
    • Maintain — The server does not receive new sessions, but maintains its current connections.

    Address Type

    • IPv4
    • IPv6

    Note: IPv6 is not supported for FTP, HTTP Turbo, RDP, or SIP profiles.

    Comment

    A string used to describe the purpose of the configuration

    1. If the Type is Layer 7, configure the following Layer 7 Specifics settings:

      Setting

      Description

      Schedule PoolEnable/disable the Schedule Pool. This is disabled by default.
      Note: If Schedule Pool is enabled, Content Routing becomes unavailable.

      Schedule Pool List

      The Schedule Pool List option appears if Schedule Pool is enabled.

      Select the schedule pool(s) and arrange them in a desired order.

      Content Routing

      Enable/disable the Content Routing. This is disabled by default.
      Note:

      • When content routing is enabled, FortiADC will route packets to backend servers based on IP address (Layer-4 content) or HTTP header (Layer-7 content).
      • Content-routing rules override static or policy routes.
      • This option does NOT apply to SIP profiles.

      Content Routing List

      The Content Routing List option appears if Content Routing is enabled.

      Select the content-routing rules and arrange them in a desired order.

      Note:
      You can select multiple content routing rules in virtual server configuration. Rules that you add are checked from top to bottom. The first rule to match is applied. If the traffic does not match any of the content-routing rule conditions specified in the virtual server configuration, the system will show some unexpected behaviors. Therefore, it is important that you create a “catch-all” rule that has no match conditions. In the virtual server configuration, this rule should be ordered last so it can be used to forward traffic to a default pool.

      See Configuring content routes.

      Content Rewriting

      Enable/disable the Content Rewriting. This is disabled by default.

      Note:

      • This option applies to Layer-7 only.
      • This option does NOT apply to SIP profiles.

      Content Rewriting List

      The Content Rewriting List option appears if Content Rewriting is enabled.

      Select the content rewriting rules and arrange them in a desired order.

      Note: You can select multiple content rewriting rules in the virtual server configuration. Rules that you add are consulted from top to bottom. The first rule to match is applied. If the traffic does not match any of the content rewriting rule conditions, the header is not rewritten.

      See Using content rewriting rules.

      NAT Source Pool List

      Select one or more source pool configuration objects and arrange them in a desired order. See Using source pools.

      Note:

      By default, the same IP pool cannot be set up in different virtual servers. However, you can enable IP address sharing through the CLI to allow the source pool to be set up in different virtual servers.

      To enable IP address sharing:

      config system global

      set share-ip-address enable

      end

      Transaction Rate Limit

      Note: This setting applies to Layer-7 virtual servers only. It is not supported for HTTP Turbo profiles.

      Set a limit to the number of HTTP requests per second that the virtual server can process. Valid values are from 0 to 1,048,567. The default is 0 (disabled).

      The system counts each client HTTP request against the limit. When the HTTP request rate exceeds the limit, the virtual server sends an HTTP 503 error response to the client.

    2. If the Type is Layer 4, configure the following Layer 4 Specifics settings:

      Setting

      Description

      Schedule PoolEnable/disable the Schedule Pool. This is disabled by default.
      Note: If Schedule Pool is enabled, Content Routing becomes unavailable.

      Schedule Pool List

      The Schedule Pool List option appears if Schedule Pool is enabled.

      Select the schedule pool(s) and arrange them in a desired order.

      Content Routing

      Enable/disable the Content Routing. This is disabled by default.
      Note:

      • When content routing is enabled, FortiADC will route packets to backend servers based on IP address (Layer-4 content) or HTTP header (Layer-7 content).
      • Content-routing rules override static or policy routes.
      • This option does NOT apply to SIP profiles.

      Content Routing List

      The Content Routing List option appears if Content Routing is enabled.

      Select the content-routing rules and arrange them in a desired order.

      Note:
      You can select multiple content routing rules in virtual server configuration. Rules that you add are checked from top to bottom. The first rule to match is applied. If the traffic does not match any of the content-routing rule conditions specified in the virtual server configuration, the system will show some unexpected behaviors. Therefore, it is important that you create a “catch-all” rule that has no match conditions. In the virtual server configuration, this rule should be ordered last so it can be used to forward traffic to a default pool.

      See Configuring content routes.

      Packet Forwarding Method

      Note: This setting applies to Layer-4 virtual servers only.

      Select one of the following packet forwarding methods:

      • Direct Routing — Forwards the source and destination IP addresses with no changes.
        Note: For FTP profiles, when Direct Routing is selected, you must also configure a persistence method.
      • DNAT — Replaces the destination IP address with the IP address of the backend server selected by the load balancer.

      The destination IP address of the initial request is the IP address of the virtual server. Be sure to configure FortiADC as the default gateway on the backend server so that the reply goes through FortiADC and can also be translated.

      • Full NAT — Replaces both the destination and source IP addresses. IPv4 to IPv4 or IPv6 to IPv6 translation.
      • Tunneling — (For Layer-4 IPv4 virtual servers) Allows FortiADC to send client requests to real servers through Layer-4 IP tunnels. See Layer-4 Virtual server IP tunneling.
      • NAT46 — (If Address Tpye is IPv4) Replaces both the destination and source IP addresses, translating IPv4 addresses to IPv6 addresses.
      • NAT64 — (If Address Type is IPv6) Replaces both the destination and source IP addresses, translating IPv6 addresses to IPv4 addresses.

      For Full NAT, NAT46, and NAT64, the source IP address is replaced by an IP address from the pool you specify. The destination IP address is replaced with the IP address of the backend server selected by the load balancer

      NAT Source Pool List

      If you are configuring a Layer 4 virtual server and enable Full NAT or NAT46, select one or more source pool configuration objects. See Using source pools.

      Note:

      By default, the same IP pool cannot be set up in different virtual servers. However, you can enable IP address sharing through the CLI to allow the source pool to be set up in different virtual servers.

      To enable IP address sharing:

      config system global

      set share-ip-address enable

      end

    3. If the Type is Layer 2, configure the following Layer 2 Specifics settings:

      Setting

      Description

      Schedule PoolEnable/disable the Schedule Pool. This is disabled by default.
      Note: If Schedule Pool is enabled, Content Routing becomes unavailable.

      Schedule Pool List

      The Schedule Pool List option appears if Schedule Pool is enabled.

      Select the schedule pool(s) and arrange them in a desired order.

      Content Routing

      Enable/disable the Content Routing. This is disabled by default.
      Note:

      • When content routing is enabled, FortiADC will route packets to backend servers based on IP address (Layer-4 content) or HTTP header (Layer-7 content).
      • Content-routing rules override static or policy routes.
      • This option does NOT apply to SIP profiles.

      Content Routing List

      The Content Routing List option appears if Content Routing is enabled.

      Select the content-routing rules and arrange them in a desired order.

      Note:
      You can select multiple content routing rules in virtual server configuration. Rules that you add are checked from top to bottom. The first rule to match is applied. If the traffic does not match any of the content-routing rule conditions specified in the virtual server configuration, the system will show some unexpected behaviors. Therefore, it is important that you create a “catch-all” rule that has no match conditions. In the virtual server configuration, this rule should be ordered last so it can be used to forward traffic to a default pool.

      See Configuring content routes.

  4. Configure and save the settings in the General tab.

    Setting

    Description

    Configuration
    Address

    Enter the IP address provisioned for the virtual server.

    Note:
    You do not specify an IP address for a Layer 2 virtual server. A Layer 2 virtual server is not aware of IP addresses. Instead of routing data for a specific destination, this type of server simply forwards data from the specified network interface and port.

    Port

    Accept the default port or specify a port, ports, or port ranges of your preference.

    Note: The virtual server will use the specified port or ports to listen for client requests. You can specify up to eight ports or port ranges separated by space. Valid values are from 0 to 65535. Port 0 applies to Layer-4 virtual servers only,

    The port range option is useful in deployments where it is desirable to have a virtual IP address with a large number of virtual ports, such as data centers or web hosting companies that use port number to identify their specific customers.

    Statistics and configurations are applied to the virtual port range as a whole and not to the individual ports within the specified port range.

    Note: If a Layer 2 virtual server is assigned a network interface that uses port 80 or 443, ensure that the HTTPS and HTTP administrative access options are not enabled for the interface. Setting a port range is not supported for FTP, HTTP Turbo, RADIUS, or Layer 2 TCP profiles.

    Connection Limit

    Set a limit to the number of concurrent connections. The default is 0 (disabled). Valid values are from 1 to 100,000,000.

    You can apply a connection limit per real server and per virtual server. Both limits are enforced. Attempted connections that are dropped by security rules are not counted.

    Note: This feature is NOT supported for FTP or SIP profiles.

    Connection Rate Limit

    This option is available if Layer 4 is selected as the Type in the Basic settings.

    With Layer 4 profiles you can limit the number of new connections per second. The default is 0 (disabled). Valid values are from 1 to 86,400.

    You can apply a connection rate limit per real server and per virtual server. Both limits are enforced. Attempted connections that are dropped by security rules are not counted.

    Note: Not supported for FTP profiles.

    Interface

    Network interface that receives client traffic for this virtual server.

    Resources

    Profile

    Select a predefined or user-defined profile configuration object. See Configuring Application profiles.

    Note: Only TCP, UDP and IP profiles are available for Layer 2 VS Type with IPv6 Address.

    Client SSL Profile

    Note: This setting applies to HTTPS, TCPS, HTTP2 H2, SMTP, and FTPS applications only. In the case of HTTPS, it becomes available only when SSL is enabled.

    Select a client SSL profile from the drop-down menu.

    Note: If a ZTNA Profile is referenced in the VS, ensure the client SSL profile has enabled client certificate verification for the corresponding EMS CA certificate object. See Configuring client SSL profiles.

    Persistence

    Select a predefined or user-defined persistence configuration object. See Configuring persistence rules.

    Note: The persistence rule with Match Across Virtual Servers enabled works only with L4 virtual servers or the L7 virtual server whose profile is LB_PROF_RADIUS.

    Method

    Select a predefined or user-defined method configuration object. See Configuring load-balancing (LB) methods.

    Real Server Pool

    Select a real server pool configuration object. See Configuring real server pools.

    Note: For Layer 2 VS Type, the available real server pools are dependent on the Address (IPv4 or IPv6) selected in Basic settings.

    Clone Pool

    Select a configuration object. See Configuring a clone pool.

    Note: This option is not available if the VS Type is Layer 2 and Address is IPv6.

    Auth Policy

    This option is available if Layer 7 is selected as the Type in the Basic settings.

    Select an authentication policy configuration object. HTTP/HTTPS only.

    See Configuring authentication policies.

    Scripting

    This option is available only if Scripting is enabled AND if Layer 7 is selected as the Type in the Basic settings.

    Select the scripting object(s) and arrange them in a desired order.

    Note:
    FortiADC allows you to combine multiple individual scripts into one combined script so that you can execute them all at once. In that situation, you can set the order in which the scripts are executed by assigning the scripts with different priorities. For more information, see Support for multiple scripts.

    AD FS Published Service

    This option is available if Layer 7 is selected as the Type in the Basic settings.

    Select an AD FS configuration object. HTTPS only.

    See Configuring AD FS Proxy.

    L2 Exception List

    This option is available if Layer 2 is selected as the Type in the Basic settings AND an HTTPS server load-balancing profile is selected.

    Select an exception configuration object. See Configuring an L2 exception list.

    HTTP Redirect to HTTPS

    This option becomes available when an HTTPS server load-balancing profile is selected.

    Enable/disable HTTP redirect to HTTPS. This option is disabled by default.

    If enabled, it opens HTTP service on an HTTPS virtual server which redirects traffic to an HTTP virtual server.

    Redirect Service Port

    This option becomes available when HTTP Redirect to HTTPS is enabled.

    You can either accept the default port (80), or specify up to eight ports or ranges of ports of your preference.

    Error Page (This section is only available for Layer 7 virtual servers)

    Error Page

    Select an error page configuration object. See Configuring error pages.

    Note: Not supported for SIP profiles.

    Error Message

    If you do not use an error page, you can enter an error message to be returned to clients in the event no server is available. Maximum 1023 bytes.

    Note: Not supported for SIP profiles.

    FortiGSLB (This section is not available for Layer 2 virtual servers)

    Public IP Type

    Set the Public IP type for the virtual server as either IPv4 or IPv6.

    Public IPv4/IPv6

    Enter the virtual server public IP address.

    One Click GSLB Server

    Enable/disable the FortiGSLB One Click GSLB server.

    Host Name

    The Host Name option is available if One Click GSLB Server is enabled.

    Enter the hostname part of the FQDN, such as www.

    Note: You can specify the @ symbol to denote the zone root. The value substitute for @ is the preceding $ORIGIN directive.

    Domain Name

    The Domain Name option is available if One Click GSLB Server is enabled.

    The domain name must end with a period. For example, example.com.

  5. Configure and save the settings in the Security tab. The security settings available are dependent on the virtual server type selected in Basic settings and the server load-balancing profile in General settings.

    Setting

    Description

    WAF Profile

    Select a WAF profile configuration object or create a new one.

    See Configuring a WAF Profile.

    AV Profile

    Select an existing AV profile from the drop-down menu or create a new one. AV profile can support HTTP/HTTPS/SMTP.

    See Creating an AV profile.

    DoS Protection Profile

    Select a DoS protection profile configuration object or create a new one.

    See Configuring DoS Protection Profile.

    Captcha Profile

    Select a Captcha configuration object.

    See Configuring Captcha.

    ZTNA Profile

    Note: This setting applies to Layer 7 HTTPS and TCPS applications only.

    Select a ZTNA Profile object.

    See Configuring a ZTNA Profile

  6. Configure and save the settings in the SSL Traffic Mirror tab.
    Note: The SSL Traffic Mirror settings are only accessible if Layer 7 is selected as the Type in the Basic settings AND an HTTPS or TCPS server load-balancing profile is selected in General settings.

    Setting

    Description

    SSL Traffic Mirror

    Enable/disable SSL Traffic Mirror.

    Mirror To

    The Mirror To field appears when SSL Traffic Mirror is enabled.

    Select the ports from the list of Available Items.

  7. Configure and save the settings in the Application Optimization tab.
    Note: The Application Optimization settings are only accessible if Layer 7 is selected as the Type in the Basic settings AND an HTTP or HTTPS server load-balancing profile is selected in General settings.

    Setting

    Description

    Page SpeedSelect a page speed optimization profile.
  8. Configure and save the settings in the Monitoring tab.

    Setting

    Description

    Traffic Log

    Enable/disable to record traffic logs for this virtual server.

    Note: Local logging is constrained by available disk space. We recommend that if you enable traffic logs, you monitor your disk space closely. We also recommend that you use local logging during evaluation and verification of your initial deployment, and then configure remote logging to send logs to a log management repository.

    FortiView

    Enable/disable to view this virtual server from FortiView.

    WCCP

    The WCCP option is only available for Layer 7 virtual servers.

    Enable/disable Web Cache Communications Protocol.

Configuring virtual servers

Configuring virtual servers

The virtual server configuration supports three classes of application delivery control:

  • Layer 7—Persistence, load balancing, and routing are based on Layer-7 objects, such as HTTP headers, cookies, and so on.
  • Layer 4—Persistence, load balancing, and network address translation are based on Layer-4 objects, such as source and destination IP addresses.
  • Layer 2—This feature is useful when the request’s destination IP is unknown and you need to load-balance connections among multiple next-hop gateways.
Before you begin:
  • You must have a deep understanding of the backend servers and your load-balancing objectives.
  • You must have configured a real server pool and other configuration objects that you can incorporate into the virtual server configuration, such as persistence rules, user-defined profiles, content routes and rewriting rules, error messages, authentication policies, and source IP address pools if you are deploying NAT.
  • You must have Read-Write permission for load-balance configurations.
Unlike virtual IPs on FortiGate or virtual servers on FortiWeb, virtual servers on FortiADC are activated as soon as you have configured them and set their status to Enable. You do not need to apply them by selecting them in a policy.

Two Options for virtual server configuration

FortiADC provides two options for configuring virtual servers—Basic Mode and Advanced Mode.

In Basic Mode, you are required to specify only the basic parameters needed to configure a virtual server. FortiADC automatically configures those advanced parameters using the default values when you click the Save button. The Basic Mode is for less experienced users who may not have the skills required to configure the advanced features on their own.

The Advanced Mode, on the other hand, is ideal for experienced or "power" users who are knowledgeable and comfortable enough to configure all the advanced features, in addition to the basic ones, on their own.

All virtual servers you have added, whether they are configured through Basic Mode or Advanced Mode, end up on the Load Balance > Virtual Server page. You can view the configuration details of a virtual server by clicking the entry.

Basic virtual server configuration

This option is used mostly for beginners who have less experience with FortiADC.

To configure a virtual server using Basic Mode:
  1. Click Server Load Balance > Virtual Server.
  2. Click Create New > Basic Mode to open the Basic Mode configuration editor.
  3. Complete the configuration as described in Virtual server configuration Basic Mode.
  4. Click Save.

Virtual server configuration Basic Mode

Settings Guidelines

Name

Specify a unique name for the virtual server configuration object. Valid characters are A-Z, a-z, 0-9, _, and -. No space is allowed. This name appears in reports and in logs as the SLB “policy”.

Note: Once saved, the name of a virtual server configuration cannot be changed

Application

Select an application from the list menu:

  • Microsoft SharePoint Application
  • Microsoft Exchange Server Application
  • IIS
  • Apache
  • Windows Remote Desktop
  • HTTPS H2
  • HTTPS H2C
  • HTTP(S)
  • TCPS
  • HTTP Turbo
  • RADIUS
  • DNS
  • SIP
  • TCP
  • UDP
  • FTP
  • IP
  • RTSP
  • RTMP
  • SMTP
  • DIAMETER
  • ISO8583
  • L7 TCP

  • L7 UDP

Address

Specify the IP address provisioned for the virtual server.

Port

Accept the default port number (80) or specify a port , ports, or a range of ports of your preference.

Note: The virtual server will use the specified port or ports to listen for client requests. You can specify up to eight ports or port ranges separated by space. Valid values are from 0 to 65535. Port 0 applies to Layer-4 virtual servers only,

Interface

Select a network interface from the list menu, or specify a new one.

Real Server Pool

Select a real server pool (if you have one already configured) or create a new one.

SSL

Applicable to HTTP(S) applications only.

Note: SSL is disabled by default, you must check the check box to enable it. Once SSL is enabled, you must select an profile from the Client SSL Profile drop-down menu below.

Client SSL Profile

Note: This setting applies to HTTPS, TCPS, HTTP2 H2, and SMTP applications only. In the case of HTTPS, it becomes available only when SSL is enabled.

Select a client SSL profile from the drop-down menu.

Protocol

Note: This setting becomes available only when Application is set to IP.

Enter up to eight numeric values or value ranges corresponding to the protocols you'd like to use, separated by space.

Domain Name

Note: This field becomes available only when Application is set to SMTP.

Specify the FQDN.

Advanced virtual server configuration

This option is used mostly by advanced users of FortiADC.

To configure a virtual server using the Advanced Mode:
  1. Go to Server Load Balance > Virtual Server.
  2. Click Create New > Advanced Mode to display the Advanced Mode configuration editor.
    The settings for Advanced Mode are separated into tabs to configure specific virtual server functionality.
    • Basic
    • General
    • Security
    • SSL Traffic Mirror (only available for Layer 7 HTTPS and TCPS server load-balancing profiles)
    • Application Optimization (only available for Layer 7 HTTP and HTTPS server load-balancing profiles)
    • Monitoring
  3. Configure and save the settings in the Basic tab.

    Setting

    Description

    Name

    Enter a unique name for the virtual server. Valid characters are A-Z, a-z, 0-9, _, and -. No space is allowed. This name appears in reports and in logs as the SLB “policy”.

    Note: Once you have saved the configuration, you cannot edit the virtual server name.

    Type

    • Layer 7 — Persistence, load balancing, and routing are based on Layer-7 objects, such as HTTP headers, cookies, and so on.
    • Layer 4 — Persistence, load balancing, and network address translation are based on Layer-4 objects, such as source and destination IP addresses.
    • Layer 2 — This feature is useful when the request’s destination IP is unknown and you need to load-balance connections among multiple next-hop gateways.

    Depending on your Type selection, the Layer 7, Layer 4, or Layer 2 Specifics configuration section will appear.

    Status

    • Enable — The virtual server can receive new sessions.
    • Disable — The server does not receive new sessions and closes any current sessions as soon as possible.
    • Maintain — The server does not receive new sessions, but maintains its current connections.

    Address Type

    • IPv4
    • IPv6

    Note: IPv6 is not supported for FTP, HTTP Turbo, RDP, or SIP profiles.

    Comment

    A string used to describe the purpose of the configuration

    1. If the Type is Layer 7, configure the following Layer 7 Specifics settings:

      Setting

      Description

      Schedule PoolEnable/disable the Schedule Pool. This is disabled by default.
      Note: If Schedule Pool is enabled, Content Routing becomes unavailable.

      Schedule Pool List

      The Schedule Pool List option appears if Schedule Pool is enabled.

      Select the schedule pool(s) and arrange them in a desired order.

      Content Routing

      Enable/disable the Content Routing. This is disabled by default.
      Note:

      • When content routing is enabled, FortiADC will route packets to backend servers based on IP address (Layer-4 content) or HTTP header (Layer-7 content).
      • Content-routing rules override static or policy routes.
      • This option does NOT apply to SIP profiles.

      Content Routing List

      The Content Routing List option appears if Content Routing is enabled.

      Select the content-routing rules and arrange them in a desired order.

      Note:
      You can select multiple content routing rules in virtual server configuration. Rules that you add are checked from top to bottom. The first rule to match is applied. If the traffic does not match any of the content-routing rule conditions specified in the virtual server configuration, the system will show some unexpected behaviors. Therefore, it is important that you create a “catch-all” rule that has no match conditions. In the virtual server configuration, this rule should be ordered last so it can be used to forward traffic to a default pool.

      See Configuring content routes.

      Content Rewriting

      Enable/disable the Content Rewriting. This is disabled by default.

      Note:

      • This option applies to Layer-7 only.
      • This option does NOT apply to SIP profiles.

      Content Rewriting List

      The Content Rewriting List option appears if Content Rewriting is enabled.

      Select the content rewriting rules and arrange them in a desired order.

      Note: You can select multiple content rewriting rules in the virtual server configuration. Rules that you add are consulted from top to bottom. The first rule to match is applied. If the traffic does not match any of the content rewriting rule conditions, the header is not rewritten.

      See Using content rewriting rules.

      NAT Source Pool List

      Select one or more source pool configuration objects and arrange them in a desired order. See Using source pools.

      Note:

      By default, the same IP pool cannot be set up in different virtual servers. However, you can enable IP address sharing through the CLI to allow the source pool to be set up in different virtual servers.

      To enable IP address sharing:

      config system global

      set share-ip-address enable

      end

      Transaction Rate Limit

      Note: This setting applies to Layer-7 virtual servers only. It is not supported for HTTP Turbo profiles.

      Set a limit to the number of HTTP requests per second that the virtual server can process. Valid values are from 0 to 1,048,567. The default is 0 (disabled).

      The system counts each client HTTP request against the limit. When the HTTP request rate exceeds the limit, the virtual server sends an HTTP 503 error response to the client.

    2. If the Type is Layer 4, configure the following Layer 4 Specifics settings:

      Setting

      Description

      Schedule PoolEnable/disable the Schedule Pool. This is disabled by default.
      Note: If Schedule Pool is enabled, Content Routing becomes unavailable.

      Schedule Pool List

      The Schedule Pool List option appears if Schedule Pool is enabled.

      Select the schedule pool(s) and arrange them in a desired order.

      Content Routing

      Enable/disable the Content Routing. This is disabled by default.
      Note:

      • When content routing is enabled, FortiADC will route packets to backend servers based on IP address (Layer-4 content) or HTTP header (Layer-7 content).
      • Content-routing rules override static or policy routes.
      • This option does NOT apply to SIP profiles.

      Content Routing List

      The Content Routing List option appears if Content Routing is enabled.

      Select the content-routing rules and arrange them in a desired order.

      Note:
      You can select multiple content routing rules in virtual server configuration. Rules that you add are checked from top to bottom. The first rule to match is applied. If the traffic does not match any of the content-routing rule conditions specified in the virtual server configuration, the system will show some unexpected behaviors. Therefore, it is important that you create a “catch-all” rule that has no match conditions. In the virtual server configuration, this rule should be ordered last so it can be used to forward traffic to a default pool.

      See Configuring content routes.

      Packet Forwarding Method

      Note: This setting applies to Layer-4 virtual servers only.

      Select one of the following packet forwarding methods:

      • Direct Routing — Forwards the source and destination IP addresses with no changes.
        Note: For FTP profiles, when Direct Routing is selected, you must also configure a persistence method.
      • DNAT — Replaces the destination IP address with the IP address of the backend server selected by the load balancer.

      The destination IP address of the initial request is the IP address of the virtual server. Be sure to configure FortiADC as the default gateway on the backend server so that the reply goes through FortiADC and can also be translated.

      • Full NAT — Replaces both the destination and source IP addresses. IPv4 to IPv4 or IPv6 to IPv6 translation.
      • Tunneling — (For Layer-4 IPv4 virtual servers) Allows FortiADC to send client requests to real servers through Layer-4 IP tunnels. See Layer-4 Virtual server IP tunneling.
      • NAT46 — (If Address Tpye is IPv4) Replaces both the destination and source IP addresses, translating IPv4 addresses to IPv6 addresses.
      • NAT64 — (If Address Type is IPv6) Replaces both the destination and source IP addresses, translating IPv6 addresses to IPv4 addresses.

      For Full NAT, NAT46, and NAT64, the source IP address is replaced by an IP address from the pool you specify. The destination IP address is replaced with the IP address of the backend server selected by the load balancer

      NAT Source Pool List

      If you are configuring a Layer 4 virtual server and enable Full NAT or NAT46, select one or more source pool configuration objects. See Using source pools.

      Note:

      By default, the same IP pool cannot be set up in different virtual servers. However, you can enable IP address sharing through the CLI to allow the source pool to be set up in different virtual servers.

      To enable IP address sharing:

      config system global

      set share-ip-address enable

      end

    3. If the Type is Layer 2, configure the following Layer 2 Specifics settings:

      Setting

      Description

      Schedule PoolEnable/disable the Schedule Pool. This is disabled by default.
      Note: If Schedule Pool is enabled, Content Routing becomes unavailable.

      Schedule Pool List

      The Schedule Pool List option appears if Schedule Pool is enabled.

      Select the schedule pool(s) and arrange them in a desired order.

      Content Routing

      Enable/disable the Content Routing. This is disabled by default.
      Note:

      • When content routing is enabled, FortiADC will route packets to backend servers based on IP address (Layer-4 content) or HTTP header (Layer-7 content).
      • Content-routing rules override static or policy routes.
      • This option does NOT apply to SIP profiles.

      Content Routing List

      The Content Routing List option appears if Content Routing is enabled.

      Select the content-routing rules and arrange them in a desired order.

      Note:
      You can select multiple content routing rules in virtual server configuration. Rules that you add are checked from top to bottom. The first rule to match is applied. If the traffic does not match any of the content-routing rule conditions specified in the virtual server configuration, the system will show some unexpected behaviors. Therefore, it is important that you create a “catch-all” rule that has no match conditions. In the virtual server configuration, this rule should be ordered last so it can be used to forward traffic to a default pool.

      See Configuring content routes.

  4. Configure and save the settings in the General tab.

    Setting

    Description

    Configuration
    Address

    Enter the IP address provisioned for the virtual server.

    Note:
    You do not specify an IP address for a Layer 2 virtual server. A Layer 2 virtual server is not aware of IP addresses. Instead of routing data for a specific destination, this type of server simply forwards data from the specified network interface and port.

    Port

    Accept the default port or specify a port, ports, or port ranges of your preference.

    Note: The virtual server will use the specified port or ports to listen for client requests. You can specify up to eight ports or port ranges separated by space. Valid values are from 0 to 65535. Port 0 applies to Layer-4 virtual servers only,

    The port range option is useful in deployments where it is desirable to have a virtual IP address with a large number of virtual ports, such as data centers or web hosting companies that use port number to identify their specific customers.

    Statistics and configurations are applied to the virtual port range as a whole and not to the individual ports within the specified port range.

    Note: If a Layer 2 virtual server is assigned a network interface that uses port 80 or 443, ensure that the HTTPS and HTTP administrative access options are not enabled for the interface. Setting a port range is not supported for FTP, HTTP Turbo, RADIUS, or Layer 2 TCP profiles.

    Connection Limit

    Set a limit to the number of concurrent connections. The default is 0 (disabled). Valid values are from 1 to 100,000,000.

    You can apply a connection limit per real server and per virtual server. Both limits are enforced. Attempted connections that are dropped by security rules are not counted.

    Note: This feature is NOT supported for FTP or SIP profiles.

    Connection Rate Limit

    This option is available if Layer 4 is selected as the Type in the Basic settings.

    With Layer 4 profiles you can limit the number of new connections per second. The default is 0 (disabled). Valid values are from 1 to 86,400.

    You can apply a connection rate limit per real server and per virtual server. Both limits are enforced. Attempted connections that are dropped by security rules are not counted.

    Note: Not supported for FTP profiles.

    Interface

    Network interface that receives client traffic for this virtual server.

    Resources

    Profile

    Select a predefined or user-defined profile configuration object. See Configuring Application profiles.

    Note: Only TCP, UDP and IP profiles are available for Layer 2 VS Type with IPv6 Address.

    Client SSL Profile

    Note: This setting applies to HTTPS, TCPS, HTTP2 H2, SMTP, and FTPS applications only. In the case of HTTPS, it becomes available only when SSL is enabled.

    Select a client SSL profile from the drop-down menu.

    Note: If a ZTNA Profile is referenced in the VS, ensure the client SSL profile has enabled client certificate verification for the corresponding EMS CA certificate object. See Configuring client SSL profiles.

    Persistence

    Select a predefined or user-defined persistence configuration object. See Configuring persistence rules.

    Note: The persistence rule with Match Across Virtual Servers enabled works only with L4 virtual servers or the L7 virtual server whose profile is LB_PROF_RADIUS.

    Method

    Select a predefined or user-defined method configuration object. See Configuring load-balancing (LB) methods.

    Real Server Pool

    Select a real server pool configuration object. See Configuring real server pools.

    Note: For Layer 2 VS Type, the available real server pools are dependent on the Address (IPv4 or IPv6) selected in Basic settings.

    Clone Pool

    Select a configuration object. See Configuring a clone pool.

    Note: This option is not available if the VS Type is Layer 2 and Address is IPv6.

    Auth Policy

    This option is available if Layer 7 is selected as the Type in the Basic settings.

    Select an authentication policy configuration object. HTTP/HTTPS only.

    See Configuring authentication policies.

    Scripting

    This option is available only if Scripting is enabled AND if Layer 7 is selected as the Type in the Basic settings.

    Select the scripting object(s) and arrange them in a desired order.

    Note:
    FortiADC allows you to combine multiple individual scripts into one combined script so that you can execute them all at once. In that situation, you can set the order in which the scripts are executed by assigning the scripts with different priorities. For more information, see Support for multiple scripts.

    AD FS Published Service

    This option is available if Layer 7 is selected as the Type in the Basic settings.

    Select an AD FS configuration object. HTTPS only.

    See Configuring AD FS Proxy.

    L2 Exception List

    This option is available if Layer 2 is selected as the Type in the Basic settings AND an HTTPS server load-balancing profile is selected.

    Select an exception configuration object. See Configuring an L2 exception list.

    HTTP Redirect to HTTPS

    This option becomes available when an HTTPS server load-balancing profile is selected.

    Enable/disable HTTP redirect to HTTPS. This option is disabled by default.

    If enabled, it opens HTTP service on an HTTPS virtual server which redirects traffic to an HTTP virtual server.

    Redirect Service Port

    This option becomes available when HTTP Redirect to HTTPS is enabled.

    You can either accept the default port (80), or specify up to eight ports or ranges of ports of your preference.

    Error Page (This section is only available for Layer 7 virtual servers)

    Error Page

    Select an error page configuration object. See Configuring error pages.

    Note: Not supported for SIP profiles.

    Error Message

    If you do not use an error page, you can enter an error message to be returned to clients in the event no server is available. Maximum 1023 bytes.

    Note: Not supported for SIP profiles.

    FortiGSLB (This section is not available for Layer 2 virtual servers)

    Public IP Type

    Set the Public IP type for the virtual server as either IPv4 or IPv6.

    Public IPv4/IPv6

    Enter the virtual server public IP address.

    One Click GSLB Server

    Enable/disable the FortiGSLB One Click GSLB server.

    Host Name

    The Host Name option is available if One Click GSLB Server is enabled.

    Enter the hostname part of the FQDN, such as www.

    Note: You can specify the @ symbol to denote the zone root. The value substitute for @ is the preceding $ORIGIN directive.

    Domain Name

    The Domain Name option is available if One Click GSLB Server is enabled.

    The domain name must end with a period. For example, example.com.

  5. Configure and save the settings in the Security tab. The security settings available are dependent on the virtual server type selected in Basic settings and the server load-balancing profile in General settings.

    Setting

    Description

    WAF Profile

    Select a WAF profile configuration object or create a new one.

    See Configuring a WAF Profile.

    AV Profile

    Select an existing AV profile from the drop-down menu or create a new one. AV profile can support HTTP/HTTPS/SMTP.

    See Creating an AV profile.

    DoS Protection Profile

    Select a DoS protection profile configuration object or create a new one.

    See Configuring DoS Protection Profile.

    Captcha Profile

    Select a Captcha configuration object.

    See Configuring Captcha.

    ZTNA Profile

    Note: This setting applies to Layer 7 HTTPS and TCPS applications only.

    Select a ZTNA Profile object.

    See Configuring a ZTNA Profile

  6. Configure and save the settings in the SSL Traffic Mirror tab.
    Note: The SSL Traffic Mirror settings are only accessible if Layer 7 is selected as the Type in the Basic settings AND an HTTPS or TCPS server load-balancing profile is selected in General settings.

    Setting

    Description

    SSL Traffic Mirror

    Enable/disable SSL Traffic Mirror.

    Mirror To

    The Mirror To field appears when SSL Traffic Mirror is enabled.

    Select the ports from the list of Available Items.

  7. Configure and save the settings in the Application Optimization tab.
    Note: The Application Optimization settings are only accessible if Layer 7 is selected as the Type in the Basic settings AND an HTTP or HTTPS server load-balancing profile is selected in General settings.

    Setting

    Description

    Page SpeedSelect a page speed optimization profile.
  8. Configure and save the settings in the Monitoring tab.

    Setting

    Description

    Traffic Log

    Enable/disable to record traffic logs for this virtual server.

    Note: Local logging is constrained by available disk space. We recommend that if you enable traffic logs, you monitor your disk space closely. We also recommend that you use local logging during evaluation and verification of your initial deployment, and then configure remote logging to send logs to a log management repository.

    FortiView

    Enable/disable to view this virtual server from FortiView.

    WCCP

    The WCCP option is only available for Layer 7 virtual servers.

    Enable/disable Web Cache Communications Protocol.