
CLI Reference

config load-balance virtual-server

Use this command to configure virtual servers.

The virtual server configuration supports three classes of application delivery control:

  • Layer 7—Persistence, load-balancing, and routing are based on Layer-7 objects, such as HTTP headers, cookies, and so on.
  • Layer 4—Persistence, load-balancing, and network address translation are based on Layer-4 objects, such as source and destination IP address.
  • Layer 2—This feature is useful when the request’s destination IP is unknown and you need to load-balance connections between multiple next-hop gateways.
Before you begin:
  • You must have a deep understanding of the backend servers and your load balancing objectives.
  • You must have configured a real server pool (required) and other configuration objects that you can incorporate into the virtual server configuration, such as persistence rules, user-defined profiles, source IP address pools if you are deploying full NAT, content routes and rewriting rules, and error messages.
  • You must have read-write permission for load balancing settings.
Unlike virtual IPs on FortiGate or virtual servers on FortiWeb, virtual servers on FortiADC are activated as soon as you configure them and set status to enable. You do not apply them by selecting them in a policy.

Syntax

config load-balance virtual-server

edit <vs-name>

set type {l2-load-balance | l4-load-balance | l7-load-balance}

set addr-type {ipv4|ipv6}

set alone {enable|disable}

set auth-policy <datasource>

set clone-pool <datasource>

set clone-traffic-type {both-sides|client-side|server-side}

set comments <string>

set connection-limit <integer>

set connection-pool <datasource>

set connection-rate-limit <integer>

set content-rewriting {enable|disable}

set content-rewriting-list <string>

set content-routing {enable|disable}

set content-routing-list <string>

set error-msg <string>

set error-page <datasource>

set geoip-block-list <datasource>

set allowlist <datasource>

set interface <datasource>

set ip <class_ip>

set l2-exception-list <datasource>

set port <value> [<value> ...]

(each <value> is a single port number "portA" or a port range "portA-portB"; multiple values are separated by spaces)

set load-balance-method <datasource>

set load-balance-persistence <datasource>

set load-balance-pool <datasource>

set load-balance-profile <datasource>

set client-ssl-profile <datasource>

set multi-process <integer>

set packet-forwarding-method {FullNAT|NAT|NAT46|NAT64|direct_routing|tunneling}

set ippool-list <datasource> <datasource> ...

set scripting-flag enable

set scripting-list <datasource> <datasource> ...

set status {enable|disable|maintain}

set traffic-log {enable|disable}

set event-log {enable|disable}

set trans-rate-limit <integer>

set waf-profile <datasource>

set warm-rate <integer>

set warm-up <integer>

set traffic-group <string>

set ssl-mirror {enable|disable}

set ssl-mirror-intf <port>

set pagespeed <datasource>

set http2https enable

set http2https-port <portA-portB portC portD>

set max-persistence-entries <integer>

set schedule-list {enable|disable}

set schedule-pool-list <datasource>

set dos-profile <datasource>

set ztna-profile <datasource>

set one-click-gslb-server-option {enable|disable}

next

end

type

Specify the virtual server type:

  • l7-load-balance: Persistence, load balancing, and routing are based on Layer 7 objects, such as HTTP headers, cookies, and so on.
  • l4-load-balance: Persistence, load balancing, and network address translation are based on Layer 4 objects, such as source and destination IP address.
  • l2-load-balance: This feature is useful when the request’s destination IP is unknown and you need to load balance connections between multiple next-hop gateways.

After you have specified the type, the CLI commands are constrained to the ones that are applicable to the specified type, not all of the settings described in this table.

addr-type

IPv4 or IPv6

Note: IPv6 is not supported for layer 4 FTP, layer 2 FTP, HTTP Turbo or RDP.

alone

Enable/disable alone mode. Enabled by default.

When enabled, the virtual server is handled by a separate httproxy daemon. When disabled, the virtual server belongs to a group that is handled by one httproxy daemon.

Alone mode boosts performance but impacts memory utilization. If memory utilization becomes an issue, consider enabling alone mode only for key virtual servers and disabling for less important ones.

Note: HTTP, HTTPS, and TCPS only.

auth-policy

Specify an auth policy configuration object. HTTP/HTTPS only.

comments

A string to describe the purpose of the configuration, to help you and other administrators more easily identify its use. Put phrases in quotes. For example: “Customer ABC”.

connection-limit

Limit the number of concurrent connections. The default is 0 (disabled). The valid range is 1 to 1,048,576 concurrent connections.

You can apply a connection limit per real server and per virtual server. Both limits are enforced. Attempted connections that are dropped by security rules are not counted.

Note: Not supported for FTP or SIP profiles.

connection-pool

Specify a connection pool configuration object.

Note: Not supported for SIP profiles.

connection-rate-limit

With all Layer 4 profiles, and with the Layer 2 TCP profile, you can limit the number of new connections per second. The default is 0 (disabled). The valid range is 1 to 86,400 connections per second.

You can apply a connection rate limit per real server and per virtual server. Both limits are enforced. Attempted connections that are dropped by security rules are not counted.

Note: Not supported for FTP profiles.

content-rewriting

Enable to rewrite HTTP headers.

Note: Not supported for SIP profiles.

content-rewriting-list

Specify content rewriting rules.

Note: You can select multiple content rewriting rules in the virtual server configuration. Rules that you add are consulted from top to bottom. The first rule to match is applied. If the traffic does not match any of the content rewriting rule conditions, the header is not rewritten.

content-routing

Enable to route packets to backend servers based on IP address (Layer 4) or HTTP headers (Layer 7 content).

Note: Not supported for SIP profiles. Supports L2 TCP/UDP/IP profiles.

content-routing-list

Specify content route configuration objects.

Note: You can specify multiple content routing rules in the virtual server configuration. Rules that you add are consulted from top to bottom. The first rule to match is applied. If the traffic does not match any of the content routing rule conditions specified in the virtual server configuration, the system behaves unexpectedly. Therefore, it is important that you create a “catch all” rule that has no match conditions. In the virtual server configuration, this rule should be ordered last so it can be used to forward traffic to a default pool.
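The ordering rule above, as an added example that is not part of the original reference: a Layer 7 virtual server whose content-routing-list names two conditional routes followed by a catch-all. The route objects cr-api, cr-static and cr-default, the pool pool-default and the client SSL profile ssl-web are placeholder names assumed to exist already (content routes are created under config load-balance content-routing); LB_PROF_HTTPS and LB_METHOD_ROUND_ROBIN are the predefined names used in this page's own example.

```text
config load-balance virtual-server
    edit "vs-web"
        set type l7-load-balance
        set addr-type ipv4
        set interface port1
        set ip 10.0.0.10
        set port 443
        set load-balance-profile LB_PROF_HTTPS
        set client-ssl-profile ssl-web
        set load-balance-method LB_METHOD_ROUND_ROBIN
        set load-balance-pool pool-default
        set content-routing enable
        set content-routing-list cr-api cr-static cr-default
        set traffic-log enable
        set status enable
    next
end
```

cr-api and cr-static carry match conditions; cr-default has none and is listed last, so a request that matches neither of the first two still lands on a known pool. Listing cr-default first would make it swallow every request, and omitting it leaves non-matching requests outside any route, which is the undefined case the note warns about. After editing, get load-balance virtual-server vs-web prints content-routing-list in the order the rules are evaluated; check it whenever a rule is added or removed.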

error-page

Specify an error page configuration object.

Note: Not supported for SIP profiles.

error-msg

If you do not use an error page, you can enter an error message to be returned to clients in the event no server is available.

Note: Not supported for SIP profiles.

geoip-blocklist

Specify a geography IP address block list configuration object.

allowlist

Specify a geography IP address allowlist configuration object.

interface

Network interface that receives client traffic for this virtual server.

ip

IP address provisioned for the virtual server.

Note: You do not specify an IP address for a Layer 2 virtual server. A Layer 2 virtual server is not aware of IP addresses. Instead of routing data for a specific destination, this type of server simply forwards data from the specified network interface and port.

port

Port number to listen for client requests.

Note: If a Layer 2 virtual server is assigned a network interface that uses port 80 or 443, ensure that the HTTPS and HTTP administrative access options are not enabled for the interface.

Note: An L7 virtual server can have up to 256 ports; there is no such limit for L4 virtual servers.

Note: Port number can be set to 0 if load-balance type is L4 or L2 and the profile is TCP or UDP.

port range

Specify the number of ports in a port range. For example, if port is 80, and port-range is 254, then the virtual port range starts at 80 and goes to 334.

The default is 0 (no range). The valid range is 0-255. For SIP, the valid range is 0-5.

The port-range option is useful in deployments where it is desirable to have a virtual IP address with a large number of virtual ports, such as data centers or web hosting companies that use port number to identify their specific customers.

Statistics and configurations are applied to the virtual port range as a whole and not to the individual ports within the specified range.

Note: Not supported for FTP, HTTP Turbo, RADIUS, or Layer 2 TCP profiles.

Note: You can define up to eight port ranges.

load-balance-method

Specify a predefined or user-defined method configuration object.

load-balance-persistence

Specify a predefined or user-defined persistence configuration object.

load-balance-pool

Specify a server pool configuration object.

load-balance-profile

Specify a predefined or user-defined profile configuration object.

After you have specified the profile, the CLI commands are constrained to the ones that are applicable to the specified profile type, not all of the settings described in this table.

client-ssl-profile

Specify a predefined or user-defined client SSL profile configuration object.

Note:

  • This setting applies to HTTPS, TCPS, HTTP2 H2, SMTP, and FTPS applications only. In the case of HTTPS, it becomes available only when SSL is enabled.

  • If a ZTNA Profile is referenced in the VS, ensure the client SSL profile has enabled client certificate verification for the corresponding EMS CA certificate object. See config load-balance client-ssl-profile.

l2-exception-list

Specify a user-defined SSL forward proxy exception configuration object.

multi-process

If your system has a multicore CPU, you can assign the number of CPU cores to handle traffic for a virtual server. The valid range is 1 to 15.

Note: HTTP, HTTPS, and TCPS only.

packet-forwarding-method

In Layer 4 virtual server deployments, select one of the following packet forwarding methods:

  • direct_routing — Forwards the source and destination IP addresses with no changes.

    Note: For FTP profiles, when Direct Routing is selected, you must also configure a persistence method.

  • NAT— Replaces the destination IP address with the IP address of the backend server selected by the load balancer. The destination IP address of the initial request is the IP address of the virtual server. Be sure to configure FortiADC as the default gateway on the backend server so that the reply goes through FortiADC and can also be translated.
  • FullNAT—Replaces both the destination and source IP addresses. IPv4 to IPv4 or IPv6 to IPv6 translation.
  • NAT46—Replaces both the destination and source IP addresses, translating IPv4 addresses to IPv6 addresses.
  • NAT64—Replaces both the destination and source IP addresses, translating IPv6 addresses to IPv4 addresses.
  • tunneling—The load balancer sends requests to real servers through an IP tunnel. When a packet destined for the virtual IP address arrives, a real server is chosen from the pool according to the load-balancing method, and the load balancer encapsulates the original packet in an IP datagram and forwards it to the chosen server.

Note: For Full NAT, NAT46, and NAT64, the source IP address is replaced by an IP address from the pool you specify with ippool. The destination IP address is replaced with the IP address of the backend server selected by the load balancer.

ippool-list

If you are configuring a Layer 4 virtual server and enable Full NAT, NAT46, or NAT64, specify a space-separated list of IP address pool configuration objects to be used for SNAT.

Note:

By default, the same IP pool cannot be set up in different virtual servers. However, you can enable IP address sharing through the CLI to allow the source pool to be set up in different virtual servers.

To enable IP address sharing:

config system global

set share-ip-address enable

end

scripting-flag

Enable/disable scripting for this virtual server. Enabled by default.

scripting-list

Specify a scripting policy configuration object. HTTP/HTTPS only.

Note: The maximum number of scripts in "set scripting-list <>" is 256.

status

  • enable—The server can receive new sessions.
  • disable—The server does not receive new sessions and closes any current sessions as soon as possible.
  • maintain—The server does not receive new sessions but maintains any current connections.

traffic-log

Enable to record traffic logs for this virtual server.

Note: Local logging is constrained by available disk space. We recommend that if you enable traffic logs, you monitor your disk space closely. We also recommend that you use local logging during evaluation and verification of your initial deployment, and then configure remote logging to send logs to a log management repository.

event-log

Enable to record event logs for this virtual server.

trans-rate-limit

Limit the number of HTTP or SIP requests per second. The default is 0 (disabled). The valid range is 1 to 1,048,576 transactions per second.

The system counts each client request against the limit. When the request rate exceeds the limit, the virtual server sends an HTTP 503 error response to the client.

Note: Not supported for HTTP Turbo profiles.

waf-profile

Specify a web application firewall (WAF) profile configuration object. HTTP/HTTPS only.

warm-rate

Maximum connection rate while the virtual server is starting up. The default is 100 connections per second. The valid range is 1 to 86,400 connections per second.

If Warm Up is 5 and Warm Rate is 2, the number of allowed new connections increases at the following rate:

  • 1st second—Total of 2 new connections allowed (0+2).
  • 2nd second—2 new connections added for a total of 4 new connections allowed (2+2).
  • 3rd second—2 new connections added for a total of 6 new connections allowed (4+2).
  • 4th second—2 new connections added for a total of 8 new connections allowed (6+2).
  • 5th second—2 new connections added for a total of 10 new connections allowed (8+2).

Note: Not supported for SIP profiles.

warm-up

If the server cannot initially handle full connection load when it begins to respond to health checks (for example, if it begins to respond when startup is not fully complete), indicate how long to forward traffic at a lesser rate. The default is 0 (disabled). The valid range is 1 to 86,400 seconds.

Note: Not supported for SIP profiles.
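A Layer 4 virtual server that combines the packet-forwarding-method and ippool-list settings with the connection-limit, connection-rate-limit, warm-up and warm-rate controls described above, as an added example that is not part of the original reference. The pool pool-app and the SNAT pools snat-pool-a and snat-pool-b are placeholder names assumed to exist already; LB_PROF_TCP and LB_METHOD_ROUND_ROBIN are the predefined names used in this page's own example. The config system global block is only needed if the same SNAT pools are also referenced by another virtual server.

```text
config system global
    set share-ip-address enable
end

config load-balance virtual-server
    edit "vs-tcp-fullnat"
        set type l4-load-balance
        set addr-type ipv4
        set interface port2
        set ip 203.0.113.10
        set port 8443
        set load-balance-profile LB_PROF_TCP
        set load-balance-method LB_METHOD_ROUND_ROBIN
        set load-balance-pool pool-app
        set packet-forwarding-method FullNAT
        set ippool-list snat-pool-a snat-pool-b
        set connection-limit 20000
        set connection-rate-limit 2000
        set warm-up 30
        set warm-rate 50
        set traffic-log enable
        set status enable
    next
end
```

With FullNAT the backend sees a source address from snat-pool-a or snat-pool-b rather than the client address, so the real servers need no route back through FortiADC but their logs no longer record client IPs; with a plain TCP profile there is no HTTP header to carry the original address, so if the application must see client IPs use NAT with FortiADC as the backend default gateway, or an L7 profile. The connection-limit caps concurrent sessions at 20,000 and connection-rate-limit caps new connections at 2,000 per second; both are enforced on top of any per-real-server limits. During the 30-second warm-up, allowed new connections grow by warm-rate each second, 50 in the first second, 100 in the second, up to 1,500 in the thirtieth, following the arithmetic shown in the warm-rate description.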

ssl-mirror

Enable/disable SSL mirroring. When ssl-mirror is enabled, FortiADC decrypts the client HTTPS/TCPS traffic for the virtual server and sends a copy of the decrypted packets out the interfaces specified with ssl-mirror-intf.

Note: Use this command to send mirrored packets of HTTPS or TCPS virtual servers to third-party solutions (for example, an IDS or packet recorder) over the designated network interfaces. Because the mirrored traffic is in plaintext, connect the mirror interfaces only to a segment reserved for the receiving tool.

ssl-mirror-intf

Specify the outgoing interfaces used as SSL mirror interfaces. You can specify up to four interfaces.

pagespeed

Specify a PageSpeed configuration object to let FortiADC speed up HTTP responses using its Web Performance Optimization features.

http2https

Enable/disable redirecting HTTP requests to HTTPS.

http2https-port

List of HTTP service ports on which requests are redirected to HTTPS.

Format: portA-portB portC portD (port ranges and single ports, separated by spaces).

max-persistence-entries

Maximum number of persistence entries. This setting takes effect only when load-balance-persistence references a persistence object of type source-address.

schedule-list

Enable/disable the schedule pool list.

schedule-pool-list

Specify the schedule pool configuration object.

clone-pool

Specify the clone pool configuration object that receives a copy of the traffic.

clone-traffic-type

Specify which side of the traffic to clone: both-sides, client-side, or server-side.
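An L7 HTTPS virtual server that applies the security-related settings documented in this table together (client SSL profile, WAF and DoS profiles, GeoIP blocking, transaction rate limiting, source-address persistence with a bounded table, HTTP-to-HTTPS redirect, and SSL mirroring to an inspection tool), as an added example that is not part of the original reference. ssl-portal, pool-portal, waf-portal, dos-portal and geo-block are placeholder object names assumed to exist already; LB_PROF_HTTPS and LB_METHOD_ROUND_ROBIN are the predefined names used in this page's own example, and LB_PERSIS_SRC_ADDR is assumed to be the predefined source-address persistence object.

```text
config load-balance virtual-server
    edit "vs-portal"
        set type l7-load-balance
        set addr-type ipv4
        set interface port1
        set ip 198.51.100.20
        set port 443
        set load-balance-profile LB_PROF_HTTPS
        set client-ssl-profile ssl-portal
        set load-balance-method LB_METHOD_ROUND_ROBIN
        set load-balance-persistence LB_PERSIS_SRC_ADDR
        set max-persistence-entries 100000
        set load-balance-pool pool-portal
        set waf-profile waf-portal
        set dos-profile dos-portal
        set geoip-block-list geo-block
        set trans-rate-limit 5000
        set http2https enable
        set http2https-port 80 8080-8081
        set ssl-mirror enable
        set ssl-mirror-intf port5
        set traffic-log enable
        set event-log enable
        set status enable
    next
end
```

The redirect listens on ports 80 and 8080-8081 and answers with a redirect to HTTPS, so clients never complete a plaintext session against the portal. trans-rate-limit returns HTTP 503 once requests exceed 5,000 per second across the virtual server; tune it against measured peak traffic or legitimate bursts will be refused. max-persistence-entries bounds the source-address persistence table so a flood of distinct source addresses cannot grow it without limit; it has no effect with cookie or other persistence types. port5 receives the decrypted copy of every client session, so it must face only the inspection tool. Verify the result with get load-balance virtual-server vs-portal.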

dos-profile

Specify a DoS protection profile configuration object. The load-balancing process reads the settings of this profile and writes them into the HTTProxy configuration for this virtual server.

ztna-profile

Specify a ZTNA profile configuration object.

Note: This setting applies to Layer 7 HTTPS and TCPS applications only.

one-click-gslb-server-option

Enable/disable the FortiGSLB function.

Example

FortiADC-VM # config load-balance virtual-server

FortiADC-VM (virtual-server) # edit lb-vs1

Add new entry 'lb-vs1' for node 1775

config load-balance virtual-server

edit "l7vs"

set type l7-load-balance

set interface port1

set ip 172.1.1.2

set traffic-group traffic-group-1

next

end

config load-balance virtual-server

edit "VS"

set type l7-load-balance

set interface port3

set ip 192.168.1.1

set load-balance-profile LB_PROF_HTTPS

set load-balance-method LB_METHOD_ROUND_ROBIN

set load-balance-pool pool

set scripting-flag enable

set scripting-list HTTP_2_HTTPS_REDIRECTION REWRITE_HOST_n_PATH REDIRECTION_by_STATUS_CODE

set traffic-group default

set clone-pool 1

set clone-traffic-type both-sides

set dos-profile dos-profile

set ztna-profile ztna-profile

next

end

FortiADC-VM (lb-vs1) # get

status : enable

type : l4-load-balance

multi-process : 1

packet-forwarding-method: NAT

interface :

addr-type : ipv4

ip : 0.0.0.0

port : 80

connection-limit : 10000

load-balance-profile:

content-routing : disable

load-balance-persistence:

load-balance-method :

load-balance-pool :

traffic-log : disable

warm-up : 0

warm-rate : 10

connection-rate-limit: 0

id : 0

clone-pool : 1

clone-traffic-type : both-sides

FortiADC-VM (lb-vs1) # set ip 192.168.200.1

FortiADC-VM (lb-vs1) # set interface port4

FortiADC-VM (lb-vs1) # set load-balance-profile LB_PROF_TCP

FortiADC-VM (lb-vs1) # set load-balance-method LB_METHOD_ROUND_ROBIN

FortiADC-VM (lb-vs1) # set load-balance-pool lb-pool

FortiADC-VM (lb-vs1) # end

FortiADC-VM # get load-balance virtual-server lb-vs1

status : enable

type : l4-load-balance

multi-process : 1

packet-forwarding-method: NAT

interface : port4

addr-type : ipv4

ip : 192.168.200.1

port : 80

connection-limit : 10000

load-balance-profile: LB_PROF_TCP

content-routing : disable

load-balance-persistence:

load-balance-method : LB_METHOD_ROUND_ROBIN

load-balance-pool : lb-pool

traffic-log : disable

warm-up : 0

warm-rate : 10

connection-rate-limit: 0

id : 1

config load-balance virtual-server

config load-balance virtual-server

Use this command to configure virtual servers.

The virtual server configuration supports three classes of application delivery control:

  • Layer 7—Persistence, load-balancing, and routing are based on Layer-7 objects, such as HTTP headers, cookies, and so on.
  • Layer 4—Persistence, load-balancing, and network address translation are based on Layer-4 objects, such as source and destination IP address.
  • Layer 2—This feature is useful when the request’s destination IP is unknown and you need to load-balance connections between multiple next-hop gateways.
Before you begin:
  • You must have a deep understanding of the backend servers and your load balancing objectives.
  • You must have configured a real server pool (required) and other configuration objects that you can incorporate into the virtual server configuration, such as persistence rules, user-defined profiles, source IP address pools if you are deploying full NAT, content routes and rewriting rules, and error messages.
  • You must have read-write permission for load balancing settings.
Unlike virtual IPs on FortiGate or virtual servers on FortiWeb, virtual servers on FortiADC are activated as soon as you configure them and set status to enable. You do not apply them by selecting them in a policy.

Syntax

config load-balance virtual-server

edit <vs-name>

set type {l2-load-balance | l4-load-balance | l7-load-balance}

set addr-type {ipv4|ipv6}

set alone {enable|disable}

set auth-policy <datasource>

set clone-pool <datasource>

set clone-traffic-type {both-sides|client-side|server-side}

set comments <string>

set connection-limit <integer>

set connection-pool <datasource>

set connection-rate-limit <integer>

set content-rewriting {enable|disable}

set content-rewriting-list <string>

set content-routing {enable|disable}

set content-routing-list <string>

set error-msg <string>

set geoip-block-list <datasource>

set allowlist <datasource>

set interface <datasource>

set ip <class_ip>

set l2-exception-list <datasource>

set port <value> port range "portA-portB" or single port number "portA"

set port <number>

set load-balance-method <datasource>

set load-balance-persistence <datasource>

set load-balance-pool <datasource>

set load-balance-profile <datasource>

set client-ssl-profile <datasource>

set multi-process <integer>

set packet-forwarding-method {FullNAT|NAT|NAT46|NAT64|direct_routing| tunneling}

set ippool-list <datasource> <datasource> ...

set scripting-flag enable

set scripting-list <datasource> <datasource> ...

set status {enable|disable|maintain}

set traffic-log {enable|disable}

set event-log {enable|disable}

set trans-rate-limit <integer>

set waf-profile <datasource>

set warm-rate <integer>

set warm-up <integer>

set traffic-group <string>

set ssl-mirror {enable|disable}

set ssl-mirror-intf <port>

set pagespeed <datasource>

set http2https enable

set http2https-port <portA-portB portC portD>

set max-persistence-entries <integer>

set schedule-list {enable|disable}

set schedule-pool-list <datasource>

set dos-profile <datasource>

set ztna-profle <datasource>

set one-click-gslb-server-option {enable|disable}

next

end

type

Specify the virtual server type:

  • l7-load-balance: Persistence, load balancing, and routing are based on Layer 7 objects, such as HTTP headers, cookies, and so on.
  • l4-load-balance: Persistence, load balancing, and network address translation are based on Layer 4 objects, such as source and destination IP address.
  • l2-load-balance: This feature is useful when the request’s destination IP is unknown and you need to load balance connections between multiple next-hop gateways.

After you have specified the type, the CLI commands are constrained to the ones that are applicable to the specified type, not all of the settings described in this table.

addr-type

IPv4 or IPv6

Note: IPv6 is not supported for layer 4 FTP, layer 2 FTP, HTTP Turbo or RDP.

alone

Enable/disable alone mode. Enabled by default.

When enabled, the virtual server is handled by a separate httproxy daemon. When disabled, the virtual server belongs to a group that is handled by one httproxy daemon.

Alone mode boosts performance but impacts memory utilization. If memory utilization becomes an issue, consider enabling alone mode only for key virtual servers and disabling for less important ones.

Note: HTTP, HTTPS, and TCPS only.

auth-policy

Specify an auth policy configuration object. HTTP/HTTPS only.

comments

A string to describe the purpose of the configuration, to help you and other administrators more easily identify its use. Put phrases in quotes. For example: “Customer ABC”.

connection-limit

Limit the number of concurrent connections. The default is 0 (disabled). The valid range is 1 to 1,048,576 concurrent connections.

You can apply a connection limit per real server and per virtual server. Both limits are enforced. Attempted connections that are dropped by security rules are not counted.

Note: Not supported for FTP or SIP profiles.

connection-pool

Specify a connection pool configuration object.

Note: Not supported for SIP profiles.

connection-rate-limit

With all Layer 4 profiles, and with the Layer 2 TCP profile, you can limit the number of new connections per second. The default is 0 (disabled). The valid range is 1 to 86,400 connections per second.

You can apply a connection rate limit per real server and per virtual server. Both limits are enforced. Attempted connections that are dropped by security rules are not counted.

Note: Not supported for FTP profiles.

content-rewriting

Enable to rewrite HTTP headers.

Note: Not supported for SIP profiles.

content-rewriting-list

Specify content rewriting rules.

Note: You can select multiple content rewriting rules in the virtual server configuration. Rules that you add are consulted from top to bottom. The first rule to match is applied. If the traffic does not match any of the content rewriting rule conditions, the header is not rewritten.

content-routing

Enable to route packets to backend servers based on IP address (Layer 4) or HTTP headers (Layer 7 content).

Note: Not supported for SIP profiles. Supports L2 TCP/UDP/IP profiles.

content-routing-list

Specify content route configuration objects.

Note: You can specify multiple content routing rules in the virtual server configuration. Rules that you add are consulted from top to bottom. The first rule to match is applied. If the traffic does not match any of the content routing rule conditions specified in the virtual server configuration, the system behaves unexpectedly. Therefore, it is important that you create a “catch all” rule that has no match conditions. In the virtual server configuration, this rule should be ordered last so it can be used to forward traffic to a default pool.

error-msg

Specify an error page configuration object.

Note: Not supported for SIP profiles.

error-page

If you do not use an error page, you can enter an error message to be returned to clients in the event no server is available.

Note: Not supported for SIP profiles.

geoip-blocklist

Specify a geography IP address block list configuration object.

allowlist

Specify a geography IP address allowlist configuration object.

interface

Network interface that receives client traffic for this virtual server.

ip

IP address provisioned for the virtual server.

Note: You do not specify an IP address for a Layer 2 virtual server. A Layer 2 virtual server is not aware of IP addresses. Instead of routing data for a specific destination, this type of server simply forwards data from the specified network interface and port.

port

Port number to listen for client requests.

Note: If a Layer 2 virtual server is assigned a network interface that uses port 80 or 443, ensure that the HTTPS and HTTP administrative access options are not enabled for the interface.

Note: A L7 virtual server can have up to 256 ports, but there is no such a limit for L4 virtual servers.

Note: Port number can be set to 0 if load-balance type is L4 or L2 and the profile is TCP or UDP.

port range

Specify the number of ports in a port range. For example, if port is 80, and port-range is 254, then the virtual port range starts at 80 and goes to 334.

The default is 0 (no range). The valid range is 0-255. For SIP, the valid range is 0-5.

The port-range option is useful in deployments where it is desirable to have a virtual IP address with a large number of virtual ports, such as data centers or web hosting companies that use port number to identify their specific customers.

Statistics and configurations are applied to the virtual port range as a whole and not to the individual ports within the specified range.

Note: Not supported for FTP, HTTP Turbo, RADIUS, or Layer 2 TCP profiles

Note: You can define up to eight port ranges.

load-balance-method

Specify a predefined or user-defined method configuration object.

load-balance-persistence

Specify a predefined or user-defined persistence configuration object.

load-balance-pool

Specify a server pool configuration object.

load-balance-profile

Specify a predefined or user-defined profile configuration object.

After you have specified the profile, the CLI commands are constrained to the ones that are applicable to the specified profile type, not all of the settings described in this table.

client-ssl-profile

Specify a predefined or user-defined client SSL profile configuration object.

Note:

  • This setting applies to HTTPS, TCPS, HTTP2 H2, SMTP, and FTPS applications only. In the case of HTTPS, it becomes available only when SSL is enabled.

  • If a ZTNA Profile is referenced in the VS, ensure the client SSL profile has enabled client certificate verification for the corresponding EMS CA certificate object. See config load-balance client-ssl-profile.

l2-exception-list

Specify a user-defined SSL forward proxy exception configuration object.

multi-process

If your system has a multicore CPU, you can assign the number of CPU cores to handle traffic for a virtual server. The valid range is 1 to 15.

Note: HTTP, HTTPS, and TCPS only.

packet-forwarding-method

In Layer 4 virtual server deployments, select one of the following packet forwarding methods:

  • direct_routing — Forwards the source and destination IP addresses with no changes.

    Note: For FTP profiles, when Direct Routing is selected, you must also configure a persistence method.

  • NAT— Replaces the destination IP address with the IP address of the backend server selected by the load balancer. The destination IP address of the initial request is the IP address of the virtual server. Be sure to configure FortiADC as the default gateway on the backend server so that the reply goes through FortiADC and can also be translated.
  • FullNAT—Replaces both the destination and source IP addresses. IPv4 to IPv4 or IPv6 to IPv6 translation.
  • NAT46—Replaces both the destination and source IP addresses, translating IPv4 addresses to IPv6 addresses.
  • NAT64—Replaces both the destination and source IP addresses, translating IPv6 addresses to IPv4 addresses.
  • Tunneling- In tunnel mode, the load balancer sends requests to real servers through an IP tunnel. When a user accesses the virtual server, a packet destined for the virtual IP address arrives, a real server is chosen from the cluster according to the connection scheduling algorithm. Then the load balancer encapsulates the packet within an IP datagram and forwards it to the chosen server.

Note: For Full NAT, NAT46, and NAT64, the source IP address is replaced by an IP address from the pool you specify with ippool. The destination IP address is replaced with the IP address of the backend server selected by the load balancer.

ippool-list

If you are configuring a Layer 4 virtual server and enable Full NAT, NAT46, or NAT64, specify a space-separated list of IP address pool configuration objects to be used for SNAT.

Note:

By default, the same IP pool cannot be set up in different virtual servers. However, you can enable IP address sharing through the CLI to allow the source pool to be set up in different virtual servers.

To enable IP address sharing:

config system global

set share-ip-address enable

end

scripting-flag

Enable by default.

scripting-list

Specify a scripting policy configuration object. HTTP/HTTPS only.

Note: The maximum number of scripts in "set scripting-list <>" is 256.

status

  • enable—The server can receive new sessions.
  • disable—The server does not receive new sessions and closes any current sessions as soon as possible.
  • maintain—The server does not receive new sessions but maintains any current connections.

traffic-log

Enable to record traffic logs for this virtual server.

Note: Local logging is constrained by available disk space. We recommend that if you enable traffic logs, you monitor your disk space closely. We also recommend that you use local logging during evaluation and verification of your initial deployment, and then configure remote logging to send logs to a log management repository.

event-log

Enable to record event logs for this virtual server.

trans-rate-limit

Limit the number of HTTP or SIP requests per second. The default is 0 (disabled). The valid range is 1 to 1,048,567 transactions per second.

The system counts each client request against the limit. When the request rate exceeds the limit, the virtual server sends an HTTP 503 error response to the client.

Note: Not supported for HTTP Turbo profiles.

waf-profile

Specify a web application firewall (WAF) profile configuration object. HTTP/HTTPS only.

warm-rate

Maximum connection rate while the virtual server is starting up. The default is 100 connections per second. The valid range is 1 to 86,400 connections per second.

If Warm Up is 5 and Warm Rate is 2, the number of allowed new connections increases at the following rate:

  • 1st second—Total of 2 new connections allowed (0+2).
  • 2nd second—2 new connections added for a total of 4 new connections allowed (2+2).
  • 3rd second—2 new connections added for a total of 6 new connections allowed (4+2).
  • 4th second—2 new connections added for a total of 8 new connections allowed (6+2).
  • 5th second—2 new connections added for a total of 10 new connections allowed (8+2).

Note: Not supported for SIP profiles.

warm-up

If the server cannot initially handle full connection load when it begins to respond to health checks (for example, if it begins to respond when startup is not fully complete), indicate how long to forward traffic at a lesser rate. The default is 0 (disabled). The valid range is 1 to 86,400 seconds.

Note: Not supported for SIP profiles.
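
The following Python script is an added illustration and is not part of the FortiADC CLI or this reference. It models two of the limits described above: the trans-rate-limit check (requests above the per-second limit get an HTTP 503) and the warm-up ramp from the warm-rate and warm-up entries, applied to constructed request and connection timestamps. Counting per whole second, reading the "total ... allowed" figures as a cumulative cap, and the function names are assumptions made for the illustration.

```python
# Added illustration (not FortiADC code): a small model of the trans-rate-limit
# check and the warm-up ramp described in the CLI reference, run over
# constructed timestamps so the behaviour can be checked offline.
from collections import Counter


def warm_up_allowance(warm_up, warm_rate, second):
    """Cumulative new connections allowed by the end of `second` (1-based)
    while the server is warming up.  Returns None once warm-up has ended,
    i.e. no ramp cap applies.  warm_up == 0 means the feature is disabled.
    (Assumption: the 'total ... allowed' figures are a cumulative cap.)"""
    if warm_up == 0 or second > warm_up:
        return None
    return warm_rate * second


def warm_up_schedule(warm_up, warm_rate):
    """The per-second table from the reference text, as a list of totals."""
    return [warm_up_allowance(warm_up, warm_rate, s) for s in range(1, warm_up + 1)]


def apply_trans_rate_limit(request_times, limit):
    """Return (time, status) for each request.  limit == 0 disables the
    check.  Requests are bucketed per whole second (assumption); the
    (limit + 1)-th request inside one bucket is answered with 503."""
    seen = Counter()
    decisions = []
    for t in request_times:
        bucket = int(t)
        seen[bucket] += 1
        if limit and seen[bucket] > limit:
            decisions.append((t, 503))
        else:
            decisions.append((t, 200))
    return decisions


def admitted_during_warm_up(connection_times, warm_up, warm_rate):
    """Simulate the ramp: a new connection arriving in second s (second 1 is
    the first second after the server starts passing health checks) is
    accepted while the cumulative accepted count is below the cap for s."""
    accepted = 0
    result = []
    for t in sorted(connection_times):
        second = int(t) + 1
        cap = warm_up_allowance(warm_up, warm_rate, second)
        if cap is None or accepted < cap:
            accepted += 1
            result.append((t, True))
        else:
            result.append((t, False))
    return result


if __name__ == "__main__":
    # Constructed sample: warm-up 5 s at warm-rate 2, then a burst in second 1 and 2.
    print(warm_up_schedule(5, 2))                      # [2, 4, 6, 8, 10]
    print(admitted_during_warm_up([0.0, 0.1, 0.2, 1.0, 1.1, 1.2], 5, 2))
    print(apply_trans_rate_limit([0.1, 0.2, 0.3, 1.5], 2))
```

The third connection in each second is refused in the simulation because the cumulative cap (2, then 4) is already reached; after second 5 the cap is None and every connection is admitted, which is the point at which only connection-rate-limit and connection-limit remain in effect.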

ssl-mirror

Enable/disable SSL mirroring. When ssl-mirror is enabled, FortiADC decrypts the SSL traffic of client HTTPS/TCPS connections and mirrors the decrypted packets out of the SSL-mirror interface ports.

Note: Use this command to send mirrored packets of HTTPS or TCPS virtual servers to third-party solutions via the designated network interfaces. See ssl-mirror-intf below.

ssl-mirror-intf

Specify the outgoing interfaces to be used as SSL-mirror interfaces. You can set up to four outgoing interfaces.

pagespeed

Set PageSpeed to let FortiADC speed up HTTP responses using its Web Performance Optimization solutions.

http2https

Enable/disable redirecting HTTP requests to HTTPS.

http2https-port

HTTP service port list for redirecting HTTP to HTTPS.

Format: portA-portB portC portD.
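
The following Python parser is an added example, not code from FortiADC or this reference. It turns an http2https-port list in the format shown above (single ports and inclusive portA-portB ranges, separated by spaces) into a validated list of TCP ports and rejects malformed tokens, reversed ranges and ports outside 1-65535. The rejection policy and the function names are assumptions; the reference only states the format.

```python
# Added example (not FortiADC code): parse and validate the
# "portA-portB portC portD" port-list format used by http2https-port.


def parse_port_list(spec):
    """Return a sorted list of ports from a space-separated list of single
    ports and inclusive ranges.  Raises ValueError on malformed input or
    out-of-range ports so a bad list is rejected rather than silently
    widened (assumed validation policy)."""
    ports = set()
    for token in spec.split():
        lo, sep, hi = token.partition("-")
        if not lo.isdigit() or (sep and not hi.isdigit()):
            raise ValueError(f"malformed port token: {token!r}")
        start = int(lo)
        end = int(hi) if sep else start
        if start > end:
            raise ValueError(f"reversed range: {token!r}")
        if not (1 <= start <= 65535 and 1 <= end <= 65535):
            raise ValueError(f"port out of range 1-65535: {token!r}")
        ports.update(range(start, end + 1))
    return sorted(ports)


def is_valid_port_list(spec):
    """True if the list parses cleanly, False otherwise."""
    try:
        parse_port_list(spec)
        return True
    except ValueError:
        return False


def should_redirect(port, spec):
    """True if a plain-HTTP request arriving on `port` falls in the list."""
    return port in parse_port_list(spec)


if __name__ == "__main__":
    # Constructed sample list: a range plus two single ports.
    print(parse_port_list("80-82 8080 8000"))   # [80, 81, 82, 8000, 8080]
```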

max-persistence-entries

Maximum number of persistence entries. This setting only takes effect if load-balance-persistence is enabled with type source-address.

schedule-list

Enable/disable the schedule pool list.

schedule-pool-list

Specify the schedule pool.

clone-pool

Specify the clone pool.

clone-traffic-type

Specify the clone traffic type.

dos-profile

Specify a DoS profile configuration object. The load-balancing (LB) process reads all settings of this profile and writes the parameters to the HTTProxy configuration file.

ztna-profile

Specify a ZTNA profile configuration object.

Note: This setting applies to Layer 7 HTTPS and TCPS applications only.

one-click-gslb-server-option

Enable/disable the FortiGSLB function.

Example

FortiADC-VM # config load-balance virtual-server

FortiADC-VM (virtual-server) # edit lb-vs1

Add new entry 'lb-vs1' for node 1775

config load-balance virtual-server

edit "l7vs"

set type l7-load-balance

set interface port1

set ip 172.1.1.2

set traffic-group traffic-group-1

next

end

config load-balance virtual-server

edit "VS"

set type l7-load-balance

set interface port3

set ip 192.168.1.1

set load-balance-profile LB_PROF_HTTPS

set load-balance-method LB_METHOD_ROUND_ROBIN

set load-balance-pool pool

set scripting-flag enable

set scripting-list HTTP_2_HTTPS_REDIRECTION REWRITE_HOST_n_PATH REDIRECTION_by_STATUS_CODE

set traffic-group default

set clone-pool 1

set clone-traffic-type both-sides

set dos-profile dos-profile

set ztna-profile ztna-profile

next

end

FortiADC-VM (lb-vs1) # get

status : enable

type : l4-load-balance

multi-process : 1

packet-forwarding-method: NAT

interface :

addr-type : ipv4

ip : 0.0.0.0

port : 80

connection-limit : 10000

load-balance-profile:

content-routing : disable

load-balance-persistence:

load-balance-method :

load-balance-pool :

traffic-log : disable

warm-up : 0

warm-rate : 10

connection-rate-limit: 0

id : 0

clone-pool : 1

clone-traffic-type : both-sides

FortiADC-VM (lb-vs1) # set ip 192.168.200.1

FortiADC-VM (lb-vs1) # set interface port4

FortiADC-VM (lb-vs1) # set load-balance-profile LB_PROF_TCP

FortiADC-VM (lb-vs1) # set load-balance-method LB_METHOD_ROUND_ROBIN

FortiADC-VM (lb-vs1) # set load-balance-pool lb-pool

FortiADC-VM (lb-vs1) # end

FortiADC-VM # get load-balance virtual-server lb-vs1

status : enable

type : l4-load-balance

multi-process : 1

packet-forwarding-method: NAT

interface : port4

addr-type : ipv4

ip : 192.168.200.1

port : 80

connection-limit : 10000

load-balance-profile: LB_PROF_TCP

content-routing : disable

load-balance-persistence:

load-balance-method : LB_METHOD_ROUND_ROBIN

load-balance-pool : lb-pool

traffic-log : disable

warm-up : 0

warm-rate : 10

connection-rate-limit: 0

id : 1
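
The following Python script is an added example and is not part of the FortiADC CLI or this reference. It parses the "key : value" lines that get prints for a virtual server, compares the two captures shown above (before and after the set commands), and flags settings a reviewer would want to look at before leaving the virtual server enabled: an enabled server with no interface, a wildcard ip of 0.0.0.0, empty profile/method/pool, traffic-log disabled, and connection-rate-limit 0. The two captures are copied from the output above; the audit rules and the reading of connection-rate-limit 0 as "no limit" (by analogy with trans-rate-limit) are assumptions.

```python
# Added example (not FortiADC code): parse `get` output for a virtual server,
# diff two captures, and flag settings worth reviewing before go-live.

# Captures copied from the reference's Example section.
BEFORE = """\
status : enable
type : l4-load-balance
multi-process : 1
packet-forwarding-method: NAT
interface :
addr-type : ipv4
ip : 0.0.0.0
port : 80
connection-limit : 10000
load-balance-profile:
content-routing : disable
load-balance-persistence:
load-balance-method :
load-balance-pool :
traffic-log : disable
warm-up : 0
warm-rate : 10
connection-rate-limit: 0
id : 0
clone-pool : 1
clone-traffic-type : both-sides
"""

AFTER = """\
status : enable
type : l4-load-balance
multi-process : 1
packet-forwarding-method: NAT
interface : port4
addr-type : ipv4
ip : 192.168.200.1
port : 80
connection-limit : 10000
load-balance-profile: LB_PROF_TCP
content-routing : disable
load-balance-persistence:
load-balance-method : LB_METHOD_ROUND_ROBIN
load-balance-pool : lb-pool
traffic-log : disable
warm-up : 0
warm-rate : 10
connection-rate-limit: 0
id : 1
"""


def parse_get_output(text):
    """Map each 'key : value' line to {key: value}; empty values stay ''."""
    settings = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def diff_settings(old, new):
    """Keys whose value changed, as {key: (old, new)}; a missing key is ''."""
    keys = sorted(set(old) | set(new))
    return {k: (old.get(k, ""), new.get(k, "")) for k in keys
            if old.get(k, "") != new.get(k, "")}


def audit(settings):
    """Return a list of review findings for one virtual server (assumed rules)."""
    findings = []
    if settings.get("status") == "enable" and not settings.get("interface"):
        findings.append("enabled but not bound to an interface")
    if settings.get("ip") == "0.0.0.0":
        findings.append("listens on the wildcard address 0.0.0.0")
    for key in ("load-balance-profile", "load-balance-method", "load-balance-pool"):
        if not settings.get(key):
            findings.append(f"{key} is empty")
    if settings.get("traffic-log") == "disable":
        findings.append("traffic logging is disabled")
    if settings.get("connection-rate-limit") == "0":
        # Assumption: 0 means no limit, as the reference states for trans-rate-limit.
        findings.append("connection-rate-limit is 0 (no limit)")
    return findings


if __name__ == "__main__":
    before, after = parse_get_output(BEFORE), parse_get_output(AFTER)
    for key, (old, new) in diff_settings(before, after).items():
        print(f"{key}: {old!r} -> {new!r}")
    print("findings after set commands:", audit(after))
```

Run against the page's own captures, the diff lists exactly the fields the set commands changed (plus the two clone fields that the second get does not print), and the audit still reports two findings on the configured server: traffic logging is off and no connection rate limit is set.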