
User Guide

Origin Servers

Configure the origin servers which FortiAppSec Cloud will send the traffic to. If there are multiple origin servers, configure Load Balancing rules to determine how the traffic should be distributed among servers.

Note: You can lock your origin server's IP address to prevent other accounts on FortiAppSec Cloud from setting up an application that targets malicious traffic at your origin server. Contact Fortinet Support or your sales engineer to request the Origin Server Lock setup.

Create Server Pool

  1. Navigate to Network > Origin Servers.
  2. Click Create Server Pool.
  3. Configure the following settings.

    Field

    Description

    Pool Name

    Supports letters (a-z, A-Z), numbers (0-9), dashes (-), and underscores (_).

    This cannot be changed after creation.

    Server Balance

    After the application is onboarded, Server Balance is enabled by default to apply a load balancing algorithm to the origin servers.

    If you disable this option, you can only configure one origin server, but both HTTP and HTTPS ports can be used for that server.

    We recommend keeping Server Balance on, even if you only have one server, because turning it off will delete all existing server settings. Additionally, server status monitoring won’t be available when Server Balance is off. Only disable Server Balance if you need to use both HTTP and HTTPS with your origin server.

    The following options are only available when Server Balance is enabled.

    Load Balancing Algorithm

    • Round Robin — Distributes new TCP connections to the next server in turn, regardless of weight, response time, traffic load, or number of existing connections.
    • Weighted Round Robin — Distributes new TCP connections using the round-robin method, except that members with a higher weight value receive a larger percentage of connections.
    • Least Connection — Distributes new TCP connections to the member with the fewest existing, fully-formed TCP connections.
    • Source IP Hash — Distributes new TCP connections using a hash algorithm based on the source IP address of the request.

    When the status of a server is set to Disabled, or a health check indicates it is down, FortiAppSec Cloud transfers any remaining HTTP transactions in the TCP stream to an active server according to the Load Balancing Algorithm.

    Persistence

    After FortiAppSec Cloud has forwarded the first packet from a client to a server, some protocols require that subsequent packets also be forwarded to the same server until a period of time passes or the client indicates that it has finished transmission.

    Persistence specifies how FortiAppSec Cloud determines that a request is a subsequent request from the same client.

    • Source IP—The requests with the same client IP address and subnet as the initial request will be forwarded to the same server.
    • Insert Cookie—The requests with the same cookie name as the initial request will be forwarded to the same server.

    If you select None, the subsequent requests will be forwarded to random servers according to the Load Balancing Algorithm.

    Persistence Timeout

    Set the time, in seconds, after which an idle connection will cause FortiAppSec Cloud to select a new server from the pool.

    Cookie Name

    Specifies a value to match or the name of the cookie that FortiAppSec Cloud inserts.

    Available only when the Persistence is set to Insert Cookie.

    Cookie Path

    Specifies a path attribute for the cookie that FortiAppSec Cloud inserts.

    Available only when the Persistence is set to Insert Cookie.

    Cookie Domain

    Specifies a domain attribute for the cookie that FortiAppSec Cloud inserts.

    Available only when the Persistence is set to Insert Cookie.

    Health Check

    Enable to periodically test for server availability. If FortiAppSec Cloud determines the server is unresponsive, it will not forward traffic to this server until it becomes responsive again.

    Enable Health Check only if more than one origin server is associated with this application.

    When Health Check is enabled, you can click the Test icon in the origin server list to get the real-time status of a single server.

    The following options are only available when Health Check is enabled.

    URL Path

    Type the URL that the HTTP or HTTPS request uses to verify the responsiveness of the server (for example, /index.html).

    If the web server successfully returns this URL and the response status matches the configured Response Code, it is considered to be responsive.

    By default, FortiAppSec Cloud uses the URL path "/" to test responsiveness of the server when you click Test Origin Server in the ADD APPLICATION wizard, then populates the response code received from the server in the Response Code field.

    Interval

    Type the number of seconds between each server health check.

    Valid values are 1 to 300. Default value is 10.

    Timeout

    Type the maximum number of seconds FortiAppSec Cloud waits for a response after sending the server health check. If the web server exceeds this limit, the health check is counted as failed.

    Valid values are 1 to 30. Default value is 3.

    Retry Times

    Type the number of times, if any, that FortiAppSec Cloud retries a server health check after failure. If the web server fails the server health check this number of times consecutively, it is considered to be unresponsive.

    Valid values are 1 to 10. Default value is 3.

    Method

    Specify whether the health check uses the HEAD, GET, or POST method.

    Response Code

    Enter the response code that you require the server to return to confirm that it is available.

  4. Click OK to save the newly created server pool and return to the Origin Servers page, where you should see the newly added server pool in the Server Pools table. The server pool will be empty initially; follow the instructions below to add servers to this pool.
  5. Click the Edit icon on one of the server pools to add servers to the server pool.

Create Server

  1. On the Network > Origin Servers page, click the Edit icon on one of the server pools to view/edit its nested servers.
  2. Click Create Server Pool
  3. Configure the following settings.
  4. Status
    • Enable—Specifies that this server can receive new sessions from FortiAppSec Cloud.
    • Disable—Specifies that this server does not receive new sessions from FortiAppSec Cloud and it closes any current sessions as soon as possible.
    • Maintenance—Specifies that this server does not receive new sessions from FortiAppSec Cloud but it maintains any current connections.

    Server Type

    Select either IP or Domain to indicate how you want to define the server.

    Select Dynamic if the server's IP address dynamically changes. This applies only to servers on AWS, Azure, and Google Cloud.

    IP/Domain

    Specify the IP address or fully-qualified domain name (FQDN) of the server.

    For domain servers, FortiAppSec Cloud queries a DNS server to resolve the server's domain name to an IP address before forwarding. Because this adds a resolution step, defining servers by IP address is recommended for better performance.

    Available only if the Server Type is IP or Domain.

    Cloud Connector

    Select the Cloud Connector so that FortiAppSec Cloud can be authorized to access the resources in your public cloud account. See Cloud Connectors.

    Available only if the Server Type is Dynamic.

    Filter

    Once you select the Cloud Connector that you have created, the available filter options for the VMs in your public cloud account are listed here. You can select multiple filter options among instance IDs, image IDs, tags, and so on. FortiAppSec Cloud finds the matching VM instance (for example, the instance whose instance ID is i-12345678 in your AWS account), obtains the IP address of that instance, and records it as the origin server's IP.

    AWS

    • instance-id (e.g. instance-id=i-12345678)
    • image-id (e.g. image-id=ami-123456)
    • key-name (e.g. key-name=aws-key-name)
    • subnet-id (e.g. subnet-id=sub-123456)
    • tag:TagName (The tag attached to the instance. TagName is a variable; it can be any name you have given the tag, e.g. tag:Type=appserver. Up to 8 tags are supported.)

    Azure

    • vm-name (e.g. vm-name=myVM01)
    • tag:TagName (The tag attached to the virtual machine. TagName is a variable. It can be any value you have named for the tag, e.g. tag:Type=appserver. Up to 8 tags are supported.)

    GCP

    • instance-id (e.g. instance-id=3528415166015934407)
    • instance-name (e.g. instance-name=myInstance)
    • labels.LabelName (The label attached to the instance. LabelName is a variable; it can be any name you have given the label, e.g. labels.Type=appserver. Up to 8 labels are supported.)

    Available only if the Server Type is Dynamic.

    IP List

    Click the Test button. FortiAppSec Cloud finds the instances/virtual machines matching the filters selected above, then lists their IP addresses.

    Available only if the Server Type is Dynamic.

    Protocol & Port

    Select whether this server connects with FortiAppSec Cloud through HTTP or HTTPS, then type the port number for that protocol. The valid range is from 1 to 65,535.

    Only available when Server Balance is on.

    If enabling HTTPS, see the next step for detailed configuration instructions.

    HTTPS Port & HTTP Port

    When Server Balance is off, FortiAppSec Cloud can communicate with the origin server over both HTTP and HTTPS. Specify the port number for each protocol.

    Only available when Server Balance is off.

    HTTP/2

    When HTTPS is enabled, you can enable HTTP/2.

    Weight

    If TCP connections are distributed among the servers using the Weighted Round Robin load-balancing algorithm, servers with a greater weight receive a greater proportion of connections.

    Weighting servers can be useful when, for example, some servers are more powerful or if a server is already receiving fewer or more connections due to its role in multiple websites.

    Backup

    If enabled, when the other servers fail their health check, FortiAppSec Cloud routes the connections intended for the failed servers to this server.

    If you have enabled Backup for more than one server, FortiAppSec Cloud uses the load balancing algorithm to determine which backup servers to use.

    The backup server mechanism does not work unless Health Check is enabled in the server pool's load balancing configuration.
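The selection rules described on this page (server Status, Weight and Backup, Health Check with Retry Times and Timeout, and the four Load Balancing Algorithms) as a runnable simulation. This is an added example, not FortiAppSec Cloud code; the class and field names, the SHA-256 source-IP hash, and the weight-expansion scheme are assumptions chosen to illustrate the behaviour the text describes.

```python
"""Simulation of this page's pool rules. Added example; not FortiAppSec Cloud
code. Names, the hash function and the weighting scheme are illustrative."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class OriginServer:
    name: str
    status: str = "enable"         # enable | disable | maintenance
    weight: int = 1                # used only by weighted round robin
    backup: bool = False           # takes traffic only when primaries are down
    healthy: bool = True           # latest health-check verdict
    consecutive_failures: int = 0
    active_connections: int = 0    # used only by least connection


def probe_passed(response_code: int, elapsed_s: float,
                 expected_code: int = 200, timeout_s: float = 3.0) -> bool:
    """One probe passes only if it answered within Timeout (page default 3 s)
    with the configured Response Code."""
    return elapsed_s <= timeout_s and response_code == expected_code


class HealthCheck:
    def __init__(self, retry_times: int = 3):   # page default 3, valid 1..10
        self.retry_times = retry_times

    def record(self, server: OriginServer, passed: bool) -> bool:
        """A server is unresponsive after `retry_times` consecutive failed
        probes; a single passed probe makes it responsive again."""
        if passed:
            server.consecutive_failures = 0
            server.healthy = True
        else:
            server.consecutive_failures += 1
            if server.consecutive_failures >= self.retry_times:
                server.healthy = False
        return server.healthy


class ServerPool:
    def __init__(self, servers: List[OriginServer],
                 algorithm: str = "round_robin", health_check: bool = True):
        self.servers, self.algorithm = servers, algorithm
        self.health_check = health_check
        self._rr = 0   # rotating index for the round-robin variants

    def _eligible(self, servers: List[OriginServer]) -> List[OriginServer]:
        # Only Enable servers accept new sessions (Disable and Maintenance do
        # not); health verdicts count only when Health Check is on for the pool.
        return [s for s in servers
                if s.status == "enable" and (s.healthy or not self.health_check)]

    def candidates(self) -> List[OriginServer]:
        primaries = self._eligible([s for s in self.servers if not s.backup])
        if primaries or not self.health_check:
            # Without Health Check no failure is ever detected, so Backup
            # servers never take over (the caveat stated on the page).
            return primaries
        return self._eligible([s for s in self.servers if s.backup])

    def select(self, client_ip: str = "") -> Optional[OriginServer]:
        pool = self.candidates()
        if not pool:
            return None
        if self.algorithm == "round_robin":
            chosen = pool[self._rr % len(pool)]
        elif self.algorithm == "weighted_round_robin":
            # Expand members by weight so a weight-3 server gets 3 of 4 turns
            expanded = [s for s in pool for _ in range(max(s.weight, 1))]
            chosen = expanded[self._rr % len(expanded)]
        elif self.algorithm == "least_connection":
            return min(pool, key=lambda s: s.active_connections)
        elif self.algorithm == "source_ip_hash":
            digest = hashlib.sha256(client_ip.encode()).digest()
            return pool[int.from_bytes(digest[:4], "big") % len(pool)]
        else:
            raise ValueError(f"unknown algorithm: {self.algorithm}")
        self._rr += 1
        return chosen
```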

    Server Certificate Authentication

    Enable this option to secure the connection between FortiAppSec Cloud and the server.

    Please note this option is available to configure only when you have successfully added the server.

    CA Certificate

    If Server Certificate Authentication is enabled, click Import to upload the CA certificate that FortiAppSec Cloud uses to validate the certificate the origin server presents on the HTTPS connection.

    Certificate Revocation Lists

    Click Import to upload the Certificate Revocation Lists. To ensure that FortiAppSec Cloud accepts only certificates that have not been revoked, periodically upload the current certificate revocation lists (CRLs) published by the certificate authorities (CAs) you trust.

    Note: FortiAppSec Cloud WAF continuously verifies the IP address paired with the domain name, and if the IP address changes, WAF automatically updates the origin server IP in its configuration. How often WAF updates the IP depends on the TTL of the DNS record, which is usually 60 seconds for AWS ALB/ELB.

  5. If the HTTPS protocol is selected, configure which TLS protocol versions to use and the SSL encryption level.
    • TLS Versions: Select which TLS protocol versions are allowed for the HTTPS connections between WAF and the server.
    • SSL Encryption Level: The HTTPS traffic is encrypted and decrypted with ciphers. SSL Encryption Level controls which ciphers are supported.
      • Mozilla-Modern: For services whose clients support TLS 1.3 and don't need backward compatibility, Mozilla-Modern is the recommended configuration as it provides an extremely high level of security.
      • Mozilla-Intermediate: For services that don't need compatibility with legacy clients such as Windows XP or old versions of OpenSSL, Mozilla-Intermediate is the recommended configuration: it is highly secure and at the same time compatible with nearly every client released in the last five (or more) years.
      • Mozilla-Old: For services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8.
      • Customized: Supports a customizable list of all ciphers.

  6. Click OK. This saves the new server under the selected server pool.
  7. For each created origin server, from the Action tab, you can delete the server, or edit the server information; also, you can click the Test icon to get the real-time server status.

    You can add at most 128 origin servers to the server pool of an application.

    Note: Because the Health Check test sends only a simulated request, the test result may not reflect the real server status.
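The origin-side HTTPS options from step 5 and the Server Certificate Authentication, CA Certificate and CRL fields above, expressed as a client TLS policy in Python's ssl module. This is an added example, not FortiAppSec Cloud code: the Mozilla-Modern and Mozilla-Intermediate settings are taken from Mozilla's published profiles, the function and dictionary names are assumptions, and the `verify_server` flag stands in for the page's Server Certificate Authentication switch.

```python
"""Client-side TLS policy for the origin connection, mirroring the page's TLS
Versions, SSL Encryption Level, CA Certificate and CRL fields. Added example
built on Python's ssl module; not FortiAppSec Cloud code."""
import ssl
from typing import Optional

# TLS 1.2 suites of Mozilla's "Intermediate" profile; OpenSSL keeps its
# TLS 1.3 suites enabled regardless of this string.
MOZILLA_INTERMEDIATE = ":".join([
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
])

# level -> (minimum TLS version, TLS 1.2 cipher string or None)
ENCRYPTION_LEVELS = {
    "mozilla-modern": (ssl.TLSVersion.TLSv1_3, None),        # TLS 1.3 only
    "mozilla-intermediate": (ssl.TLSVersion.TLSv1_2, MOZILLA_INTERMEDIATE),
}


def origin_tls_context(level: str, ca_file: Optional[str] = None,
                       crl_file: Optional[str] = None,
                       verify_server: bool = True) -> ssl.SSLContext:
    """verify_server plays the role of Server Certificate Authentication:
    when on, the origin's chain must validate against ca_file and, if a CRL
    is supplied, the leaf certificate must not appear on it."""
    min_version, ciphers = ENCRYPTION_LEVELS[level]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED by default
    ctx.minimum_version = min_version
    if ciphers:
        ctx.set_ciphers(ciphers)
    if verify_server:
        if ca_file:
            ctx.load_verify_locations(cafile=ca_file)
        if crl_file:
            ctx.load_verify_locations(cafile=crl_file)  # PEM CRLs load this way
            ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    else:
        # The tunnel is still encrypted, but the peer is unauthenticated: any
        # host reachable at the origin's address could answer as the origin.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def policy_summary(ctx: ssl.SSLContext) -> dict:
    """Flatten the context into plain values for inspection or assertions."""
    return {
        "min_version": ctx.minimum_version.name,
        "authenticates_server": ctx.verify_mode == ssl.CERT_REQUIRED,
        "crl_checked": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
        "tls12_ciphers": sorted(c["name"] for c in ctx.get_ciphers()
                                if c["protocol"] == "TLSv1.2"),
    }
```

The Customized level maps onto `set_ciphers` with your own string, and Mozilla-Old would widen both the minimum version and the cipher list.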
