Fortinet black logo

CLI Reference

server-policy http-content-routing-policy

server-policy http-content-routing-policy

Use this command to configure HTTP header-based routing.

Instead of dynamically routing requests to a server pool simply based upon load or connection distribution at the TCP/IP layers, as basic load balancing does, you can forward them based on headers in the HTTP layer.

HTTP header-based routes define how FortiWeb routes requests to server pools. They are based on one or more of the following HTTP header elements:

  • Host
  • URL
  • Parameter
  • Referer
  • Cookie
  • Header
  • Source IP
  • X.509 certificate
  • Geo IP

This type of routing can be useful if, for example, a specific web server or group of servers on the back end support specific web applications, functions, or host names. That is, your web servers or server pools are not identical, but specialized. For example:

  • 192.0.2.1—Hosts the website and blog
  • 192.0.2.2 and 192.0.2.3—Host movie clips and multimedia
  • 192.0.2.4 and 192.0.2.5—Host the shopping cart

If you have configured request rewriting, configure HTTP content-based routing using the original request URL and/or Host: name, as it appears before FortiWeb has rewritten it. For details about rewriting, see waf url-rewrite url-rewrite-policy.

To apply your HTTP-based routes, select them when you configure the server policy. For details, see server-policy policy.

To use this command, your administrator account’s access control profile must have either w or rw permission to the traroutegrp area. For details, see Permissions.

Syntax

config server-policy http-content-routing-id

edit "<routing-policy_name>"

set server-pool "<server-pool_name>"

config content-routing-match-list

edit <entry_index>

set match-object {http-host | http-request | url-parameter | http-referer | http-cookie | http-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | https-sni | geo-ip}

set match-condition {match-begin | match-end | match-sub | match-domain | match-dir | match-reg | ip-range | ip-range6 | equal}

set x509-subject-name {E | CN | OU | O | L | ST | C}

set match-expression "<match-expression_str>"

set name "<name_str>"

set name-match-condition {match-begin | match-end | match-sub | match-reg | equal}

set value "<value_str>"

set value-match-condition {match-begin | match-end | match-sub | match-reg | equal}

set start-ip "<start_ip>"

set end-ip "<end_ip>"

set reverse {enable | disable}

set concatenate {and | or}

set country-list <country-list_str>

next

end

next

end

Variable Description Default

"<routing-policy_name>"

Enter the name of the HTTP content routing policy. The maximum length is 63 characters.

To display the list of existing policies, enter:

edit ?

No default.

server-pool "<server-pool_name>"

Enter the name of the server pool to which FortiWeb forwards traffic when the traffic matches rules in this policy.

For details, see server-policy server-pool.

No default.

<entry_index>

Enter the index number of the individual rule in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

match-object {http-host | http-request | url-parameter | http-referer | http-cookie | http-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | https-sni | geo-ip}

Enter the type of object that FortiWeb examines for matching values:

  • http-hostHost: field
  • http-request—A URL
  • url-parameter—A URL parameter and value
  • http-refererReferer: field
  • http-cookie—A cookie name and value
  • http-header—A header name and value
  • source-ip—An IPv4 address or address range or IPv6 address or address range
  • x509-certificate-Subject—A specified Relative Distinguished Name (RDN) in the X509 certificate Subject field. Also specify x509-subject-name.
  • x509-certificate-Extension—Additional fields that the extensions field adds to the X509 certificate
  • https-sni— Select this option so that FortiWeb will forward requests based on the SNI in the SSL handshake.
  • geo-ip— Select this option so that FortiWeb matches against the IP addresses from specified countries.
No default.

match-condition {match-begin | match-end | match-sub | match-domain | match-dir | match-reg | ip-range | ip-range6 | equal}

Enter the type of value to match. Values can be a literal value that appears in the object or a regular expression.

The value of match-object {http-host | http-request | url-parameter | http-referer | http-cookie | http-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | https-sni | geo-ip} determines which content types you can specify.

If match-object is http-host, http-request, http-referer, or x509-certificate-Extension:

  • match-begin—The object to match begins with the specified string.
  • match-end—The object to match ends with the specified string.
  • match-sub—The object to match contains the specified string.
  • equal—The object to match is the specified string.
No default.

If match-object is http-host only:

  • match-domain—The object to match contains the specified string between the periods in a domain name.

    For example, if match-expression is abc, the condition matches the following hostnames:

    dname1.abc.com
    dname1.dname2.abc.com

    However, the same Match Simple String value does not match the following hostnames:

    abc.com
    dname.abc

If match-object is http-request:

  • match-dir—The object to match contains the specified string between delimiting characters (slash) in a domain name.

    For example, if match-expression is abc, the condition matches the following hostnames:

    test.com/abc/
    test.com/dir1/abc/

    However, the same match-string value does not match the following hostnames:

    test.com/abc
    test.abc.com

If match-object is source-ip:

  • ip-range—The source IP to match is an IPv4 IP address or within a range of IPv4 IP addresses.
  • ip-range6—The source IP to match is an IPv6 IP address or within a range of IPv6 IP addresses.

If match-object is http-host, http-request, http-referer, source-ip, or x509-certificate-Extension:

  • match-reg—The object to match has a value that matches the specified regular expression.
No default.

x509-subject-name {E | CN | OU | O | L | ST | C}

Enter the attribute type to match.

Available when match-object {http-host | http-request | url-parameter | http-referer | http-cookie | http-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | https-sni | geo-ip} is x509-certificate-Subject.
No default.

match-expression "<match-expression_str>"

Enter a value to match in the object element specified by match-object {http-host | http-request | url-parameter | http-referer | http-cookie | http-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | https-sni | geo-ip} and match-condition.

Examples:

  • A literal URL, such as /index.php, that a matching HTTP request contains.
  • An expression, such as ^/*.php, that matches a URL.

Tip: When you enter a regular expression using the web UI, you can validate its syntax.

No default.

name "<name_str>"

Enter the name of the object to match. The value can be a literal value or a regular expression.

For example, the name of a cookie embedded by traffic controller software on one of the servers.

Available only if match-object {http-host | http-request | url-parameter | http-referer | http-cookie | http-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | https-sni | geo-ip} is url-parameter, http-cookie, or http-header.

No default.

name-match-condition {match-begin | match-end | match-sub | match-reg | equal}

Enter the type of value to match. The value is specified by name and can be a literal value that appears in the object or a regular expression.

  • match-begin—The name to match begins with the specified string.
  • match-end—The name to match ends with the specified string.
  • match-sub—The name to match contains the specified string.
  • equal—The name to match is the specified string.
  • match-reg—The name to match matches the specified regular expression.
No default.

value "<value_str>"

Enter the object value to match. The value can be a literal value or a regular expression.

Available if match-object {http-host | http-request | url-parameter | http-referer | http-cookie | http-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | https-sni | geo-ip} is url-parameter, http-cookie, or http-header.

No default.

value-match-condition {match-begin | match-end | match-sub | match-reg | equal}

Enter the type of value to match. The value is specified by value and can be a literal value or a regular expression.

  • match-begin—The value to match begins with the specified string.
  • match-end—The value to match ends with the specified string.
  • match-sub—The value to match contains the specified string.
  • equal—The value to match is the specified string.
  • match-reg—The value to match matches the specified regular expression.
No default.

start-ip "<start_ip>"

Enter the first IP address in a range of IP addresses.

Available if match-condition {match-begin | match-end | match-sub | match-domain | match-dir | match-reg | ip-range | ip-range6 | equal} is ip-range or ip-range6.

No default.

end-ip "<end_ip>"

Enter the last IP address in a range of IP addresses.

Available if match-object {http-host | http-request | url-parameter | http-referer | http-cookie | http-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | https-sni | geo-ip} is source-ip

No default.
reverse {enable | disable} When enabled, FortiWeb will route requests to the server pool that do not match the specified values for the Match Object. disable
country-list <country-list_str>

Select countries where the IP addresses originate.

No default.

concatenate {and | or}

Select either:

  • and—A matching request matches this entry in addition to other entries in the HTTP content routing list.
  • or—A matching request matches this entry or other entries in the list.
and

Example

This HTTP content routing policy routes requests for www.example.com/school to the server pool school-site.

The content routing has three rules: one matches the host (www.example.com), a second matches the sessid cookie, and a third matches the /school URL. In combination, the first and third rules match the request for www.example.com/school.

config server-policy http-content-routing-policy

edit "content_routing_policy1"

set server-pool school-site

config content-routing-match-list

edit 1

set match-condition match-reg

set match-expression "www.example.com "

next

edit 2

set match-object http-cookie

set name sessid

set value "hash[a-fA-F0-7]*"

set name-match-condition match-reg

set value-match-condition match-reg

next

edit 3

set match-object http-request

set match-expression "/school"

next

end

next

end

Related topics

server-policy http-content-routing-policy

Use this command to configure HTTP header-based routing.

Instead of dynamically routing requests to a server pool simply based upon load or connection distribution at the TCP/IP layers, as basic load balancing does, you can forward them based on headers in the HTTP layer.

HTTP header-based routes define how FortiWeb routes requests to server pools. They are based on one or more of the following HTTP header elements:

  • Host
  • URL
  • Parameter
  • Referer
  • Cookie
  • Header
  • Source IP
  • X.509 certificate
  • Geo IP

This type of routing can be useful if, for example, a specific web server or group of servers on the back end support specific web applications, functions, or host names. That is, your web servers or server pools are not identical, but specialized. For example:

  • 192.0.2.1—Hosts the website and blog
  • 192.0.2.2 and 192.0.2.3—Host movie clips and multimedia
  • 192.0.2.4 and 192.0.2.5—Host the shopping cart

If you have configured request rewriting, configure HTTP content-based routing using the original request URL and/or Host: name, as it appears before FortiWeb has rewritten it. For details about rewriting, see waf url-rewrite url-rewrite-policy.

To apply your HTTP-based routes, select them when you configure the server policy. For details, see server-policy policy.

To use this command, your administrator account’s access control profile must have either w or rw permission to the traroutegrp area. For details, see Permissions.

Syntax

config server-policy http-content-routing-id

edit "<routing-policy_name>"

set server-pool "<server-pool_name>"

config content-routing-match-list

edit <entry_index>

set match-object {http-host | http-request | url-parameter | http-referer | http-cookie | http-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | https-sni | geo-ip}

set match-condition {match-begin | match-end | match-sub | match-domain | match-dir | match-reg | ip-range | ip-range6 | equal}

set x509-subject-name {E | CN | OU | O | L | ST | C}

set match-expression "<match-expression_str>"

set name "<name_str>"

set name-match-condition {match-begin | match-end | match-sub | match-reg | equal}

set value "<value_str>"

set value-match-condition {match-begin | match-end | match-sub | match-reg | equal}

set start-ip "<start_ip>"

set end-ip "<end_ip>"

set reverse {enable | disable}

set concatenate {and | or}

set country-list <country-list_str>

next

end

next

end

Variable Description Default

"<routing-policy_name>"

Enter the name of the HTTP content routing policy. The maximum length is 63 characters.

To display the list of existing policies, enter:

edit ?

No default.

server-pool "<server-pool_name>"

Enter the name of the server pool to which FortiWeb forwards traffic when the traffic matches rules in this policy.

For details, see server-policy server-pool.

No default.

<entry_index>

Enter the index number of the individual rule in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

match-object {http-host | http-request | url-parameter | http-referer | http-cookie | http-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | https-sni | geo-ip}

Enter the type of object that FortiWeb examines for matching values:

  • http-hostHost: field
  • http-request—A URL
  • url-parameter—A URL parameter and value
  • http-refererReferer: field
  • http-cookie—A cookie name and value
  • http-header—A header name and value
  • source-ip—An IPv4 address or address range or IPv6 address or address range
  • x509-certificate-Subject—A specified Relative Distinguished Name (RDN) in the X509 certificate Subject field. Also specify x509-subject-name.
  • x509-certificate-Extension—Additional fields that the extensions field adds to the X509 certificate
  • https-sni— Select this option so that FortiWeb will forward requests based on the SNI in the SSL handshake.
  • geo-ip— Select this option so that FortiWeb matches against the IP addresses from specified countries.
No default.

match-condition {match-begin | match-end | match-sub | match-domain | match-dir | match-reg | ip-range | ip-range6 | equal}

Enter the type of value to match. Values can be a literal value that appears in the object or a regular expression.

The value of match-object {http-host | http-request | url-parameter | http-referer | http-cookie | http-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | https-sni | geo-ip} determines which content types you can specify.

If match-object is http-host, http-request, http-referer, or x509-certificate-Extension:

  • match-begin—The object to match begins with the specified string.
  • match-end—The object to match ends with the specified string.
  • match-sub—The object to match contains the specified string.
  • equal—The object to match is the specified string.
No default.

If match-object is http-host only:

  • match-domain—The object to match contains the specified string between the periods in a domain name.

    For example, if match-expression is abc, the condition matches the following hostnames:

    dname1.abc.com
    dname1.dname2.abc.com

    However, the same Match Simple String value does not match the following hostnames:

    abc.com
    dname.abc

If match-object is http-request:

  • match-dir—The object to match contains the specified string between delimiting characters (slash) in a domain name.

    For example, if match-expression is abc, the condition matches the following hostnames:

    test.com/abc/
    test.com/dir1/abc/

    However, the same match-string value does not match the following hostnames:

    test.com/abc
    test.abc.com

If match-object is source-ip:

  • ip-range—The source IP to match is an IPv4 IP address or within a range of IPv4 IP addresses.
  • ip-range6—The source IP to match is an IPv6 IP address or within a range of IPv6 IP addresses.

If match-object is http-host, http-request, http-referer, source-ip, or x509-certificate-Extension:

  • match-reg—The object to match has a value that matches the specified regular expression.
No default.

x509-subject-name {E | CN | OU | O | L | ST | C}

Enter the attribute type to match.

Available when match-object {http-host | http-request | url-parameter | http-referer | http-cookie | http-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | https-sni | geo-ip} is x509-certificate-Subject.
No default.

match-expression "<match-expression_str>"

Enter a value to match in the object element specified by match-object {http-host | http-request | url-parameter | http-referer | http-cookie | http-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | https-sni | geo-ip} and match-condition.

Examples:

  • A literal URL, such as /index.php, that a matching HTTP request contains.
  • An expression, such as ^/*.php, that matches a URL.

Tip: When you enter a regular expression using the web UI, you can validate its syntax.

No default.

name "<name_str>"

Enter the name of the object to match. The value can be a literal value or a regular expression.

For example, the name of a cookie embedded by traffic controller software on one of the servers.

Available only if match-object {http-host | http-request | url-parameter | http-referer | http-cookie | http-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | https-sni | geo-ip} is url-parameter, http-cookie, or http-header.

No default.

name-match-condition {match-begin | match-end | match-sub | match-reg | equal}

Enter the type of value to match. The value is specified by name and can be a literal value that appears in the object or a regular expression.

  • match-begin—The name to match begins with the specified string.
  • match-end—The name to match ends with the specified string.
  • match-sub—The name to match contains the specified string.
  • equal—The name to match is the specified string.
  • match-reg—The name to match matches the specified regular expression.
No default.

value "<value_str>"

Enter the object value to match. The value can be a literal value or a regular expression.

Available if match-object {http-host | http-request | url-parameter | http-referer | http-cookie | http-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | https-sni | geo-ip} is url-parameter, http-cookie, or http-header.

No default.

value-match-condition {match-begin | match-end | match-sub | match-reg | equal}

Enter the type of value to match. The value is specified by value and can be a literal value or a regular expression.

  • match-begin—The value to match begins with the specified string.
  • match-end—The value to match ends with the specified string.
  • match-sub—The value to match contains the specified string.
  • equal—The value to match is the specified string.
  • match-reg—The value to match matches the specified regular expression.
No default.

start-ip "<start_ip>"

Enter the first IP address in a range of IP addresses.

Available if match-condition {match-begin | match-end | match-sub | match-domain | match-dir | match-reg | ip-range | ip-range6 | equal} is ip-range or ip-range6.

No default.

end-ip "<end_ip>"

Enter the last IP address in a range of IP addresses.

Available if match-object {http-host | http-request | url-parameter | http-referer | http-cookie | http-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | https-sni | geo-ip} is source-ip

No default.
reverse {enable | disable} When enabled, FortiWeb will route requests to the server pool that do not match the specified values for the Match Object. disable
country-list <country-list_str>

Select countries where the IP addresses originate.

No default.

concatenate {and | or}

Select either:

  • and—A matching request matches this entry in addition to other entries in the HTTP content routing list.
  • or—A matching request matches this entry or other entries in the list.
and

Example

This HTTP content routing policy routes requests for www.example.com/school to the server pool school-site.

The content routing has three rules: one matches the host (www.example.com), a second matches the sessid cookie, and a third matches the /school URL. In combination, the first and third rules match the request for www.example.com/school.

config server-policy http-content-routing-policy

edit "content_routing_policy1"

set server-pool school-site

config content-routing-match-list

edit 1

set match-condition match-reg

set match-expression "www.example.com "

next

edit 2

set match-object http-cookie

set name sessid

set value "hash[a-fA-F0-7]*"

set name-match-condition match-reg

set value-match-condition match-reg

next

edit 3

set match-object http-request

set match-expression "/school"

next

end

next

end

Related topics