Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiWeb 6.3.15 CLI Reference
    6.3.15
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0

    server-policy vserver

    server-policy vserver

    Use this command to configure virtual servers.

    Before you can create a policy, you must first configure a virtual server which defines the network interface or bridge and IP address on which traffic destined for an individual physical server or server farm will arrive.

    When the FortiWeb appliance receives traffic destined for a virtual server, it can then forward the traffic to a physical server or a server farm. The FortiWeb appliance identifies traffic as being destined for a specific virtual server if:

    • The traffic arrives on the network interface or bridge associated with the virtual server
    • For Reverse Proxy mode, the destination address is the IP address of a virtual server (the destination IP address is ignored in other operation modes, except that it must not be identical with the physical server’s IP address)

    Virtual servers can be on the same subnet as physical servers. This configuration creates a one-arm HTTP proxy. For example, the virtual server 192.0.2.1/24 could forward to the physical server 192.0.2.2.

    However, this is not recommended. Unless your network’s routing configuration prevents it, it could allow attackers that are aware of the physical server’s IP address to bypass FortiWeb by accessing the physical server directly.

    To apply virtual servers, select them within a server policy. For details, see server-policy policy.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the traroutegrp area. For details, see Permissions.

    Syntax

    config server-policy vserver

    edit "<virtual-server_name>"

    config vip-list

    edit server-policy vserver

    set interface "<interface_name>"

    set status {enable | disable}

    set vip "<vip_str>"

    set use-interface-ip {enable | disable}

    next

    end

    next

    end

    Variable Description Default

    "<virtual-server_name>"

    Enter the name of the new or existing virtual server. The maximum length is 63 characters.

    To display the list of existing servers, enter:

    edit ?

    		disable

    "<vip-list_id>"

    Enter the sequence number of the virual IP in the table.

    No default.

    status {enable | disable}

    		 Enable to accept traffic destined for this virtual server. No default.

    interface "<interface_name>"

    Enter the name of the network interface or bridge, such as port1 or bridge1, to which the virtual server is bound, and on which traffic destined for the virtual server will arrive. The maximum length is 63 characters.

    To display the list of existing interfaces, enter:

    edit ?

    		No default.

    vip "<vip_str>"

    		 Enter the IPv4 or IPv6 address and subnet of the virtual server.

    0.0.0.0

    ::/0

    use-interface-ip {enable | disable}

    		 For FortiWeb-VM on Microsoft Azure, specify whether the virtual server uses the IP address of the specified interface, instead of an IP specified by vip or vip6. disable

    Example

    This example configures a virtual server named inline_vip1 on the network interface named port1.

    The port number on which the virtual server will receive traffic is defined separately, in the policies that use this virtual server definition.

    config server-policy vserver

    edit "inline_vip1"

    config vip-list

    edit 2

    set interface port1

    set status enable

    set vip "192.0.2.1 256.256.256.0"

    next

    end

    next

    end

    Related topics

    Previous
    Next

    server-policy vserver

    server-policy vserver

    Use this command to configure virtual servers.

    Before you can create a policy, you must first configure a virtual server which defines the network interface or bridge and IP address on which traffic destined for an individual physical server or server farm will arrive.

    When the FortiWeb appliance receives traffic destined for a virtual server, it can then forward the traffic to a physical server or a server farm. The FortiWeb appliance identifies traffic as being destined for a specific virtual server if:

    • The traffic arrives on the network interface or bridge associated with the virtual server
    • For Reverse Proxy mode, the destination address is the IP address of a virtual server (the destination IP address is ignored in other operation modes, except that it must not be identical with the physical server’s IP address)

    Virtual servers can be on the same subnet as physical servers. This configuration creates a one-arm HTTP proxy. For example, the virtual server 192.0.2.1/24 could forward to the physical server 192.0.2.2.

    However, this is not recommended. Unless your network’s routing configuration prevents it, it could allow attackers that are aware of the physical server’s IP address to bypass FortiWeb by accessing the physical server directly.

    To apply virtual servers, select them within a server policy. For details, see server-policy policy.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the traroutegrp area. For details, see Permissions.

    Syntax

    config server-policy vserver

    edit "<virtual-server_name>"

    config vip-list

    edit server-policy vserver

    set interface "<interface_name>"

    set status {enable | disable}

    set vip "<vip_str>"

    set use-interface-ip {enable | disable}

    next

    end

    next

    end

    Variable Description Default

    "<virtual-server_name>"

    Enter the name of the new or existing virtual server. The maximum length is 63 characters.

    To display the list of existing servers, enter:

    edit ?

    		disable

    "<vip-list_id>"

    Enter the sequence number of the virual IP in the table.

    No default.

    status {enable | disable}

    		 Enable to accept traffic destined for this virtual server. No default.

    interface "<interface_name>"

    Enter the name of the network interface or bridge, such as port1 or bridge1, to which the virtual server is bound, and on which traffic destined for the virtual server will arrive. The maximum length is 63 characters.

    To display the list of existing interfaces, enter:

    edit ?

    		No default.

    vip "<vip_str>"

    		 Enter the IPv4 or IPv6 address and subnet of the virtual server.

    0.0.0.0

    ::/0

    use-interface-ip {enable | disable}

    		 For FortiWeb-VM on Microsoft Azure, specify whether the virtual server uses the IP address of the specified interface, instead of an IP specified by vip or vip6. disable

    Example

    This example configures a virtual server named inline_vip1 on the network interface named port1.

    The port number on which the virtual server will receive traffic is defined separately, in the policies that use this virtual server definition.

    config server-policy vserver

    edit "inline_vip1"

    config vip-list

    edit 2

    set interface port1

    set status enable

    set vip "192.0.2.1 256.256.256.0"

    next

    end

    next

    end

    Related topics

    Previous
    Next