Fortinet Document Library

Administration Guide

Creating an FTP server pool

Server pools define a group of one or more physical or domain servers (web servers) that FortiWeb distributes TCP connections among. When FortiWeb receives FTP traffic destined for a virtual server, it forwards the traffic to a server pool that you've created. If the pool has more than one member, FortiWeb uses the load balancing algorithm, weight, and server health check status of each member to distribute TCP connections.

To apply a server pool configuration, select it in an FTP server policy. For details, see Creating an FTP server policy.

Before you begin creating an FTP server pool, if you're using the pool for load balancing and want to monitor members for responsiveness, configure a server health check. You cannot configure a server health check while creating a server pool. For details, see Configuring server up/down checks.

To create a server pool
  1. Go to Server Objects > Server > Server Pool.

     To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.

  2. Click Create New. From the drop-down menu, select Create FTP Server Pool.
  3. Configure these settings:

    Name

    Enter a name that can be referenced by other parts of the configuration. Don't use spaces or special characters. The maximum length is 63 characters.

    Single Server/Server Balance

    Select between the following:

    • Single Server—Specifies a pool that contains a single member.
    • Server Balance—Specifies a pool that contains multiple members. FortiWeb uses the specified Load Balancing Algorithm to distribute connections among the members. If a member is unresponsive to the specified Server Health Check, FortiWeb forwards subsequent connections to another member of the pool.

    Server Health Check

    Specify a test for server availability. By default, this health check is used for all pool members, but you can use the pool member configuration in a server pool rule to specify a different health check to a member. For details, see Inherit Health Check and Configuring server up/down checks.

    This option is available only when Single Server/Server Balance is Server Balance.

    Load Balancing Algorithm

    Specify how FortiWeb will distribute TCP connections to members in the server pool:

    • Round Robin—Distribute new connections to the next pool member, regardless of weight, response time, traffic load, or number of existing connections. FortiWeb will avoid unresponsive servers.
    • Weighted Round Robin—Distribute new connections using the round robin method, except that members with a higher weight value receive a larger proportion of connections.
    • Least Connection—Distribute new connections to the member with the fewest number of existing, fully-formed connections.
    • Source IP Hash—Distribute new connections using a hash algorithm based on the source IP address of the request.

    This option is available only when Single Server/Server Balance is Server Balance.

    Comments

    Optionally, enter a description for the server pool. The maximum length is 199 characters.

  4. Click OK.
  5. To add a server pool rule, click Create New under the settings you just configured.
  6. Configure these settings:

    Status

    Select between the following:

    • Enable—Specify that the pool member can receive new sessions from FortiWeb.
    • Disable—Specify that the pool member won't receive new sessions from FortiWeb, and FortiWeb closes any current sessions as soon as possible.
    • Maintenance—Specify that the pool member doesn't receive new sessions from FortiWeb, but FortiWeb maintains any current connections.

    Server Type

    Select either IP or Domain to specify how you want to define the pool member.

    IP

    or

    Domain

    Enter the IP address or FQDN of the server to include in the pool, depending on your selection for Server Type.

    For domain servers, FortiWeb queries a DNS server to resolve the server's domain name to an IP address. For improved performance, do one of the following:

    • Use physical servers instead.
    • Ensure highly reliable, low-latency service to a DNS server on your local network.

    Tip: The IP or domain server is usually not the same as a protected host names group. For details, see Protected web servers vs. allowed/protected host names.

    Warning: Server policies do not apply features that do not yet support IPv6 to a server using IPv6 addresses or domain servers whose DNS names resolve to IPv6 addresses.

    Port

    Enter the TCP port number where the pool member listens for connections. The valid range is 1–65,535.

    Connection Limit

    Specify the maximum number of TCP connections that FortiWeb can forward to this pool member at a time.

    The default value is 0 (disabled). The valid range is 0–1,048,576.

    Weight

    Enter the weight of the pool member for when FortiWeb distributes TCP connections if the Load Balancing Algorithm is Weighted Round Robin. Members with a greater weight receive a greater proportion of connections.

    Weighting pool members can be useful when some servers in the pool are more powerful, or if a pool member is already receiving fewer or more connections due to its role in multiple websites.

    Inherit Health Check

    Enable to ignore the server health check for the server pool. Specify a Server Health Check below for the pool member.

    Server Health Check

    Specify an availability test for this pool member. For details, see Configuring server up/down checks.

    This option is available only when Inherit Health Check is disabled.

    Health Check Domain Name

    Enter the domain name of the server pool.

    Backup Server

    Enable so that FortiWeb will route any TCP connections for the server pool to this pool member when the other pool members fail their server health check.

    The backup server mechanism doesn't work if you don't specify server health checks for the pool members. For details, see Server Health Check and Inherit Health Check.

    If you select this option for more than one pool member, FortiWeb uses the load balancing algorithm to determine which member to use first.

    SSL

    Enable so that connections between FortiWeb and the pool member use SSL/TLS.

    If you want to configure SSL offloading for all members of a server pool, you can configure it in a server policy instead. For details, see Creating an FTP server policy.

    Implicit SSL

    Enable so that FortiWeb will communicate with the pool member using implicit SSL.

    Advanced SSL settings

    Configure additional SSL settings, including supported SSL protocols and encryption levels. You can apply these settings to all pool members in a server policy. For details, see Creating an FTP server policy.

    Supported SSL Protocols

    Specify which versions of the TLS cryptographic protocols clients can use to connect securely to FortiWeb or the pool member. For details about which protocols to enable, see Supported cipher suites & protocol versions.

    This option is available only if you enable SSL.

    SSL/TLS Encryption Level

    Specify whether the set of cipher suites that FortiWeb allows creates a medium-security, high-security, or customized security configuration.

    If you specify Customized, you can select a cipher and then use the arrow keys to move it to the appropriate list.

    For details about cipher suites, see Supported cipher suites & protocol versions.

    This option is available only if you enable SSL.

    Show advanced settings

     

    Recover

    Specify the amount of time (in seconds) that FortiWeb waits before it forwards traffic to the pool member after a health check indicates that the pool member is available.

    The default value is 0 (disabled). The valid range is 0–86,400.

    After the recovery period elapses, FortiWeb assigns connections at the rate specified in Warm Rate.

    A server experiences a recovery and warm-up period when:

    • A server is coming back online after the health check monitor detected it was down.
    • A network service is brought up before other daemons have finished initializing, and the server is using more CPU and memory resources than when startup is completed.

    To avoid connection problems, specify the separate warm-up rate, recovery rate, or both.

    Tip: During scheduled maintenance, you can also manually apply these limits by setting the Status to Maintenance.

    Warm Up

    Specify for how long (in seconds) FortiWeb forwards traffic at a reduced rate after a health check indicates that the pool member is available again but cannot yet handle a full connection load.

    A server may not be able to handle a full connection load when the startup process is not fully completed.

    The default value is 0 (disabled). The valid range is 0–86,400.

    Warm Rate

    Specify the maximum connection rate while the pool member is starting up.

    Warm up calibration is useful for servers that bring up the network service before other daemons are initialized. As these types of servers come online, CPU and memory are utilized more than during normal operations. For these servers, you can define separate rates based on warm up and recovery behavior.

    For example, if Warm Up is 5 and the Warm Rate is 2, the maximum number of new connections increases at the following rate:

    • 1st second—Total of 2 new connections allowed (0+2).
    • 2nd second—2 new connections added for a total of 4 new connections allowed (2+2).
    • 3rd second—2 new connections added for a total of 6 new connections allowed (4+2).
    • 4th second—2 new connections added for a total of 8 new connections allowed (6+2).
    • 5th second—2 new connections added for a total of 10 new connections allowed (8+2).
  7. Click OK.
  8. Repeat steps 5–7 for as many rules as you need to add to the server pool.
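
The limits and dependencies in the settings above can be checked before a pool is entered in the web UI. The following is an added example, not Fortinet code: it reviews a planned pool definition against the documented ranges and the backup server, SSL and weight dependencies. The dictionary keys and the character set accepted for Name are assumptions made for this sketch, not FortiWeb CLI or API fields.

```python
import re

# Limits come from the settings descriptions above. The dict keys are
# hypothetical names chosen for this sketch, not FortiWeb CLI or API fields.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,63}")  # assumed reading of "no spaces or special characters"
RANGES = {"port": (1, 65535), "connection_limit": (0, 1048576),
          "recover": (0, 86400), "warm_up": (0, 86400)}
ALGORITHMS = {"Round Robin", "Weighted Round Robin",
              "Least Connection", "Source IP Hash"}
SSL_ONLY = ("ssl_protocols", "ssl_encryption_level")


def review_pool(pool):
    """Return findings for a planned FTP server pool (empty list = clean)."""
    out = []
    if not NAME_RE.fullmatch(pool.get("name", "")):
        out.append("name: must be 1-63 characters without spaces or special characters")
    if len(pool.get("comments", "")) > 199:
        out.append("comments: longer than 199 characters")
    members = pool.get("members", [])
    balanced = pool.get("mode") == "Server Balance"
    if balanced and pool.get("algorithm") not in ALGORITHMS:
        out.append("algorithm: not one of the documented algorithms")
    if not balanced and len(members) != 1:
        out.append("mode: a Single Server pool contains a single member")
    uses_backup = any(m.get("backup") for m in members)
    for i, m in enumerate(members):
        tag = f"member[{i}]"
        for key, (lo, hi) in RANGES.items():
            value = m.get(key, None if key == "port" else 0)  # 0 is the documented default
            if not isinstance(value, int) or not lo <= value <= hi:
                out.append(f"{tag}.{key}: {value!r} outside {lo}-{hi}")
        # A backup member only takes over when the others fail a health check.
        if uses_backup and not (m.get("health_check") or pool.get("health_check")):
            out.append(f"{tag}: no health check, so the backup server mechanism cannot work")
        if not m.get("ssl"):
            for key in SSL_ONLY:
                if key in m:
                    out.append(f"{tag}.{key}: set, but only available when SSL is enabled")
        if "weight" in m and pool.get("algorithm") != "Weighted Round Robin":
            out.append(f"{tag}.weight: only used with Weighted Round Robin")
    return out


# Constructed sample definition with deliberate mistakes.
SAMPLE = {
    "name": "ftp pool 1", "mode": "Server Balance", "algorithm": "Least Connection",
    "members": [
        {"address": "192.0.2.10", "port": 21, "weight": 5, "recover": 90000},
        {"address": "192.0.2.11", "port": 0, "backup": True,
         "ssl_protocols": ["TLS 1.2"], "health_check": "hc-ftp"},
    ],
}

if __name__ == "__main__":
    for finding in review_pool(SAMPLE):
        print(finding)
```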
