Fortinet white logo
Fortinet white logo

CLI Reference

server-policy vserver

server-policy vserver

Use this command to configure virtual servers.

Before you can create a policy, you must first configure a virtual server which defines the network interface or bridge and IP address on which traffic destined for an individual physical server or server farm will arrive.

When the FortiWeb appliance receives traffic destined for a virtual server, it can then forward the traffic to a physical server or a server farm. The FortiWeb appliance identifies traffic as being destined for a specific virtual server if:

  • The traffic arrives on the network interface or bridge associated with the virtual server
  • For Reverse Proxy mode, the destination address is the IP address of a virtual server (the destination IP address is ignored in other operation modes, except that it must not be identical with the physical server’s IP address)

Virtual servers can be on the same subnet as physical servers. This configuration creates a one-arm HTTP proxy. For example, the virtual server 192.0.2.1/24 could forward to the physical server 192.0.2.2.

However, this is not recommended. Unless your network’s routing configuration prevents it, it could allow attackers that are aware of the physical server’s IP address to bypass FortiWeb by accessing the physical server directly.

To apply virtual servers, select them within a server policy. For details, see server-policy policy.

To use this command, your administrator account’s access control profile must have either w or rw permission to the traroutegrp area. For details, see Permissions.

Syntax

config server-policy vserver

edit "<virtual-server_name>"

config vip-list

edit server-policy vserver

set interface "<interface_name>"

set status {enable | disable}

set vip "<vip_str>"

set use-interface-ip {enable | disable}

next

end

next

end

Variable Description Default

"<virtual-server_name>"

Enter the name of the new or existing virtual server. The maximum length is 63 characters.

To display the list of existing servers, enter:

edit ?

disable

"<vip-list_id>"

Enter the sequence number of the virual IP in the table.

No default.

status {enable | disable}

Enable to accept traffic destined for this virtual server. No default.

interface "<interface_name>"

Enter the name of the network interface or bridge, such as port1 or bridge1, to which the virtual server is bound, and on which traffic destined for the virtual server will arrive. The maximum length is 63 characters.

To display the list of existing interfaces, enter:

edit ?

No default.

vip "<vip_str>"

Enter the IPv4 or IPv6 address and subnet of the virtual server.

0.0.0.0

::/0

use-interface-ip {enable | disable}

For FortiWeb-VM on Microsoft Azure, specify whether the virtual server uses the IP address of the specified interface, instead of an IP specified by vip or vip6. disable

Example

This example configures a virtual server named inline_vip1 on the network interface named port1.

The port number on which the virtual server will receive traffic is defined separately, in the policies that use this virtual server definition.

config server-policy vserver

edit "inline_vip1"

config vip-list

edit 2

set interface port1

set status enable

set vip "192.0.2.1 256.256.256.0"

next

end

next

end

Related topics

server-policy vserver

server-policy vserver

Use this command to configure virtual servers.

Before you can create a policy, you must first configure a virtual server which defines the network interface or bridge and IP address on which traffic destined for an individual physical server or server farm will arrive.

When the FortiWeb appliance receives traffic destined for a virtual server, it can then forward the traffic to a physical server or a server farm. The FortiWeb appliance identifies traffic as being destined for a specific virtual server if:

  • The traffic arrives on the network interface or bridge associated with the virtual server
  • For Reverse Proxy mode, the destination address is the IP address of a virtual server (the destination IP address is ignored in other operation modes, except that it must not be identical with the physical server’s IP address)

Virtual servers can be on the same subnet as physical servers. This configuration creates a one-arm HTTP proxy. For example, the virtual server 192.0.2.1/24 could forward to the physical server 192.0.2.2.

However, this is not recommended. Unless your network’s routing configuration prevents it, it could allow attackers that are aware of the physical server’s IP address to bypass FortiWeb by accessing the physical server directly.

To apply virtual servers, select them within a server policy. For details, see server-policy policy.

To use this command, your administrator account’s access control profile must have either w or rw permission to the traroutegrp area. For details, see Permissions.

Syntax

config server-policy vserver

edit "<virtual-server_name>"

config vip-list

edit server-policy vserver

set interface "<interface_name>"

set status {enable | disable}

set vip "<vip_str>"

set use-interface-ip {enable | disable}

next

end

next

end

Variable Description Default

"<virtual-server_name>"

Enter the name of the new or existing virtual server. The maximum length is 63 characters.

To display the list of existing servers, enter:

edit ?

disable

"<vip-list_id>"

Enter the sequence number of the virual IP in the table.

No default.

status {enable | disable}

Enable to accept traffic destined for this virtual server. No default.

interface "<interface_name>"

Enter the name of the network interface or bridge, such as port1 or bridge1, to which the virtual server is bound, and on which traffic destined for the virtual server will arrive. The maximum length is 63 characters.

To display the list of existing interfaces, enter:

edit ?

No default.

vip "<vip_str>"

Enter the IPv4 or IPv6 address and subnet of the virtual server.

0.0.0.0

::/0

use-interface-ip {enable | disable}

For FortiWeb-VM on Microsoft Azure, specify whether the virtual server uses the IP address of the specified interface, instead of an IP specified by vip or vip6. disable

Example

This example configures a virtual server named inline_vip1 on the network interface named port1.

The port number on which the virtual server will receive traffic is defined separately, in the policies that use this virtual server definition.

config server-policy vserver

edit "inline_vip1"

config vip-list

edit 2

set interface port1

set status enable

set vip "192.0.2.1 256.256.256.0"

next

end

next

end

Related topics