Configuring virtual servers

The virtual server configuration supports three classes of application delivery control:

  • Layer 7—Persistence, load balancing, and routing are based on Layer-7 objects, such as HTTP headers, cookies, and so on.
  • Layer 4—Persistence, load balancing, and network address translation are based on Layer-4 objects, such as source and destination IP addresses.
  • Layer 2—This feature is useful when the request’s destination IP is unknown and you need to load-balance connections among multiple next-hop gateways.
Before you begin:
  • You must have a deep understanding of the backend servers and your load-balancing objectives.
  • You must have configured a real server pool and other configuration objects that you can incorporate into the virtual server configuration, such as persistence rules, user-defined profiles, content routes and rewriting rules, error messages, authentication policies, and source IP address pools if you are deploying NAT.
  • You must have Read-Write permission for load-balance configurations.
Unlike virtual IPs on FortiGate or virtual servers on FortiWeb, virtual servers on FortiADC are activated as soon as you have configured them and set their status to Enable. You do not need to apply them by selecting them in a policy.

Two Options for virtual server configuration

FortiADC provides two options for configuring virtual servers—Basic Mode and Advanced Mode.

In Basic Mode, you are required to specify only the basic parameters needed to configure a virtual server. FortiADC automatically configures the advanced parameters with their default values when you click the Save button. Basic Mode is for less experienced users who may not have the skills required to configure the advanced features on their own.

The Advanced Mode, on the other hand, is ideal for experienced or "power" users who are knowledgeable and comfortable enough to configure all the advanced features, in addition to the basic ones, on their own.

All virtual servers you have added, whether they are configured through Basic Mode or Advanced Mode, end up on the Load Balance > Virtual Server page. You can view the configuration details of a virtual server by clicking the entry.

Basic virtual server configuration

This option is used mostly for beginners who have less experience with FortiADC.

To configure a virtual server using Basic Mode:
  1. Click Server Load Balance > Virtual Server.
  2. Click Add > Basic Mode to open the Basic Mode configuration editor.
  3. Complete the configuration as described in Virtual server configuration Basic Mode.
  4. Click Save.

Virtual server configuration Basic Mode

Settings Guidelines

Name

Specify a unique name for the virtual server configuration object. Valid characters are A-Z, a-z, 0-9, _, and -. No space is allowed. This name appears in reports and in logs as the SLB “policy”.

Note: Once saved, the name of a virtual server configuration cannot be changed.

Application

Select an application from the list menu:

  • Microsoft SharePoint Application
  • Microsoft Exchange Server Application
  • IIS
  • Apache
  • Windows Remote Desktop
  • HTTPS H2
  • HTTPS H2C
  • HTTP(S)
  • TCPS
  • HTTP Turbo
  • RADIUS
  • DNS
  • SIP
  • TCP
  • UDP
  • FTP
  • IP
  • RTSP
  • RTMP
  • SMTP
  • DIAMETER
  • ISO8583
  • L7 TCP
  • L7 UDP

Address

Specify the IP address provisioned for the virtual server.

Port

Accept the default port number (80) or specify a port, ports, or a range of ports of your preference.

Note: The virtual server will use the specified port or ports to listen for client requests. You can specify up to eight ports or port ranges separated by space. Valid values are from 0 to 65535. Port 0 applies to Layer-4 virtual servers only.

Interface

Select a network interface from the list menu, or specify a new one.

Real Server Pool

Select a real server pool (if you have one already configured) or create a new one.

SSL

Applicable to HTTP(S) applications only.

Note: SSL is disabled by default; you must check the check box to enable it. Once SSL is enabled, you must select a profile from the Client SSL Profile drop-down menu below.

Client SSL Profile

Note: This setting applies to HTTPS, TCPS, HTTP2 H2, and SMTP applications only. In the case of HTTPS, it becomes available only when SSL is enabled.

Select a client SSL profile from the drop-down menu.

Protocol

Note: This setting becomes available only when Application is set to IP.

Enter up to eight numeric values or value ranges corresponding to the protocols you'd like to use, separated by space.

Domain Name

Note: This field becomes available only when Application is set to SMTP.

Specify the FQDN.

Advanced virtual server configuration

This option is used mostly by advanced users of FortiADC.

To configure a virtual server using the Advanced Mode:
  1. Go to Server Load Balance > Virtual Server.
  2. Click Add > Advanced Mode to display the configuration editor.
  3. Complete the configuration as described in Virtual server configuration in Advanced Mode.
  4. Save the configuration.

Virtual server configuration in Advanced Mode

Settings Description

Basic

Name

Enter a unique name for the virtual server. Valid characters are A-Z, a-z, 0-9, _, and -. No space is allowed. This name appears in reports and in logs as the SLB “policy”.

Note: Once you have saved the configuration, you cannot edit the virtual server name.

Status

  • Enable—The virtual server can receive new sessions.
  • Disable—The server does not receive new sessions and closes any current sessions as soon as possible.
  • Maintain—The server does not receive new sessions, but maintains its current connections.

Type

  • Layer 7—Persistence, load balancing, and routing are based on Layer-7 objects, such as HTTP headers, cookies, and so on.
  • Layer 4—Persistence, load balancing, and network address translation are based on Layer-4 objects, such as source and destination IP addresses.
  • Layer 2—This feature is useful when the request’s destination IP is unknown and you need to load-balance connections among multiple next-hop gateways.

Address Type

  • IPv4
  • IPv6

Note: IPv6 is not supported for FTP, HTTP Turbo, RDP, or SIP profiles.

Comment

A string used to describe the purpose of the configuration.

Traffic Group

Select the traffic group of your choice if you have one already configured, or create a new one by clicking Create New.

Note: FortiADC will use the "default" if you do not choose or create a traffic group of your own.

Specifics

Note: Some of the settings in this part of the GUI apply to both Layer-7 and Layer-4 virtual servers, and some apply to Layer-7 virtual servers only, but none of them applies to Layer-2 virtual servers.

Schedule Pool

OFF (disabled) by default. Click the button to enable it.

Schedule Pool List

Available only when Schedule Pool is enabled (see above). Follow the instructions onscreen to:

  1. Select the schedule pool(s).
  2. Arrange them in a desired order.

Content Routing

OFF (disabled) by default. Click the button to enable it.
Note:

  • When content routing is enabled, FortiADC will route packets to backend servers based on IP address (Layer-4 content) or HTTP header (Layer-7 content).
  • Content-routing rules override static or policy routes.
  • This option does NOT apply to SIP profiles.

Content Routing List

Available only when Content Routing is enabled. Follow the instructions onscreen to:

  1. Select the content-routing rules.
  2. Arrange them in a desired order.

Note: You can select multiple content-routing rules in the virtual server configuration. Rules are checked from top to bottom, and the first rule to match is applied. If the traffic does not match any of the content-routing rule conditions specified in the virtual server configuration, the system will behave unexpectedly. It is therefore important to create a “catch-all” rule that has no match conditions and to order it last in the virtual server configuration, so that it forwards traffic to a default pool.

See Configuring content routes.
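The first-match ordering and the catch-all requirement described above can be checked before a rule list is applied. The following is an added example, not FortiADC code: the `Rule` model, its substring matching, and all rule and pool names are hypothetical stand-ins for real content-routing rules.

```python
"""Audit a virtual server's content-routing list for ordering problems."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    # Hypothetical model of one content-routing rule. `conditions` maps a
    # request field (e.g. an HTTP header name) to a required substring;
    # real rules support richer match types. Empty conditions = catch-all.
    name: str
    pool: str
    conditions: dict = field(default_factory=dict)

    def is_catch_all(self):
        return not self.conditions

    def matches(self, request):
        return all(want in request.get(key, "")
                   for key, want in self.conditions.items())


def select_pool(rules, request):
    """Top-to-bottom evaluation: the first matching rule decides the pool."""
    for rule in rules:
        if rule.matches(request):
            return rule.name, rule.pool
    return None, None  # nothing matched: the case the handbook warns about


def audit(rules):
    """Return findings for a rule list, in the order it is configured."""
    findings = []
    catch_alls = [i for i, r in enumerate(rules) if r.is_catch_all()]
    if not catch_alls:
        findings.append("no catch-all rule: unmatched traffic has no default pool")
        return findings
    first = catch_alls[0]
    if first != len(rules) - 1:
        # Everything below a rule without conditions can never be reached.
        shadowed = ", ".join(r.name for r in rules[first + 1:])
        findings.append(
            f"catch-all '{rules[first].name}' is not last; "
            f"never evaluated: {shadowed}")
    return findings


# Constructed sample rule lists (names and pools are made up).
API = Rule("cr-api", "pool-api", {"Host": "api.example.com"})
ADMIN = Rule("cr-admin", "pool-admin", {"Host": "admin.example.com"})
DEFAULT = Rule("cr-default", "pool-web")

MISSING = [API, ADMIN]              # no default pool for unmatched traffic
MISORDERED = [API, DEFAULT, ADMIN]  # catch-all shadows the admin rule
CORRECT = [API, ADMIN, DEFAULT]

if __name__ == "__main__":
    req = {"Host": "admin.example.com"}
    for label, rules in (("missing", MISSING), ("misordered", MISORDERED),
                         ("correct", CORRECT)):
        print(label, select_pool(rules, req), audit(rules))
```

With the misordered list, a request for the admin host is sent to the default web pool, which is why the audit reports the rules placed below the catch-all.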

Content Rewriting

OFF (disabled) by default. Click the button to enable it.

Note:

  • This option applies to Layer-7 only.
  • This option does NOT apply to SIP profiles.

Content Rewriting List

Available only when Content Rewriting is enabled. Follow the instructions onscreen to:

  1. Select the content rewriting rules.
  2. Arrange them in a desired order.

Note: You can select multiple content rewriting rules in the virtual server configuration. Rules that you add are consulted from top to bottom. The first rule to match is applied. If the traffic does not match any of the content rewriting rule conditions, the header is not rewritten.

See Using content rewriting rules.

Transaction Rate Limit

Note: This setting applies to Layer-7 virtual servers only. It is not supported for HTTP Turbo profiles.

Set a limit to the number of HTTP requests per second that the virtual server can process. Valid values are from 0 to 1,048,567. The default is 0 (disabled).

The system counts each client HTTP request against the limit. When the HTTP request rate exceeds the limit, the virtual server sends an HTTP 503 error response to the client.

Packet Forwarding Method

Note: This setting applies to Layer-4 virtual servers only.

Select one of the following packet forwarding methods:

  • Direct Routing—Forwards the source and destination IP addresses with no changes.

Note: For FTP profiles, when Direct Routing is selected, you must also configure a persistence method.

  • DNAT—Replaces the destination IP address with the IP address of the backend server selected by the load balancer.

The destination IP address of the initial request is the IP address of the virtual server. Be sure to configure FortiADC as the default gateway on the backend server so that the reply goes through FortiADC and can also be translated.

  • Full NAT—Replaces both the destination and source IP addresses. IPv4 to IPv4 or IPv6 to IPv6 translation.
  • Tunneling—(For Layer-4 IPv4 virtual servers) Allows FortiADC to send client requests to real servers through Layer-4 IP tunnels. See Layer-4 Virtual server IP tunneling.
  • NAT46—(If Address Type is IPv4) Replaces both the destination and source IP addresses, translating IPv4 addresses to IPv6 addresses.
  • NAT64—(If Address Type is IPv6) Replaces both the destination and source IP addresses, translating IPv6 addresses to IPv4 addresses.

For Full NAT, NAT46, and NAT64, the source IP address is replaced by an IP address from the pool you specify. The destination IP address is replaced with the IP address of the backend server selected by the load balancer.

NAT Source Pool List

If you are configuring a Layer 4 virtual server and enable Full NAT or NAT46, select one or more source pool configuration objects. See Using source pools.

General

Configuration

Address

Enter the IP address provisioned for the virtual server.

Note: You do not specify an IP address for a Layer 2 virtual server. A Layer 2 virtual server is not aware of IP addresses. Instead of routing data for a specific destination, this type of server simply forwards data from the specified network interface and port.

Port

Accept the default port or specify a port, ports, or port ranges of your preference.

Note: The virtual server will use the specified port or ports to listen for client requests. You can specify up to eight ports or port ranges separated by space. Valid values are from 0 to 65535. Port 0 applies to Layer-4 virtual servers only.

The port range option is useful in deployments where it is desirable to have a virtual IP address with a large number of virtual ports, such as data centers or web hosting companies that use port numbers to identify their specific customers.

Statistics and configurations are applied to the virtual port range as a whole and not to the individual ports within the specified port range.

Note: If a Layer 2 virtual server is assigned a network interface that uses port 80 or 443, ensure that the HTTPS and HTTP administrative access options are not enabled for the interface. Setting a port range is not supported for FTP, HTTP Turbo, RADIUS, or Layer 2 TCP profiles.

Connection Limit

Set a limit to the number of concurrent connections. The default is 0 (disabled). Valid values are from 1 to 100,000,000.

You can apply a connection limit per real server and per virtual server. Both limits are enforced. Attempted connections that are dropped by security rules are not counted.

Note: This feature is NOT supported for FTP or SIP profiles.

Connection Rate Limit

With Layer 4 profiles, and with the Layer-2 TCP profile, you can limit the number of new connections per second. The default is 0 (disabled). Valid values are from 1 to 86,400.

You can apply a connection rate limit per real server and per virtual server. Both limits are enforced. Attempted connections that are dropped by security rules are not counted.

Note: Not supported for FTP profiles.
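The name, port, address, and limit constraints stated in the settings above can be checked in one pass before a virtual server is saved. The following is an added example, not FortiADC code: the dictionary keys, the `L7`/`L4`/`L2` type labels, and the profile labels are hypothetical, and the `low-high` range syntax is an assumption, since the page does not show how a range is written.

```python
"""Lint a virtual server definition against the limits in this handbook page."""
import re

NAME_RE = re.compile(r"[A-Za-z0-9_-]+")        # A-Z, a-z, 0-9, _ and -; no spaces
PORT_RE = re.compile(r"(\d+)(?:-(\d+))?")      # assumption: ranges are low-high
NO_PORT_RANGE = {"FTP", "HTTP Turbo", "RADIUS", "L2 TCP"}
NO_IPV6 = {"FTP", "HTTP Turbo", "RDP", "SIP"}
# Upper bounds as stated on the page; 0 means "disabled" for all three.
LIMITS = {"connection_limit": 100_000_000,
          "connection_rate_limit": 86_400,
          "transaction_rate_limit": 1_048_567}


def parse_ports(spec):
    """Split a space-separated port spec into (low, high) pairs plus errors."""
    pairs, errors = [], []
    tokens = spec.split()
    if not tokens:
        errors.append("port: no port given")
    if len(tokens) > 8:
        errors.append(f"port: {len(tokens)} entries, at most eight allowed")
    for tok in tokens:
        m = PORT_RE.fullmatch(tok)
        if not m:
            errors.append(f"port: '{tok}' is not a port or port range")
            continue
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if low > high or high > 65535:
            errors.append(f"port: '{tok}' is outside 0-65535 or reversed")
            continue
        pairs.append((low, high))
    return pairs, errors


def lint_virtual_server(vs):
    """Return a list of findings; an empty list means no rule was violated."""
    layer, profile = vs["type"], vs.get("profile", "")
    findings = []
    if not NAME_RE.fullmatch(vs.get("name", "")):
        findings.append("name: only A-Z, a-z, 0-9, _ and - are valid")
    pairs, errors = parse_ports(vs.get("port", ""))
    findings += errors
    if layer != "L4" and any(low == 0 for low, _ in pairs):
        findings.append("port: 0 applies to Layer-4 virtual servers only")
    if profile in NO_PORT_RANGE and any(low != high for low, high in pairs):
        findings.append(f"port: ranges are not supported for {profile} profiles")
    if vs.get("address_type") == "IPv6" and profile in NO_IPV6:
        findings.append(f"address type: IPv6 is not supported for {profile} profiles")
    if layer == "L2" and vs.get("address"):
        findings.append("address: a Layer 2 virtual server takes no IP address")
    for key, top in LIMITS.items():
        if not 0 <= vs.get(key, 0) <= top:
            findings.append(f"{key}: must be 0 (disabled) or 1 to {top}")
    if vs.get("transaction_rate_limit", 0) and layer != "L7":
        findings.append("transaction_rate_limit: Layer-7 virtual servers only")
    return findings


# Constructed sample definitions (addresses are documentation ranges).
GOOD = {"name": "vs_web-01", "type": "L7", "profile": "HTTPS",
        "address_type": "IPv4", "address": "192.0.2.10",
        "port": "443 8443-8450", "transaction_rate_limit": 5000}
BAD = {"name": "web front", "type": "L7", "profile": "RADIUS",
       "address_type": "IPv4", "address": "192.0.2.10",
       "port": "0 8000-8010 70000", "connection_limit": 250_000_000}
L2_BAD = {"name": "l2-gw", "type": "L2", "profile": "L2 TCP",
          "address": "198.51.100.1", "port": "1-1024"}

if __name__ == "__main__":
    for sample in (GOOD, BAD, L2_BAD):
        print(sample["name"], lint_virtual_server(sample))
```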

Interface

Network interface that receives client traffic for this virtual server.

Resources

Profile

Select a predefined or user-defined profile configuration object. See Configuring Application profiles.

Client SSL Profile

Note: This setting applies to HTTPS, TCPS, HTTP2 H2, SMTP, and FTPS applications only. In the case of HTTPS, it becomes available only when SSL is enabled.

Select a client SSL profile from the drop-down menu.

Note: If a ZTNA Profile is referenced in the VS, ensure the client SSL profile has enabled client certificate verification for the corresponding EMS CA certificate object. See Configuring client SSL profiles.

Persistence

Select a predefined or user-defined persistence configuration object. See Configuring persistence rules.

Note: The persistence rule with Match Across Virtual Servers enabled works only with L4 virtual servers or the L7 virtual server whose profile is LB_PROF_RADIUS.

Method

Select a predefined or user-defined method configuration object. See Configuring load-balancing (LB) methods.

Real Server Pool

Select a real server pool configuration object. See Configuring real server pools.

Clone Pool

Select a configuration object. See Configuring a clone pool.

Auth Policy

Select an authentication policy configuration object. HTTP/HTTPS only.

See Configuring authentication policies.

Scripting

Available only when Scripting is enabled. Follow the instructions on screen to:

  1. Select the scripting objects.
  2. Arrange them in the desired order.

Note: FortiADC allows you to combine multiple individual scripts into one combined script so that you can execute them all at once. In that situation, you can set the order in which the scripts are executed by assigning the scripts with different priorities. For more information, see Support for multiple scripts.

L2 Exception List

Select an exception configuration object. Layer 2 HTTPS/TCPS only. See Configuring an L2 exception list.

Note: This field is only available when Type is set to Layer 2.

HTTP Redirect to HTTPS

This option becomes available when an HTTPS server load-balancing profile is selected. It's disabled by default. Click the button to enable.

Note: If enabled, it opens HTTP service on an HTTPS virtual server which redirects traffic to an HTTP virtual server.

Redirect Service Port

This option becomes available when HTTP Redirect to HTTPS is enabled for an HTTPS type of server load-balancing profile, as described above.

You can either accept the default port (80), or specify up to eight ports or ranges of ports of your preference.

Error Page

Error Page

Select an error page configuration object. See Configuring error pages.

Note: Not supported for SIP profiles.

Error Message

If you do not use an error page, you can enter an error message to be returned to clients in the event no server is available. Maximum 1023 bytes.

Note: Not supported for SIP profiles.

FortiGSLB

Public IP Type

IPv4 or IPv6

Set the Public IP type for the virtual server.

Public IPv4

Virtual server public IP address.

One Click GSLB Server

FortiGSLB One Click GSLB server

Host Name

The hostname part of the FQDN, such as www.

Note: You can specify the @ symbol to denote the zone root. The value substituted for @ is the preceding $ORIGIN directive.

Domain Name

The domain name must end with a period, for example: example.com.

Security

AV profile can support HTTP/HTTPS/SMTP

WAF Profile

Select a WAF profile configuration object or create a new one. See Configuring a WAF Profile.

AV Profile

Select an existing AV profile from the drop-down menu or create a new one. See Creating an AV profile.

DoS Protection Profile

Select a DoS protection profile configuration object or create a new one. See Configuring DoS Protection Profile.

Captcha Profile

Select a Captcha configuration object. See Configuring Captcha.

ZTNA Profile

Note: This setting applies to Layer 7 HTTPS and TCPS applications only.

Select a ZTNA Profile object. See Configuring a ZTNA Profile.

SSL Traffic Mirror

This field applies to HTTPS and TCPS only.

SSL Traffic Mirror

Select the check box to enable it. Then select the ports from the list of Available Items.

Application Optimization

Page Speed

Select a page speed optimization profile.

Monitoring

Traffic Log

Enable to record traffic logs for this virtual server.

Note: Local logging is constrained by available disk space. We recommend that if you enable traffic logs, you monitor your disk space closely. We also recommend that you use local logging during evaluation and verification of your initial deployment, and then configure remote logging to send logs to a log management repository.

FortiView

Enable to view the virtual server from FortiView.

WCP

Web Cache Communications Protocol
