User Guide

Origin Servers

Configure the origin servers which FortiWeb Cloud will send the traffic to. If there are multiple origin servers, configure Load Balancing rules to determine how the traffic should be distributed among servers.

Note: You can lock your origin server's IP address to prevent other accounts on FortiWeb Cloud from setting up an application that targets malicious traffic at your origin server. Contact the cloud provider to request the Origin Server Lock setup.

To configure a Load Balancing rule:

  1. Navigate to Network > Origin Servers.
  2. Click the Edit icon for the Load Balancing rule.
  3. Configure the following settings.

    Server Balance

    After the application is onboarded, Server Balance is enabled by default to apply the load balancing algorithm to the origin servers.

    If you turn off this option, only one origin server is allowed, and both HTTPS and HTTP ports can be defined for this server. It's recommended to keep Server Balance on even if you have only one server, because switching the Server Balance status will delete all existing servers you have added.

    Turn off Server Balance only when you want FortiWeb Cloud to communicate with the origin server over both HTTP and HTTPS.

    The following options are available only when Server Balance is on.

    Load Balancing Algorithm
    • Round Robin—Distributes new TCP connections to the next server, regardless of weight, response time, traffic load, or number of existing connections.
    • Weighted Round Robin—Distributes new TCP connections using the round-robin method, except that members with a higher weight value receive a larger percentage of connections.
    • Least Connection—Distributes new TCP connections to the member with the fewest number of existing, fully-formed TCP connections.

    When the status of a server is set to Disabled, or a health check indicates that it is down, FortiWeb Cloud transfers any remaining HTTP transactions in the TCP stream to an active server according to the Load Balancing Algorithm.

    Persistence

    After FortiWeb Cloud has forwarded the first packet from a client to a server, some protocols require that subsequent packets also be forwarded to the same server until a period of time passes or the client indicates that it has finished transmission.

    Persistence specifies how FortiWeb Cloud recognizes a request as a subsequent request from the same client.

    • Source IP—The requests with the same client IP address and subnet as the initial request will be forwarded to the same server.
    • Insert Cookie—The requests with the same cookie name as the initial request will be forwarded to the same server.

    If you select None, the subsequent requests will be forwarded to random servers according to the Load Balancing Algorithm.

    Persistence Timeout

    Specifies the maximum amount of time between requests that FortiWeb Cloud maintains persistence, in seconds.

    FortiWeb Cloud stops forwarding requests according to the established persistence after this amount of time has elapsed since it last received a request from the client with the associated property (for example, an IP address or cookie). Instead, it again selects a server using the Load Balancing Algorithm.

    Cookie Name

    Specifies a value to match or the name of the cookie that FortiWeb Cloud inserts.

    Available only when the Persistence is set to Insert Cookie.
    Cookie Path

    Specifies a path attribute for the cookie that FortiWeb Cloud inserts.

    Available only when the Persistence is set to Insert Cookie.

    Cookie Domain

    Specifies a domain attribute for the cookie that FortiWeb Cloud inserts.

    Available only when the Persistence is set to Insert Cookie.

    Health Check

    Enable to periodically test for server availability. If FortiWeb Cloud determines the server is unresponsive, it will not forward traffic to this server until it becomes responsive again.

    Enable Health Check only if more than one origin server is associated with this application.

    When Health Check is enabled, you can click the Test icon in the origin server list to get the real-time status of a single server.

    URL Path

    Type the URL that the HTTP or HTTPS request uses to verify the responsiveness of the server (for example, /index.html).

    If the web server successfully returns this URL and the status code it returns matches the Response Code, the server is considered responsive.

    By default, FortiWeb Cloud uses the URL path "/" to test responsiveness of the server when you click Test Origin Server in the ADD APPLICATION wizard, then populates the response code received from the server in the Response Code field.

    Interval

    Type the number of seconds between each server health check.

    Valid values are 1 to 300. Default value is 10.

    Timeout

    Type the maximum number of seconds that FortiWeb Cloud waits for a response to a server health check. If the web server does not respond within this limit, the health check fails.

    Valid values are 1 to 30. Default value is 3.

    Retry Times

    Type the number of times, if any, that FortiWeb Cloud retries a server health check after failure. If the web server fails the server health check this number of times consecutively, it is considered to be unresponsive.

    Valid values are 1 to 10. Default value is 3.

    Method

    Specify whether the health check uses the HEAD, GET, or POST method.

    Response Code

    Enter the response code that you require the server to return to confirm that it is available.

  4. Click OK.
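The three Load Balancing Algorithm options described in step 3 above, as an added example that is not FortiWeb Cloud's own code. It models a pool of origin servers and shows how Round Robin, Weighted Round Robin and Least Connection each choose the server for a new TCP connection, and how a server that is Disabled or has failed its health check (the `up` flag) is skipped so its traffic moves to an active server. Server names, weights and connection counts are constructed for illustration.

```python
"""Added example (not FortiWeb Cloud's own code): the three Load Balancing
Algorithms, with a Disabled or failed server excluded from new connections.
Server names, weights and connection counts are constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Server:
    name: str
    weight: int = 1          # only Weighted Round Robin looks at this
    connections: int = 0     # fully-formed TCP connections currently open
    up: bool = True          # False once Disabled or a health check says down

    def __post_init__(self):
        if self.weight < 1:
            raise ValueError("weight must be at least 1")


class Scheduler:
    ALGORITHMS = ("round_robin", "weighted_round_robin", "least_connection")

    def __init__(self, servers, algorithm="round_robin"):
        if algorithm not in self.ALGORITHMS:
            raise ValueError(f"unknown algorithm {algorithm!r}")
        self.servers = servers
        self.algorithm = algorithm
        self._rr_index = 0       # cursor for Round Robin
        self._wrr_cycle = []     # remaining slots in the current weighted cycle

    def _round_robin(self, cands):
        # Next server in turn, regardless of weight, load or response time.
        server = cands[self._rr_index % len(cands)]
        self._rr_index += 1
        return server

    def _weighted_round_robin(self, cands):
        # One cycle holds each server `weight` times, so a weight-3 server
        # receives three times the connections of a weight-1 server.
        while True:
            while self._wrr_cycle:
                server = self._wrr_cycle.pop(0)
                if server.up:            # skip servers that went down mid-cycle
                    return server
            self._wrr_cycle = [s for s in cands for _ in range(s.weight)]

    def _least_connection(self, cands):
        # Fewest existing connections wins; ties go to the earliest in the list.
        return min(cands, key=lambda s: s.connections)

    def pick(self):
        """Choose the server for a new TCP connection and account for it."""
        cands = [s for s in self.servers if s.up]
        if not cands:
            raise RuntimeError("no active origin server")
        server = getattr(self, "_" + self.algorithm)(cands)
        server.connections += 1
        return server

    def release(self, server):
        """A connection closed: decrement the live count used by Least Connection."""
        server.connections = max(0, server.connections - 1)


def distribution(algorithm, servers, n):
    """How many of n new connections each server would receive."""
    sched = Scheduler(servers, algorithm)
    return Counter(sched.pick().name for _ in range(n))


if __name__ == "__main__":
    for algo in Scheduler.ALGORITHMS:
        pool = [Server("app-1", weight=3), Server("app-2"), Server("app-3")]
        print(algo, dict(distribution(algo, pool, 10)))
```

Note that Weighted Round Robin only differs from Round Robin once weights differ, and Least Connection only differs once the live connection counts diverge; with a fresh pool all three distribute almost evenly.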
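The Persistence settings in step 3 (Source IP, Insert Cookie, Persistence Timeout, Cookie Name, Cookie Path and Cookie Domain), as an added example that is not FortiWeb Cloud's own code. A persistence table maps a client key (the source address, optionally widened to its subnet, or the inserted cookie value) to the server it was first sent to, expires the entry after the timeout, and otherwise falls back to a plain round-robin choice. The cookie name `FWCSTICKY`, the 300-second default timeout, the `/24` subnet option and all addresses are constructed for illustration.

```python
"""Added example (not FortiWeb Cloud's own code): Source IP and Insert Cookie
persistence with a Persistence Timeout in front of a round-robin fallback.
Cookie name, timeout default, subnet width and addresses are constructed."""
import ipaddress
import secrets
import time


class PersistenceTable:
    def __init__(self, servers, mode="none", timeout=300,
                 cookie_name="FWCSTICKY", cookie_path="/", cookie_domain=None,
                 source_prefix=32, clock=time.monotonic):
        if mode not in ("none", "source_ip", "insert_cookie"):
            raise ValueError(f"unknown persistence mode {mode!r}")
        self.servers = servers
        self.mode = mode
        self.timeout = timeout              # Persistence Timeout, seconds
        self.cookie_name = cookie_name      # Cookie Name
        self.cookie_path = cookie_path      # Cookie Path
        self.cookie_domain = cookie_domain  # Cookie Domain
        self.source_prefix = source_prefix  # /32 = exact client IP, /24 = its subnet
        self.clock = clock                  # injectable for deterministic tests
        self._table = {}                    # key -> (server, last_seen)
        self._rr = 0

    def _key(self, client_ip, cookies):
        if self.mode == "source_ip":
            net = ipaddress.ip_network(f"{client_ip}/{self.source_prefix}", strict=False)
            return ("ip", str(net))
        if self.mode == "insert_cookie" and cookies.get(self.cookie_name):
            return ("cookie", cookies[self.cookie_name])
        return None                          # Persistence = None, or no cookie yet

    def _fallback(self):
        # No usable persistence entry: the load balancing algorithm chooses.
        server = self.servers[self._rr % len(self.servers)]
        self._rr += 1
        return server

    def route(self, client_ip, cookies=None):
        """Return (server, Set-Cookie header value or None)."""
        cookies = cookies or {}
        now = self.clock()
        key = self._key(client_ip, cookies)
        entry = self._table.get(key) if key else None
        if entry and now - entry[1] <= self.timeout:
            # Still within Persistence Timeout: stick to the recorded server.
            self._table[key] = (entry[0], now)
            return entry[0], None
        server = self._fallback()
        set_cookie = None
        if self.mode == "insert_cookie":
            # Unknown or expired cookie: insert a fresh one bound to this server.
            token = secrets.token_hex(8)
            key = ("cookie", token)
            set_cookie = f"{self.cookie_name}={token}; Path={self.cookie_path}"
            if self.cookie_domain:
                set_cookie += f"; Domain={self.cookie_domain}"
        if key:
            self._table[key] = (server, now)
        return server, set_cookie


def parse_cookie_header(header):
    """Turn 'a=1; b=2' from a Cookie request header into a dict."""
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}
```

Source IP persistence pins every client behind a shared NAT or proxy address to one server, which skews the distribution; Insert Cookie keys on a per-browser value instead, at the cost of depending on the client returning the cookie.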

To add a server:

  1. Navigate to Network > Origin Servers.
  2. Click Create Server.
  3. Configure the following settings.
    Status

    • Active—Specifies that this server can receive new sessions from FortiWeb Cloud.
    • Disable—Specifies that this server does not receive new sessions from FortiWeb Cloud and it closes any current sessions as soon as possible.
    • Maintenance—Specifies that this server does not receive new sessions from FortiWeb Cloud but it maintains any current connections.

    Server Type

    Select either IP or Domain to indicate how you want to define the server.

    Select Dynamic if the server's IP address dynamically changes. This applies only to servers on AWS, Azure, and Google Cloud.

    IP/Domain

    Specify the IP address or fully-qualified domain name (FQDN) of the server.

    For domain servers, FortiWeb Cloud queries a DNS server to resolve each web server's domain name to an IP address. For improved performance, it's recommended to use physical servers instead.

    Available only if the Server Type is IP or Domain.

    Cloud Connector

    Select the Cloud Connector so that FortiWeb Cloud can be authorized to access the resources in your public cloud account. See Cloud Connectors.

    Available only if the Server Type is Dynamic.

    Filter

    Once you select the fabric collector that you have created, the available filter options for your VMs in your public cloud account will be listed here. You can select multiple filter options among instance IDs, image IDs, tags, etc. FortiWeb Cloud will find the VM instance, for example, whose instance ID is i-12345678 in your AWS account, then obtain the IP address of this instance and record it as the origin server's IP.

    AWS

    • instance-id (e.g. instance-id=i-12345678)
    • image-id (e.g. image-id=ami-123456)
    • key-name (e.g. key-name=aws-key-name)
    • subnet-id (e.g. subnet-id=sub-123456)
    • tag:TagName (The tag attached to the instance. TagName is a variable. It can be any value you have named for the tag, e.g. tag:Type=appserver. Up to 8 tags are supported.)

    Azure

    • vm-name (e.g. vm-name=myVM01)
    • tag:TagName (The tag attached to the virtual machine. TagName is a variable. It can be any value you have named for the tag, e.g. tag:Type=appserver. Up to 8 tags are supported.)

    GCP

    • instance-id (e.g. instance-id=3528415166015934407)
    • instance-name (e.g. instance-name=myInstance)
    • labels.LabelName (The label attached to the instance. LabelName is a variable. It can be any value you have named for the label, e.g. labels.Type=appserver. Up to 8 labels are supported.)

    Available only if the Server Type is Dynamic.

    IP List

    Click the Test button. FortiWeb Cloud finds the instances/virtual machines that match the filters selected above, then lists their IP addresses.

    Available only if the Server Type is Dynamic.

    Protocol & Port

    Select whether this server connects with FortiWeb Cloud through HTTP or HTTPS, then type the port number for that protocol. The valid range is from 1 to 65,535.

    Only available when the Server Balance is on.

    HTTPS Port & HTTP Port

    When the Server Balance is off, FortiWeb Cloud can communicate with the origin server over both HTTP and HTTPS protocols. Specify the port number for both HTTP and HTTPS protocols.

    Only available when the Server Balance is off.

    HTTP/2

    When HTTPS is enabled, you can enable HTTP/2.

    Weight

    If TCP connections are distributed among the servers using the Weighted Round Robin load-balancing algorithm, servers with a greater weight receive a greater proportion of connections.

    Weighting servers can be useful when, for example, some servers are more powerful or if a server is already receiving fewer or more connections due to its role in multiple websites.

    Backup

    When other servers fail their server health check, FortiWeb Cloud routes any connections for the failed server to this server.

    If you have enabled Backup for more than one server, FortiWeb Cloud uses the load balancing algorithm to determine which servers to use.

    The backup server mechanism does not work if you do not enable Health Check in the Load Balancing configuration.

    Server Certificate Authentication

    Enable this option to secure the connection between FortiWeb Cloud and the server.

    Please note this option is available to configure only when you have successfully added the server.

    CA Certificate

    If Server Certificate Authentication is enabled, click Import to upload the CA certificate used to validate the server's certificate on the HTTPS connection.

    Certificate Revocation Lists

    Click Import to upload the Certificate Revocation Lists. To ensure that FortiWeb Cloud validates only certificates that have not been revoked, you should periodically upload current certificate revocation lists (CRL) that may be provided by certificate authorities (CA).

    Note: FortiWeb Cloud continuously verifies the IP address paired with the domain name, and if the IP address changes, FortiWeb Cloud automatically updates the origin server IP in its configuration. How often FortiWeb Cloud updates the IP depends on the TTL of the DNS record, which is usually 60 seconds for AWS ALB/ELB.

  4. If HTTPS protocol is selected, you need to configure which versions of TLS protocol to use and the SSL encryption level.
    • TLS Versions: Select which versions of TLS protocols are allowed for the HTTPS connections between FortiWeb Cloud and the server.
    • SSL Encryption Level: The HTTPS traffic is encrypted or decrypted with ciphers. SSL Encryption Level controls which ciphers are supported.
      • Mozilla-Modern: For services with clients that support TLS 1.3 and don't need backward compatibility, Mozilla-Modern is the recommended configuration as it provides an extremely high level of security.
      • Mozilla-Intermediate: For services that don't need compatibility with legacy clients such as Windows XP or old versions of OpenSSL, Mozilla-Intermediate is the recommended configuration as it is highly secure and at the same time compatible with nearly every client released in the last five (or more) years.
      • Mozilla-Old: For services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8.
      • Customized: Supports a customizable list of all ciphers.

  5. Click OK.
  6. For each created origin server, from the Action tab, you can delete the server or edit the server information; you can also click the Test icon to get the real-time server status.

    You can add at most 128 origin servers to the server pool of an application.

    Note: Because the Health Check test packet is only a simulated one, the test result may not reflect the real server status.
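The Dynamic server Filter options from step 3 (instance-id, image-id, key-name, subnet-id and tag:TagName for AWS, vm-name and tag:TagName for Azure, instance-id, instance-name and labels.LabelName for GCP), as an added example that is not FortiWeb Cloud's own code. It parses filters written in the key=value form shown on the page and matches them against a constructed instance inventory standing in for the cloud API. Assumptions: multiple filters must all match (AND), the 8-tag/label limit is enforced at parse time, and each inventory record carries a made-up `private-ip` field.

```python
"""Added example (not FortiWeb Cloud's own code): parse Dynamic server filters
and resolve them against a constructed cloud inventory. AND semantics, the
8-tag limit at parse time and the "private-ip" field are assumptions."""
MAX_TAGS = 8


def parse_filters(filters):
    """'instance-id=i-12345678' -> ('instance-id', None, 'i-12345678')
    'tag:Type=appserver'        -> ('tag', 'Type', 'appserver')    (AWS, Azure)
    'labels.Type=appserver'     -> ('labels', 'Type', 'appserver') (GCP)"""
    parsed, tagged = [], 0
    for f in filters:
        if "=" not in f:
            raise ValueError(f"filter must be key=value: {f!r}")
        key, value = f.split("=", 1)
        if key.startswith("tag:"):
            parsed.append(("tag", key[len("tag:"):], value))
            tagged += 1
        elif key.startswith("labels."):
            parsed.append(("labels", key[len("labels."):], value))
            tagged += 1
        else:
            parsed.append((key, None, value))
    if tagged > MAX_TAGS:
        raise ValueError(f"at most {MAX_TAGS} tag/label filters are supported")
    return parsed


def matches(instance, parsed):
    """True when every parsed filter matches this instance record."""
    for key, sub, value in parsed:
        if sub is not None:
            actual = instance.get(key, {}).get(sub)   # tag / label lookup
        else:
            actual = instance.get(key)                # plain attribute
        if actual != value:
            return False
    return True


def resolve_origin_ips(inventory, filters):
    """IPs FortiWeb Cloud would record as origin servers for these filters."""
    parsed = parse_filters(filters)
    return [i["private-ip"] for i in inventory if matches(i, parsed)]


# Constructed inventory standing in for the cloud provider's instance listing.
INVENTORY = [
    {"instance-id": "i-12345678", "image-id": "ami-123456", "subnet-id": "sub-123456",
     "key-name": "aws-key-name", "tag": {"Type": "appserver", "Env": "prod"},
     "private-ip": "10.0.1.10"},
    {"instance-id": "i-0abc1234", "image-id": "ami-123456", "subnet-id": "sub-123456",
     "key-name": "aws-key-name", "tag": {"Type": "appserver", "Env": "staging"},
     "private-ip": "10.0.1.11"},
    {"instance-id": "i-0def5678", "image-id": "ami-654321", "subnet-id": "sub-654321",
     "key-name": "aws-key-name", "tag": {"Type": "db"}, "private-ip": "10.0.2.20"},
    {"instance-name": "myInstance", "labels": {"Type": "appserver"}, "private-ip": "10.1.0.5"},
]

if __name__ == "__main__":
    print(resolve_origin_ips(INVENTORY, ["image-id=ami-123456", "tag:Type=appserver"]))
```

A broad filter such as image-id alone can silently pull instances from other environments into the origin pool (the staging host above, for example); pairing it with a tag or subnet-id filter keeps the resolved IP List to the servers you intend, and the IP List shown after Test is the place to confirm that before saving.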
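The Health Check settings of the Load Balancing rule (Interval, Timeout, Retry Times, Method, Response Code) together with the Status and Backup settings of each server, as one added example that is not FortiWeb Cloud's own code. Each server carries a small health-check state machine: a probe result equal to Response Code resets the failure count, anything else (including a timeout, shown as `None`) counts as a failure, and the server is unresponsive only after Retry Times consecutive failures. The pick logic then applies the Status definitions (Active, Disable, Maintenance) and falls back to Backup servers only when every primary is out and Health Check is on. Probe results and server names are constructed; treating a server as up whenever Health Check is off is a modelling assumption.

```python
"""Added example (not FortiWeb Cloud's own code): the Health Check state
machine feeding the Status / Backup rules for choosing an origin server.
Probe results and server names are constructed."""
from dataclasses import dataclass, field


def validate_settings(interval=10, timeout=3, retry_times=3):
    """Documented ranges: Interval 1-300 s, Timeout 1-30 s, Retry Times 1-10."""
    if not 1 <= interval <= 300:
        raise ValueError("Interval must be 1-300 seconds")
    if not 1 <= timeout <= 30:
        raise ValueError("Timeout must be 1-30 seconds")
    if not 1 <= retry_times <= 10:
        raise ValueError("Retry Times must be 1-10")
    return interval, timeout, retry_times


@dataclass
class HealthCheck:
    response_code: int = 200
    interval: int = 10
    timeout: int = 3
    retry_times: int = 3
    consecutive_failures: int = 0
    responsive: bool = True

    def __post_init__(self):
        validate_settings(self.interval, self.timeout, self.retry_times)

    def observe(self, status):
        """Feed one probe result: the status code, or None for a Timeout."""
        if status == self.response_code:
            self.consecutive_failures = 0
            self.responsive = True        # traffic resumes on the first success
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.retry_times:
                self.responsive = False   # failed Retry Times in a row
        return self.responsive


@dataclass
class Origin:
    name: str
    status: str = "Active"          # Active | Disable | Maintenance
    backup: bool = False            # Backup flag
    connections: int = 0
    health: HealthCheck = field(default_factory=HealthCheck)


def accepts_new_sessions(o, health_check_enabled=True):
    # Disable and Maintenance take no new sessions; a failed health check also
    # removes an Active server, but with Health Check off nothing marks it down.
    return o.status == "Active" and (o.health.responsive or not health_check_enabled)


def eligible(pool, health_check_enabled=True):
    """Primaries first; Backup servers only once every primary is out, and only
    with Health Check on (the documented precondition for Backup)."""
    primaries = [o for o in pool
                 if not o.backup and accepts_new_sessions(o, health_check_enabled)]
    if primaries or not health_check_enabled:
        return primaries
    return [o for o in pool if o.backup and accepts_new_sessions(o, health_check_enabled)]


def pick(pool, health_check_enabled=True):
    """Least Connection among the eligible servers; None if nothing can serve."""
    cands = eligible(pool, health_check_enabled)
    if not cands:
        return None
    server = min(cands, key=lambda o: o.connections)
    server.connections += 1
    return server


def drain_plan(pool):
    """Fate of existing sessions per server, from the Status definitions."""
    fate = {"Disable": "close now", "Maintenance": "keep until finished"}
    return {o.name: fate.get(o.status, "serve") for o in pool}


def simulate(pool, rounds):
    """rounds: one {server name: probe status} dict per Interval. Returns the
    server chosen for a new session after each round ('-' when none)."""
    chosen = []
    for results in rounds:
        for o in pool:
            if o.name in results:
                o.health.observe(results[o.name])
        s = pick(pool)
        chosen.append(s.name if s else "-")
    return chosen
```

The simulation makes the Retry Times semantics visible: a single bad probe never removes a server, so transient errors do not cause flapping, but a server that fails three probes in a row disappears from rotation until its next successful probe, and the Backup server only carries traffic while every primary is out.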
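The Server Certificate Authentication, CA Certificate and Certificate Revocation Lists settings of step 3, together with the TLS Versions and Customized cipher settings of step 4, as an added example that is not FortiWeb Cloud's own code. It builds the client-side TLS policy that the FortiWeb Cloud-to-origin leg would enforce, using Python's `ssl` module: certificate validation against an imported CA with a CRL check, a chosen set of allowed TLS versions, and an optional custom cipher list. The Mozilla-Modern/Intermediate/Old cipher lists are not reproduced here; the file paths and the sample cipher string are assumptions.

```python
"""Added example (not FortiWeb Cloud's own code): a client-side TLS policy for
the FortiWeb Cloud -> origin leg. File paths and the cipher string are
assumptions; the Mozilla cipher lists are not reproduced."""
import ssl

TLS_VERSIONS = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}


def origin_tls_context(tls_versions=("TLSv1.2", "TLSv1.3"), verify_server=True,
                       ca_file=None, crl_file=None, require_crl=False, ciphers=None):
    # Server Certificate Authentication on: the origin's certificate must chain
    # to the imported CA (or the system store when ca_file is None) and its
    # hostname must match.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    if not verify_server:
        # Authentication off: the link is still encrypted, but the origin's
        # identity is not checked.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        if crl_file:
            # CRLs are loaded through the same call as CA certificates.
            ctx.load_verify_locations(cafile=crl_file)
        if require_crl:
            # Fail closed: with no current CRL loaded, every handshake fails,
            # which is why the CRL must be re-uploaded periodically.
            ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    chosen = sorted(TLS_VERSIONS[v] for v in tls_versions)
    if not chosen:
        raise ValueError("at least one TLS version must be allowed")
    ctx.minimum_version, ctx.maximum_version = chosen[0], chosen[-1]
    if ciphers:
        # Customized level: set_ciphers governs the TLS 1.2 list; the TLS 1.3
        # suites are fixed by OpenSSL and unaffected.
        ctx.set_ciphers(ciphers)
    return ctx


def describe(ctx):
    """Summarise the policy the context will enforce."""
    return {
        "min": ctx.minimum_version.name,
        "max": ctx.maximum_version.name,
        "verify": ctx.verify_mode == ssl.CERT_REQUIRED,
        "crl": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
    }


if __name__ == "__main__":
    # Mozilla-Modern-style selection: TLS 1.3 only, full certificate validation.
    print(describe(origin_tls_context(("TLSv1.3",), require_crl=True)))
```

With `verify_server=False` the HTTPS leg is encrypted but an on-path host with any certificate can terminate it, which is the situation Server Certificate Authentication exists to prevent; the CRL flag is deliberately fail-closed so a stale or missing revocation list shows up as handshake failures rather than as silently accepted revoked certificates.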
