Administration Guide

Configuring virtual servers on your FortiWeb

Before you can create a server policy, you must first configure a virtual server that defines the network interface or bridge and IP address where traffic destined for a server pool arrives. When the FortiWeb appliance receives traffic destined for a virtual server, it can then forward the traffic to a single web server (for Single Server server pools) or distribute sessions/connections among servers in a server pool.

A virtual server on your FortiWeb is not the same as a virtual host on your web server. A virtual server is more similar to a virtual IP on a FortiGate. It is not an actual server, but simply defines the listening network interface. Unlike a FortiGate VIP, it includes a specialized proxy that only picks up HTTP and HTTPS.

By default, in Reverse Proxy mode, FortiWeb does not forward non-HTTP/HTTPS traffic that arrives on a virtual server to your protected web servers. (It forwards only traffic picked up and allowed by the HTTP reverse proxy.) You may be able to provide connectivity by either deploying in a one-arm topology where other protocols bypass FortiWeb, or by enabling FortiWeb to route other protocols. For details, see Topology for Reverse Proxy mode and the config router setting command in the FortiWeb CLI Reference:

https://docs.fortinet.com/document/fortiweb/

The FortiWeb appliance identifies traffic as being destined for a specific virtual server if:

  • the traffic arrives on the network interface or bridge associated with the virtual server
  • for Reverse Proxy mode, the destination address is the IP address of a virtual server (the destination IP address is ignored in other operation modes, except that it must not be identical to the web server’s IP address)

Virtual servers can be on the same subnet as real web servers. This configuration creates a one-arm HTTP proxy. For example, the virtual server 10.0.0.1/24 could forward to the web server 10.0.0.2.

However, this is not usually recommended. Unless your network’s routing configuration prevents it, it would allow clients that are aware of the web server’s IP address to bypass the FortiWeb appliance by accessing the back-end web server directly. The topology may be required in some cases, however, such as IP-based forwarding, mentioned above.
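The address layouts described above can be checked before deployment. The following is an added example, not Fortinet code or output: it flags pool members that share a subnet with the virtual server (the one-arm layout that permits direct access to the back end) and members whose IP is identical to the virtual server's. The inventory format, the names vs-web and vs-api, and all addresses other than 10.0.0.1/24 and 10.0.0.2 are assumptions constructed for illustration.

```python
import ipaddress

# Constructed inventory (not exported from a real appliance): each entry pairs
# a virtual server's listening address with the pool members it forwards to.
INVENTORY = [
    {"vserver": "vs-web", "listen": "10.0.0.1/24",
     "pool": ["10.0.0.2", "10.0.0.1"]},
    {"vserver": "vs-api", "listen": "192.0.2.10/24",
     "pool": ["172.16.5.20", "172.16.5.21"]},
]


def audit(inventory):
    """Return (vserver, member, finding) tuples for risky address layouts.

    same-ip     : pool member address equals the virtual server address,
                  which the guide says must not happen.
    same-subnet : pool member is on the virtual server's subnet (one-arm),
                  so clients who know its address may reach it directly
                  unless routing or filtering prevents it.
    """
    findings = []
    for entry in inventory:
        iface = ipaddress.ip_interface(entry["listen"])
        for member in entry["pool"]:
            addr = ipaddress.ip_address(member)
            if addr == iface.ip:
                findings.append((entry["vserver"], member, "same-ip"))
            elif addr in iface.network:
                findings.append((entry["vserver"], member, "same-subnet"))
    return findings


if __name__ == "__main__":
    for vserver, member, finding in audit(INVENTORY):
        print(f"{vserver}: pool member {member} -> {finding}")
```

A same-subnet finding is not necessarily an error, since the one-arm topology is sometimes required; it marks where routing or filtering must keep clients from reaching the web server directly.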

To configure a virtual server
  1. Go to Server Objects > Server > Virtual Server.

     To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.

  2. Click Create New.
  3. Enter a name for the virtual server.
  4. Click OK.
  5. Click Create New.
  6. Configure these settings:

     Name

     Enter a unique name that can be referenced by other parts of the configuration. The maximum length is 63 characters.

     Use Interface IP

     Select to use the IP address of the specified network interface as the address of the virtual server.

     Interface

     Available only if Use Interface IP is enabled.

     Select the network interface or bridge the virtual server is bound to and where traffic destined for the virtual server arrives.

     To configure an interface or bridge, see To configure a network interface or bridge.

     Virtual IP

     Available only if Use Interface IP is disabled.

     Select the virtual IP which you want to attach to this virtual server.

     Status

     If enabled, FortiWeb will accept traffic destined for this virtual IP or interface.

  7. Click OK.
  8. Repeat steps 5 to 7 if you want to attach more virtual IPs or bind more interfaces to this virtual server. When you create a server policy and then reference this virtual server in it, the web protection profile will be applied to all the virtual IPs and interfaces in this virtual server.
  9. To define the listening port of the virtual server, create a custom service. For details, see Defining your network services.
  10. To use the virtual server, select both it and the custom service in a server policy. For details, see Configuring an HTTP server policy.