
Administration Guide

Defining your web servers


To specify your back-end web servers, you must define a server pool. Pools contain one or more members that you specify using either their IP addresses or DNS domain names. FortiWeb protects these web servers, and they receive the traffic that FortiWeb forwards to them or allows to pass through to them.

You can also define web servers to be FortiWeb’s virtual servers. This chains multiple policies together, which may be useful in more complex traffic routing or rewriting situations.

Configuring server up/down checks

Tests for server availability (called “server health checks” in the web UI) poll web servers that are members of a server pool to determine their responsiveness before forwarding traffic. FortiWeb can check server health using the following methods:

  • TCP
  • ICMP ECHO_REQUEST (ping)
  • TCP Half Open
  • TCP SSL
  • HTTP/2
  • HTTPS
  • HTTP

FortiWeb polls the server at the frequency set in the Interval option. If the appliance does not receive a reply within the timeout period, and you have configured the health check to retry, it attempts a health check again; otherwise, the server is deemed unresponsive. The FortiWeb appliance reacts to unresponsive servers by disabling traffic to that server until it becomes responsive.

If all members of the pool are unresponsive and you have configured one or more members to be backup servers, FortiWeb sends traffic to a backup server.

If a web server will be unavailable for a long period, such as when a server is undergoing hardware repair, it is experiencing extended down time, or when you have removed a server from the server pool, you may improve the performance of your FortiWeb appliance by disabling connectivity to the web server, rather than allowing the server health check to continue to check for responsiveness. For details, see Enabling or disabling traffic forwarding to your servers.

You can create a health check, use one of the predefined health checks, or clone one of the predefined health checks to use as a starting point for a custom health check. You cannot modify the predefined health checks.

To simplify health check creation, FortiWeb provides predefined health checks for each of the available protocols. Each predefined health check contains a single rule that specifies one of the available protocols. For example, instead of creating a health check that uses ICMP, you can apply HLTHCK_ICMP.

The HLTHCK_HTTP and HLTHCK_HTTPS health checks test server responsiveness by sending a request with the HEAD method and listening for response code 200.

Your health check can use more than one protocol to check server responsiveness. You can specify that a server is available if it passes a single test in the list of tests, or only if it passes all the tests.

To view the status currently detected by server health checks, use the Policy Status dashboard. For details, see Policy Status.

To configure a server health check
  1. Before configuring a server health check, if it requires a trigger, configure the trigger. For details, see Viewing log messages.
  2. Go to Server Objects > Server > Health Check.
  3. To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.

  4. Do one of the following:
  • To create a health check, click Create New.
  • To create a health check based on a predefined health check, select a predefined health check, click Clone, and then enter a name for the new health check.
  • Configure these settings:
  • Name

    Type a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.

    Note: The name cannot be changed after this part of the configuration is saved. To rename a part of the configuration, clone it, select it in all parts of the configuration that reference the old name, then delete the item with the old name.

    Relationship
    • And—FortiWeb considers the server to be responsive when it passes all the tests in the list.
    • Or—FortiWeb considers the server to be responsive when it passes at least one of the tests in the list.
    Trigger Policy

    Select the name of a trigger, if any, that will be used to log or notify an administrator if a server becomes unresponsive.
  • Click OK.
  • In the rule list, do one of the following:
    • To add a rule, click Create New.
    • To modify a rule, select it and click Edit.
  • Configure these settings:
  • Type

    Select the protocol that the server health check uses to contact the server.

    • ICMP—Send ICMP type 8 (ECHO_REQUEST or “ping”) and listen for either ICMP type 0 (ECHO_RESPONSE or “pong”) indicating responsiveness, or timeout indicating that the host is not responsive.
    • TCP—Send TCP SYN and listen for either TCP SYN ACK indicating responsiveness, or timeout indicating that the host is not responsive. If the response is SYN ACK, send TCP ACK to complete the three-way handshake.
    • TCP Half Open—Send TCP SYN and listen for either TCP SYN ACK indicating responsiveness, or timeout indicating that the host is not responsive. If the response is SYN ACK, send TCP RST to terminate the connection. This type of health check requires fewer resources from the pool member than TCP.
    • TCP SSL—Send an HTTPS request. FortiWeb considers the host to be responsive if the SSL handshake is successful, and closes the connection once the handshake is complete. This type of health check requires fewer resources than HTTP/HTTPS.
    • HTTP—Send an HTTP or HTTPS request, depending on the real server type, and listen for a response that matches the values required by the specified Matched Content or a timeout that indicates that the host is not responsive.

      The protocol to use depends on whether you enable SSL for that server in the server pool. Contact occurs on the protocol and port number specified for that web server in the server pool.

    URL Path

    Type the URL that the HTTP or HTTPS request uses to verify the responsiveness of the server (for example, /index.html). Parameters can be added after the URL, for example /collector.aspx:?Target=Site1.

    If the web server successfully returns this URL, and its content matches your expression in Matched Content, it is considered to be responsive.

    Available only if Type is HTTP or HTTPS. The maximum length is 127 characters.

    Timeout

    Type the maximum number of seconds that FortiWeb waits for a reply to the server health check. If the web server does not reply within this limit, the health check fails.

    Valid values are 1 to 30. Default value is 3.

    Retry Times

    Type the number of times, if any, that FortiWeb retries a server health check after failure. If the web server fails the server health check this number of times consecutively, it is considered to be unresponsive.

    Valid values are 1 to 10. Default value is 3.

    Interval

    Type the number of seconds between each server health check.

    Valid values are 1 to 300. Default value is 10.

    Method

    Specify whether the health check uses the HEAD, GET, or POST method.

    Available only if Type is HTTP or HTTPS.

    Match Type
    • Matched Content—If the web server successfully returns the URL specified by URL Path and its content matches the Matched Content value, FortiWeb considers the server to be responsive.
    • Response Code—If the web server successfully returns the URL specified by URL Path and the code specified by Response Code, FortiWeb considers the server to be responsive.
    • All—If the web server successfully returns the URL specified by URL Path, its content matches the Matched Content value, and it returns the code specified by Response Code, FortiWeb considers the server to be responsive.

    Available only if Type is HTTP or HTTPS.

    Matched Content

    Enter one of the following values:

    • The exact reply that indicates that the server is available.
    • A regular expression that matches the required reply.

    This value prevents the test from falsely indicating that the server is available when it has actually replied with an error page, such as the one produced by Tomcat when a JSP application is not available.

    To create and test a regular expression, click the >> (test) icon. This opens a Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.

    Available only if Type is HTTP or HTTPS and Match Type is All or Matched Content.

    Response Code

    Enter the response code that you require the server to return to confirm that it is available.

    Available only if Type is HTTP or HTTPS and Match Type is All or Matched Content.

  • Click OK to save the settings and close the rule.
  • Add any additional tests you want to include in the health check by adding additional rules.
  • Click OK to save and close the health check.
  • To use the server health check, select it in a server pool or server pool member configuration. For details, see Creating an HTTP server pool.
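The rule types, Match Type values, And/Or relationship and Retry Times described above, modelled as an added Python example (not FortiWeb code). Probe outcomes are constructed inputs rather than real network probes, and the class and field names are assumptions chosen to mirror the web UI labels.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example (not FortiWeb code): models how a health check built from the
# rule types and Match Type values above decides that a pool member is
# responsive. Probe outcomes are constructed inputs, not real network probes.


@dataclass
class ProbeResult:
    reachable: bool                # a reply arrived before Timeout expired
    status: Optional[int] = None   # HTTP response code (HTTP/HTTPS rules only)
    body: str = ""                 # HTTP response body (HTTP/HTTPS rules only)


@dataclass
class Rule:
    type: str                          # "ICMP", "TCP", "TCP Half Open", "TCP SSL", "HTTP"
    match_type: str = "Response Code"  # "Matched Content", "Response Code" or "All"
    matched_content: str = ""          # exact reply or regular expression
    response_code: int = 200

    def passes(self, r: ProbeResult) -> bool:
        if not r.reachable:
            return False           # timeout: host is not responsive
        if self.type != "HTTP":
            return True            # ICMP echo, SYN/ACK or TLS handshake succeeded
        code_ok = r.status == self.response_code
        # Matching the body guards against a 200 reply that is really an error page
        content_ok = bool(self.matched_content) and \
            re.search(self.matched_content, r.body) is not None
        if self.match_type == "Response Code":
            return code_ok
        if self.match_type == "Matched Content":
            return content_ok
        return code_ok and content_ok  # "All"


@dataclass
class HealthCheck:
    rules: List[Rule]
    relationship: str = "And"   # "And": every rule must pass; "Or": any one rule
    retry_times: int = 3        # consecutive failures before the member is down

    def probe_passes(self, results: List[ProbeResult]) -> bool:
        outcomes = [rule.passes(r) for rule, r in zip(self.rules, results)]
        if self.relationship == "And":
            return all(outcomes)
        return any(outcomes)


@dataclass
class MemberMonitor:
    check: HealthCheck
    consecutive_failures: int = 0
    responsive: bool = True

    def observe(self, results: List[ProbeResult]) -> bool:
        """Feed the probe results of one Interval; returns the member's new state."""
        if self.check.probe_passes(results):
            self.consecutive_failures = 0
            self.responsive = True       # traffic to this member is enabled again
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.check.retry_times:
                self.responsive = False  # traffic to this member is disabled
        return self.responsive
```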

    Configuring session persistence

    After FortiWeb has forwarded the first packet from a client to a pool member, some protocols require that subsequent packets also be forwarded to the same back-end server until a period of time passes or the client indicates that it has finished transmission.

    A session persistence configuration specifies a persistence method and timeout. You apply the configuration to Server Balance server pools to apply the persistence setting to all members of the pool.

    To create a persistence configuration
    1. Go to Server Objects > Server > Persistence and click Create New.
    2. Configure these settings:

      Name

      Type a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.

      Type

      Specifies how FortiWeb determines the pool member to forward subsequent requests from a client to after its initial request. For the initial request, FortiWeb selects a pool member using the load balancing method specified in the server pool configuration.

      • Source IP—Forwards subsequent requests with the same client IP address and subnet as the initial request to the same pool member. To define how FortiWeb derives the appropriate subnet from the IP address, configure IPv4 Netmask and IPv6 Mask Length.
      • HTTP Header—Forwards subsequent requests with the same value for an HTTP header as the initial request to the same pool member. Also configure Header Name.
      • URL parameter—Forwards subsequent requests with the same value for a URL parameter as the initial request to the same pool member. Also configure Parameter Name.
      • Insert Cookie—FortiWeb adds a cookie with the name specified by Cookie Name to the initial request and forwards all subsequent requests with this cookie to the same pool member. FortiWeb uses this cookie for persistence only and does not forward it to the pool member. Also configure Cookie Path and Cookie Domain.
      • Rewrite Cookie—If the HTTP response has a Set-Cookie: value that matches the value specified by Cookie Name, FortiWeb replaces the value specified by the keyword with a randomly generated cookie value. FortiWeb forwards all subsequent requests with this generated cookie value to the same pool member.
      • Persistent Cookie—If an initial request contains a cookie with a name that matches the Cookie Name value, FortiWeb forwards subsequent requests that contain the same cookie value to the same pool member as the initial request.
      • Embedded Cookie—If the HTTP response contains a cookie with a name that matches the Cookie Name value, FortiWeb preserves the original cookie value and adds a randomly generated cookie value and a ~ (tilde) as a prefix. FortiWeb forwards all subsequent requests with this cookie and prefix to the same pool member.
      • ASP Session ID—If a cookie in the initial request contains an ASP .NET session ID value, FortiWeb forwards subsequent requests with the same session ID value to the same pool member as the initial request. FortiWeb preserves the original cookie name.
      • PHP Session ID—If a cookie in the initial request contains a PHP session ID value, FortiWeb forwards subsequent requests with the same session ID value to the same pool member as the initial request. FortiWeb preserves the original cookie name.
      • JSP Session ID—FortiWeb forwards subsequent requests with the same JSP session ID as the initial request to the same pool member. FortiWeb preserves the original cookie name.
      • SSL Session ID—If a cookie in the initial request contains an SSL session ID value, FortiWeb forwards subsequent requests with the same session ID value to the same pool member as the initial request. FortiWeb preserves the original cookie name.
      IPv4 Netmask

      Specifies the IPv4 subnet used for session persistence.

      For example, if IPv4 Netmask is 255.255.255.255, FortiWeb can forward requests from IP addresses 192.168.1.1 and 192.168.1.2 to different server pool members.

      If IPv4 Netmask is 255.255.255.0, FortiWeb forwards requests from IP addresses 192.168.1.1 and 192.168.1.2 to the same pool member.

      Available only when Type is Source IP.

      IPv6 Mask Length

      Specifies the IPv6 network prefix used for session persistence.

      Available only when Type is Source IP.

      Header Name

      Specifies the name of the HTTP header that the persistence feature uses to route requests.

      Available only when Type is HTTP Header.

      Parameter Name

      Specifies the name of the URL parameter that the persistence feature uses to route requests.

      Available only when Type is URL Parameter.

      Cookie Name

      Specifies a value to match or the name of the cookie that FortiWeb inserts.

      Available only when Type uses a cookie.

      Cookie Path

      Specifies a path attribute for the cookie that FortiWeb inserts, if Type is Insert Cookie.

      Cookie Domain

      Specifies a domain attribute for the cookie that FortiWeb inserts, if Type is Insert Cookie.

      Secure Cookie

      Enable to add a secure flag to inserted cookies, which forces browsers to return the cookie only when they use HTTPS protocol.

      Available only when Type is Insert Cookie.

      Timeout

      Specifies the maximum amount of time between requests that FortiWeb maintains persistence, in seconds.

      FortiWeb stops forwarding requests according to the established persistence after this amount of time has elapsed since it last received a request from the client with the associated property (for example, an IP address or cookie). Instead, it again selects a pool member using the load balancing method specified in the server pool configuration.

    3. Click OK.

    For details about applying the configuration to a pool, see Creating an HTTP server pool.
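Source IP persistence with the IPv4 Netmask / IPv6 Mask Length and Timeout fields, and Embedded Cookie persistence with its random value and ~ prefix, as an added Python example that is not FortiWeb code. The class names, the 16-hex-character routing value and the Set-Cookie rewriting helper are assumptions, and the sample addresses and cookies are constructed.

```python
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Added example (not FortiWeb code): two of the persistence Types described
# above. Timestamps are plain integers (seconds) passed in by the caller so the
# Timeout behaviour can be exercised offline.


@dataclass
class SourceIpPersistence:
    ipv4_netmask: str = "255.255.255.255"   # IPv4 Netmask field
    ipv6_mask_length: int = 128             # IPv6 Mask Length field
    timeout: int = 300                      # Timeout field, seconds between requests
    table: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # subnet -> (member, last_seen)

    def subnet_key(self, client_ip: str) -> str:
        """Derive the subnet FortiWeb keys persistence on from the client address."""
        ip = ipaddress.ip_address(client_ip)
        prefix = self.ipv4_netmask if ip.version == 4 else self.ipv6_mask_length
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    def select(self, client_ip: str, now: int, choose_by_lb: Callable[[], str]) -> str:
        """Return the member for this request. choose_by_lb() (the pool's load
        balancing method) is consulted only when no unexpired entry exists."""
        key = self.subnet_key(client_ip)
        entry = self.table.get(key)
        if entry is not None and now - entry[1] <= self.timeout:
            member = entry[0]
        else:
            member = choose_by_lb()
        self.table[key] = (member, now)    # refresh last-seen time
        return member


@dataclass
class EmbeddedCookiePersistence:
    cookie_name: str                        # Cookie Name field
    timeout: int = 300
    table: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # routing value -> (member, last_seen)

    def rewrite_set_cookie(self, set_cookie: str, member: str, now: int) -> str:
        """Rewrite a 'name=value; attrs' Set-Cookie value from the server so the
        cookie value becomes '<random>~<original>'. Other cookies pass through."""
        name, sep, rest = set_cookie.partition("=")
        if not sep or name.strip() != self.cookie_name:
            return set_cookie
        value, semi, attrs = rest.partition(";")
        tag = secrets.token_hex(8)          # assumed length of the random routing value
        self.table[tag] = (member, now)
        return f"{name}={tag}~{value}{semi}{attrs}"

    def member_for_request(self, cookie_header: str, now: int) -> Optional[str]:
        """Look up the pool member from a Cookie: header. Returns None when no valid,
        unexpired routing prefix is present, so the caller falls back to load balancing."""
        for part in cookie_header.split(";"):
            name, sep, value = part.strip().partition("=")
            if sep and name == self.cookie_name and "~" in value:
                tag = value.partition("~")[0]
                entry = self.table.get(tag)
                if entry is not None and now - entry[1] <= self.timeout:
                    self.table[tag] = (entry[0], now)
                    return entry[0]
        return None
```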

    https://docs.fortinet.com/product/fortiweb/

    Configuring server-side SNI support

    FortiWeb supports server-side SNI (Server Name Indication). You use this feature when you have the following configuration requirements:

    • The operating mode is Reverse Proxy or True Transparent Proxy.
    • You offload SSL/TLS processing to FortiWeb and use SSL/TLS for connections between FortiWeb and the pool member (end-to-end encryption).
    • One or more server pool members require SNI support.

    In True Transparent Proxy mode, use the following CLI command to enable server-side SNI for the appropriate pool member:

    config server-policy server-pool
      edit <server-pool_name>
        config pserver-list
          edit <entry_index>
            set server-side-sni {enable | disable}

    In Reverse Proxy mode, use the following CLI command to enable server-side SNI in the appropriate server policy:

    config server-policy policy
      edit <policy_name>
        set server-side-sni {enable | disable}

    You cannot use the web UI to enable this option. For details, see the FortiWeb CLI Reference.

    Creating an HTTP server pool

    Server pools define a group of one or more physical or domain servers (web servers) that FortiWeb distributes connections among, or where the connections pass through to, depending on the operating mode. Reverse Proxy mode actively distributes connections; Offline Protection mode, both transparent modes, and WCCP mode do not.

    • Reverse Proxy mode—When the FortiWeb appliance receives traffic destined for a virtual server, it forwards the traffic to a server pool. If the pool has more than one member, the physical or domain server that receives the connection depends on your configuration of load-balancing algorithm, weight, and server health checking.

      For pools with multiple members, to prevent traffic from being forwarded to unavailable web servers, you can use a health check to verify the availability of members. The availability of other members and the Deployment Mode option in the policy determine whether the FortiWeb appliance redistributes or drops the connection when a physical or domain server in a server pool is unavailable.

    • Offline Protection, True Transparent Proxy, Transparent Inspection, and WCCP mode—The FortiWeb appliance allows traffic to pass through to the server pool when it receives traffic that is:
      • passing through a bridge
      • directed to the FortiWeb (configured as a WCCP client) by a FortiGate acting as a WCCP server

    A server can belong to more than one server pool.

    To configure an HTTP server pool
    1. Before you configure an HTTP server pool, do the following:
    • If clients connect via HTTPS and FortiWeb is operating in a mode that performs SSL inspection instead of SSL offloading, upload the website’s server certificate. For details, see How to offload or inspect HTTPS.
    • If you want to use the pool for load balancing and want to monitor its members for responsiveness, configure one or more server health checks to use with it. For details, see Configuring server up/down checks.
    • If client connections require persistent sessions, create a persistence configuration. For details, see Configuring session persistence.
  • Go to Server Objects > Server > Server Pool.
  • To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.

  • Click Create New.
  • Select Create HTTP Server Pool.
  • Configure these settings:
  • Name

    Type a name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
    Type

    The current type follows the operation mode set in system settings.

    For full information on the operating modes, see How to choose the operation mode.

    Single Server/Server Balance
    • Single Server—Specifies a pool that contains a single member.
    • Server Balance—Specifies a pool that contains multiple members. FortiWeb uses the specified load-balancing algorithm to distribute TCP connections among the members. If a member is unresponsive to the specified server health check, FortiWeb forwards subsequent connections to another member of the pool.

    Available only when Type is Reverse Proxy.

    Server Health Check

    Specifies a test for server availability. By default, this health check is used for all pool members, but you can use the pool member configuration to assign a different health check to a member.

    For details, see Configuring server up/down checks.

    Available only when Type is Reverse Proxy and Single Server/Server Balance is Server Balance.

    Health Check Source IP

    If enabled, FortiWeb sends health checks to the back-end server using the specified IPv4 source address.

    Available only in True Transparent Proxy mode.

    Health Check Source IPv6

    If enabled, FortiWeb sends health checks to the back-end server using the specified IPv6 source address.

    Available only in True Transparent Proxy mode.

    Load Balancing Algorithm
    • Round Robin—Distributes new TCP connections to the next pool member, regardless of weight, response time, traffic load, or number of existing connections. FortiWeb avoids unresponsive servers.
    • Weighted Round Robin—Distributes new TCP connections using the round-robin method, except that members with a higher weight value receive a larger percentage of connections.
    • Least Connection—Distributes new TCP connections to the member with the fewest number of existing, fully-formed TCP connections. If there are multiple servers with the same least number of connections, FortiWeb will take turns and avoid always selecting the same member to distribute new connections.
    • URI Hash—Distributes new TCP connections using a hash algorithm based on the URI found in the HTTP header, excluding hostname.
    • Full URI Hash—Distributes new TCP connections using a hash algorithm based on the full URI string found in the HTTP header. The full URI string includes the hostname and path.
    • Host Hash—Distributes new TCP connections using a hash algorithm based on the hostname in the HTTP Request header Host field.
    • Host Domain Hash—Distributes new TCP connections using a hash algorithm based on the domain name in the HTTP Request header Host field.
    • Source IP Hash—Distributes new TCP connections using a hash algorithm based on the source IP address of the request.
    • Least Response Time—Distributes incoming traffic to the back-end servers by multiplying each server's average response time by its number of concurrent connections. The server with the lowest value receives the traffic, so clients connect to the most efficient back-end server.
    • Probabilistic Weighted Least Response Time—With Least Response Time, in extreme cases one server may consistently have a lower response time than the others, which causes most of the traffic to be distributed to that single server. Probabilistic Weighted Least Response Time addresses this by distributing traffic based on least response time combined with probabilities: the server with the least response time is the most likely to receive traffic, while the remaining servers still have a chance to process some of it.

    When the status of a physical server in a server pool is disabled, a health check indicates it is down, or it is removed from the server pool, FortiWeb will transfer any remaining HTTP transactions in the TCP stream to an active physical server in the server pool according to the Load Balancing Algorithm.

    For hash-based methods, if you specify a persistence method for the server pool, after an initial client request, FortiWeb routes any subsequent requests according to the persistence method. Otherwise, it routes subsequent requests according to the hash-based algorithm.

    Available only when Type is Reverse Proxy and Single Server/Server Balance is Server Balance.

    Persistence

    Select a configuration that specifies a session persistence method and timeout to apply to the pool members.

    For details, see Configuring session persistence.

    Available only when Type is Reverse Proxy and Single Server/Server Balance is Server Balance.

    Comments

    Type a description of the server pool. The maximum length is 199 characters.

    Note: You can also enable the HTTP connection reuse function, which determines how FortiWeb reuses an existing connection instead of creating a new one. See the FortiWeb 6.1.1 CLI Reference for details.

  • Click OK.
  • Click Create New.
  • Configure these settings:
  • ID

    The index number of the member entry within the server pool.

    FortiWeb automatically assigns the next available index number.

    For round robin-style load-balancing, the index number indicates the order in which FortiWeb distributes connections.

    The valid range is from 0 to 9223372036854775807 (the maximum possible value for a long integer).

    You can use the server-policy server-pool CLI command to change the index number value. For details, see the FortiWeb CLI Reference:

    https://docs.fortinet.com/product/fortiweb/

    Status
    • Enable—Specifies that this pool member can receive new sessions from FortiWeb.
    • Disable—Specifies that this pool member does not receive new sessions from FortiWeb and FortiWeb closes any current sessions as soon as possible.
    • Maintenance—Specifies that this pool member does not receive new sessions from FortiWeb but FortiWeb maintains any current connections.
    Server Type

    Select how you want to define the pool member.

    If your application servers are deployed on AWS or Azure, you can select Cloud Connector to authorize FortiWeb to access the VM instances in your public cloud account, in order to automatically obtain the IP addresses.

    IP

    or

    Domain

    Specify the IP address or fully-qualified domain name of the web server to include in the pool.

    For domain servers, FortiWeb queries a DNS server to resolve each web server’s domain name to an IP address. For improved performance, do one of the following:

    • Use physical servers instead
    • Ensure highly reliable, low-latency service to a DNS server on your local network

    Tip: The IP or domain server is usually not the same as a protected host names group.

    Warning: Server policies do not apply features that do not yet support IPv6 to servers specified using IPv6 addresses or domain servers whose DNS names resolve to IPv6 addresses.

    The Server Type value determines the name of this option.

    Note: FortiWeb continuously verifies the IP address paired with the domain name and if the IP address changes, FortiWeb automatically updates the origin server IP in its configuration. The frequency that FortiWeb updates the IP depends on the TTL of the DNS record, which is usually 60 seconds in AWS ALB/ELB.

    SDN address type

    Select whether you want FortiWeb to get the public or private addresses of your application's VM instances, or select All to get both the public and the private addresses.

    Note: If you are using private IP addresses, ensure that FortiWeb can successfully establish connections with your application's VM instances in order to forward the traffic.

    Available only if the Server Type is Cloud Connectors.

    SDN Connector

    Select the SDN connector you have created. See AWS Connector and Azure Connector.

    Available only if the Server Type is Cloud Connectors.

    Filter

    Once you select the SDN connector that you have created, the available filter options for the VMs in your public cloud account are listed here. You can select multiple filter options, such as instance IDs, image IDs, and tags. FortiWeb finds the matching VM instance (for example, the instance whose instance ID is i-12345678 in your AWS account), obtains the IP address of that instance, and records it as the origin server's IP.

    AWS

    • instance-id (e.g. instance-id=i-12345678)
    • image-id (e.g. image-id=ami-123456)
    • key-name (e.g. key-name=aws-key-name)
    • subnet-id (e.g. subnet-id=sub-123456)
    • tag:TagName (The tag attached to the instance. TagName is a variable. It can be any value you have named for the tag. e.g. tag:Type=appserver. Up to 8 tags are supported.)

    Azure

    • vm-name (e.g. vm-name=myVM01)
    • tag:TagName (The tag attached to the virtual machine. TagName is a variable. It can be any value you have named for the tag, e.g. tag:Type=appserver. Up to 8 tags are supported.)

    Available only if the Server Type is Cloud Connectors.

    Port

    Type the TCP port number where the pool member listens for connections. The valid range is from 1 to 65,535.

    Connection Limit

    Specifies the maximum number of TCP connections that FortiWeb forwards to this pool member.

    The default is 0 (disabled).

    The valid range is from 0 to 1,048,576.

    Available only if the Type is Reverse Proxy.

    Weight

    If the pool member is part of a pool that uses the weighted round-robin load-balancing algorithm, type the weight of the member when FortiWeb distributes TCP connections.

    Members with a greater weight receive a greater proportion of connections.

    Weighting members can be useful when, for example, some servers in the pool are more powerful or if a member is already receiving fewer or more connections due to its role in multiple websites.

    Available only if the Type is Reverse Proxy and Single Server/Server Balance is Server Balance.

    Inherit Health Check

    Clear to use the health check specified by Server Health Check in this server pool rule instead of the one specified in the server pool configuration.

    Available only if the Type is Reverse Proxy and Single Server/Server Balance is Server Balance.

    Server Health Check

    Specifies an availability test for this pool member.

    For details, see Configuring server up/down checks.

    Available only if the Type is Reverse Proxy and Single Server/Server Balance is Server Balance.

    Health Check Domain Name

    Enter an HTTP host header name to test the availability of a specific host.

    This is useful if the pool member hosts multiple websites (virtual hosting environment).

    Available only if Type is HTTP.

    Backup Server

    When this option is selected and all the members of the server pool fail their server health check, FortiWeb routes any connections for the pool to this server.

    The backup server mechanism does not work if you do not specify server health checks for the pool members.

    If you select this option for more than one pool member, FortiWeb uses the load balancing algorithm to determine which member to use.

    Available only if the Type is Reverse Proxy and Single Server/Server Balance is Server Balance.
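The load-balancing algorithms listed under Load Balancing Algorithm, together with the member Status values and the Backup Server fallback described above, as an added Python example that is not FortiWeb code. The Member and ServerPool names, the use of SHA-256 for the hash-based methods and the rotation used to break Least Connection ties are assumptions; FortiWeb's actual hash function is not documented on this page.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Added example (not FortiWeb code): a model of member selection in a Server
# Balance pool. Members are constructed in the tests; no connections are made.


@dataclass
class Member:
    id: int                    # pool member ID; drives round-robin order
    address: str
    weight: int = 1            # Weight field (Weighted Round Robin only)
    status: str = "Enable"     # "Enable", "Disable" or "Maintenance"
    healthy: bool = True       # current server health check result
    backup: bool = False       # Backup Server option
    connections: int = 0       # existing, fully formed TCP connections

    @property
    def eligible(self) -> bool:
        # Disable and Maintenance both stop new sessions; they differ only in
        # how existing connections are treated, which this model does not track.
        return self.status == "Enable" and self.healthy


HASH_ALGORITHMS = ("Source IP Hash", "Host Hash", "URI Hash", "Full URI Hash")


class ServerPool:
    def __init__(self, members: List[Member], algorithm: str = "Round Robin"):
        self.members = sorted(members, key=lambda m: m.id)
        self.algorithm = algorithm
        self._rr_pos = 0   # round-robin cursor
        self._lc_pos = 0   # cursor used to take turns among Least Connection ties

    def candidates(self) -> List[Member]:
        """Primary members that pass their health check; if none remain, the
        backup servers take over (Backup Server option)."""
        primary = [m for m in self.members if m.eligible and not m.backup]
        if primary:
            return primary
        return [m for m in self.members if m.eligible and m.backup]

    def select(self, client_ip: str = "", host: str = "", uri: str = "") -> Optional[Member]:
        pool = self.candidates()
        if not pool:
            return None   # nothing available; Deployment Mode decides what happens
        alg = self.algorithm
        if alg == "Round Robin":
            m = pool[self._rr_pos % len(pool)]
            self._rr_pos += 1
        elif alg == "Weighted Round Robin":
            # Repeat each member according to its weight, then rotate through the list
            expanded = [m for m in pool for _ in range(max(m.weight, 1))]
            m = expanded[self._rr_pos % len(expanded)]
            self._rr_pos += 1
        elif alg == "Least Connection":
            least = min(m.connections for m in pool)
            tied = [m for m in pool if m.connections == least]
            m = tied[self._lc_pos % len(tied)]   # avoid always picking the same tied member
            self._lc_pos += 1
        elif alg in HASH_ALGORITHMS:
            key = {"Source IP Hash": client_ip, "Host Hash": host,
                   "URI Hash": uri, "Full URI Hash": host + uri}[alg]
            digest = hashlib.sha256(key.encode()).digest()   # assumed hash function
            m = pool[int.from_bytes(digest[:4], "big") % len(pool)]
        else:
            raise ValueError(f"unsupported algorithm: {alg}")
        m.connections += 1
        return m
```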

    Proxy Protocol

    If proxy protocol is enabled on the back-end server, you must also enable the Proxy Protocol option on FortiWeb so that TCP SSL and HTTP traffic can pass through successfully. The client's real IP address is included in the proxy protocol header.

    Available only if the Type is Reverse Proxy, True Transparent Proxy, Offline Protection, or Transparent Inspection.

    Proxy Protocol Version

    Select the proxy protocol version for the back-end server.

    Available only if the Type is Reverse Proxy or True Transparent Proxy.

    HTTP/2

    Enable to allow HTTP/2 communication between the FortiWeb and this back-end web server.

    When FortiWeb's security services are applied to the HTTP/2 traffic between clients and this web server in Reverse Proxy mode:

    • Enabling this option makes sure the traffic is transferred in HTTP/2 between FortiWeb and this web server, if this web server supports HTTP/2.

      Note: Make sure that this back-end web server really supports HTTP/2 before you enable this option, or connections will fail.

    • Disabling this option makes FortiWeb convert HTTP/2 to HTTP/1.x for this web server, or convert HTTP/1.x to HTTP/2 for the clients, if this web server does not support HTTP/2.

    In True Transparent Proxy mode, this option must be enabled and SSL must be correctly configured to enable FortiWeb's HTTP/2 inspection. When HTTP/2 inspection is enabled in True Transparent Proxy mode, FortiWeb performs no protocol conversion between HTTP/1.x and HTTP/2, which means HTTP/2 connections will not be established between clients and back-end web servers if the web servers do not support HTTP/2. For details, see HTTP/2 support.

    Note: Please confirm the operation mode and HTTP versions your back-end web servers are running so that HTTP/2 inspection can work correctly with your web servers. If the Deployment Mode in the server policy configuration is HTTP Content Routing and HTTP/2 is enabled, keep HTTP/2 disabled in the server pool configuration.

    This option is available only when the Type is Reverse Proxy.

    SSL

    For Reverse Proxy, Offline Protection, and Transparent Inspection modes, specifies whether connections between FortiWeb and the pool member use SSL/TLS.

    For True Transparent Proxy and WCCP modes, specifies whether SSL/TLS processing is offloaded to FortiWeb and SSL/TLS is used for connections between FortiWeb and the pool member:

    For True Transparent Proxy mode, if the pool member requires SNI support, see Configuring server-side SNI support.

    For Offline Protection and Transparent Inspection mode, also configure Certificate File. FortiWeb uses the certificate to decrypt and scan connections before passing the encrypted traffic through to the pool members (SSL inspection).

    Note: Ephemeral (temporary key) Diffie-Hellman exchanges are not supported if the FortiWeb appliance is operating in Transparent Inspection or Offline Protection mode.

    For True Transparent Proxy and WCCP mode, also configure Certificate File, Client Certificate, and the settings described in Defining your web servers. FortiWeb handles SSL negotiations and encryption and decryption instead of the pool member (SSL offloading).

    For Reverse Proxy mode:

    Note: When this option is enabled, the pool member must be configured to apply SSL.

    Note: This option and its related settings must be correctly configured to enable FortiWeb's HTTP/2 support in True Transparent Proxy mode.

    Enable Multi-certificate

    Enable this option to allow FortiWeb to use multiple local certificates.

    Available when:

    Multi-certificate

    Select the local server certificate created in Server Objects > Certificates > Local > Multi-certificate that FortiWeb uses to encrypt or decrypt SSL-secured connections for the website specified by Defining your web servers. For details, see Defining your web servers.
    Certificate File

    Select the server certificate that FortiWeb uses to decrypt SSL-secured connections.

    For True Transparent Proxy and WCCP modes, also complete the settings described in Defining your web servers.

    Available when:

    Certificate Intermediate Group

    Select the name of a group of intermediate certificate authority (CA) certificates, if any, that FortiWeb presents to clients. An intermediate CA can complete the signing chain and validate the server certificate’s CA signature.

    Configure this option when clients receive certificate warnings that an intermediary CA has signed the server certificate specified by Certificate File, not a root CA or other CA currently trusted by the client directly.

    Alternatively, you can include the entire signing chain in the server certificate itself before you upload it to FortiWeb. For details, see How to offload or inspect HTTPS.

    Available only if the Type is True Transparent Proxy or WCCP and SSL is enabled.

    Client Certificate

    If connections to this pool member require a valid client certificate, select the client certificate that FortiWeb uses.

    Available when:

    • SSL is enabled, and
    • FortiWeb is operating in Reverse Proxy, True Transparent Proxy, or WCCP mode.

    Upload a client certificate for FortiWeb using the steps you use to upload a server certificate. For details, see How to offload or inspect HTTPS.

    Client Certificate Proxy

    Enable to configure seamless PKI integration. When this option is enabled, FortiWeb attempts to verify client certificates when users make requests and re-signs new certificates that it sends to the server.

    Also configure Client Certificate Proxy Sign CA.

    For details, see Seamless PKI integration.

    Enable Server Name Indication (SNI) Forwarding

    Enable so that FortiWeb forwards the client's server name in the SSL handshake to the server so that the server handles SNI instead of FortiWeb.

    Client Certificate Proxy Sign CA

    Select the Sign CA that FortiWeb uses to verify and re-sign new client certificates.

    For details, see Seamless PKI integration.

    Add HSTS Header

    Enable to combat MITM attacks on HTTP by injecting the RFC 6797 (http://tools.ietf.org/html/rfc6797) strict transport security header into the reply, such as:

    Strict-Transport-Security: max-age=31536000;includeSubDomains;preload

    This header forces clients to use HTTPS for subsequent visits to this domain. If the certificate is invalid, the client’s web browser receives a fatal connection error and does not display a dialog that allows the user to override the certificate mismatch error and continue.

    Available only when the Type is True Transparent Proxy or WCCP and SSL is enabled.
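    An injected HSTS header only protects clients if they can parse it, so it is worth auditing what a test client actually receives from the FortiWeb-facing side. The following Python audit code is added here as an example and is not part of the FortiWeb guide or product. It parses a Strict-Transport-Security value according to RFC 6797 (directive names are case-insensitive, no directive may repeat, max-age is mandatory) and reports the weaknesses a practitioner would want flagged. The sample response headers, the function names, and the one-year threshold are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One year in seconds: the max-age in the guide's example header and the
# minimum the browser preload list accepts.
ONE_YEAR = 31536000

# Constructed response headers, as a test client behind the WAF might capture them.
SAMPLE_RESPONSE_HEADERS: List[Tuple[str, str]] = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000;includeSubDomains;preload"),
]


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security field value per RFC 6797 section 6.1.

    Directive names are case-insensitive, each may appear at most once and
    max-age is mandatory. Any violation raises ValueError so an audit fails
    closed instead of reporting a header that a browser would silently ignore.
    """
    seen: Dict[str, Optional[str]] = {}
    for raw in value.split(";"):
        item = raw.strip()
        if not item:
            continue  # the grammar allows empty directives, e.g. a trailing ';'
        name, sep, val = item.partition("=")
        name = name.strip().lower()
        if name in seen:
            raise ValueError(f"duplicate directive {name!r}")
        seen[name] = val.strip().strip('"') if sep else None
    max_age = seen.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        raise ValueError("max-age directive missing or not a non-negative integer")
    return HstsPolicy(int(max_age), "includesubdomains" in seen, "preload" in seen)


def hsts_findings(headers: List[Tuple[str, str]]) -> List[str]:
    """Audit a response's (name, value) headers; an empty list means no finding."""
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return ["no Strict-Transport-Security header: HTTPS is not enforced on return visits"]
    if len(values) > 1:
        # RFC 6797 section 8.1: a user agent processes only the first STS header.
        return ["multiple Strict-Transport-Security headers: user agents process only the first"]
    try:
        policy = parse_hsts(values[0])
    except ValueError as exc:
        return [f"unparseable HSTS header ({exc}): user agents ignore it"]
    findings: List[str] = []
    if policy.max_age == 0:
        findings.append("max-age=0 tells clients to forget the policy for this host")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age} is below one year (required for preload)")
    if policy.preload and not policy.include_subdomains:
        findings.append("preload requires includeSubDomains")
    return findings
```

    Run `hsts_findings` over headers captured through FortiWeb rather than from the origin directly; the point of the check is to confirm the header the WAF injects, not the one the back-end may or may not send.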

    Add HPKP Header

    Select an HPKP profile, if any, to use to verify certificates when clients attempt to access a server.

    HPKP prevents attackers from carrying out Man in the Middle (MITM) attacks with forged certificates. For details, see HTTP Public Key Pinning.

    Available only if SSL is enabled.

    Certificate Verification

    Select the name of a certificate verifier, if any, that FortiWeb uses to validate an HTTP client’s personal certificate.

    However, if you select Enable Server Name Indication (SNI) and the domain in the client request matches an entry in the specified SNI policy, FortiWeb uses the SNI configuration to determine which certificate verifier to use.

    If you do not select a verifier, clients are not required to present a personal certificate. For details, see How to apply PKI client authentication (personal certificates).

    Personal certificates, sometimes also called user certificates, establish the identity of the person connecting to the website (PKI authentication).

    You can require that clients present a certificate instead of, or in addition to, HTTP authentication. For details, see Offloading HTTP authentication & authorization.

    Note: The client must support TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3.

    Available only when the Type is Reverse Proxy.

    Enable URL Based Client Certificate

    Specifies whether FortiWeb uses a URL-based client certificate group to determine whether a client is required to present a personal certificate.

    Note: This function is not supported for HTTP/2 communication between the Client and this back-end web server.

    URL Based Client Certificate Group

    Specifies the URL-based client certificate group that determines whether a client is required to present a personal certificate.

    If the URL the client requests does not match an entry in the group, the client is not required to present a personal certificate.

    For details about creating a group, see Use URLs to determine whether a client is required to present a certificate.

    Max HTTP Request Length

    Specifies the maximum allowed length for an HTTP request with a URL that matches an entry in the URL-based client certificate group.

    FortiWeb blocks any matching requests that exceed the specified size.

    This setting prevents a request from exceeding the maximum buffer size.

    Client Certificate Forwarding

    Enable to configure FortiWeb to include the X.509 personal certificate presented by the client during the SSL/TLS handshake, if any, in an X-Client-Cert: HTTP header when it forwards the traffic to the protected web server.

    FortiWeb still validates the client certificate itself, but this forwarding action can be useful if the web server requires the client certificate for the purpose of server-side identity-based functionality.

    Custom Header of CCF Subject

    Enter the name of a custom header in which FortiWeb includes the subject of the X.509 personal certificate presented by the client during the SSL/TLS handshake when it forwards the traffic to the protected web server.

    Available only when Client Certificate Forwarding is enabled.

    Custom Header of CCF Certificate

    Enter the name of a custom header in which FortiWeb includes the Base64-encoded X.509 personal certificate presented by the client during the SSL/TLS handshake when it forwards the traffic to the protected web server.

    Available only when Client Certificate Forwarding is enabled.

    Enable Server Name Indication (SNI)

    Select to use a Server Name Indication (SNI) configuration instead of or in addition to the server certificate specified by Certificate File.

    The SNI configuration enables FortiWeb to determine which certificate to present on behalf of the pool member based on the domain in the client request. For details, see How to offload or inspect HTTPS.

    If you specify both an SNI configuration and Certificate File, FortiWeb uses the certificate specified by the Certificate File when the domain in the client request does not match a value in the SNI configuration.

    If you select Enable Strict SNI, FortiWeb always ignores the value of the Certificate File.

    Enable Strict SNI

    Select to configure FortiWeb to ignore the value of Certificate File when it determines which certificate to present on behalf of the pool member, even if the domain in a client request does not match a value in the SNI configuration.

    Available only if Enable Server Name Indication (SNI) is selected.

    SNI Policy

    Select the Server Name Indication (SNI) configuration that FortiWeb uses to determine which certificate it presents on behalf of this pool member.

    Available only if Enable Server Name Indication (SNI) is selected.

    Supported SSL Protocols

    Specify which versions of the SSL or TLS cryptographic protocols FortiWeb can use to connect securely to this pool member.

    The TLS protocol changed significantly in version 1.3, including the handshake, the supported cipher suites, and certificate handling. Make sure you understand how it works before enabling TLS 1.3.

    Note: 0-RTT in TLS 1.3 is disabled by default. You can use the following command to enable it:

    config server-policy setting

    set tls13-early-data-mode enable

    end

    For the supported ciphers of each TLS version, see Supported cipher suites & protocol versions.

    This option is available when:

    • SSL is enabled, and
    • The Type is Reverse Proxy, True Transparent Proxy, or WCCP.

    SSL/TLS Encryption Level

    Specify whether the set of cipher suites that FortiWeb allows creates a medium-security, high-security, or custom configuration.

    For details, see Supported cipher suites & protocol versions.

    Available when:

    • SSL is enabled, and
    • The Type is Reverse Proxy, True Transparent Proxy, or WCCP.

    RFC-7919 Comply

    Enable to apply cipher suites that comply with RFC 7919.

    Supported Group

    Select the RFC 7919 groups to support. The Supported Group setting selects the named groups (elliptic curve or finite-field Diffie-Hellman parameters) offered during negotiation, but SSL/TLS negotiation may choose a different key exchange algorithm, so make sure you also select the corresponding ciphers in SSL/TLS Encryption Level.

    • At least one FFDHE group must be selected.

    • At least one DHE cipher must be added.

      Due to a design limitation, you must select Customized in SSL/TLS Encryption Level and include at least one DHE cipher in the selected list. Using High or Medium together with RFC-7919 Comply leads to an unexpected error. This will be fixed in a future release.

    The system returns an error if either of the two conditions above is not met.

    Note that RFC 7919 does not apply to TLS 1.3, so if you have enabled only TLS 1.3 in Supported SSL Protocols, RFC 7919 does not take effect even if it is enabled. To apply both TLS 1.3 and RFC 7919, enable a non-TLS 1.3 protocol as well, then select at least one DHE cipher.

    Session Ticket Reuse

    Enable so that FortiWeb reuses the session ticket when establishing an SSL connection to a pserver. If the SSL connection has a server name, FortiWeb can only reuse a session ticket for the specified pserver.

    Note: This option is available only when SSL is enabled.

    Session ID Reuse

    Enable so that FortiWeb reuses the session ID when establishing an SSL connection to a pserver. If the SSL connection has a server name, FortiWeb can only reuse a session ID for the specified pserver. If both a session ticket and ID exist for a pserver, FortiWeb will reuse the ticket.

    Note: This option is available only when SSL is enabled.

    Disable Client-Initiated SSL Renegotiation

    Select to ignore requests from clients to renegotiate TLS or SSL.

    This setting protects against denial-of-service (DoS) attacks that use TLS/SSL renegotiation to overburden the server.

    Available only when the Type is Reverse Proxy or True Transparent Proxy.

    Recover

    Specifies the number of seconds that FortiWeb waits before it forwards traffic to this pool member after a health check indicates that this server is available again.

    The default is 0 (disabled). The valid range is 0 to 86,400 seconds.

    After the recovery period elapses, FortiWeb assigns connections at the rate specified by Warm Rate.

    Examples of when the server experiences a recovery and warm-up period:

    • A server is coming back online after the health check monitor detected it was down.
    • A network service is brought up before other daemons have finished initializing, so the server uses more CPU and memory than it does after startup completes.

    To avoid connection problems, specify the separate warm-up rate, recovery rate, or both.

    Tip: During scheduled maintenance, you can also manually apply these limits by setting Status to Maintenance.

    Warm Up

    Specifies for how long FortiWeb forwards traffic at a reduced rate after a health check indicates that this pool member is available again but it cannot yet handle a full connection load.

    For example, when the pool member begins to respond but startup is not fully complete.

    The default is 0 (disabled). The valid range is 1 to 86,400 seconds.

    Warm Rate

    Specifies the maximum connection rate while the pool member is starting up.

    The default is 10 connections per second. The valid range is 0 to 86,400 connections per second.

    The warm-up calibration is useful with servers that bring up the network service before other daemons are initialized. As these servers come online, CPU and memory are more heavily utilized than during normal operation. For these servers, you define separate rates based on warm-up and recovery behavior.

    For example, if Warm Up is 5 and Warm Rate is 2, the maximum number of new connections increases at the following rate:

    • 1st second—Total of 2 new connections allowed (0+2).
    • 2nd second—2 new connections added for a total of 4 new connections allowed (2+2).
    • 3rd second—2 new connections added for a total of 6 new connections allowed (4+2).
    • 4th second—2 new connections added for a total of 8 new connections allowed (6+2).
    • 5th second—2 new connections added for a total of 10 new connections allowed (8+2).
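    To make the interaction between Recover, Warm Up, and Warm Rate concrete, the following Python class is added here as an example; it is not part of the FortiWeb guide and does not describe FortiWeb internals. It models the admission decision for a pool member that a health check has just marked up, using the interpretation of the ramp shown above: in second n of the warm-up period the cumulative number of new connections allowed is Warm Rate times n, the recovery period is a zero-traffic window, and after warm-up the member takes a full load. The PoolMember class and its method names are assumptions for the example.

```python
import math
from typing import Optional


class PoolMember:
    """Recovery and warm-up state for one pool member (assumed model, see lead-in)."""

    def __init__(self, recover: int = 0, warm_up: int = 0, warm_rate: int = 10):
        # Ranges as documented above: 0..86400 seconds, 0..86400 connections/second.
        if not (0 <= recover <= 86400 and 0 <= warm_up <= 86400 and 0 <= warm_rate <= 86400):
            raise ValueError("value outside the documented range")
        self.recover, self.warm_up, self.warm_rate = recover, warm_up, warm_rate
        self.up_since: Optional[float] = None  # time the health check marked it up
        self.admitted = 0                       # new connections sent since it came up

    def mark_up(self, now: float) -> None:
        """Health check reports the member available again: restart the ramp."""
        self.up_since, self.admitted = now, 0

    def mark_down(self) -> None:
        """Health check reports the member down: no traffic until mark_up()."""
        self.up_since = None

    def connection_limit(self, now: float) -> Optional[int]:
        """Cumulative new connections allowed at time `now`; None means unlimited."""
        if self.up_since is None:
            return 0                                   # member is down
        elapsed = now - self.up_since
        if elapsed < self.recover:
            return 0                                   # still in the recovery period
        warm_elapsed = elapsed - self.recover
        if warm_elapsed >= self.warm_up:
            return None                                # warm-up complete: full load
        # Second 1 of warm-up allows warm_rate, second 2 allows 2*warm_rate, ...
        return self.warm_rate * (math.floor(warm_elapsed) + 1)

    def admit(self, now: float) -> bool:
        """Return True and count the connection if it may be forwarded now."""
        limit = self.connection_limit(now)
        if limit is None or self.admitted < limit:
            self.admitted += 1
            return True
        return False
```

    With Warm Up 5 and Warm Rate 2, `connection_limit` returns 2, 4, 6, 8 and 10 during the five warm-up seconds, matching the sequence above, and `None` from the sixth second on.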
  • Repeat the previous steps for each IP address or domain that you want to add to the server pool.
  • Click OK.
  • To apply the server pool configuration, do one of the following:
    • Select it in a server policy directly.
    • Select it in an HTTP content routing policy that you can, in turn, select in a server policy.

    For details, see Configuring an HTTP server policy and Routing based on HTTP content.

    See also

    Routing based on HTTP content

    Instead of dynamically routing requests to a server pool simply based upon load or connection distribution at the TCP/IP layers, as basic load balancing does, you can forward them based on the host, headers or other content in the HTTP layer.

    HTTP content routing policies define how FortiWeb routes requests to server pools. They are based on one or more of the following HTTP elements:

    • Host
    • URL
    • HTTP parameter
    • Referer
    • Source IP
    • Header
    • Cookie
    • X509 certificate field value
    • HTTPS SNI
    • Geo IP

    This type of routing can be useful if, for example, a specific web server or group of servers on the back end support specific web applications, functions, or host names. That is, your web servers or server pools are not identical, but specialized. For example:

    • 192.168.0.1—Hosts the website and blog
    • 192.168.0.2 and 192.168.0.3—Host movie clips and multimedia
    • 192.168.0.4 and 192.168.0.5—Host the shopping cart

    Another example is a topology where back-end servers or a traffic controller (TC) server externally manage how FortiWeb routes and balances the traffic load. The TC embeds a cookie that indicates how to route the client’s next request. In the diagram, if a request has no cookie (that is, it initializes a session), FortiWeb’s HTTP content routing is configured to forward that request to the TC, Web Server 1. For subsequent requests, as long as the cookie exists, FortiWeb routes those requests to Web Server 2.

    When FortiWeb operates in Reverse Proxy mode, HTTP Content Routing is partially supported if HTTP/2 security inspection is enabled. In such cases, FortiWeb can handle HTTP/2 for client requests, but traffic between FortiWeb and the server(s) must use HTTP, so the HTTP/2 setting in a server pool configuration must remain disabled. For details, see HTTP/2 support.

    To configure HTTP content routing
    1. Go to Server Objects > Server > HTTP Content Routing.
      To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.
    2. Click Create New.
    3. For Name, enter a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.
    4. For Server Pool, select a server pool. FortiWeb forwards traffic to this pool when the traffic matches rules in this policy.
      Select only one server pool for each HTTP content routing configuration. However, multiple HTTP content routing configurations can use the same server pool. For details, see Creating an HTTP server pool.
    5. Note: If the Deployment Mode in the server policy configuration is HTTP Content Routing and HTTP/2 is enabled, keep HTTP/2 disabled in the server pool configuration.

    6. Click OK, then click Create New.
    7. Configure these settings:
    8. If you've configured request rewriting, configure HTTP content-based routing based on the original request, as it appears before FortiWeb has rewritten it.

      For more information on rewriting, see Rewriting & redirecting.

      Match Object

      Select the object that FortiWeb examines for matching values.
      HTTP Host
      HTTP Host

      Specify one of the following values to match:

      • Match prefix—The host to match begins with the specified string.
      • Match suffix—The host to match ends with the specified string.
      • Match contains—The host to match contains the specified string.
      • Match domain—The host to match contains the specified string between the periods in a domain name.

        For example, if the value is abc, the condition matches the following hostnames:

        dname1.abc.com
        dname1.dname2.abc.com

        However, the same value does not match the following hostnames:

        abc.com
        dname.abc

      • Is equal to—The host to match is the specified string.
      • Regular expression—The host to match has a value that matches the specified regular expression.
      (value)

      Specifies a host value to match.

      If Regular Expression is selected, the value is an expression that matches the object.

      To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

      Reverse

      Enable so that the condition is met when the value you specify to match is not matched.

      Relationship with previous rule
      • And—Matching requests match this entry in addition to other entries in the HTTP content routing list.
      • Or—Matching requests match either this entry or other entries in the list.

      Later, you can use the HTTP content routing list options to adjust the matching sequence for entries.

      HTTP URL
      HTTP URL

      Specify one of the following values to match:

      • Match prefix—The URL to match begins with the specified string.
      • Match suffix—The URL to match ends with the specified string.
      • Match contains—The URL to match contains the specified string.
      • Match directory—The URL to match contains the specified string between delimiting characters (slash).

        For example, if the value is abc, the condition matches the following URLs:

        test.com/abc/
        test.com/dir1/abc/

        However, the same value does not match the following URLs:

        test.com/abc
        test.abc.com

      • Is equal to—The URL to match is the specified string.
      • Regular expression—The URL to match matches the specified regular expression.
      (value)

      Specifies a URL to match.

      For example, a literal URL, such as /index.php, that a matching HTTP request contains.

      For example, when Is equal to is selected, the value /dir1/abc/index.html matches the following URL:

      http://test.abc.com/dir1/abc/index.html

      If Regular Expression is selected, the value is an expression that matches the object. For example, ^/*.php.

      To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

      Reverse

      Enable so that the condition is met when the value you specify to match is not matched.

      Relationship with previous rule
      • And—Matching requests match this entry in addition to other entries in the HTTP content routing list.
      • Or—Matching requests match either this entry or other entries in the list.

      Later, you can use the HTTP content routing list options to adjust the matching sequence for entries.
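      The Match domain and Match directory operators above are easy to confuse with Match contains, and a routing rule that matches too broadly sends requests to the wrong pool. The following Python code is added as an illustration; it is not taken from the FortiWeb guide or product. It implements the HTTP Host and HTTP URL operators, the Reverse flag, and the And/Or relationship between rules, and reproduces the host and URL examples given above. The Rule class, the field names host and url, the case-insensitive host comparison, the unanchored re.search used for Regular expression, and the strict left-to-right And/Or evaluation are all assumptions made for the example, not documented FortiWeb behavior.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed request, reduced to the fields a content-routing rule inspects.
SAMPLE_REQUEST = {"host": "dname1.abc.com", "url": "/dir1/abc/index.html"}


def match_domain(host: str, value: str) -> bool:
    """Match domain: value equals one whole dot-delimited label with labels on
    both sides (abc matches dname1.abc.com but not abc.com or dname.abc)."""
    labels = host.lower().split(".")
    return value.lower() in labels[1:-1]


def match_directory(url: str, value: str) -> bool:
    """Match directory: value equals one whole path segment with a slash on
    both sides (abc matches test.com/dir1/abc/ but not test.com/abc)."""
    segments = url.split("/")
    return value in segments[1:-1]


# Operator names as shown in the web UI -> predicate(subject, value).
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "Match prefix": lambda s, v: s.startswith(v),
    "Match suffix": lambda s, v: s.endswith(v),
    "Match contains": lambda s, v: v in s,
    "Match domain": match_domain,
    "Match directory": match_directory,
    "Is equal to": lambda s, v: s == v,
    "Regular expression": lambda s, v: re.search(v, s) is not None,
}


@dataclass(frozen=True)
class Rule:
    match_object: str       # "host" or "url": which request field to examine
    operator: str           # a key of OPERATORS
    value: str
    reverse: bool = False   # condition is met when the value does NOT match
    relation: str = "And"   # relationship with previous rule: "And" or "Or"

    def test(self, request: Dict[str, str]) -> bool:
        hit = OPERATORS[self.operator](request[self.match_object], self.value)
        return not hit if self.reverse else hit


def policy_matches(rules: List[Rule], request: Dict[str, str]) -> bool:
    """Evaluate rules in list order, combining each result with the running
    result by that rule's And/Or relation (assumed left-to-right precedence).
    The first rule's relation is ignored; an empty policy matches nothing."""
    if not rules:
        return False
    result = rules[0].test(request)
    for rule in rules[1:]:
        hit = rule.test(request)
        result = (result and hit) if rule.relation == "And" else (result or hit)
    return result
```

      Because the order of evaluation decides how And and Or combine, test a policy against requests that should and should not match before relying on it; the same rules in a different order can route differently.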

      HTTP Parameter

      Parameter Name

      Specify one of the following values to match:

      • Match prefix—The parameter name to match begins with the specified string.
      • Match suffix—The parameter name to match ends with the specified string.
      • Match contains—The parameter name to match contains the specified string.
      • Is equal to—The parameter name to match is the specified string.
      • Regular expression—The parameter name to match matches the specified regular expression.
      (value)

      Specifies a parameter name to match.

      If Regular Expression is selected, the value is an expression that matches the object.

      To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

      Parameter Value

      Specify one of the following values to match:

      • Match prefix—The parameter value to match begins with the specified string.
      • Match suffix—The parameter value to match ends with the specified string.
      • Match contains—The parameter value to match contains the specified string.
      • Is equal to—The parameter value to match is the specified string.
      • Regular expression—The parameter value to match matches the specified regular expression.
      (value)

      Specifies a parameter value to match.

      If Regular Expression is selected, the value is an expression that matches the object.

      To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

      Reverse

      Enable so that the condition is met when the value you specify to match is not matched.

      Relationship with previous rule
      • And—Matching requests match this entry in addition to other entries in the HTTP content routing list.
      • Or—Matching requests match this entry or other entries in the list.

      Later, you can use the HTTP content routing list options to adjust the matching sequence for entries.

      HTTP Referer
      HTTP Referer

      Specify one of the following values to match:

      • Match prefix—The HTTP referer value to match begins with the specified string.
      • Match suffix—The HTTP referer value to match ends with the specified string.
      • Match contains—The HTTP referer value to match contains the specified string.
      • Is equal to—The HTTP referer value to match is the specified string.
      • Regular expression—The HTTP referer value to match matches the specified regular expression.
      (value)

      Specifies an HTTP referer value to match.

      If Regular Expression is selected, the value is an expression that matches the HTTP referer value.

      To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

      Reverse

      Enable so that the condition is met when the value you specify to match is not matched.

      Relationship with previous rule
      • And—Matching requests match this entry in addition to other entries in the HTTP content routing list.
      • Or—Matching requests match this entry or other entries in the list.

      Later, you can use the HTTP content routing list options to adjust the matching sequence for entries.

      HTTP Cookie
      HTTP Cookie

      Specify one of the following values to match:

      • Match prefix—The cookie name to match begins with the specified string.
      • Match suffix—The cookie name to match ends with the specified string.
      • Match contains—The cookie name to match contains the specified string.
      • Is equal to—The cookie name to match is the specified string.
      • Regular expression—The cookie name to match matches the specified regular expression.
      (value)

      Specifies a cookie name to match.

      If Regular Expression is selected, the value is an expression that matches the name.

      To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

      Cookie Value

      Specify one of the following values to match:

      • Match prefix—The cookie value to match begins with the specified string.
      • Match suffix—The cookie value to match ends with the specified string.
      • Match contains—The cookie value to match contains the specified string.
      • Is equal to—The cookie value to match is the specified string.
      • Regular expression—The cookie value to match matches the specified regular expression.

        For example, hash[a-fA-F0-7]*.
      (value)

      Specifies a cookie value to match.

      If Regular Expression is selected, the value is an expression that matches the cookie value.

      To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

      Reverse

      Enable so that the condition is met when the value you specify to match is not matched.

      Relationship with previous rule
      • And—Matching requests match this entry in addition to other entries in the HTTP content routing list.
      • Or—Matching requests match either this entry or other entries in the list.

      Later, you can use the HTTP content routing list options to adjust the matching sequence for entries.

      HTTP Header
      Header Name

      Specify one of the following values to match:

      • Match prefix—The header name to match begins with the specified string.
      • Match suffix—The header name to match ends with the specified string.
      • Match contains—The header name to match contains the specified string.
      • Is equal to—The header name to match is the specified string.
      • Regular expression—The header name to match matches the specified regular expression.
      (value)

      Specifies a header name to match.

      If Regular Expression is selected, the value is an expression that matches the name.

      To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

      Header Value

      Specify one of the following values to match:

      • Match prefix—The header value to match begins with the specified string.
      • Match suffix—The header value to match ends with the specified string.
      • Match contains—The header value to match contains the specified string.
      • Is equal to—The header value to match is the specified string.
      • Regular expression—The header value to match matches the specified regular expression.
      (value)

      Specifies a header value to match.

      If Regular Expression is selected, the value is an expression that matches the header value.

      To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

      Reverse

      Enable so that the condition is met when the value you specify to match is not matched.

      Relationship with previous rule
      • And—Matching requests match this entry in addition to other entries in the HTTP content routing list.
      • Or—Matching requests match this entry or other entries in the list.

      Later, you can use the HTTP content routing list options to adjust the matching sequence for entries.

      Source IP
      Source IP

      Specify one of the following values to match:

      • IPv4 Address/Range—The source IP to match is an IPv4 IP address or within a range of IPv4 IP addresses.
      • IPv6 Address/Range—The source IP to match is an IPv6 IP address or within a range of IPv6 IP addresses.
      • Regular expression—The source IP to match matches the specified regular expression.
      • Import From CSV File—The source IPs to match are multiple IP addresses or IP ranges included in the CSV file.
      (value)

      Specifies the source IP addresses to match. You can enter multiple IP addresses and IP ranges separated by commas.

      If Regular Expression is selected, the value is an expression that matches the source IP.

      To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

      Reverse

      Enable so that the condition is met when the value you specify to match is not matched.

      Relationship with previous rule
      • And—Matching requests match this entry in addition to other entries in the HTTP content routing list.
      • Or—Matching requests match either this entry or other entries in the list.

      Later, you can use the HTTP content routing list options to adjust the matching sequence for entries.

      X509 Certificate Subject

      Matches against a specified Relative Distinguished Name (RDN) in the X509 certificate Subject field. Use an attribute-value pair to specify the RDN.

      For example, an X509 certificate has the following Subject field content:

      C=CN, ST=Beijing, L=Haidian, O=fortinet, OU=fortiweb, CN=pc110

      The following settings match a certificate with this Subject field by matching the RDN O=fortinet:

      • X509 Field Name—O
      • (value)—fortinet
      X509 Field Name

      Select the attribute type to match: E, CN, OU, O, L, ST, C.

      X509 Field Value

      Specify one of the following values in the X509 Subject to match:

      • Match prefix—The X509 subject value to match begins with the specified string.
      • Match suffix—The X509 subject value to match ends with the specified string.
      • Match contains—The X509 subject value to match contains the specified string.
      • Is equal to—The X509 subject value to match is the specified string.
      • Regular expression—The X509 subject value matches the specified regular expression.
      (value)

      Specifies an X509 Subject value to match.

      If Regular Expression is selected, the value is an expression that matches the X509 Subject value.

      To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

      Reverse

      Enable so that the condition is met when the value you specify to match is not matched.

      Relationship with previous rule
      • And—Matching requests match this entry in addition to other entries in the HTTP content routing list.
      • Or—Matching requests match either this entry or other entries in the list.

      Later, you can use the HTTP content routing list options to adjust the matching sequence for entries.

      X509 Certificate Extension

      Matches against additional fields that the extensions field adds to the X509 certificate.

      For example, an X509 certificate has the following extensions:

      Extensions:

      X509v3 Basic Constraints: CA:TRUE

      X509v3 Subject Alternative Name: URI:aaaa

      X509v3 Issuer Alternative Name: URI:bbbb

      Full Name: URI:cccc

      The following settings match the extension X509v3 Basic Constraints by matching its value:

      • Match Object—X509 Certificate Extension
      • X509 Field Value—Is equal to
      • (value)—CA:TRUE

      X509 Field Value

      Specify one of the following values in the X509 extension to match:

      • Match prefix—The X509 extension value to match begins with the specified string.
      • Match suffix—The X509 extension value to match ends with the specified string.
      • Match contains—The X509 extension value to match contains the specified string.
      • Is equal to—The X509 extension value to match is the specified string.
      • Regular expression—The X509 extension value matches the specified regular expression.
      (value)

      Specifies an X509 extension value to match.

      If Regular Expression is selected, the value is an expression that matches the X509 extension value.

      To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

      Reverse

      Enable so that the condition is met when the value you specify to match is not matched.

      Relationship with previous rule
      • And—Matching requests match this entry in addition to other entries in the HTTP content routing list.
      • Or—Matching requests match either this entry or other entries in the list.

      Later, you can use the HTTP content routing list options to adjust the matching sequence for entries.

      HTTPS SNI

      HTTPS SNI

      Specify one of the following values in the HTTPS SNI to match:

      • Match prefix—The HTTPS SNI value to match begins with the specified string.
      • Match suffix—The HTTPS SNI value to match ends with the specified string.
      • Match contains—The HTTPS SNI value to match contains the specified string.
      • Is equal to—The HTTPS SNI value to match is the specified string.
      • Regular expression—The HTTPS SNI value matches the specified regular expression.

      (value)

      Specifies an HTTPS SNI value to match.

      If Regular Expression is selected, the value is an expression that matches the HTTPS SNI value.

      To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

      Reverse

      Enable so that the condition is met when the value you specify to match is not matched.

      Relationship with previous rule
      • And—Matching requests match this entry in addition to other entries in the HTTP content routing list.
      • Or—Matching requests match either this entry or other entries in the list.

      Later, you can use the HTTP content routing list options to adjust the matching sequence for entries.

      Geo IP

      Matches against the IP addresses from specified countries.

      Country

      Select one or more countries at left, then click the icon to move the selected countries to the right.

      Reverse

      Enable to match against the IP addresses from the countries not in the Selected Country list.

      ZTNA Tags

      ZTNA Tags

      Select the ZTNA tags to match. For more information on ZTNA, see Zero Trust Network Access (ZTNA).

      Match ZTNA Tags

      All means the request only matches if it has all tags specified;

      Any means the request matches if it has any of the tags specified.

      Reverse

      When Reverse is on, all requests are matched except those that meet the Any or All condition.

      For example, if Tag_A and Tag_B are selected and Reverse is on, the matching logic is:

      • When Match ZTNA Tags is Any, all requests are matched except those that have either Tag_A or Tag_B.

      • When Match ZTNA Tags is All, all requests are matched except those that have both Tag_A and Tag_B.

    9. Click OK.
    10. Repeat the rule creation steps for each HTTP host, HTTP request, or other objects that you want to route to this server pool.
    11. If required, select an entry, and then click Move to adjust the rule sequence.
      For an example of how to add logic for the rules, see Example: Concatenating exceptions.
    12. Click OK.
    13. Repeat the policy creation procedure for each server pool, as required. You can also create additional policies that select the same server pool.
    14. To apply an HTTP content routing policy, select it in a server policy. When you add HTTP content routing policies to a server policy, you also select a default policy. The default policy routes traffic that does not match any conditions found in the specified routing policies.

    For details, see Configuring an HTTP server policy.

    See also
    Example: Routing according to URL/path

    Your FortiWeb appliance might have one virtual server (the front end) protecting three physical web servers (the back end).

    From the perspective of clients connecting to the front end, there is one domain name: www.example.com. At this host name, there are three top-level URLs:

    • /games—Game application
    • /school—School application
    • /work—Work application

    In a client’s web browser, therefore, they might go to the location:

    http://www.example.com/games

    Behind the FortiWeb, however, each of those 3 web applications actually resides on separate back-end web servers with different IP addresses, and each has its own server pool:

    • 10.0.0.11/games—Game application
    • 10.0.0.12/school—School application
    • 10.0.0.13/work—Work application

    In this case, you configure HTTP content routing so FortiWeb routes HTTP requests to http://www.example.com/school to the server pool that contains 10.0.0.12. Similarly, requests for the URL /games go to a pool that contains 10.0.0.11, and requests for the URL /work go to a pool that contains 10.0.0.13.

    See also
    Example: Routing according to the HTTP “Host:” field

    Your FortiWeb appliance might have one virtual server (the front end) protecting three physical web servers (the back end).

    From the perspective of clients connecting to the front end, Example Company’s website has a few domain names:

    • http://www.example.com
    • http://www.example.cn
    • http://www.example.de
    • http://www.example.co.jp

    Public DNS resolves all of these domain names to one IP address: the virtual server on FortiWeb.

    At the data center, behind the FortiWeb, separate physical web servers host some region-specific websites. Other websites have lighter traffic and are maintained by the same person, and therefore a shared server hosts them. Each back-end web server has a DNS alias. When you configure the server pools, you define each pool member using its DNS alias, rather than its IP address:

    • www1.example.com—Hosts www.example.com, plus all other host names’ content, in case the other web servers fail or have scheduled down time
    • www2.example.com—Hosts www.example.de
    • www3.example.com—Hosts www.example.cn & www.example.co.jp

    While public DNS servers all resolve these aliases to the same IP address—FortiWeb’s virtual server—your private DNS server resolves these DNS names to separate IPs on your private network: the back-end web servers.

    • www1.example.com—Resolves to 192.168.0.1
    • www2.example.com—Resolves to 192.168.0.2
    • www3.example.com—Resolves to 192.168.0.3

    In this case, you configure HTTP content routing to route requests from clients based on the original Host: field in the HTTP header to a server pool that contains the appropriate DNS aliases. The destination back-end web server is determined at request time using server health check statuses, as well as private network DNS that resolves the DNS alias into its current private network IP address:

    • http://www.example.com/—Routes to a pool that contains www1.example.com
    • http://www.example.de/—Routes to a pool that contains members www2.example.com and www1.example.com. The www2.example.com pool member is first in the list and receives requests unless that web server is down, in which case FortiWeb routes requests to www1.example.com
    • http://www.example.cn/ & http://www.example.co.jp/—Routes to a pool that contains members www3.example.com and www1.example.com. The www3.example.com pool member is first in the list and receives requests unless that web server is down, in which case FortiWeb routes requests to www1.example.com

    If you need to maintain HTTP session continuity for web applications, ensure the pool has a persistence policy that forwards subsequent requests from a client to the same back-end web server as the initial request.

    See also
    Example: HTTP routing with full URL & host name rewriting

    In some cases, HTTP header-based routing is not enough on its own. It must, or should, be combined with request or response rewriting.

    Example.com hosts calendar, inventory, and customer relations management web applications separately: one app per specialized server. Each web application resides in its web server’s root folder ( / ). Each back-end web server is named after the only web application that it hosts:

    • calendar.example.com/
    • inventory.example.com/
    • crm.example.com/

    Therefore each request must be routed to a specific back-end web server. Requests for the calendar application forwarded to crm.example.com, for example, would result in an HTTP 404 error code.

    These back-end DNS names are publicly resolvable. However, for legacy reasons, clients may request pages as if all apps were hosted on a single domain, www.example.com:

    • www.example.com/calendar
    • www.example.com/inventory
    • www.example.com/crm

    Because the URLs requested by clients (prefixed by /calendar etc.) do not actually exist on the back-end servers, HTTP header-based routing is not enough. Alone, HTTP header-based routing with these older location structures would also result in HTTP 404 error codes, as if the clients’ requests were effectively for:

    • calendar.example.com/calendar
    • inventory.example.com/inventory
    • crm.example.com/crm

    To compensate for the new structure on the back end, request URLs must be rewritten: FortiWeb removes the application name prefix in the URL.

    URL and host name transformation to match HTTP routing

    For performance reasons, FortiWeb also rewrites the Host: field. All subsequent requests from the client use the correct host and URL and do not require any modification or HTTP-based routing. Otherwise, FortiWeb would need to rewrite every subsequent request in the session, and analyze the HTTP headers for routing every subsequent request in the session.
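The matching logic described for HTTP content routing, applied to the three routing examples above, as an added Python illustration. This is not FortiWeb code: FortiWeb's own rule evaluation order is documented under Example: Concatenating exceptions, which is not reproduced here, so the And/Or precedence used below (And extends the current group, Or starts a new alternative) is an assumption, as are the Condition and Request structures, the pool names and the sample requests. Source IP conditions are simplified to single addresses and CIDR networks.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Match types from the content routing settings: Match prefix/suffix/contains,
# Is equal to, Regular expression.
MATCHERS = {
    "prefix": lambda v, s: v.startswith(s),
    "suffix": lambda v, s: v.endswith(s),
    "contains": lambda v, s: s in v,
    "equal": lambda v, s: v == s,
    "regex": lambda v, s: re.search(s, v) is not None,
}

@dataclass
class Condition:                  # assumed structure, one entry of the routing list
    obj: str                      # "host", "path", "sni", "source_ip", "x509_subject", "ztna_tags"
    match: str                    # MATCHERS key; for ztna_tags "any" | "all"; unused for source_ip
    value: str                    # string to match; comma-separated networks or tags
    reverse: bool = False         # Reverse: met when the value does NOT match
    relation: str = "and"         # relationship with the previous rule: "and" | "or"
    field_name: str = ""          # X509 Subject RDN attribute (E, CN, OU, O, L, ST, C)

@dataclass
class Request:                    # assumed request model
    host: str
    path: str
    source_ip: str = "0.0.0.0"
    sni: str = ""
    x509_subject: str = ""        # e.g. "C=CN, ST=Beijing, L=Haidian, O=fortinet, OU=fortiweb, CN=pc110"
    tags: tuple = ()              # ZTNA tags carried by the request (constructed)

def rdn_values(subject: str, attr: str) -> list:
    """Values of every RDN in the Subject string whose attribute is attr."""
    values = []
    for part in subject.split(","):
        key, _, val = part.strip().partition("=")
        if key == attr:
            values.append(val)
    return values

def condition_matches(c: Condition, r: Request) -> bool:
    if c.obj == "source_ip":
        nets = [ip_network(n.strip(), strict=False) for n in c.value.split(",")]
        hit = any(ip_address(r.source_ip) in n for n in nets)
    elif c.obj == "x509_subject":
        hit = any(MATCHERS[c.match](v, c.value) for v in rdn_values(r.x509_subject, c.field_name))
    elif c.obj == "ztna_tags":
        wanted = {t.strip() for t in c.value.split(",")}
        have = set(r.tags)
        hit = wanted <= have if c.match == "all" else bool(wanted & have)
    else:
        hit = MATCHERS[c.match](getattr(r, c.obj), c.value)
    return (not hit) if c.reverse else hit

def policy_matches(conds: list, r: Request) -> bool:
    """Assumed precedence: 'and' extends the current group, 'or' opens a new one;
    the policy matches when any group matches completely."""
    if not conds:
        return False
    groups = [[]]
    for c in conds:
        if c.relation == "or" and groups[-1]:
            groups.append([])
        groups[-1].append(c)
    return any(all(condition_matches(c, r) for c in g) for g in groups)

def select_pool(policies: list, r: Request, default: str = "default-pool") -> str:
    """policies: list of (pool_name, [Condition, ...]); first match wins, else the default policy."""
    for pool, conds in policies:
        if policy_matches(conds, r):
            return pool
    return default

# "Routing according to URL/path": one front-end host, one pool per application (constructed names).
PATH_POLICIES = [
    ("pool-10.0.0.11", [Condition("path", "prefix", "/games")]),
    ("pool-10.0.0.12", [Condition("path", "prefix", "/school")]),
    ("pool-10.0.0.13", [Condition("path", "prefix", "/work")]),
]

# "Routing according to the HTTP Host: field" (constructed pool names).
HOST_POLICIES = [
    ("pool-www1", [Condition("host", "equal", "www.example.com")]),
    ("pool-www2", [Condition("host", "equal", "www.example.de")]),
    ("pool-www3", [Condition("host", "equal", "www.example.cn"),
                   Condition("host", "equal", "www.example.co.jp", relation="or")]),
]

def rewrite_legacy(r: Request) -> Request:
    """Full URL & host name rewriting: /calendar/... on www.example.com becomes
    /... on calendar.example.com, so the back end no longer answers 404."""
    for app in ("calendar", "inventory", "crm"):
        prefix = "/" + app
        if r.path == prefix or r.path.startswith(prefix + "/"):
            return Request(host=app + ".example.com", path=r.path[len(prefix):] or "/",
                           source_ip=r.source_ip, sni=r.sni)
    return r
```

The default pool in select_pool plays the role of the default policy chosen when routing policies are attached to a server policy: anything no condition list matches goes there.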

    See also

    Configuring server up/down checks

    Tests for server availability (called “server health checks” in the web UI) poll web servers that are members of a server pool to determine their responsiveness before forwarding traffic. FortiWeb can check server health using the following methods:

    • TCP
    • ICMP ECHO_REQUEST (ping)
    • TCP Half Open
    • TCP SSL
    • HTTP/2
    • HTTPS
    • HTTP

    FortiWeb polls the server at the frequency set in the Interval option. If the appliance does not receive a reply within the timeout period, and you have configured the health check to retry, it attempts a health check again; otherwise, the server is deemed unresponsive. The FortiWeb appliance reacts to unresponsive servers by disabling traffic to that server until it becomes responsive.

    If all members of the pool are unresponsive and you have configured one or more members to be backup servers, FortiWeb sends traffic to a backup server.

    If a web server will be unavailable for a long period, such as when a server is undergoing hardware repair, it is experiencing extended down time, or when you have removed a server from the server pool, you may improve the performance of your FortiWeb appliance by disabling connectivity to the web server, rather than allowing the server health check to continue to check for responsiveness. For details, see Enabling or disabling traffic forwarding to your servers.

    You can create a health check, use one of the predefined health checks, or clone one of the predefined health checks to use as a starting point for a custom health check. You cannot modify the predefined health checks.

    To simplify health check creation, FortiWeb provides predefined health checks for each of the available protocols. Each predefined health check contains a single rule that specifies one of the available protocols. For example, instead of creating a health check that uses ICMP, you can apply HLTHCK_ICMP.

    HLTHCK_HTTP and HLTHCK_HTTPS health checks test server responsiveness using the HEAD method and listening for the response code 200.

    Your health check can use more than one protocol to check server responsiveness. You can specify that a server is available if it passes any single test in the list of tests, or only if it passes all the tests.

    To view the status currently detected by server health checks, use the Policy Status dashboard. For details, see Policy Status.

    To configure a server health check
    1. Before configuring a server health check, if it requires a trigger, configure the trigger. For details, see Viewing log messages.
    2. Go to Server Objects > Server > Health Check.
    3. To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.

    4. Do one of the following:
    • To create a health check, click Create New.
    • To create a health check based on a predefined health check, select a predefined health check, click Clone, and then enter a name for the new health check.
    5. Configure these settings:

    Name

    Type a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.

    Note: The name cannot be changed after this part of the configuration is saved. To rename a part of the configuration, clone it, select it in all parts of the configuration that reference the old name, then delete the item with the old name.

    Relationship
    • And—FortiWeb considers the server to be responsive when it passes all the tests in the list.
    • Or—FortiWeb considers the server to be responsive when it passes at least one of the tests in the list.

    Trigger Policy

    Select the name of a trigger, if any, that will be used to log or notify an administrator if a server becomes unresponsive.
    6. Click OK.
    7. In the rule list, do one of the following:
    • To add a rule, click Create New.
    • To modify a rule, select it and click Edit.
    8. Configure these settings:

    Type

    Select the protocol that the server health check uses to contact the server.

    • ICMP—Send ICMP type 8 (ECHO_REQUEST or “ping”) and listen for either ICMP type 0 (ECHO_RESPONSE or “pong”) indicating responsiveness, or timeout indicating that the host is not responsive.
    • TCP—Send TCP SYN and listen for either TCP SYN ACK indicating responsiveness, or timeout indicating that the host is not responsive. If the response is SYN ACK, send TCP ACK to complete the three-way handshake.
    • TCP Half Open—Send TCP SYN and listen for either TCP SYN ACK indicating responsiveness, or timeout indicating that the host is not responsive. If the response is SYN ACK, send TCP RST to terminate the connection. This type of health check requires fewer resources from the pool member than TCP.
    • TCP SSL—Send an HTTPS request. FortiWeb considers the host to be responsive if the SSL handshake is successful, and closes the connection once the handshake is complete. This type of health check requires fewer resources than HTTP/HTTPS.
    • HTTP—Send an HTTP or HTTPS request, depending on the real server type, and listen for a response that matches the values required by the specified Matched Content or a timeout that indicates that the host is not responsive.

      The protocol to use depends on whether you enable SSL for that server in the server pool. Contact occurs on the protocol and port number specified for that web server in the server pool.

    URL Path

    Type the URL that the HTTP or HTTPS request uses to verify the responsiveness of the server (for example, /index.html). You can add parameters after the URL, for example /collector.aspx:?Target=Site1.

    If the web server successfully returns this URL, and its content matches your expression in Matched Content, it is considered to be responsive.

    Available only if Type is HTTP or HTTPS. The maximum length is 127 characters.

    Timeout

    Type the maximum number of seconds that FortiWeb waits for the server to reply to a health check. If the web server does not reply within this limit, the health check fails.

    Valid values are 1 to 30. Default value is 3.

    Retry Times

    Type the number of times, if any, that FortiWeb retries a server health check after failure. If the web server fails the server health check this number of times consecutively, it is considered to be unresponsive.

    Valid values are 1 to 10. Default value is 3.

    Interval

    Type the number of seconds between each server health check.

    Valid values are 1 to 300. Default value is 10.

    Method

    Specify whether the health check uses the HEAD, GET, or POST method.

    Available only if Type is HTTP or HTTPS.

    Match Type
    • Matched Content—If the web server successfully returns the URL specified by URL Path and its content matches the Matched Content value, FortiWeb considers the server to be responsive.
    • Response Code—If the web server successfully returns the URL specified by URL Path and the code specified by Response Code, FortiWeb considers the server to be responsive.
    • All—If the web server successfully returns the URL specified by URL Path and its content matches the Matched Content value, and the code specified by Response Code, FortiWeb considers the server to be responsive.

    Available only if Type is HTTP or HTTPS.

    Matched Content

    Enter one of the following values:

    • The exact reply that indicates that the server is available.
    • A regular expression that matches the required reply.

    This value prevents the test from falsely indicating that the server is available when it has actually replied with an error page, such as the one produced by Tomcat when a JSP application is not available.

    To create and test a regular expression, click the >> (test) icon. This opens a Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.

    Available only if Type is HTTP or HTTPS and Match Type is All or Matched Content.

    Response Code

    Enter the response code that you require the server to return to confirm that it is available.

    Available only if Type is HTTP or HTTPS and Match Type is All or Matched Content.

    9. Click OK to save the settings and close the rule.
    10. Add any additional tests you want to include in the health check by adding additional rules.
    11. Click OK to save and close the health check.
    12. To use the server health check, select it in a server pool or server pool member configuration. For details, see Creating an HTTP server pool.
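An added illustration (not FortiWeb code) of how a health check rule's Match Type, the Relationship between rules and Retry Times interact. It runs a content rule and a code-only rule against two constructed replies, a real page and a Tomcat-style error page that still returns 200, which is the false-positive case Matched Content exists to catch. The rule and response structures, the poll helper and the sample bodies are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class HttpRule:                    # assumed model of one HTTP/HTTPS rule
    match_type: str                # "content" (Matched Content), "code" (Response Code) or "all"
    matched_content: str = ""      # exact reply or regular expression
    response_code: int = 200


@dataclass
class Response:                    # constructed reply; a timeout is modelled as None
    code: int
    body: str


def rule_passes(rule: HttpRule, resp) -> bool:
    """Does one rule accept the reply? No reply within Timeout is a failure."""
    if resp is None:
        return False
    content_ok = re.search(rule.matched_content, resp.body) is not None
    code_ok = resp.code == rule.response_code
    if rule.match_type == "content":
        return content_ok
    if rule.match_type == "code":
        return code_ok
    return content_ok and code_ok      # "all": both must hold


def health_check_passes(rules, replies, relationship="and") -> bool:
    """Combine per-rule results with the health check's Relationship: And (all) or Or (any)."""
    results = [rule_passes(rule, reply) for rule, reply in zip(rules, replies)]
    return all(results) if relationship == "and" else any(results)


class MemberState:
    """Retry Times: a member is unresponsive only after that many consecutive failures."""

    def __init__(self, retry_times=3):
        self.retry_times = retry_times
        self.failures = 0
        self.up = True

    def record(self, passed: bool) -> bool:
        if passed:
            self.failures = 0
            self.up = True                 # traffic resumes as soon as it responds again
        else:
            self.failures += 1
            if self.failures >= self.retry_times:
                self.up = False            # stop forwarding traffic to this member
        return self.up


def poll(rules, ticks, relationship="and", retry_times=3):
    """One health check per Interval tick; ticks is a list of reply lists (one reply per rule).
    Returns the member's up/down status after each tick."""
    state = MemberState(retry_times)
    return [state.record(health_check_passes(rules, replies, relationship)) for replies in ticks]
```

The same Tomcat-style page passes a Response Code rule and fails a Matched Content rule, which is why a code-only check on a servlet container can keep a broken application in rotation.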
    See also

    Configuring session persistence

    After FortiWeb has forwarded the first packet from a client to a pool member, some protocols require that subsequent packets also be forwarded to the same back-end server until a period of time passes or the client indicates that it has finished transmission.

    A session persistence configuration specifies a persistence method and timeout. You apply the configuration to Server Balance server pools to apply the persistence setting to all members of the pool.

    To create a persistence configuration
    1. Go to Server Objects > Server > Persistence and click Create New.
    2. Configure these settings:
      Name

      Type a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.

      Type

      Specifies how FortiWeb determines the pool member to forward subsequent requests from a client to after its initial request. For the initial request, FortiWeb selects a pool member using the load balancing method specified in the server pool configuration.

      • Source IP—Forwards subsequent requests with the same client IP address and subnet as the initial request to the same pool member. To define how FortiWeb derives the appropriate subnet from the IP address, configure IPv4 Netmask and IPv6 Mask Length.
      • HTTP Header—Forwards subsequent requests with the same value for an HTTP header as the initial request to the same pool member. Also configure Header Name.
      • URL parameter—Forwards subsequent requests with the same value for a URL parameter as the initial request to the same pool member. Also configure Parameter Name.
      • Insert Cookie—FortiWeb adds a cookie with the name specified by Cookie Name to the initial request and forwards all subsequent requests with this cookie to the same pool member. FortiWeb uses this cookie for persistence only and does not forward it to the pool member. Also configure Cookie Path and Cookie Domain.
      • Rewrite Cookie—If the HTTP response has a Set-Cookie: value that matches the value specified by Cookie Name, FortiWeb replaces the value specified by the keyword with a randomly generated cookie value. FortiWeb forwards all subsequent requests with this generated cookie value to the same pool member.
      • Persistent Cookie—If an initial request contains a cookie with a name that matches the Cookie Name value, FortiWeb forwards subsequent requests that contain the same cookie value to the same pool member as the initial request.
      • Embedded Cookie—If the HTTP response contains a cookie with a name that matches the Cookie Name value, FortiWeb preserves the original cookie value and adds a randomly generated cookie value and a ~ (tilde) as a prefix. FortiWeb forwards all subsequent requests with this cookie and prefix to the same pool member.
      • ASP Session ID—If a cookie in the initial request contains an ASP .NET session ID value, FortiWeb forwards subsequent requests with the same session ID value to the same pool member as the initial request. FortiWeb preserves the original cookie name.
      • PHP Session ID—If a cookie in the initial request contains a PHP session ID value, FortiWeb forwards subsequent requests with the same session ID value to the same pool member as the initial request. FortiWeb preserves the original cookie name.
      • JSP Session ID—FortiWeb forwards subsequent requests with the same JSP session ID as the initial request to the same pool member. FortiWeb preserves the original cookie name.
      • SSL Session ID—If a cookie in the initial request contains an SSL session ID value, FortiWeb forwards subsequent requests with the same session ID value to the same pool member as the initial request. FortiWeb preserves the original cookie name.
      IPv4 Netmask

      Specifies the IPv4 subnet used for session persistence.

      For example, if IPv4 Netmask is 255.255.255.255, FortiWeb can forward requests from IP addresses 192.168.1.1 and 192.168.1.2 to different server pool members.

      If IPv4 Netmask is 255.255.255.0, FortiWeb forwards requests from IP addresses 192.168.1.1 and 192.168.1.2 to the same pool member.

      Available only when Type is Source IP.

      IPv6 Mask Length

      Specifies the IPv6 network prefix used for session persistence.

      Available only when Type is Source IP.

      Header Name

      Specifies the name of the HTTP header that the persistence feature uses to route requests.

      Available only when Type is HTTP Header.

      Parameter Name

      Specifies the name of the URL parameter that the persistence feature uses to route requests.

      Available only when Type is URL Parameter.

      Cookie Name

      Specifies a value to match or the name of the cookie that FortiWeb inserts.

      Available only when Type uses a cookie.

      Cookie Path

      Specifies a path attribute for the cookie that FortiWeb inserts, if Type is Insert Cookie.

      Cookie Domain

      Specifies a domain attribute for the cookie that FortiWeb inserts, if Type is Insert Cookie.

      Secure Cookie

      Enable to add a secure flag to inserted cookies, which forces browsers to return the cookie only when they use HTTPS protocol.

      Available only when Type is Insert Cookie.

      Timeout

      Specifies the maximum amount of time between requests that FortiWeb maintains persistence, in seconds.

      FortiWeb stops forwarding requests according to the established persistence after this amount of time has elapsed since it last received a request from the client with the associated property (for example, an IP address or cookie). Instead, it again selects a pool member using the load balancing method specified in the server pool configuration.

    3. Click OK.

    For details about applying the configuration to a pool, see Creating an HTTP server pool.
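An added illustration (not FortiWeb code) of Source IP persistence with the IPv4 Netmask examples above and a Timeout that returns an idle client to ordinary load balancing. The class, its round-robin stand-in for the pool's load-balancing method, the member names and the clock values are assumptions.

```python
from ipaddress import IPv4Network


class SourceIpPersistence:
    """Maps a client's masked source address to the member that served its first request."""

    def __init__(self, members, netmask="255.255.255.255", timeout=300):
        self.members = list(members)
        self.netmask = netmask      # IPv4 Netmask setting
        self.timeout = timeout      # Timeout setting, in seconds
        self.table = {}             # subnet -> (member, time of last request)
        self._rr = 0                # stand-in for the pool's load-balancing method

    def _subnet(self, client_ip: str) -> str:
        # 192.168.1.1/255.255.255.0 -> 192.168.1.0/24; with /32 every client is its own key.
        return str(IPv4Network(f"{client_ip}/{self.netmask}", strict=False))

    def _load_balance(self) -> str:
        member = self.members[self._rr % len(self.members)]
        self._rr += 1
        return member

    def select(self, client_ip: str, now: float) -> str:
        """Return the member for this request; `now` is a monotonic clock in seconds."""
        key = self._subnet(client_ip)
        entry = self.table.get(key)
        if entry is not None and now - entry[1] <= self.timeout:
            member = entry[0]                  # persistence still valid
        else:
            member = self._load_balance()      # new client, or idle longer than Timeout
        self.table[key] = (member, now)        # every request refreshes the idle timer
        return member
```

With a /24 netmask 192.168.1.1 and 192.168.1.2 share one table entry and therefore one member; with /32 they are balanced independently, exactly the two cases the IPv4 Netmask description gives.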


    Configuring server-side SNI support

    FortiWeb supports server-side SNI (Server Name Indication). You use this feature when you have the following configuration requirements:

    • The operating mode is Reverse Proxy or True Transparent Proxy.
    • You offload SSL/TLS processing to FortiWeb and use SSL/TLS for connections between FortiWeb and the pool member (end-to-end encryption).
    • One or more server pool members require SNI support.

    In True Transparent Proxy mode, use the following CLI command to enable server-side SNI for the appropriate pool member:

    config server-policy server-pool
      edit <server-pool_name>
        config pserver-list
          edit <entry_index>
            set server-side-sni {enable | disable}

    In Reverse Proxy mode, use the following CLI command to enable server-side SNI in the appropriate server policy:

    config server-policy policy
      edit <policy_name>
        set server-side-sni {enable | disable}

    You cannot use the web UI to enable this option. For details, see the FortiWeb CLI Reference.

    Creating an HTTP server pool

    Server pools define a group of one or more physical or domain servers (web servers) that FortiWeb distributes connections among, or where the connections pass through to, depending on the operating mode. Reverse Proxy mode actively distributes connections; Offline Protection mode, both transparent modes, and WCCP mode do not.

    • Reverse Proxy mode—When the FortiWeb appliance receives traffic destined for a virtual server, it forwards the traffic to a server pool. If the pool has more than one member, the physical or domain server that receives the connection depends on your configuration of load-balancing algorithm, weight, and server health checking.

      For pools with multiple members, to prevent traffic from being forwarded to unavailable web servers, you can use a health check to verify the availability of members. The availability of other members and the Deployment Mode option in the policy determine whether the FortiWeb appliance redistributes or drops the connection when a physical or domain server in a server pool is unavailable.

    • Offline Protection, True Transparent Proxy, Transparent Inspection, and WCCP mode—The FortiWeb appliance allows traffic to pass through to the server pool when it receives traffic that is:
      • passing through a bridge
      • directed to the FortiWeb (configured as a WCCP client) by a FortiGate acting as a WCCP server

    A server can belong to more than one server pool.

    To configure an HTTP server pool
    1. Before you configure an HTTP server pool, do the following:
    • If clients connect via HTTPS and FortiWeb is operating in a mode that performs SSL inspection instead of SSL offloading, upload the website’s server certificate. For details, see How to offload or inspect HTTPS.
    • If you want to use the pool for load balancing and want to monitor its members for responsiveness, configure one or more server health checks to use with it. For details, see Configuring server up/down checks.
    • If client connections require persistent sessions, create a persistence configuration. For details, see Configuring session persistence.
    2. Go to Server Objects > Server > Server Pool.
    3. To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.

    4. Click Create New.
    5. Select Create HTTP Server Pool.
    6. Configure these settings:

    Name

    Type a name that can be referenced by other parts of the configuration. The maximum length is 63 characters.

    Type

    The current type follows the operation mode set in system settings.

    For full information on the operating modes, see How to choose the operation mode.

    Single Server/Server Balance
    • Single Server—Specifies a pool that contains a single member.
    • Server Balance—Specifies a pool that contains multiple members. FortiWeb uses the specified load-balancing algorithm to distribute TCP connections among the members. If a member is unresponsive to the specified server health check, FortiWeb forwards subsequent connections to another member of the pool.

    Available only when Type is Reverse Proxy.

    Server Health Check

    Specifies a test for server availability. By default, this health check is used for all pool members, but you can use the pool member configuration to assign a different health check to a member.

    For details, see Configuring server up/down checks.

    Available only when Type is Reverse Proxy and Single Server/Server Balance is Server Balance.

    Health Check Source IP

    If enabled, FortiWeb sends its health checks to the back-end server from an IPv4 source address.

    Available only in True Transparent Proxy mode.

    Health Check Source IPv6

    If enabled, FortiWeb sends its health checks to the back-end server from an IPv6 source address.

    Available only in True Transparent Proxy mode.

    Load Balancing Algorithm
    • Round Robin—Distributes new TCP connections to the next pool member, regardless of weight, response time, traffic load, or number of existing connections. FortiWeb avoids unresponsive servers.
    • Weighted Round Robin—Distributes new TCP connections using the round-robin method, except that members with a higher weight value receive a larger percentage of connections.
    • Least Connection—Distributes new TCP connections to the member with the fewest existing, fully-formed TCP connections. If multiple servers have the same least number of connections, FortiWeb takes turns among them rather than always selecting the same member for new connections.
    • URI Hash—Distributes new TCP connections using a hash algorithm based on the URI found in the HTTP header, excluding hostname.
    • Full URI Hash—Distributes new TCP connections using a hash algorithm based on the full URI string found in the HTTP header. The full URI string includes the hostname and path.
    • Host Hash—Distributes new TCP connections using a hash algorithm based on the hostname in the HTTP Request header Host field.
    • Host Domain Hash—Distributes new TCP connections using a hash algorithm based on the domain name in the HTTP Request header Host field.
    • Source IP Hash—Distributes new TCP connections using a hash algorithm based on the source IP address of the request.
    • Least Response Time—Distributes incoming traffic to the back-end servers by multiplying the average response time by the number of concurrent connections. The server with the lowest value receives the traffic, so the client is connected to the most efficient back-end server.
    • Probabilistic Weighted Least Response Time—With Least Response Time, in extreme cases one server may consistently have a relatively low response time compared to the others, which causes most of the traffic to be distributed to that single server. To address this, Probabilistic Weighted Least Response Time distributes traffic based on least response time combined with probabilities: the server with the least response time is the most likely to receive traffic, while the remaining servers still have a chance to process some of the traffic.

    When the status of a physical server in a server pool is disabled, a health check indicates it is down, or it is removed from the server pool, FortiWeb will transfer any remaining HTTP transactions in the TCP stream to an active physical server in the server pool according to the Load Balancing Algorithm.

    For hash-based methods, if you specify a persistence method for the server pool, after an initial client request, FortiWeb routes any subsequent requests according to the persistence method. Otherwise, it routes subsequent requests according to the hash-based algorithm.

    Available only when Type is Reverse Proxy and Single Server/Server Balance is Server Balance.
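The selection behaviour of the load-balancing algorithms listed above, written out as an added illustration. This is not FortiWeb's own code: the Member and Pool classes, the smooth weighted round-robin credit scheme, the tie rotation for Least Connection and the use of SHA-256 for the hash-based methods are all assumptions of this example. Every algorithm skips members whose health check has failed, which is the behaviour the text describes.

```python
"""Illustrative pool-member selection for the FortiWeb load-balancing
algorithms described above. Added example; not FortiWeb's implementation."""
import hashlib
from dataclasses import dataclass


@dataclass
class Member:
    name: str
    weight: int = 1        # used by Weighted Round Robin
    healthy: bool = True   # result of the last server health check
    connections: int = 0   # fully-formed TCP connections currently open
    _credit: int = 0       # running credit for smooth weighted round robin


class Pool:
    def __init__(self, members):
        self.members = list(members)
        self._rr = 0   # round-robin cursor
        self._tie = 0  # rotates among least-connection ties

    def _alive(self):
        # Every algorithm skips members the health check marked down.
        return [m for m in self.members if m.healthy]

    def round_robin(self):
        """Next member in index order, ignoring weight, load and response time."""
        n = len(self.members)
        for _ in range(n):
            m = self.members[self._rr % n]
            self._rr += 1
            if m.healthy:
                return m
        return None  # whole pool is down (a backup server would take over)

    def weighted_round_robin(self):
        """Smooth weighted round robin: a member with weight 3 receives three
        connections for every one sent to a member with weight 1."""
        alive = self._alive()
        if not alive:
            return None
        total = sum(m.weight for m in alive)
        for m in alive:
            m._credit += m.weight
        chosen = max(alive, key=lambda m: m._credit)
        chosen._credit -= total
        return chosen

    def least_connection(self):
        """Member with the fewest open connections; ties rotate so the same
        member is not always picked."""
        alive = self._alive()
        if not alive:
            return None
        fewest = min(m.connections for m in alive)
        tied = [m for m in alive if m.connections == fewest]
        chosen = tied[self._tie % len(tied)]
        self._tie += 1
        return chosen

    def by_hash(self, key: str):
        """Hash-based selection (URI, Host or Source IP hash, depending on
        which request field is passed as key). The same key always maps to
        the same member as long as the set of healthy members is unchanged."""
        alive = self._alive()
        if not alive:
            return None
        digest = hashlib.sha256(key.encode("utf-8")).digest()
        return alive[int.from_bytes(digest[:8], "big") % len(alive)]


def simulate(algorithm, rounds: int):
    """Return the member names chosen for a number of successive new connections."""
    return [algorithm().name for _ in range(rounds)]
```

Note that the hash-based methods only stay stable while the set of healthy members is unchanged; once a member goes down the modulus changes and keys are redistributed, which is why the text recommends a persistence method when session stickiness matters.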

    Persistence

    Select a configuration that specifies a session persistence method and timeout to apply to the pool members.

    For details, see Configuring session persistence.

    Available only when Type is Reverse Proxy and Single Server/Server Balance is Server Balance.

    Comments Type a description of the server pool. The maximum length is 199 characters.

    Note: You can also enable the HTTP reuse function to control how FortiWeb reuses an existing connection instead of creating a new one. See the FortiWeb 6.1.1 CLI Reference for details.

  • Click OK.
  • Click Create New.
  • Configure these settings:
  • ID

    The index number of the member entry within the server pool.

    FortiWeb automatically assigns the next available index number.

    For round robin-style load-balancing, the index number indicates the order in which FortiWeb distributes connections.

    The valid range is from 0 to 9223372036854775807 (the maximum possible value for a long integer).

    You can use the server-policy server-pool CLI command to change the index number value. For details, see the FortiWeb CLI Reference:

    HTTPS://docs.fortinet.com/product/fortiweb/

    Status
    • Enable—Specifies that this pool member can receive new sessions from FortiWeb.
    • Disable—Specifies that this pool member does not receive new sessions from FortiWeb and FortiWeb closes any current sessions as soon as possible.
    • Maintenance—Specifies that this pool member does not receive new sessions from FortiWeb but FortiWeb maintains any current connections.
    Server Type

    Select how you want to define the pool member.

    If your application servers are deployed on AWS or Azure, you can select Cloud Connector to authorize FortiWeb to access the VM instances in your public cloud account, in order to automatically obtain the IP addresses.

    IP

    or

    Domain

    Specify the IP address or fully-qualified domain name of the web server to include in the pool.

    For domain servers, FortiWeb queries a DNS server to resolve each web server’s domain name to an IP address. For improved performance, do one of the following:

    • Use physical servers instead
    • Ensure highly reliable, low-latency service to a DNS server on your local network

    Tip: The IP or domain server is usually not the same as a protected host names group. See .

    Warning: Server policies do not apply features that do not yet support IPv6 to servers specified using IPv6 addresses or domain servers whose DNS names resolve to IPv6 addresses.

    The Server Type value determines the name of this option.

    Note: FortiWeb continuously verifies the IP address paired with the domain name and if the IP address changes, FortiWeb automatically updates the origin server IP in its configuration. The frequency that FortiWeb updates the IP depends on the TTL of the DNS record, which is usually 60 seconds in AWS ALB/ELB.

    SDN address type

    Select whether you want FortiWeb to get the public or private addresses of your application's VM instances, or select All to get both the public and the private addresses.

    Note: If you are using private IP addresses, ensure that FortiWeb can successfully establish connections with your application's VM instances in order to forward the traffic.

    Available only if the Server Type is Cloud Connectors.

    SDN Connector

    Select the SDN connector you have created. See AWS Connector and Azure Connector.

    Available only if the Server Type is Cloud Connectors.

    Filter

    Once you select the SDN connector that you have created, the available filter options for the VMs in your public cloud account are listed here. You can select multiple filter options among instance IDs, image IDs, tags, etc. For example, FortiWeb finds the VM instance whose instance ID is i-12345678 in your AWS account, obtains the IP address of this instance, and records it as the origin server's IP.

    AWS

    • instance-id (e.g. instance-id=i-12345678)
    • image-id (e.g. image-id=ami-123456)
    • key-name (e.g. key-name=aws-key-name)
    • subnet-id (e.g. subnet-id=sub-123456)
    • tag:TagName (The tag attached to the instance. TagName is a variable. It can be any value you have named for the tag. e.g. tag:Type=appserver. Up to 8 tags are supported.)

    Azure

    • vm-name (e.g. vm-name=myVM01)
    • tag:TagName (The tag attached to the virtual machine. TagName is a variable. It can be any value you have named for the tag, e.g. tag:Type=appserver. Up to 8 tags are supported.)

    Available only if the Server Type is Cloud Connectors.

    Port Type the TCP port number where the pool member listens for connections. The valid range is from 1 to 65,535.
    Connection Limit

    Specifies the maximum number of TCP connections that FortiWeb forwards to this pool member.

    The default is 0 (disabled).

    The valid range is from 0 to 1,048,576.

    Available only if the Type is Reverse Proxy.

    Weight

    If the pool member is part of a pool that uses the weighted round-robin load-balancing algorithm, type the weight of the member when FortiWeb distributes TCP connections.

    Members with a greater weight receive a greater proportion of connections.

    Weighting members can be useful when, for example, some servers in the pool are more powerful or if a member is already receiving fewer or more connections due to its role in multiple websites.

    Available only if the Type is Reverse Proxy and Single Server/Server Balance is Server Balance.

    Inherit Health Check

    Clear to use the health check specified by Server Health Check in this server pool rule instead of the one specified in the server pool configuration.

    Available only if the Type is Reverse Proxy and Single Server/Server Balance is Server Balance.

    Server Health Check

    Specifies an availability test for this pool member.

    For details, see Configuring server up/down checks.

    Available only if the Type is Reverse Proxy and Single Server/Server Balance is Server Balance.

    Health Check Domain Name

    Enter an HTTP host header name to test the availability of a specific host.

    This is useful if the pool member hosts multiple websites (virtual hosting environment).

    Available only if Type is HTTP.

    Backup Server

    When this option is selected and all the members of the server pool fail their server health check, FortiWeb routes any connections for the pool to this server.

    The backup server mechanism does not work if you do not specify server health checks for the pool members.

    If you select this option for more than one pool member, FortiWeb uses the load balancing algorithm to determine which member to use.

    Available only if the Type is Reverse Proxy and Single Server/Server Balance is Server Balance.

    Proxy Protocol

    If the back-end server has proxy protocol enabled, you must also enable the Proxy Protocol option on FortiWeb so that TCP SSL and HTTP traffic can pass through. The real IP address of the client is included in the proxy protocol header.

    Available only if the Type is Reverse Proxy, True Transparent Proxy, Offline Protection, or Transparent Inspection.

    Proxy Protocol Version

    Select the proxy protocol version for the back-end server.

    Available only if the Type is Reverse Proxy or True Transparent Proxy.

    HTTP/2

    Enable to allow HTTP/2 communication between the FortiWeb and this back-end web server.

    When FortiWeb's security services are applied to the HTTP/2 traffic between clients and this web server in Reverse Proxy mode:

    • Enabling this option makes sure the traffic is transferred in HTTP/2 between FortiWeb and this web server, if this web server supports HTTP/2.

      Note: Make sure that this back-end web server really supports HTTP/2 before you enable this option; otherwise, connections will fail.

    • Disabling this option makes FortiWeb convert HTTP/2 to HTTP/1.x for this web server, or HTTP/1.x to HTTP/2 for the clients, if this web server does not support HTTP/2.

    In True Transparent Proxy mode, FortiWeb's HTTP/2 inspection requires that this option is enabled and that SSL is correctly configured. When HTTP/2 inspection is enabled in True Transparent Proxy mode, FortiWeb performs no protocol conversions between HTTP/1.x and HTTP/2, which means HTTP/2 connections will not be established between clients and back-end web servers if the web servers do not support HTTP/2. For details, see HTTP/2 support.

    Note: Please confirm the operation mode and HTTP versions your back-end web servers are running so that HTTP/2 inspection can work correctly with your web servers. If the Deployment Mode in the server policy configuration is HTTP Content Routing and HTTP/2 is enabled, keep HTTP/2 disabled in the server pool configuration.

    This option is available only when the Type is Reverse Proxy.

    SSL

    For Reverse Proxy, Offline Protection, and Transparent Inspection modes, specifies whether connections between FortiWeb and the pool member use SSL/TLS.

    For True Transparent Proxy and WCCP modes, specifies whether SSL/TLS processing is offloaded to FortiWeb and SSL/TLS is used for connections between FortiWeb and the pool member:

    For True Transparent Proxy mode, if the pool member requires SNI support, see Configuring server-side SNI support.

    For Offline Protection and Transparent Inspection mode, also configure Certificate File. FortiWeb uses the certificate to decrypt and scan connections before passing the encrypted traffic through to the pool members (SSL inspection).

    Note: Ephemeral (temporary key) Diffie-Hellman exchanges are not supported if the FortiWeb appliance is operating in Transparent Inspection or Offline Protection mode.

    For True Transparent Proxy and WCCP mode, also configure Certificate File, Client Certificate, and the settings described in Defining your web servers. FortiWeb handles SSL negotiations and encryption and decryption instead of the pool member (SSL offloading).

    For Reverse Proxy mode:

    Note: When this option is enabled, the pool member must be configured to apply SSL.

    Note: This option and related settings are required to be well-configured for enabling FortiWeb's HTTP/2 support in True Transparent Proxy mode.

    Enable Multi-certificate

    Enable this option to allow FortiWeb to use multiple local certificates.

    Available when:

    Multi-certificate

    Select the local server certificate created in Server Objects > Certificates > Local > Multi-certificate that FortiWeb uses to encrypt or decrypt SSL-secured connections for the website specified by Defining your web servers. For details, see Defining your web servers.
    Certificate File

    Select the server certificate that FortiWeb uses to decrypt SSL-secured connections.

    For True Transparent Proxy and WCCP modes, also complete the settings described in Defining your web servers.

    Available when:

    Certificate Intermediate Group

    Select the name of a group of intermediate certificate authority (CA) certificates, if any, that FortiWeb presents to clients. An intermediate CA can complete the signing chain and validate the server certificate’s CA signature.

    Configure this option when clients receive certificate warnings that an intermediary CA has signed the server certificate specified by Certificate File, not a root CA or other CA currently trusted by the client directly.

    Alternatively, you can include the entire signing chain in the server certificate itself before you upload it to FortiWeb. For details, see How to offload or inspect HTTPS.

    Available only if the Type is True Transparent Proxy or WCCP and SSL is enabled.

    Client Certificate

    If connections to this pool member require a valid client certificate, select the client certificate that FortiWeb uses.

    Available when:

    • SSL is enabled, and
    • FortiWeb is operating in Reverse Proxy, True Transparent Proxy, or WCCP mode.

    Upload a client certificate for FortiWeb using the steps you use to upload a server certificate. For details, see How to offload or inspect HTTPS.

    Client Certificate Proxy

    Enable to configure seamless PKI integration. When this option is configured, FortiWeb attempts to verify client certificates when users make requests and re-signs new certificates that it sends to the server.

    Also configure Client Certificate Proxy Sign CA.

    For details, see Seamless PKI integration.

    Enable Server Name Indication (SNI) Forwarding

    Enable so that FortiWeb forwards the client's server name in the SSL handshake to the server so that the server handles SNI instead of FortiWeb.

    Client Certificate Proxy Sign CA

    Select the Sign CA that FortiWeb uses to verify and re-sign new client certificates.

    For details, see Seamless PKI integration.

    Add HSTS Header

    Enable to combat MITM attacks on HTTP by injecting the RFC 6797 (http://tools.ietf.org/html/rfc6797) strict transport security header into the reply, such as:

    Strict-Transport-Security: max-age=31536000;includeSubDomains;preload

    This header forces clients to use HTTPS for subsequent visits to this domain. If the certificate is invalid, the client’s web browser receives a fatal connection error and does not display a dialog that allows the user to override the certificate mismatch error and continue.

    Available only when the Type is True Transparent Proxy or WCCP and SSL is enabled.
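A parser and check for the Strict-Transport-Security header described above, as an added example (not FortiWeb code). It splits the RFC 6797 directives, enforces the rule that max-age is required and no directive may repeat, and reports whether a header value meets the one-year max-age, includeSubDomains and preload combination shown in the sample header; the one-year threshold and the wording of the findings are assumptions of this example.

```python
"""Parse and sanity-check a Strict-Transport-Security (RFC 6797) header value.
Added example; not FortiWeb code."""
import re

ONE_YEAR = 31536000  # seconds; assumed minimum max-age, as in the sample header above


def parse_hsts(value: str) -> dict:
    """Split the header value into its directives (RFC 6797 section 6.1).

    Directive names are case-insensitive, each may appear at most once,
    max-age is required and its value may be quoted."""
    seen = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        if name in seen:
            raise ValueError(f"directive {name!r} appears more than once")
        seen[name] = val.strip().strip('"')
    if "max-age" not in seen:
        raise ValueError("max-age directive is required")
    if not re.fullmatch(r"\d+", seen["max-age"]):
        raise ValueError("max-age must be a non-negative integer")
    return {
        "max_age": int(seen["max-age"]),
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,
    }


def hsts_findings(value: str, min_age: int = ONE_YEAR) -> list:
    """Return the reasons a header value falls short of the max-age /
    includeSubDomains / preload combination (empty list means it is fine)."""
    findings = []
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return [f"unparseable: {exc}"]
    if policy["max_age"] == 0:
        findings.append("max-age=0 removes the host from the client's HSTS cache")
    elif policy["max_age"] < min_age:
        findings.append(f"max-age {policy['max_age']} is below {min_age}")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains are not covered")
    if not policy["preload"]:
        findings.append("preload missing: the header is not eligible for preload lists")
    return findings
```

Run hsts_findings() over the header FortiWeb injects, or over a header captured from a response, to confirm the policy is the one you intended; a max-age of 0 is the value that clears a cached policy, so it is reported separately.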

    Add HPKP Header

    Select an HPKP profile, if any, to use to verify certificates when clients attempt to access a server.

    HPKP prevents attackers from carrying out Man in the Middle (MITM) attacks with forged certificates. For details, see HTTP Public Key Pinning.

    Available only if SSL is enabled.

    Certificate Verification

    Select the name of a certificate verifier, if any, that FortiWeb uses to validate an HTTP client’s personal certificate.

    However, if you select Enable Server Name Indication (SNI) and the domain in the client request matches an entry in the specified SNI policy, FortiWeb uses the SNI configuration to determine which certificate verifier to use.

    If you do not select a verifier, clients are not required to present a personal certificate. For details, see How to apply PKI client authentication (personal certificates).

    Personal certificates, sometimes also called user certificates, establish the identity of the person connecting to the website (PKI authentication).

    You can require that clients present a certificate instead of, or in addition to, HTTP authentication. For details, see Offloading HTTP authentication & authorization.

    Note: The client must support TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3.

    Available only when the Type is Reverse Proxy.

    Enable URL Based Client Certificate

    Specifies whether FortiWeb uses a URL-based client certificate group to determine whether a client is required to present a personal certificate.

    Note: This function is not supported for HTTP/2 communication between the Client and this back-end web server.

    URL Based Client Certificate Group

    Specifies the URL-based client certificate group that determines whether a client is required to present a personal certificate.

    If the URL the client requests does not match an entry in the group, the client is not required to present a personal certificate.

    For details about creating a group, see Use URLs to determine whether a client is required to present a certificate.

    Max HTTP Request Length

    Specifies the maximum allowed length for an HTTP request with a URL that matches an entry in the URL-based client certificate group.

    FortiWeb blocks any matching requests that exceed the specified size.

    This setting prevents a request from exceeding the maximum buffer size.

    Client Certificate Forwarding

    Enable to configure FortiWeb to include the X.509 personal certificate presented by the client during the SSL/TLS handshake, if any, in an X-Client-Cert: HTTP header when it forwards the traffic to the protected web server.

    FortiWeb still validates the client certificate itself, but this forwarding action can be useful if the web server requires the client certificate for the purpose of server-side identity-based functionality.

    Custom Header of CCF Subject

    Enter a custom subject header that will include the subject of the X.509 personal certificate presented by the client during the SSL/TLS handshake when it forwards the traffic to the protected web server.

    Available only when Client Certificate Forwarding is enabled.

    Custom Header of CCF Certificate

    Enter a custom certificate header that will include the Base64 certificate of the X.509 personal certificate presented by the client during the SSL/TLS handshake when it forwards the traffic to the protected web server.

    Available only when Client Certificate Forwarding is enabled.

    Enable Server Name Indication (SNI)

    Select to use a Server Name Indication (SNI) configuration instead of or in addition to the server certificate specified by Certificate File.

    The SNI configuration enables FortiWeb to determine which certificate to present on behalf of the pool member based on the domain in the client request. For details, see How to offload or inspect HTTPS.

    If you specify both an SNI configuration and Certificate File, FortiWeb uses the certificate specified by the Certificate File when the domain in the client request does not match a value in the SNI configuration.

    If you select Enable Strict SNI, FortiWeb always ignores the value of the Certificate File.

    Enable Strict SNI

    Select to configure FortiWeb to ignore the value of Certificate File when it determines which certificate to present on behalf of the pool member, even if the domain in a client request does not match a value in the SNI configuration.

    Available only if Enable Server Name Indication (SNI) is selected.

    SNI Policy

    Select the Server Name Indication (SNI) configuration that FortiWeb uses to determine which certificate it presents on behalf of this pool member.

    Available only if Enable Server Name Indication (SNI) is selected.

    Supported SSL Protocols

    Specify which versions of the SSL or TLS cryptographic protocols FortiWeb can use to connect securely to this pool member.

    The TLS protocol changed substantially in version 1.3, including the handshake, the supported cipher suites, and certificates. Make sure you understand how it works before enabling TLS 1.3.

    Note: 0-RTT in TLS 1.3 is disabled by default. You can use the following command to enable it:

    config server-policy setting

    set tls13-early-data-mode enable

    end

    For the supported ciphers of each TLS version, see Supported cipher suites & protocol versions.

    This option is available when:

    • SSL is enabled, and
    • The Type is Reverse Proxy, True Transparent Proxy, or WCCP.
    SSL/TLS Encryption Level

    Specify whether the set of cipher suites that FortiWeb allows creates a medium-security, high-security, or custom configuration.

    For details, see Supported cipher suites & protocol versions.

    Available when:

    • SSL is enabled, and
    • The Type is Reverse Proxy, True Transparent Proxy, or WCCP.

    RFC-9719 Comply

    Enable to apply cipher suites that comply with RFC-9719.

    Supported Group

    Select the RFC-9719 ciphers to support. Supported Group selects the Elliptic Curve Parameters, while SSL/TLS negotiation may choose different Elliptic Curve algorithms, so make sure to select the corresponding ciphers in SSL/TLS Encryption Level.

    • At least one FFDHE group should be selected.

    • At least one DHE cipher should be added.

      Due to a design limitation, you need to select Customized in SSL/TLS Encryption Level and include at least one DHE cipher in the selected list. Using High or Medium together with RFC-9719 leads to an unexpected error. This will be fixed in a future release.

    The system returns an error if either of the above two conditions is not met.

    Note that RFC7919 is not applied to TLS 1.3, so if you have enabled only TLS 1.3 in Supported SSL Protocols, RFC7919 does not take effect even if it is enabled. To apply both TLS 1.3 and RFC7919, enable a non-TLS 1.3 protocol as well, then select at least one DHE cipher.

    Session Ticket Reuse

    Enable so that FortiWeb reuses the session ticket when establishing an SSL connection to a pserver. If the SSL connection has a server name, FortiWeb can only reuse a session ticket for the specified pserver.

    Note: This option is available only when SSL is enabled.

    Session ID Reuse

    Enable so that FortiWeb reuses the session ID when establishing an SSL connection to a pserver. If the SSL connection has a server name, FortiWeb can only reuse a session ID for the specified pserver. If both a session ticket and ID exist for a pserver, FortiWeb will reuse the ticket.

    Note: This option is available only when SSL is enabled.

    Disable Client-Initiated SSL Renegotiation

    Select to ignore requests from clients to renegotiate TLS or SSL.

    This setting protects against denial-of-service (DoS) attacks that use TLS/SSL renegotiation to overburden the server.

    Available only when the Type is Reverse Proxy or True Transparent Proxy.

    Recover

    Specifies the number of seconds that FortiWeb waits before it forwards traffic to this pool member after a health check indicates that this server is available again.

    The default is 0 (disabled). The valid range is 0 to 86,400 seconds.

    After the recovery period elapses, FortiWeb assigns connections at the rate specified by Warm Rate.

    Examples of when the server experiences a recovery and warm-up period:

    • A server is coming back online after the health check monitor detected it was down.
    • A network service is brought up before other daemons have finished initializing and therefore the server is using more CPU and memory resources than when startup is complete.

    To avoid connection problems, specify the separate warm-up rate, recovery rate, or both.

    Tip: During scheduled maintenance, you can also manually apply these limits by setting Status to Maintenance.

    Warm Up

    Specifies for how long FortiWeb forwards traffic at a reduced rate after a health check indicates that this pool member is available again but it cannot yet handle a full connection load.

    For example, when the pool member begins to respond but startup is not fully complete.

    The default is 0 (disabled). The valid range is 1 to 86,400 seconds.

    Warm Rate

    Specifies the maximum connection rate while the pool member is starting up.

    The default is 10 connections per second. The valid range is 0 to 86,400 connections per second.

    The warm-up calibration is useful with servers that bring up the network service before other daemons are initialized. As these servers come online, CPU and memory are more heavily utilized than during normal operation. For these servers, you define separate rates based on warm-up and recovery behavior.

    For example, if Warm Up is 5 and Warm Rate is 2, the maximum number of new connections increases at the following rate:

    • 1st second—Total of 2 new connections allowed (0+2).
    • 2nd second—2 new connections added for a total of 4 new connections allowed (2+2).
    • 3rd second—2 new connections added for a total of 6 new connections allowed (4+2).
    • 4th second—2 new connections added for a total of 8 new connections allowed (6+2).
    • 5th second—2 new connections added for a total of 10 new connections allowed (8+2).
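An admission gate that applies the Recover, Warm Up and Warm Rate settings above to one pool member, as an added example (not FortiWeb's implementation). It reads the worked example as a cumulative budget: nothing is forwarded during the recovery period, then the total number of new connections allowed grows by Warm Rate each second (2, 4, 6, 8, 10 for Warm Up 5 and Warm Rate 2), and the limit is lifted once the warm-up window ends. That reading, the class layout and the time accounting are assumptions of this example.

```python
"""Connection admission during a pool member's recovery and warm-up window,
following the Recover / Warm Up / Warm Rate semantics described above.
Added example; not FortiWeb's implementation."""


class WarmUpGate:
    """Tracks one pool member after a health check reports it up again.

    recover:   seconds to wait before forwarding anything (0 = disabled)
    warm_up:   seconds during which new connections are rate-limited (0 = disabled)
    warm_rate: connections per second allowed during warm-up

    Assumed reading of the worked example in the text: the total number of new
    connections allowed grows by warm_rate every second (2, 4, 6, ...), so the
    budget is cumulative rather than reset each second."""

    def __init__(self, recover: int, warm_up: int, warm_rate: int):
        self.recover, self.warm_up, self.warm_rate = recover, warm_up, warm_rate
        self.up_at = None   # time the health check reported the member up
        self.admitted = 0   # connections admitted since up_at

    def mark_up(self, now: float) -> None:
        """Called when the health check reports the member available again."""
        self.up_at, self.admitted = now, 0

    def budget(self, now: float):
        """Maximum connections allowed so far, or None when no limit applies."""
        elapsed = now - self.up_at
        if elapsed < self.recover:
            return 0                                  # still in the recovery period
        second = int(elapsed - self.recover) + 1      # 1st, 2nd, ... second of warm-up
        if self.warm_up == 0 or second > self.warm_up:
            return None                               # warm-up over: full load
        return self.warm_rate * second

    def admit(self, now: float) -> bool:
        """Return True if a new connection may be forwarded to the member now."""
        limit = self.budget(now)
        if limit is None:
            return True
        if self.admitted >= limit:
            return False
        self.admitted += 1
        return True


def schedule(warm_up: int, warm_rate: int) -> list:
    """Cumulative connections allowed at the end of each warm-up second."""
    return [warm_rate * s for s in range(1, warm_up + 1)]
```

With Recover 3, Warm Up 5 and Warm Rate 2, the gate refuses everything for the first three seconds, then admits at most 2, 4, 6, 8 and 10 connections in total through the following five seconds, and afterwards imposes no limit of its own.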
  • Repeat the previous steps for each IP address or domain that you want to add to the server pool.
  • Click OK.
  • To apply the server pool configuration, do one of the following:
    • Select it in a server policy directly.
    • Select it in an HTTP content routing policy that you can, in turn, select in a server policy.

    For details, see Configuring an HTTP server policy and Routing based on HTTP content.

    See also
    Routing based on HTTP content

    Instead of dynamically routing requests to a server pool simply based upon load or connection distribution at the TCP/IP layers, as basic load balancing does, you can forward them based on the host, headers or other content in the HTTP layer.

    HTTP content routing policies define how FortiWeb routes requests to server pools. They are based on one or more of the following HTTP elements:

    • Host
    • URL
    • HTTP parameter
    • Referer
    • Source IP
    • Header
    • Cookie
    • X509 certificate field value
    • HTTPS SNI
    • Geo IP

    This type of routing can be useful if, for example, a specific web server or group of servers on the back end support specific web applications, functions, or host names. That is, your web servers or server pools are not identical, but specialized. For example:

    • 192.168.0.1—Hosts the website and blog
    • 192.168.0.2 and 192.168.0.3—Host movie clips and multimedia
    • 192.168.0.4 and 192.168.0.5—Host the shopping cart

    Another example is a topology where back-end servers or a traffic controller (TC) server externally manage how FortiWeb routes and balances the traffic load. The TC embeds a cookie that indicates how to route the client’s next request. In the diagram, if a request has no cookie (that is, it initializes a session), FortiWeb’s HTTP content routing is configured to forward that request to the TC, Web Server 1. For subsequent requests, as long as the cookie exists, FortiWeb routes those requests to Web Server 2.

    When FortiWeb operates in Reverse Proxy mode, HTTP Content Routing is partially supported if HTTP/2 security inspection is enabled. In such cases, FortiWeb can handle HTTP/2 for client requests, but traffic between FortiWeb and the server(s) must use HTTP, so the HTTP/2 setting in a server pool configuration would have to remain disabled. For details, see HTTP/2 support.

    To configure HTTP content routing
    1. Go to Server Objects > Server > HTTP Content Routing.
      To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.
    2. Click Create New.
    3. For Name, enter a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.
    4. For Server Pool, select a server pool. FortiWeb forwards traffic to this pool when the traffic matches rules in this policy.
      Select only one server pool for each HTTP content routing configuration. However, multiple HTTP content routing configurations can use the same server pool. For details, see Creating an HTTP server pool.
    5. Note: If the Deployment Mode in the server policy configuration is HTTP Content Routing and HTTP/2 is enabled, keep HTTP/2 disabled in the server pool configuration.

    6. Click OK, then click Create New.
    7. Configure these settings:
    8. If you've configured request rewriting, configure HTTP content-based routing based on the original request, as it appears before FortiWeb has rewritten it.

      For more information on rewriting, see Rewriting & redirecting.

      Match Object Select the object that FortiWeb examines for matching values.
      HTTP Host
      HTTP Host

      Specify one of the following values to match:

      • Match prefix—The host to match begins with the specified string.
      • Match suffix—The host to match ends with the specified string.
      • Match contains—The host to match contains the specified string.
      • Match domain—The host to match contains the specified string between the periods in a domain name.

        For example, if the value is abc, the condition matches the following hostnames:

        dname1.abc.com
        dname1.dname2.abc.com

        However, the same value does not match the following hostnames:

        abc.com
        dname.abc

      • Is equal to—The host to match is the specified string.
      • Regular expression—The host to match has a value that matches the specified regular expression.
      (value)

      Specifies a host value to match.

      If Regular Expression is selected, the value is an expression that matches the object.

      To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

      Reverse

      Enable so that the condition is met when the value you specify to match is not matched.

      Relationship with previous rule
      • And—Matching requests match this entry in addition to other entries in the HTTP content routing list.
      • Or—Matching requests match either this entry or other entries in the list.

      Later, you can use the HTTP content routing list options to adjust the matching sequence for entries.

      HTTP URL

      Specify one of the following values to match:

      • Match prefix—The URL to match begins with the specified string.
      • Match suffix—The URL to match ends with the specified string.
      • Match contains—The URL to match contains the specified string.
      • Match directory—The URL to match contains the specified string between delimiting characters (slash).

        For example, if the value is abc, the condition matches the following URLs:

        test.com/abc/
        test.com/dir1/abc/

        However, the same value does not match the following URLs:

        test.com/abc
        test.abc.com

      • Is equal to—The URL to match is the specified string.
      • Regular expression—The URL to match matches the specified regular expression.
      (value)

      Specifies a URL to match.

      For example, a literal URL, such as /index.php, that a matching HTTP request contains.

      For example, when Is equal to is selected, the value /dir1/abc/index.html matches the following URL:

      http://test.abc.com/dir1/abc/index.html

      If Regular Expression is selected, the value is an expression that matches the object. For example, ^/*.php.

      To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

      Reverse

      Enable so that the condition is met when the value you specify to match is not matched.

      Relationship with previous rule
      • And—Matching requests match this entry in addition to other entries in the HTTP content routing list.
      • Or—Matching requests match either this entry or other entries in the list.

      Later, you can use the HTTP content routing list options to adjust the matching sequence for entries.

      HTTP Parameter

      Parameter Name

      Specify one of the following values to match:

      • Match prefix—The parameter name to match begins with the specified string.
      • Match suffix—The parameter name to match ends with the specified string.
      • Match contains—The parameter name to match contains the specified string.
      • Is equal to—The parameter name to match is the specified string.
      • Regular expression—The parameter name to match matches the specified regular expression.
      (value)

      Specifies a parameter name to match.

      If Regular Expression is selected, the value is an expression that matches the object.

      To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

      Parameter Value

      Specify one of the following values to match:

      • Match prefix—The parameter value to match begins with the specified string.
      • Match suffix—The parameter value to match ends with the specified string.
      • Match contains—The parameter value to match contains the specified string.
      • Is equal to—The parameter value to match is the specified string.
      • Regular expression—The parameter value to match matches the specified regular expression.
      (value)

      Specifies a parameter value to match.

      If Regular Expression is selected, the value is an expression that matches the object.

      To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

      Reverse

      Enable so that the condition is met when the value you specify to match is not matched.

      Relationship with previous rule
      • And—Matching requests match this entry in addition to other entries in the HTTP content routing list.
      • Or—Matching requests match this entry or other entries in the list.

      Later, you can use the HTTP content routing list options to adjust the matching sequence for entries.

      HTTP Referer

      Specify one of the following values to match:

      • Match prefix—The HTTP referer value to match begins with the specified string.
      • Match suffix—The HTTP referer value to match ends with the specified string.
      • Match contains—The HTTP referer value to match contains the specified string.
      • Is equal to—The HTTP referer value to match is the specified string.
      • Regular expression—The HTTP referer value to match matches the specified regular expression.
      (value)

      Specifies an HTTP referer value to match.

      If Regular Expression is selected, the value is an expression that matches the HTTP referer value.

      To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

      Reverse

      Enable so that the condition is met when the value you specify to match is not matched.

      Relationship with previous rule
      • And—Matching requests match this entry in addition to other entries in the HTTP content routing list.
      • Or—Matching requests match this entry or other entries in the list.

      Later, you can use the HTTP content routing list options to adjust the matching sequence for entries.

      HTTP Cookie

      Specify one of the following values to match:

      • Match prefix—The cookie name to match begins with the specified string.
      • Match suffix—The cookie name to match ends with the specified string.
      • Match contains—The cookie name to match contains the specified string.
      • Is equal to—The cookie name to match is the specified string.
      • Regular expression—The cookie name to match matches the specified regular expression.
      (value)

      Specifies a cookie name to match.

      If Regular Expression is selected, the value is an expression that matches the name.

      To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

      Cookie Value

      Specify one of the following values to match:

      • Match prefix—The cookie value to match begins with the specified string.
      • Match suffix—The cookie value to match ends with the specified string.
      • Match contains—The cookie value to match contains the specified string.
      • Is equal to—The cookie value to match is the specified string.
      • Regular expression—The cookie value to match matches the specified regular expression.

        For example, hash[a-fA-F0-7]*.
      (value)

      Specifies a cookie value to match.

      If Regular Expression is selected, the value is an expression that matches the cookie value.

      To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

      Reverse

      Enable so that the condition is met when the value you specify to match is not matched.

      Relationship with previous rule
      • And—Matching requests match this entry in addition to other entries in the HTTP content routing list.
      • Or—Matching requests match either this entry or other entries in the list.

      Later, you can use the HTTP content routing list options to adjust the matching sequence for entries.

      HTTP Header
      Header Name

      Specify one of the following values to match:

      • Match prefix—The header name to match begins with the specified string.
      • Match suffix—The header name to match ends with the specified string.
      • Match contains—The header name to match contains the specified string.
      • Is equal to—The header name to match is the specified string.
      • Regular expression—The header name to match matches the specified regular expression.
      (value)

      Specifies a header name to match.

      If Regular Expression is selected, the value is an expression that matches the name.

      To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

      Header Value

      Specify one of the following values to match:

      • Match prefix—The header value to match begins with the specified string.
      • Match suffix—The header value to match ends with the specified string.
      • Match contains—The header value to match contains the specified string.
      • Is equal to—The header value to match is the specified string.
      • Regular expression—The header value to match matches the specified regular expression.
      (value)

      Specifies a header value to match.

      If Regular Expression is selected, the value is an expression that matches the header value.

      To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

      Reverse

      Enable so that the condition is met when the value you specify to match is not matched.

      Relationship with previous rule
      • And—Matching requests match this entry in addition to other entries in the HTTP content routing list.
      • Or—Matching requests match this entry or other entries in the list.

      Later, you can use the HTTP content routing list options to adjust the matching sequence for entries.

      Source IP

      Specify one of the following values to match:

      • IPv4 Address/Range—The source IP to match is an IPv4 IP address or within a range of IPv4 IP addresses.
      • IPv6 Address/Range—The source IP to match is an IPv6 IP address or within a range of IPv6 IP addresses.
      • Regular expression—The source IP to match matches the specified regular expression.
      • Import From CSV File—The source IPs to match are multiple IP addresses or IP ranges included in the CSV file.
      (value)

      Specifies the source IP addresses to match. You can enter multiple IP addresses and IP ranges separated by commas.

      If Regular Expression is selected, the value is an expression that matches the source IP.

      To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

      Reverse

      Enable so that the condition is met when the value you specify to match is not matched.

      Relationship with previous rule
      • And—Matching requests match this entry in addition to other entries in the HTTP content routing list.
      • Or—Matching requests match either this entry or other entries in the list.

      Later, you can use the HTTP content routing list options to adjust the matching sequence for entries.

      X509 Certificate Subject

      Matches against a specified Relative Distinguished Name (RDN) in the X509 certificate Subject field. Use an attribute-value pair to specify the RDN.

      For example, an X509 certificate has the following Subject field content:

      C=CN, ST=Beijing, L=Haidian, O=fortinet, OU=fortiweb, CN=pc110

      The following settings match a certificate with this Subject field by matching the RDN O=fortinet:

      • X509 Field Name: O
      • Value: =fortinet
      X509 Field Name

      Select the attribute type to match: E, CN, OU, O, L, ST, C.

      X509 Field Value

      Specify one of the following values in the X509 extension to match:

      • Match prefix—The X509 subject value to match begins with the specified string.
      • Match suffix—The X509 subject value to match ends with the specified string.
      • Match contains—The X509 subject value to match contains the specified string.
      • Is equal to—The X509 subject value to match is the specified string.
      • Regular expression—The X509 subject value matches the specified regular expression.
      (value)

      Specifies an X509 Subject value to match.

      If Regular Expression is selected, the value is an expression that matches the X509 Subject value.

      To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

      Reverse

      Enable so that the condition is met when the value you specify to match is not matched.

      Relationship with previous rule
      • And—Matching requests match this entry in addition to other entries in the HTTP content routing list.
      • Or—Matching requests match either this entry or other entries in the list.

      Later, you can use the HTTP content routing list options to adjust the matching sequence for entries.

      X509 Certificate Extension

      Matches against additional fields that the extensions field adds to the X509 certificate.

      For example, an X509 certificate has the following extensions:

      Extensions:

      X509v3 Basic Constraints: CA:TRUE

      X509v3 Subject Alternative Name: URI:aaaa

      X509v3 Issuer Alternative Name: URI:bbbb

      Full Name: URI:cccc

      The following settings match the extension X509v3 Basic Constraints by matching its value:

      • Match Object: X509 Certificate Extension
      • X509 Field Value: Is equal to
      • (value): CA:TRUE
      X509 Field Value

      Specify one of the following values in the X509 extension to match:

      • Match prefix—The X509 extension value to match begins with the specified string.
      • Match suffix—The X509 extension value to match ends with the specified string.
      • Match contains—The X509 extension value to match contains the specified string.
      • Is equal to—The X509 extension value to match is the specified string.
      • Regular expression—The X509 extension value matches the specified regular expression.
      (value)

      Specifies an X509 extension value to match.

      If Regular Expression is selected, the value is an expression that matches the X509 extension value.

      To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

      Reverse

      Enable so that the condition is met when the value you specify to match is not matched.

      Relationship with previous rule
      • And—Matching requests match this entry in addition to other entries in the HTTP content routing list.
      • Or—Matching requests match either this entry or other entries in the list.

      Later, you can use the HTTP content routing list options to adjust the matching sequence for entries.

      HTTPS SNI

      Specify one of the following values in the HTTPS SNI to match:

      • Match prefix—The HTTPS SNI value to match begins with the specified string.
      • Match suffix—The HTTPS SNI value to match ends with the specified string.
      • Match contains—The HTTPS SNI value to match contains the specified string.
      • Is equal to—The HTTPS SNI value to match is the specified string.
      • Regular expression—The HTTPS SNI value matches the specified regular expression.

      (value)

      Specifies an HTTPS SNI value to match.

      If Regular Expression is selected, the value is an expression that matches the HTTPS SNI value.

      To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

      Reverse

      Enable so that the condition is met when the value you specify to match is not matched.

      Relationship with previous rule
      • And—Matching requests match this entry in addition to other entries in the HTTP content routing list.
      • Or—Matching requests match either this entry or other entries in the list.

      Later, you can use the HTTP content routing list options to adjust the matching sequence for entries.

      Geo IP

      Matches against the IP addresses from specified countries.

      Country

      Select one or more countries at left, then click the icon to move the selected countries to the right.

      Reverse

      Enable to match against the IP addresses from the countries not in the Selected Country list.

      ZTNA Tags

      ZTNA Tags

      Select the ZTNA tags to match. For more information on ZTNA, see Zero Trust Network Access (ZTNA).

      Match ZTNA Tags

      All means the request only matches if it has all tags specified;

      Any means the request matches if it has any of the tags specified.

      Reverse

      When Reverse is on, all requests are matched except the ones that meet the Any or All condition.

      For example, if Tag_A and Tag_B are selected and Reverse is on, the matching logic is:

      • When Match ZTNA Tags is Any, all requests are matched except the ones that have either Tag_A or Tag_B.

      • When Match ZTNA Tags is All, all requests are matched except the ones that have both Tag_A and Tag_B.

    9. Click OK.
    10. Repeat the rule creation steps for each HTTP host, HTTP request, or other object that you want to route to this server pool.
    11. If required, select an entry, and then click Move to adjust the rule sequence.
      For an example of how to add logic for the rules, see Example: Concatenating exceptions.
    12. Click OK.
    13. Repeat the policy creation procedure for each server pool, as required. You can also create additional policies that select the same server pool.
    14. To apply an HTTP content routing policy, select it in a server policy. When you add HTTP content routing policies to a server policy, you also select a default policy. The default policy routes traffic that does not match any conditions in the specified routing policies.

    For details, see Configuring an HTTP server policy.
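The match semantics above (in particular Match domain, Match directory, Reverse, and the And/Or relationship between rules) as an added example that is not FortiWeb code: a small rule evaluator with pool names that are placeholders. The page does not state how And and Or combine across a list, so this example assumes each Or starts a new alternative and And joins rules within one.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# "Match domain": the value must be a label between the periods of the host
# name, so "abc" matches dname1.abc.com but not abc.com or dname.abc.
def match_domain(value: str, host: str) -> bool:
    return value.lower() in host.lower().split(".")[1:-1]

# "Match directory": the value must be a path segment with a slash on both
# sides, so "abc" matches test.com/abc/ but not test.com/abc or test.abc.com.
def match_directory(value: str, url: str) -> bool:
    rest = url.split("://", 1)[-1]                 # drop the scheme if present
    path = rest[rest.find("/"):] if "/" in rest else "/"
    return value in path.split("/")[1:-1]          # interior segments only

MATCHERS: Dict[str, Callable[[str, str], bool]] = {
    "prefix": lambda v, s: s.startswith(v),
    "suffix": lambda v, s: s.endswith(v),
    "contains": lambda v, s: v in s,
    "equal": lambda v, s: s == v,
    "regex": lambda v, s: re.search(v, s) is not None,
    "domain": match_domain,
    "directory": match_directory,
}

@dataclass
class Rule:
    obj: str                 # request field: "host", "url", "header:Referer", "cookie:<name>", ...
    kind: str                # a key of MATCHERS
    value: str
    reverse: bool = False    # Reverse: condition is met when the value does NOT match
    relation: str = "and"    # relationship with previous rule: "and" or "or"

def rule_matches(rule: Rule, request: Dict[str, str]) -> bool:
    subject = request.get(rule.obj)
    hit = subject is not None and MATCHERS[rule.kind](rule.value, subject)
    return (not hit) if rule.reverse else hit

def evaluate(rules: List[Rule], request: Dict[str, str]) -> bool:
    """Evaluate a rule list in order. Assumption (precedence is not stated on
    the page): each "or" rule starts a new alternative, and all rules joined
    by "and" inside an alternative must hold for it to match."""
    if not rules:
        return False
    groups: List[List[Rule]] = [[]]
    for i, rule in enumerate(rules):
        if i > 0 and rule.relation == "or":
            groups.append([])
        groups[-1].append(rule)
    return any(all(rule_matches(r, request) for r in g) for g in groups)

def select_pool(policies: List[Tuple[List[Rule], str]], request: Dict[str, str],
                default_pool: str) -> str:
    """Return the pool of the first matching rule list, else the default pool."""
    for rules, pool in policies:
        if evaluate(rules, request):
            return pool
    return default_pool

# Constructed policies mirroring the page's URL/path and Host: routing
# examples; the pool names are placeholders, not FortiWeb configuration.
EXAMPLE_POLICIES: List[Tuple[List[Rule], str]] = [
    ([Rule("host", "equal", "www.example.com"),
      Rule("url", "prefix", "/games")], "pool-10.0.0.11"),
    ([Rule("host", "equal", "www.example.com"),
      Rule("url", "prefix", "/school")], "pool-10.0.0.12"),
    ([Rule("host", "equal", "www.example.de")], "pool-www2-www1"),
    ([Rule("host", "equal", "www.example.cn"),
      Rule("host", "equal", "www.example.co.jp", relation="or")], "pool-www3-www1"),
]
```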

    See also
    Example: Routing according to URL/path

    Your FortiWeb appliance might have one virtual server (the front end) protecting three physical web servers (the back end).

    From the perspective of clients connecting to the front end, there is one domain name: www.example.com. At this host name, there are three top-level URLs:

    • /games—Game application
    • /school—School application
    • /work—Work application

    In a client’s web browser, therefore, they might go to the location:

    http://www.example.com/games

    Behind the FortiWeb, however, each of those 3 web applications actually resides on separate back-end web servers with different IP addresses, and each has its own server pool:

    • 10.0.0.11/games—Game application
    • 10.0.0.12/school—School application
    • 10.0.0.13/work—Work application

    In this case, you configure HTTP content routing so FortiWeb routes HTTP requests to http://www.example.com/school to the server pool that contains 10.0.0.12. Similarly, requests for the URL /games go to a pool that contains 10.0.0.11, and requests for the URL /work go to a pool that contains 10.0.0.13.

    See also
    Example: Routing according to the HTTP “Host:” field

    Your FortiWeb appliance might have one virtual server (the front end) protecting three physical web servers (the back end).

    From the perspective of clients connecting to the front end, Example Company’s website has a few domain names:

    • http://www.example.com
    • http://www.example.cn
    • http://www.example.de
    • http://www.example.co.jp

    Public DNS resolves all of these domain names to one IP address: the virtual server on FortiWeb.

    At the data center, behind the FortiWeb, separate physical web servers host some region-specific websites. Other websites have lighter traffic and are maintained by the same person, and therefore a shared server hosts them. Each back-end web server has a DNS alias. When you configure the server pools, you define each pool member using its DNS alias, rather than its IP address:

    • www1.example.com—Hosts www.example.com, plus all other host names’ content, in case the other web servers fail or have scheduled down time
    • www2.example.com—Hosts www.example.de
    • www3.example.com—Hosts www.example.cn & www.example.co.jp

    While public DNS servers all resolve these aliases to the same IP address—FortiWeb’s virtual server—your private DNS server resolves these DNS names to separate IPs on your private network: the back-end web servers.

    • www1.example.com—Resolves to 192.168.0.1
    • www2.example.com—Resolves to 192.168.0.2
    • www3.example.com—Resolves to 192.168.0.3

    In this case, you configure HTTP content routing to route requests from clients based on the original Host: field in the HTTP header to a server pool that contains the appropriate DNS aliases. The destination back-end web server is determined at request time using server health check statuses, as well as private network DNS that resolves the DNS alias into its current private network IP address:

    • http://www.example.com/—Routes to a pool that contains www1.example.com
    • http://www.example.de/—Routes to a pool that contains members www2.example.com and www1.example.com. The www2.example.com pool member is first in the list and receives requests unless that web server is down, in which case FortiWeb routes requests to www1.example.com
    • http://www.example.cn/ & http://www.example.co.jp/—Routes to a pool that contains members www3.example.com and www1.example.com. The www3.example.com pool member is first in the list and receives requests unless that web server is down, in which case FortiWeb routes requests to www1.example.com

    If you need to maintain HTTP session continuity for web applications, ensure the pool has a persistence policy that forwards subsequent requests from a client to the same back-end web server as the initial request.

    See also
    Example: HTTP routing with full URL & host name rewriting

    In some cases, HTTP header-based routing is not enough on its own and must be combined with request or response rewriting.

    Example.com hosts calendar, inventory, and customer relations management web applications separately: one app per specialized server. Each web application resides in its web server’s root folder ( / ). Each back-end web server is named after the only web application that it hosts:

    • calendar.example.com/
    • inventory.example.com/
    • crm.example.com/

    Therefore each request must be routed to a specific back-end web server. Requests for the calendar application forwarded to crm.example.com, for example, would result in an HTTP 404 error code.

    These back-end DNS names are publicly resolvable. However, for legacy reasons, clients may request pages as if all apps were hosted on a single domain, www.example.com:

    • www.example.com/calendar
    • www.example.com/inventory
    • www.example.com/crm

    Because the URLs requested by clients (prefixed by /calendar etc.) do not actually exist on the back-end servers, HTTP header-based routing is not enough. Alone, HTTP header-based routing with these older location structures would also result in HTTP 404 error codes, as if the clients’ requests were effectively for:

    • calendar.example.com/calendar
    • inventory.example.com/inventory
    • crm.example.com/crm

    To compensate for the new structure on the back end, request URLs must be rewritten: FortiWeb removes the application name prefix in the URL.

    URL and host name transformation to match HTTP routing

    For performance reasons, FortiWeb also rewrites the Host: field. All subsequent requests from the client use the correct host and URL and do not require any modification or HTTP-based routing. Otherwise, FortiWeb would need to rewrite every subsequent request in the session, and analyze the HTTP headers for routing every subsequent request in the session.
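The URL and Host: transformation described in this example, as an added illustration that is not FortiWeb code: a function that maps a legacy www.example.com/<app>/... request to the dedicated back-end host with the application prefix removed, and returns None for requests it would not rewrite (the table of applications is constructed from the three named on the page).

```python
from typing import Optional, Tuple

# Constructed table: legacy URL prefix -> dedicated back-end host. Each app is
# served from its own server's root folder, as the example above describes.
APP_HOSTS = {
    "calendar": "calendar.example.com",
    "inventory": "inventory.example.com",
    "crm": "crm.example.com",
}
LEGACY_HOST = "www.example.com"

def rewrite_request(host: str, path: str) -> Optional[Tuple[str, str]]:
    """Return (new_host, new_path) for a legacy request, or None when the
    request is not one that needs rewriting. Without the rewrite, the app
    server would receive e.g. /calendar/... which it does not serve (404)."""
    if host.lower() != LEGACY_HOST:
        return None
    # Match the prefix as a whole path segment: "/calendarx/..." is not the
    # calendar app. The query string is ignored when identifying the segment.
    segments = path.split("?", 1)[0].split("/")
    app = segments[1] if len(segments) > 1 else ""
    if app not in APP_HOSTS:
        return None
    new_path = path[len(app) + 1:]            # drop the leading "/<app>"
    if not new_path or new_path.startswith("?"):
        new_path = "/" + new_path             # the app lives at the server root
    return APP_HOSTS[app], new_path

def route_without_rewrite(host: str, path: str) -> Optional[Tuple[str, str]]:
    """Header-based routing alone: the request reaches the right server but
    keeps the legacy path, which is the 404 case the example warns about."""
    rewritten = rewrite_request(host, path)
    return None if rewritten is None else (rewritten[0], path)
```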

    See also