Unlike virtual IPs on FortiGate or virtual servers on FortiWeb, virtual servers on FortiADC are activated as soon as you configure them and set status to enable. You do not apply them by selecting them in a policy. |
type | Specify the virtual server type: • l7-load-balance: Persistence, load balancing, and routing are based on Layer 7 objects, such as HTTP headers, cookies, and so on. • l4-load-balance: Persistence, load balancing, and network address translation are based on Layer 4 objects, such as source and destination IP address. • l2-load-balance: This feature is useful when the request’s destination IP is unknown and you need to load balance connections between multiple next-hop gateways. After you have specified the type, the CLI commands are constrained to the ones that are applicable to the specified type, not all of the settings described in this table. |
addr-type | • IPv4 • IPv6 Note: IPv6 is not supported for FTP or HTTP Turbo profiles. |
alone | Enable/disable alone mode. When enabled, each virtual server is handled by a separate haproxy daemon. When disabled, all virtual servers are handled by one haproxy daemon. Note: HTTP, HTTPS, and TCPS only. |
auth-policy | Specify an auth policy configuration object. HTTP/HTTPS only. |
connection-limit | Limit the number of concurrent connections. The default is 0 (disabled). The valid range is 1 to 1,048,576 concurrent connections. You can apply a connection limit per real server and per virtual server. Both limits are enforced. Attempted connections that are dropped by security rules are not counted. Note: Not supported for FTP profiles. |
connection-pool | Specify a connection pool configuration object. |
connection-rate-limit | With all Layer 4 profiles, and with the Layer 2 TCP profile, you can limit the number of new connections per second. The default is 0 (disabled). The valid range is 1 to 86,400 connections per second. You can apply a connection rate limit per real server and per virtual server. Both limits are enforced. Attempted connections that are dropped by security rules are not counted. Note: Not supported for FTP profiles. |
content-rewriting | Enable to rewrite HTTP headers. |
content-rewriting-list | Specify content rewriting rules. Note: You can select multiple content rewriting rules in the virtual server configuration. Rules that you add are consulted from top to bottom. The first rule to match is applied. If the traffic does not match any of the content rewriting rule conditions, the header is not rewritten. |
content-routing | Enable to route packets to backend servers based on IP address (Layer 4) or HTTP headers (Layer 7 content). Overrides static or policy routes. |
content-routing-list | Specify content route configuration objects. Note: You can specify multiple content routing rules in the virtual server configuration. Rules that you add are consulted from top to bottom. The first rule to match is applied. If the traffic does not match any of the content routing rule conditions specified in the virtual server configuration, the system behaves unexpectedly. Therefore, it is important that you create a “catch all” rule that has no match conditions. In the virtual server configuration, this rule should be ordered last so it can be used to forward traffic to a default pool. |
error-msg | Specify an error page configuration object. |
error-page | If you do not use an error page, you can enter an error message to be returned to clients in the event no server is available. |
geoip-blocklist | Specify a geography IP address block list configuration object. |
whitelist | Specify a geography IP address whitelist configuration object. |
id | Deprecated. |
interface | Network interface that receives client traffic for this virtual server. |
ip | IP address provisioned for the virtual server. Note: You do not specify an IP address for a Layer 2 virtual server. A Layer 2 virtual server is not aware of IP addresses. Instead of routing data for a specific destination, this type of server simply forwards data from the specified network interface and port. |
port | Port number to listen for client requests. Note: If a Layer 2 virtual server is assigned a network interface that uses port 80 or 443, ensure that the HTTPS and HTTP administrative access options are not enabled for the interface. |
port-range | Specify the number of ports in a port range. For example, if port is 80, and port-range is 254, then the virtual port range starts at 80 and goes to 334. The default is 0 (no range). The valid range is 0-255. The port-range option is useful in deployments where it is desirable to have a virtual IP address with a large number of virtual ports, such as data centers or web hosting companies that use port number to identify their specific customers. Statistics and configurations are applied to the virtual port range as a whole and not to the individual ports within the specified range. Note: Not supported for HTTP Turbo, RADIUS, FTP, or Layer 2 TCP profiles. |
load-balance-method | Specify a predefined or user-defined method configuration object. |
load-balance-persistence | Specify a predefined or user-defined persistence configuration object. |
load-balance-pool | Specify a server pool configuration object. |
load-balance-profile | Specify a predefined or user-defined profile configuration object. |
multi-process | If your system has a multicore CPU, you can assign the number of CPU cores to handle traffic for a virtual server. The valid range is 1 to 15. Note: HTTP, HTTPS, and TCPS only. |
packet-forwarding-method | In Layer 4 virtual server deployments, select one of the following packet forwarding methods: • direct_routing — Forwards the source and destination IP addresses with no changes. Note: For FTP profiles, when Direct Routing is selected, you must also configure a persistence method. • NAT — Replaces the destination IP address with the IP address of the backend server selected by the load balancer. The destination IP address of the initial request is the IP address of the virtual server. Be sure to configure FortiADC as the default gateway on the backend server so that the reply goes through FortiADC and can also be translated. • FullNAT —Replaces both the destination and source IP addresses. IPv4 to IPv4 or IPv6 to IPv6 translation. • NAT46—Replaces both the destination and source IP addresses, translating IPv4 addresses to IPv6 addresses. • NAT64—Replaces both the destination and source IP addresses, translating IPv6 addresses to IPv4 addresses. For Full NAT, NAT46, and NAT64, the source IP address is replaced by an IP address from the pool you specify with ippool. The destination IP address is replaced with the IP address of the backend server selected by the load balancer. |
ippool | If you are configuring a Layer 4 virtual server and enable Full NAT, NAT46, or NAT64, specify a source pool configuration object. |
scripting | Specify an auth policy configuration object. HTTP/HTTPS only. |
status | • enable—The server can receive new sessions. • disable—The server does not receive new sessions and closes any current sessions as soon as possible. • maintain—The server does not receive new sessions but maintains any current connections. |
traffic-log | Enable to record traffic logs for this virtual server. Note: Local logging is constrained by available disk space. We recommend that if you enable traffic logs, you monitor your disk space closely. We also recommend that you use local logging during evaluation and verification of your initial deployment, and then configure remote logging to send logs to a log management repository. |
trans-rate-limit | Limit the number of HTTP requests per second. The default is 0 (disabled). The valid range is 1 to 1,048,567 transactions per second. The system counts each client HTTP request against the limit. When the HTTP request rate exceeds the limit, the virtual server sends an HTTP 503 error response to the client. Note: Not supported for HTTP Turbo profiles. |
waf-profile | Specify a web application firewall (WAF) profile configuration object. |
warm-rate | Maximum connection rate while the virtual server is starting up. The default is 10 connections per second. The valid range is 1 to 86,400 connections per second. If Warm Up is 5 and Warm Rate is 2, the number of allowed new connections increases at the following rate: • 1st second—Total of 2 new connections allowed (0+2). • 2nd second—2 new connections added for a total of 4 new connections allowed (2+2). • 3rd second—2 new connections added for a total of 6 new connections allowed (4+2). • 4th second—2 new connections added for a total of 8 new connections allowed (6+2). • 5th second—2 new connections added for a total of 10 new connections allowed (8+2). |
warm-up | If the server cannot initially handle full connection load when it begins to respond to health checks (for example, if it begins to respond when startup is not fully complete), indicate how long to forward traffic at a lesser rate. The default is 0 (disabled). The valid range is 1 to 86,400 seconds. |