Unlike virtual IPs on FortiGate or virtual servers on FortiWeb, virtual servers on FortiADC are activated as soon as you configure them and set status to Enable. You do not apply them by selecting them in a policy. |
Settings | Guidelines |
Name | Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. This name appears in reports and in logs as the SLB “policy”. After you initially save the configuration, you cannot edit the name. |
Status | • Enable—The server can receive new sessions. • Disable—The server does not receive new sessions and closes any current sessions as soon as possible. • Maintain—The server does not receive new sessions but maintains any current connections. |
Type | • Layer 7—Persistence, load balancing, and routing are based on Layer 7 objects, such as HTTP headers, cookies, and so on. • Layer 4—Persistence, load balancing, and network address translation are based on Layer 4 objects, such as source and destination IP address. • Layer 2—This feature is useful when the request’s destination IP is unknown and you need to load balance connections between multiple next-hop gateways. |
Address Type | • IPv4 • IPv6 Note: IPv6 is not supported for FTP or HTTP Turbo profiles. |
Configuration | |
Address | IP address provisioned for the virtual server. Note: You do not specify an IP address for a Layer 2 virtual server. A Layer 2 virtual server is not aware of IP addresses. Instead of routing data for a specific destination, this type of server simply forwards data from the specified network interface and port. |
Port | Port number to listen for client requests. Note: If a Layer 2 virtual server is assigned a network interface that uses port 80 or 443, ensure that the HTTPS and HTTP administrative access options are not enabled for the interface. |
Port Range | Number of ports in a port range. For example, if Port is 80, and port-range is 254, then the virtual port range starts at 80 and goes to 334. The default is 0 (no range). The valid range is 0-255. The port range option is useful in deployments where it is desirable to have a virtual IP address with a large number of virtual ports, such as data centers or web hosting companies that use port number to identify their specific customers. Statistics and configurations are applied to the virtual port range as a whole and not to the individual ports within the specified range. Note: Not supported for HTTP Turbo, RADIUS, FTP, or Layer 2 TCP profiles. |
Connection Limit | Limit the number of concurrent connections. The default is 0 (disabled). The valid range is 1 to 1,048,576 concurrent connections. You can apply a connection limit per real server and per virtual server. Both limits are enforced. Attempted connections that are dropped by security rules are not counted. Note: Not supported for FTP profiles. |
Connection Rate Limit | With Layer 4 profiles, and with the Layer 2 TCP profile, you can limit the number of new connections per second. The default is 0 (disabled). The valid range is 1 to 86,400 connections per second. You can apply a connection rate limit per real server and per virtual server. Both limits are enforced. Attempted connections that are dropped by security rules are not counted. Note: Not supported for FTP profiles. |
Transaction Rate Limit | Limit the number of HTTP requests per second. The default is 0 (disabled). The valid range is 1 to 1,048,567 transactions per second. The system counts each client HTTP request against the limit. When the HTTP request rate exceeds the limit, the virtual server sends an HTTP 503 error response to the client. Note: Not supported for HTTP Turbo profiles. |
Interface | Network interface that receives client traffic for this virtual server. |
Specifics | |
Content Routing | Enable to route packets to backend servers based on IP address (Layer 4) or HTTP headers (Layer 7 content); select content route configuration objects and put them in order. Overrides static or policy routes. Note: You can select multiple content routing rules in the virtual server configuration. Rules that you add are consulted from top to bottom. The first rule to match is applied. If the traffic does not match any of the content routing rule conditions specified in the virtual server configuration, the system behaves unexpectedly. Therefore, it is important that you create a “catch all” rule that has no match conditions. In the virtual server configuration, this rule should be ordered last so it can be used to forward traffic to a default pool. |
Content Rewriting | Enable to rewrite HTTP headers; select content rewriting rules and put them in order. Note: You can select multiple content rewriting rules in the virtual server configuration. Rules that you add are consulted from top to bottom. The first rule to match is applied. If the traffic does not match any of the content rewriting rule conditions, the header is not rewritten. |
Layer 4 only | |
Packet Forwarding Method | For Layer 4 virtual servers, select one of the following packet forwarding methods: • Direct Routing—Forwards the source and destination IP addresses with no changes. Note: For FTP profiles, when Direct Routing is selected, you must also configure a persistence method. • DNAT—Replaces the destination IP address with the IP address of the backend server selected by the load balancer. The destination IP address of the initial request is the IP address of the virtual server. Be sure to configure FortiADC as the default gateway on the backend server so that the reply goes through FortiADC and can also be translated. • Full NAT—Replaces both the destination and source IP addresses. IPv4 to IPv4 or IPv6 to IPv6 translation. • NAT46—Replaces both the destination and source IP addresses, translating IPv4 addresses to IPv6 addresses. • NAT64—Replaces both the destination and source IP addresses, translating IPv6 addresses to IPv4 addresses. For Full NAT, NAT46, and NAT64, the source IP address is replaced by an IP address from the pool you specify. The destination IP address is replaced with the IP address of the backend server selected by the load balancer |
Source Pool | If you are configuring a Layer 4 virtual server and enable Full NAT, NAT46, or NAT64, select a source pool configuration object. See “Using source pools”. |
Resources | |
Profile | Select a predefined or user-defined profile configuration object. See “Configuring profiles”. |
Persistence | Select a predefined or user-defined persistence configuration object. See “Configuring persistence rules”. |
Method | Select a predefined or user-defined method configuration object. See “Configuring methods”. |
Real Server | Select a real server pool configuration object. See “Configuring pools of real servers”. |
Auth Policy | Select an auth policy configuration object. HTTP/HTTPS only. |
Scripting | Select a scripting configuration object. HTTP/HTTPS only. See “Using scripts”. |
WAF Profile | Select a predefined or user-defined WAF profile configuration object. Layer 7 HTTP/HTTPS only. See “Using web application firewall policies”. |
Error Page | |
Error Page | Select an error page configuration object. See “Configuring error pages”. |
Error Message | If you do not use an error page, you can enter an error message to be returned to clients in the event no server is available. |
Traffic Log | |
Log | Enable to record traffic logs for this virtual server. Note: Local logging is constrained by available disk space. We recommend that if you enable traffic logs, you monitor your disk space closely. We also recommend that you use local logging during evaluation and verification of your initial deployment, and then configure remote logging to send logs to a log management repository. |