firewall : vip
 
vip
Use this command to configure virtual IPs and their associated address and port mappings (NAT).
Virtual IPs can be used to allow connections through a FortiGate unit using network address translation (NAT) firewall policies. Virtual IPs can use proxy ARP so that the FortiGate unit can respond to ARP requests on a network for a server that is actually installed on another network. Proxy ARP is defined in RFC 1027.
For example, you can add a virtual IP to an external FortiGate unit interface so that the external interface can respond to connection requests for users who are actually connecting to a server on the DMZ or internal network.
Depending on your configuration of the virtual IP, its mapping may involve port address translation (PAT), also known as port forwarding or network address port translation (NAPT), and/or network address translation (NAT) of IP addresses.
If you configure NAT in the virtual IP and firewall policy, the NAT behavior varies by your selection of:
static vs. dynamic NAT mapping
the dynamic NAT’s load balancing style, if using dynamic NAT mapping
full NAT vs. destination NAT (DNAT)
The following table describes combinations of PAT and/or NAT that are possible when configuring a firewall policy with a virtual IP.
Static NAT
Static, one-to-one NAT mapping: an external IP address is always translated to the same mapped IP address.
If using IP address ranges, the external IP address range corresponds to a mapped IP address range containing an equal number of IP addresses, and each IP address in the external range is always translated to the same IP address in the mapped range.
Static NAT with Port Forwarding
Static, one-to-one NAT mapping with port forwarding: an external IP address is always translated to the same mapped IP address, and an external port number is always translated to the same mapped port number.
If using IP address ranges, the external IP address range corresponds to a mapped IP address range containing an equal number of IP addresses, and each IP address in the external range is always translated to the same IP address in the mapped range. If using port number ranges, the external port number range corresponds to a mapped port number range containing an equal number of port numbers, and each port number in the external range is always translated to the same port number in the mapped range.
Load Balancing
Dynamic, one-to-many NAT mapping: an external IP address is translated to one of the mapped IP addresses. For each session, a load balancing algorithm dynamically selects an IP address from the mapped IP address range to provide more even traffic distribution. The external IP address is not always translated to the same mapped IP address.
Load Balancing with Port Forwarding
Dynamic, one-to-many NAT mapping with port forwarding: an external IP address is translated to one of the mapped IP addresses. For each session, a load balancing algorithm dynamically selects an IP address from the mapped IP address range to provide more even traffic distribution. The external IP address is not always translated to the same mapped IP address.
Dynamic Virtual IPs
Dynamic, one-to-one NAT mapping for an interface with dynamically assigned IP address. If you set the external IP address of a virtual IP to 0.0.0.0, the interface maps traffic destined for the interface IP address, and is dynamically translated to a mapped IP address or address range.
Server Load Balancing
Dynamic, one-to-many NAT mapping: an external IP address is translated to one of the mapped IP addresses, as determined by the selected load balancing algorithm for more even traffic distribution. The external IP address is not always translated to the same mapped IP address.
Server load balancing requires that you configure at least one “real” server, but can use up to eight (8) real servers per virtual IP (VIP). Real servers can be configured with health check monitors. Health check monitors can be used to gauge server responsiveness before forwarding packets.
Server Load Balancing with Port Forwarding
Dynamic, one-to-many NAT mapping with port forwarding: an external IP address is translated to one of the mapped IP addresses, as determined by the selected load balancing algorithm for more even traffic distribution. The external IP address is not always translated to the same mapped IP address.
Server load balancing requires that you configure at least one “real” server, but can use up to eight (8) real servers per virtual IP (VIP). Real servers can be configured with health check monitors. Health check monitors can be used to gauge server responsiveness before forwarding packets.
 
If the NAT check box is not selected when building the firewall policy, the resulting policy does not perform full (source and destination) NAT; instead, it performs destination network address translation (DNAT).
For inbound traffic, DNAT translates packets’ destination address to the mapped private IP address, but does not translate the source address. The private network is aware of the source’s public IP address. For reply traffic, the FortiGate unit translates packets’ private network source IP address to match the destination address of the originating packets, which is maintained in the session table.
The following limitations apply when adding virtual IPs, Load balancing virtual servers, and load balancing real servers. Load balancing virtual servers are actually server load balancing virtual IPs. You can add server load balance virtual IPs from the CLI.
Virtual IP extip entries or ranges cannot overlap with each other unless src-filter is used.
A virtual IP mappedip cannot be 0.0.0.0 or 255.255.255.255.
A real server IP cannot be 0.0.0.0 or 255.255.255.255.
If a static NAT virtual IP extip is 0.0.0.0, the mappedip must be a single IP address.
If a load balance virtual IP extip is 0.0.0.0, the mappedip can be an address range.
When port forwarding, the count of mappedport and extport numbers must be the same. The web-based manager does this automatically but the CLI does not.
Virtual IP names must be different from firewall address or address group names.
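As an added example (not Fortinet code), the following Python models the constraints in the list above together with the equal-count rule for static NAT ranges: it derives the external range that a static-nat VIP with a mappedip range implies, and flags overlapping extip ranges, forbidden mappedip values and mismatched port-range counts. The addresses in the sample are constructed documentation ranges, and the Vip record and its field names are this example's own, not FortiOS object names.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

ANY = 0                       # 0.0.0.0 as an integer
BCAST = 0xFFFFFFFF            # 255.255.255.255 as an integer


@dataclass
class Vip:
    """Hypothetical record holding the VIP fields the checks need (not a FortiOS API)."""
    name: str
    type: str                 # static-nat | load-balance | server-load-balance | dns-translation
    extip: str                # "a.b.c.d" or "a.b.c.d-w.x.y.z"
    mappedip: str             # "a.b.c.d" or "a.b.c.d-w.x.y.z"
    portforward: bool = False
    extport: str = "0"        # "80" or "8000-8010"
    mappedport: str = "0"
    src_filter: List[str] = field(default_factory=list)


def parse_ip_range(text: str) -> Tuple[int, int]:
    """'10.0.0.1' -> (n, n); '10.0.0.1-10.0.0.4' -> (n, n+3), as integers."""
    first, _, last = text.partition("-")
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last)) if last else lo
    if hi < lo:
        raise ValueError(f"inverted range {text}")
    return lo, hi


def parse_port_range(text: str) -> Tuple[int, int]:
    first, _, last = text.partition("-")
    lo, hi = int(first), (int(last) if last else int(first))
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {text}")
    return lo, hi


def external_range(vip: Vip) -> Tuple[int, int]:
    """External addresses the VIP claims. For static-nat with a mappedip range and a
    single extip, extip is the first address and the last is derived so that both
    ranges hold the same number of addresses (the one-to-one mapping rule)."""
    ext_lo, ext_hi = parse_ip_range(vip.extip)
    if vip.type == "static-nat" and ext_lo == ext_hi and "-" in vip.mappedip:
        m_lo, m_hi = parse_ip_range(vip.mappedip)
        ext_hi = ext_lo + (m_hi - m_lo)
    return ext_lo, ext_hi


def fmt_range(lo: int, hi: int) -> str:
    a, b = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
    return str(a) if lo == hi else f"{a}-{b}"


def check_vip(vip: Vip) -> List[str]:
    """Per-VIP rules from the limitations list."""
    problems = []
    m_lo, m_hi = parse_ip_range(vip.mappedip)
    if ANY in (m_lo, m_hi) or BCAST in (m_lo, m_hi):
        problems.append(f"{vip.name}: mappedip cannot be 0.0.0.0 or 255.255.255.255")
    ext_lo, _ = parse_ip_range(vip.extip)
    if vip.type == "static-nat" and ext_lo == ANY and m_lo != m_hi:
        problems.append(f"{vip.name}: static-nat with extip 0.0.0.0 needs a single mappedip")
    if vip.portforward:
        e_lo, e_hi = parse_port_range(vip.extport)
        p_lo, p_hi = parse_port_range(vip.mappedport)
        if e_hi - e_lo != p_hi - p_lo:          # the CLI does not pad this for you
            problems.append(f"{vip.name}: extport and mappedport must cover the same number of ports")
    return problems


def check_overlaps(vips: List[Vip]) -> List[str]:
    """extip entries or ranges may not overlap unless src-filter narrows one of them."""
    problems = []
    ranges = [(v, external_range(v)) for v in vips]
    for i, (a, (a_lo, a_hi)) in enumerate(ranges):
        for b, (b_lo, b_hi) in ranges[i + 1:]:
            if a_lo <= b_hi and b_lo <= a_hi and not (a.src_filter or b.src_filter):
                problems.append(f"{a.name} and {b.name}: extip ranges overlap without src-filter")
    return problems


def validate(vips: List[Vip]) -> List[str]:
    problems = []
    for v in vips:
        problems.extend(check_vip(v))
    problems.extend(check_overlaps(vips))
    return problems


# Constructed sample (documentation address ranges, not from the reference): a
# static-nat range VIP, a port-forwarding VIP that breaks the equal-count rule,
# and a single-address VIP that lands inside the first VIP's derived range.
SAMPLE = [
    Vip("web-farm", "static-nat", "203.0.113.10", "10.0.0.10-10.0.0.13"),
    Vip("ssh-fwd", "static-nat", "203.0.113.20", "10.0.0.20",
        portforward=True, extport="2200-2209", mappedport="22"),
    Vip("mail", "static-nat", "203.0.113.12", "10.0.0.30"),
]

if __name__ == "__main__":
    print("web-farm external range:", fmt_range(*external_range(SAMPLE[0])))
    for problem in validate(SAMPLE):
        print("PROBLEM:", problem)
```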
Syntax
config firewall vip
    edit <name_str>
        set arp-reply {enable | disable}
        set comment <comment_str>
        set dns-mapping-ttl <int>
        set extintf <name_str>
        set extip <address_ipv4>[-<address_ipv4>]
        set extport <port_int>
        set gratuitous-arp-interval <interval_seconds>
        set http-cookie-age <age_int>
        set http-cookie-domain <domain_str>
        set http-cookie-domain-from-host {enable | disable}
        set http-cookie-generation <generation_int>
        set http-cookie-path <path_str>
        set http-cookie-share {disable | same-ip}
        set http-ip-header {enable | disable}
        set http-ip-header-name <ip-header-name>
        set http-multiplex {enable | disable}
        set https-cookie-secure {disable | enable}
        set id <id_num_str>
        set ldb-method {first-alive | http-host | least-rtt | least-session | round-robin | static | weighted}
        set mappedip [<start_ipv4>-<end_ipv4>]
        set mappedport <port_int>
        set max-embryonic-connections <initiated_int>
        set monitor <name_str>
        set nat-source-vip {enable | disable}
        set outlook-web-access {disable | enable}
        set persistence {none | ssl-session-id | http-cookie}
        set portforward {enable | disable}
        set portmapping-type {1-to-1 | m-to-n}
        set protocol {sctp | tcp | udp | icmp}
        set server-type {http | https | imaps | ip | pop3s | smtps | ssl | tcp | udp}
        set src-filter <addr_str>
        set srcintf-filter <intf_str>
        set ssl-mode {full | half}
        set ssl-algorithm {low | medium | high | custom}
        set ssl-certificate <certificate_str>
        set ssl-client-renegotiation {allow | deny | secure}
        set ssl-client-session-state-max <sessionstates_int>
        set ssl-client-session-state-timeout <timeout_int>
        set ssl-client-session-state-type {both | count | disable | time}
        set ssl-dh-bits <bits_int>
        set ssl-http-location-conversion {enable | disable}
        set ssl-http-match-host {enable | disable}
        set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1}
        set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1}
        set ssl-pfs {allow | deny | require}
        set ssl-send-empty-frags {enable | disable}
        set ssl-server-session-state-max <sessionstates_int>
        set ssl-server-session-state-timeout <timeout_int>
        set ssl-server-session-state-type {both | count | disable | time}
        set type {dns-translation | load-balance | server-load-balance | static-nat}
        set weblogic-server {enable | disable}
        set websphere-server {enable | disable}
        config realservers
            edit <table_id>
                set client-ip <ip_range_ipv4> [<ip_range_ipv4>] [<ip_range_ipv4>] [<ip_range_ipv4>]
                set healthcheck {enable | disable}
                set holddown-interval <seconds_int>
                set http-host <host_str>
                set ip <server_ip>
                set max-connections <connection_integer>
                set monitor <healthcheck_str>
                set port <port_int>
                set status {active | disable | standby}
                set weight <loadbalanceweight_int>
            end
        config ssl-cipher-suites
            edit <id>
                set cipher <cipher_name>
                set versions {ssl-3.0 tls-1.0 tls-1.1}
            end
    end
Variable
Description
Default
<name_str>
Enter the name of this virtual IP address.
No default.
arp-reply {enable | disable}
Select to respond to ARP requests for this virtual IP address.
enable
comment <comment_str>
Enter comments relevant to the configured virtual IP.
No default.
dns-mapping-ttl <int>
Enter the time-to-live for DNS responses. Range 0 to 604800. Available when type is dns-translation.
0
extintf <name_str>
Enter the name of the interface connected to the source network that receives the packets that will be forwarded to the destination network. The interface name can be any FortiGate network interface, VLAN subinterface, IPSec VPN interface, or modem interface.
No default.
extip <address_ipv4>[-<address_ipv4>]
Enter the IP address or address range on the external interface that you want to map to an address or address range on the destination network.
If type is static-nat and mappedip is an IP address range, the FortiGate unit uses extip as the first IP address in the external IP address range, and calculates the last IP address required to create an equal number of external and mapped IP addresses for one-to-one mapping.
To configure a dynamic virtual IP that accepts connections destined for any IP address, set extip to 0.0.0.0.
0.0.0.0
extport <port_int>
Enter the external port number range that you want to map to a port number range on the destination network.
This option only appears if portforward is enabled.
If portforward is enabled and you want to configure a static NAT virtual IP that maps a range of external port numbers to a range of destination port numbers, set extport to the port number range. Then set mappedport to the start and end of the destination port range.
When using port number ranges, the external port number range corresponds to a mapped port number range containing an equal number of port numbers, and each port number in the external range is always translated to the same port number in the mapped range.
If type is server-load-balance, extport is available unless server-type is ip. The value of extport changes to 80 if server-type is http and to 443 if server-type is https.
0
gratuitous-arp-interval <interval_seconds>
Configure sending of ARP packets by a virtual IP. You can set the time interval between sending ARP packets. Set the interval to 0 to disable sending ARP packets.
0
http-cookie-age <age_int>
Configure HTTP cookie persistence to change how long the browser caches the cookie. Enter an age in minutes or set the age to 0 to make the browser keep the cookie indefinitely. The range is 0 to 525600 minutes.
This option is available when type is server-load-balance, server-type is http or https and persistence is http or https.
60
http-cookie-domain <domain_str>
Configure HTTP cookie persistence to restrict the domain that the cookie should apply to. Enter the DNS domain name to restrict the cookie to.
This option is available when type is server-load-balance, server-type is http or https and persistence is http or https.
 
http-cookie-domain-from-host {enable | disable}
If enabled, when the FortiGate unit adds a Set-Cookie to the HTTP(S) response, the Domain attribute in the Set-Cookie is set to the value of the Host: header, if there was one.
If there was no Host: header, the Domain attribute is set to the value of http-cookie-domain if it is set; if it is not set, the Domain attribute is not included in the Set-Cookie.
This option is available when type is server-load-balance, server-type is http or https and persistence is http‑cookie.
disable
http-cookie-generation <generation_int>
Configure HTTP cookie persistence to invalidate all cookies that have already been generated. The exact value of the generation is not important, only that it is different from any generation that has already been used.
This option is available when type is server-load-balance, server-type is http or https and persistence is http or https.
0
http-cookie-path <path_str>
Configure HTTP cookie persistence to limit the cookies to a particular path, for example /new/path.
This option is available when type is server-load-balance, server-type is http or https and persistence is http or https.
 
http-cookie-share {disable | same-ip}
Configure HTTP cookie persistence to control the sharing of cookies across more than one virtual server. The default setting same-ip means that any cookie generated by one virtual server can be used by another virtual server in the same virtual domain.
Select disable to make sure that a cookie generated for a virtual server cannot be used by other virtual servers.
This option is available when type is server-load-balance, server-type is http or https and persistence is http or https.
same-ip
http-ip-header {enable | disable}
Select to preserve the client’s IP address in the X-Forwarded-For HTTP header line if HTTP multiplexing is enabled. This can be useful if you require logging on the server of the client’s original IP address. If this option is not selected, in HTTP multiplexing configurations the header will contain the IP address of the FortiGate unit.
This option appears only if portforward and http-multiplex are enabled.
disable
http-ip-header-name <ip‑header‑name>
If http-ip-header is enabled, this field defines the header to substitute for X-Forwarded-For.
null
http-multiplex {enable | disable}
Select to use the FortiGate unit to multiplex multiple client connections into a few connections between the FortiGate unit and the real server. This can improve performance by reducing server overhead associated with establishing multiple connections. The server must be HTTP/1.1 compliant.
This option is only available if server-type is http or https.
disable
https-cookie-secure {disable | enable}
Configure HTTP cookie persistence to enable or disable using secure cookies for HTTPS sessions. Secure cookies are disabled by default because they can interfere with cookie sharing across HTTP and HTTPS virtual servers. If enabled, then the Secure tag is added to the cookie inserted by the FortiGate unit.
This option is available when type is server-load-balance, server-type is http or https and persistence is http or https.
disable
id <id_num_str>
Enter a unique identification number for the configured virtual IP. Not checked for uniqueness. Range 0 - 65535.
No default.
ldb-method {first-alive | http-host | least-rtt | least-session | round-robin | static | weighted}
Select the method used by the virtual server to distribute sessions to the real servers. You add real servers to the virtual server using config realservers.
first-alive: Always directs requests to the first alive real server. In this case “first” refers to the order of the real servers in the virtual server configuration. For example, if you add real servers A, B and C in that order, then traffic always goes to A as long as it is alive. If A goes down then traffic goes to B and if B goes down the traffic goes to C. If A comes back up, traffic goes to A. Real servers are ordered in the virtual server configuration in the order in which you add them, with the most recently added real server last. If you want to change the order you must delete and re-add real servers as required.
http-host: Load balance HTTP requests by the contents of the HOST header.
least-rtt: Directs requests to the real server with the least round trip time. The round trip time is determined by a Ping monitor and is defaulted to 0 if no Ping monitors are defined.
least-session: Directs requests to the real server that has the least number of current connections. This method works best in environments where the real servers or other equipment you are load balancing have similar capabilities.
round-robin: Directs requests to the next real server, and treats all real servers as equals regardless of response time or number of connections. Unresponsive real servers are avoided. A separate real server is required.
static: Distributes sessions evenly across all real servers according to the session source IP address. This load balancing method provides some persistence because all sessions from the same source address would always go to the same server. However, the distribution is stateless, so if a real server is added or removed (or goes up or down) the distribution is changed so persistence will be lost. Separate real servers are not required.
weighted: Real servers with a higher weight value receive a larger percentage of connections at any one time. Server weights are set with set weight under config realservers.
This option appears only if type is server-load-balance.
static
mappedip [<start_ipv4>-<end_ipv4>]
Enter the IP address or IP address range on the destination network to which the external IP address is mapped.
If type is static-nat and mappedip is an IP address range, the FortiGate unit uses extip as the first IP address in the external IP address range, and calculates the last IP address required to create an equal number of external and mapped IP addresses for one-to-one mapping.
If type is load-balance and mappedip is an IP address range, the FortiGate unit uses extip as a single IP address to create a one-to-many mapping.
0.0.0.0
mappedport <port_int>
Enter the port number range on the destination network to which the external port number range is mapped.
You can also enter a port number range to forward packets to multiple ports on the destination network.
0
max-embryonic-connections <initiated_int>
Enter the maximum number of partially established SSL or HTTP connections. This should be greater than the maximum number of connections you want to establish per second.
This option appears only if portforward is enabled, and http is enabled or ssl is not off.
1000
monitor <name_str>
Select the health check monitor for use when polling to determine a virtual server’s connectivity status.
No default.
nat-source-vip {enable | disable}
Enable to prevent unintended servers from using a virtual IP. The virtual IP will be used as the source IP address for connections from the server through the FortiGate unit.
Disable to use the actual IP address of the server (or the FortiGate destination interface if using NAT) as the source address of connections from the server that pass through the FortiGate unit.
disable
outlook-web-access {disable | enable}
If the FortiGate unit provides SSL offload for Microsoft Outlook Web Access, the Outlook server expects to see a Front-End-Https: on header inserted into the HTTP headers, as described in this Microsoft Technical Note. If outlook-web-access is enabled, the FortiGate unit adds this header to all HTTP requests.
This option is available when type is server-load-balance and server-type is http or https.
disable
persistence {none | ssl-session-id | http-cookie}
If the type is server-load-balance, configure persistence for a virtual server to make sure that clients connect to the same server every time they make a request that is part of the same session.
When you configure persistence, the FortiGate unit load balances a new session to a real server according to the ldb-method. If the session has an HTTP cookie or an SSL session ID, the FortiGate unit sends all subsequent sessions with the same HTTP cookie or SSL session ID to the same real server.
You can configure persistence if server-type is set to http, https, or ssl.
none: No persistence. Sessions are distributed solely according to the ldb-method. Setting ldb-method to static (the default) results in behavior equivalent to persistence. See the description of static under ldb-method for more information.
http-cookie: all HTTP or HTTPS sessions with the same HTTP session cookie are sent to the same real server. http-cookie is available if server-type is set to https or ssl. If you select http-cookie you can also configure http-cookie-domain, http-cookie-path, http-cookie-generation, http-cookie-age, and http-cookie-share for HTTP and these settings plus https-cookie-secure for HTTPS.
ssl-session-id: all sessions with the same SSL session ID are sent to the same real server. ssl-session-id is available if server-type is set to https or ssl.
none
portforward {enable | disable}
Select to enable port forwarding. You must also specify the port forwarding mappings by configuring extport and mappedport.
disable
portmapping-type {1-to-1 | m-to-n}
Select the type of port mapping.
1-to-1 — one-to-one mapping
m-to-n — load balancing
This option is available when portforward is enabled.
1-to-1
protocol {sctp | tcp | udp | icmp}
Select the protocol to use when forwarding packets.
tcp
server-type {http | https | imaps | ip | pop3s | smtps | ssl | tcp | udp}
If the type is server-load-balance, select the protocol to be load balanced by the virtual server (also called the server load balance virtual IP). If you select a general protocol such as ip, tcp, or udp the virtual server load balances all IP, TCP, or UDP sessions. If you select specific protocols such as http, https, or ssl you can apply additional server load balancing features such as persistence and HTTP multiplexing.
http: load balance only HTTP sessions with destination port number that matches the extport setting. Change extport to match the destination port of the sessions to be load balanced. You can also configure http-multiplex. You can also set persistence to http-cookie and configure http-cookie-domain, http-cookie-path, http-cookie-generation, http-cookie-age, and http-cookie-share settings for cookie persistence.
https: load balance only HTTPS sessions with destination port number that matches the extport setting. Change extport to match the destination port of the sessions to be load balanced. You can also configure http-multiplex and set persistence to http-cookie and configure the same http-cookie options as for http virtual servers plus the https-cookie-secure option. You can also set persistence to ssl-session-id. You can also configure the SSL options such as ssl-mode and ssl-certificate and so on. https is available on FortiGate units that support SSL acceleration.
imaps: load balance only IMAPS sessions with destination port number that matches the extport setting. Change extport to match the destination port of the sessions to be load balanced.
ip: load balance all sessions accepted by the firewall policy that contains this server load balance virtual IP. Since all sessions are load balanced you don’t have to set the extport.
pop3s: load balance only POP3S sessions with destination port number that matches the extport setting. Change extport to match the destination port of the sessions to be load balanced.
smtps: load balance only SMTPS sessions with destination port number that matches the extport setting. Change extport to match the destination port of the sessions to be load balanced.
ssl: load balance only SSL sessions with destination port number that matches the extport setting. Change extport to match the destination port of the sessions to be load balanced. You can also configure the SSL options such as ssl-mode and ssl-certificate and so on.
tcp: load balance only TCP sessions with destination port number that matches the extport setting. Change extport to match the destination port of the sessions to be load balanced.
udp: load balance only UDP sessions with destination port number that matches the extport setting. Change extport to match the destination port of the sessions to be load balanced.
(none)
src-filter <addr_str>
Enter a source address filter. Each address must be either an IP/subnet (x.x.x.x/n) or a range (x.x.x.x-y.y.y.y). Separate addresses by spaces.
null
srcintf-filter <intf_str>
Enter names of the interfaces to which the VIP applies. Separate names with spaces.
No default.
ssl-mode {full | half}
Select whether or not to accelerate SSL communications with the destination by using the FortiGate unit to perform SSL operations, and indicate which segments of the connection will receive SSL offloading. Accelerating SSL communications in this way is also called SSL offloading.
full: Select to apply SSL acceleration to both parts of the connection: the segment between the client and the FortiGate unit, and the segment between the FortiGate unit and the server. The segment between the FortiGate unit and the server will use encrypted communications, but the handshakes will be abbreviated. This results in performance which is less than the option half, but still improved over communications without SSL acceleration, and can be used in failover configurations where the failover path does not have an SSL accelerator. If the server is already configured to use SSL, this also enables SSL acceleration without requiring changes to the server’s configuration.
half: Select to apply SSL only to the part of the connection between the client and the FortiGate unit. The segment between the FortiGate unit and the server will use clear text communications. This results in best performance, but cannot be used in failover configurations where the failover path does not have an SSL accelerator.
SSL 3.0 and TLS 1.0 are supported.
This option appears only if server-type is ssl or https.
full
ssl-algorithm {low | medium | high | custom}
Set the permitted encryption algorithms for SSL sessions according to encryption strength:
low — AES, 3DES, RC4, DES
medium — AES, 3DES, RC4
high — AES, 3DES
custom — determined in the config ssl-cipher-suites subcommand
high
ssl-certificate <certificate_str>
Enter the name of the SSL certificate to use with SSL acceleration.
This option appears only if type is server-load-balance and server-type is ssl.
No default.
ssl-client-renegotiation {allow | deny | secure}
Select the SSL secure renegotiation policy.
allow — Allow, but do not require secure renegotiation.
deny — Do not allow renegotiation.
secure — Require secure renegotiation.
Secure renegotiation complies with RFC 5746 Secure Negotiation Indication.
allow
ssl-client-session-state-max <sessionstates_int>
Enter the maximum number of SSL session states to keep for the segment of the SSL connection between the client and the FortiGate unit.
This option appears only if type is server-load-balance and server-type is ssl.
1000
ssl-client-session-state-timeout <timeout_int>
Enter the number of minutes to keep the SSL session states for the segment of the SSL connection between the client and the FortiGate unit.
This option appears only if type is server-load-balance and server-type is ssl.
30
ssl-client-session-state-type {both | count | disable | time}
Select which method the FortiGate unit should use when deciding to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate unit.
both: Select to expire SSL session states when either ssl-client-session-state-max or ssl-client-session-state-timeout is exceeded, regardless of which occurs first.
count: Select to expire SSL session states when ssl-client-session-state-max is exceeded.
disable: Select to keep no SSL session states.
time: Select to expire SSL session states when ssl-client-session-state-timeout is exceeded.
This option appears only if type is server-load-balance and server-type is ssl.
both
ssl-dh-bits <bits_int>
Enter the number of bits of the prime number used in the Diffie-Hellman exchange for RSA encryption of the SSL connection. Larger prime numbers are associated with greater cryptographic strength.
This option appears only if type is server-load-balance and server-type is ssl.
1024
ssl-http-location-conversion {enable | disable}
Select to replace http with https in the reply’s Location HTTP header field.
For example, in the reply, Location: http://example.com/ would be converted to Location: https://example.com/.
This option appears only if type is server-load-balance and server-type is https.
disable
ssl-http-match-host {enable | disable}
Select to apply Location conversion to the reply’s HTTP header only if the host name portion of Location matches the request’s Host field, or, if the Host field does not exist, the host name portion of the request’s URI. If disabled, conversion occurs regardless of whether the host names in the request and the reply match.
For example, if host matching is enabled, and a request contains Host: example.com and the reply contains Location: http://example.cc/, the Location field does not match the host of the original request and the reply’s Location field remains unchanged. If the reply contains Location: http://example.com/, however, then the FortiGate unit detects the matching host name and converts the reply field to Location: https://example.com/.
This option appears only if ssl-http-location-conversion is enabled.
disable
ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1}
Enter the maximum version of SSL/TLS to accept in negotiation.
This option appears only if type is server-load-balance and server-type is ssl.
tls-1.1
ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1}
Enter the minimum version of SSL/TLS to accept in negotiation.
This option appears only if type is server-load-balance and server-type is ssl.
ssl-3.0
ssl-pfs {allow | deny | require}
Select handling of perfect forward secrecy (PFS) for connections:
allow — Allow use of any cipher suite.
deny — Allow only non-Diffie-Hellman cipher-suites.
require — Allow only Diffie-Hellman cipher-suites.
allow
ssl-send-empty-frags {enable | disable}
Select to precede the record with empty fragments to thwart attacks on CBC IV. You might disable this option if SSL acceleration will be used with an old or buggy SSL implementation which cannot properly handle empty fragments.
This option appears only if type is server-load-balance and server-type is ssl, and applies only to SSL 3.0 and TLS 1.0.
enable
ssl-server-session-state-max <sessionstates_int>
Enter the maximum number of SSL session states to keep for the segment of the SSL connection between the server and the FortiGate unit.
This option appears only if ssl-mode is full.
1000
ssl-server-session-state-timeout <timeout_int>
Enter the number of minutes to keep the SSL session states for the segment of the SSL connection between the server and the FortiGate unit.
This option appears only if ssl-mode is full.
30
ssl-server-session-state-type {both | count | disable | time}
Select which method the FortiGate unit should use when deciding to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate unit.
both: Select to expire SSL session states when either ssl-server-session-state-max or ssl-server-session-state-timeout is exceeded, regardless of which occurs first.
count: Select to expire SSL session states when ssl-server-session-state-max is exceeded.
disable: Select to keep no SSL session states.
time: Select to expire SSL session states when ssl-server-session-state-timeout is exceeded.
This option appears only if ssl-mode is full.
both
type {dns-translation | load-balance | server-load-balance | static-nat}
Select the type of static or dynamic NAT applied by the virtual IP.
dns-translation: Dynamic VIP with DNS translation.
load-balance: Dynamic NAT load balancing with server selection from an IP address range.
server-load-balance: Dynamic NAT load balancing with server selection from among up to eight real servers, determined by your selected load balancing algorithm and server responsiveness monitors.
static-nat: Static NAT.
static-nat
weblogic-server {enable | disable}
Enable or disable adding an HTTP header that indicates SSL offloading to a WebLogic server.
disable
websphere-server {enable | disable}
Enable or disable adding an HTTP header that indicates SSL offloading to a WebSphere server.
disable
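The SSL-related options above (ssl-pfs, ssl-send-empty-frags and the ssl-server-session-state-* settings) only take effect together with the VIP type, server-type and ssl-mode they depend on. The following configuration is an added example, not taken from the Fortinet documentation, that brings them together in one server-load-balance VIP with the more conservative choices selected (PFS required, the weakest protocol version raised). The VIP name, the interface name "wan1", the address 203.0.113.10 (an RFC 5737 documentation address), the certificate name and the attribute name ssl-min-version (the minimum-version option whose name falls outside this excerpt) are assumptions; lines beginning with # are annotations for the reader and are not part of the CLI input.

```fortios
config firewall vip
    # constructed VIP name; listens on the external interface and offloads TLS
    edit "vip-web-ssl-offload"
        set type server-load-balance
        # assumed external interface and constructed external address
        set extintf "wan1"
        set extip 203.0.113.10
        set extport 443
        # server-type ssl is what makes the ssl-* options appear
        set server-type ssl
        # assumed certificate name; use the certificate imported for this service
        set ssl-certificate "Fortinet_Factory"
        set ldb-method round-robin
        # full mode re-encrypts toward the real servers, so the
        # ssl-server-session-state-* options below apply
        set ssl-mode full
        # attribute name assumed: reject negotiation below this version
        set ssl-min-version tls-1.1
        # require: only Diffie-Hellman (forward-secret) cipher suites are offered
        set ssl-pfs require
        # keep the empty-fragment CBC IV mitigation for any SSL 3.0 / TLS 1.0 clients
        set ssl-send-empty-frags enable
        # expire server-side session states on whichever limit is hit first
        set ssl-server-session-state-type both
        set ssl-server-session-state-max 1000
        set ssl-server-session-state-timeout 30
    next
end
```

Setting ssl-pfs to deny or leaving ssl-send-empty-frags disabled should only be done to interoperate with a specific known-problematic client or accelerator, since both weaken the protection the defaults give to the client-side segment of the connection.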
realservers
The following are the options for config realservers, and are available only if type is server-load-balance.
client-ip <ip_range_ipv4> [<ip_range_ipv4>] [<ip_range_ipv4>] [<ip_range_ipv4>]
Restrict the clients that can connect to a real server according to the client’s source IP address. Use the client-ip option to enter up to four client source IP addresses or address ranges. Separate each IP address or range with a space. The following example shows how to add a single IP address and an IP address range:
set client-ip 192.168.1.90 192.168.1.100-192.168.1.120
Use the client-ip option if you have multiple real servers in a server load balance VIP and you want to control which clients use which real server according to the client’s source IP address.
Different real servers in the same virtual server can have the same or overlapping IP addresses and ranges. If an overlap occurs, sessions from the overlapping source addresses are load balanced among the real servers with the overlapping addresses.
If you do not specify a client-ip, all clients can use the real server.
 
<table_id>
Enter an index number used to identify the server that you are configuring. You can configure a maximum of eight servers in a server load balancing cluster.
No default.
healthcheck {enable | disable}
Enable to check the responsiveness of the server before forwarding traffic. You must also configure monitor.
disable
holddown-interval <seconds_int>
Enter the amount of time in seconds that the health check monitor will continue to monitor the status of a server whose status is active after it has been detected to be unresponsive.
If the server is detected to be continuously responsive during this interval, a server whose status is standby will be removed from current use and replaced with this server, which will again be used by server load balanced traffic. In this way, server load balancing prefers to use servers whose status is active, if they are responsive.
If the server is detected to be unresponsive during the first holddown interval, the server will remain out of use for server load balanced traffic, the health check monitor will double the holddown interval once, and continue to monitor the server for the duration of the doubled holddown interval. The health check monitor continues to monitor the server for additional iterations of the doubled holddown interval until connectivity to the server becomes reliable, at which time the holddown interval will revert to the configured interval, and the newly responsive server whose status is active will replace the standby server in the pool of servers currently in use. In effect, if the status of a server is active but the server is habitually unresponsive, the health check monitor is less likely to restore the server to use by server load balanced traffic until the server’s connectivity becomes more reliable.
This option applies only to real servers whose status is active, but have been detected to be unresponsive (“down”).
300
http-host <host_str>
Enter the value of the Host header to match. For traffic to use the real server, the HTTP(S) Host: header must match (case insensitive) the value of the http-host attribute.
This option is available only when the VIP's ldb-method is http-host.
null
ip <server_ip>
Enter the IP address of a server in this server load balancing cluster.
0.0.0.0
max-connections <connection_integer>
Enter the limit on the number of active connections directed to a real server. If the maximum number of connections is reached for the real server, the FortiGate unit will automatically switch all further connection requests to another server until the connection number drops below the specified limit.
0 means an unlimited number of connections.
0
monitor <healthcheck_str>
Enter one or more names of health check monitor settings to use when performing a health check, separating each name with a space. If any of the configured health check monitors detect failures, the FortiGate unit will deem the server unresponsive, and will not forward traffic to that server. For details on configuring health check monitor settings, see firewall ldb-monitor.
This option appears only if healthcheck is enable.
No default.
port <port_ip>
Enter the port used if port forwarding is enabled.
10
status {active | disable | standby}
Select whether the server is in the pool of servers currently being used for server load balanced traffic, the server is on standby, or is disabled.
active: The FortiGate unit may forward traffic to the server unless its health check monitors determine that the server is unresponsive, at which time the FortiGate unit will temporarily use a server whose status is standby. The healthcheck monitor will continue to monitor the unresponsive server for the duration of holddown-interval. If this server becomes reliably responsive again, it will be restored to active use, and the standby server will revert to standby. For details on health check monitoring when an active server is unresponsive, see “holddown-interval <seconds_int>”.
disable: The FortiGate unit will not forward traffic to this server, and will not perform health checks. You might use this option to conserve server load balancing resources when you know that a server will be unavailable for a long period, such as when the server is down for repair.
standby: If a server whose status is active becomes unresponsive, the FortiGate unit will temporarily use a responsive server whose status is standby until the server whose status is active again becomes reliably responsive. If multiple responsive standby servers are available, the FortiGate unit selects the standby server with the greatest weight. If a standby server becomes unresponsive, the FortiGate unit will select another responsive server whose status is standby.
active
weight <loadbalanceweight_int>
Enter the weight value of a specific server. Servers with a greater weight receive a greater proportion of forwarded connections, or, if their status is standby, are more likely to be selected to temporarily replace servers whose status is active, but that are unresponsive. Valid weight values are between 1 and 255.
This option is available only if ldb-method is weighted.
1
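The realservers options above describe how a pool is assembled: which clients may reach each server (client-ip), how unresponsive servers are detected and held down (healthcheck, monitor, holddown-interval), how capacity is capped (max-connections) and how active and standby members are ranked (status, weight). The following configuration is an added example, not Fortinet's own documentation, that shows a three-member pool using all of these together. The VIP name, interface name, the 203.0.113.10 and 10.0.0.x addresses, the 192.168.1.x client ranges, the monitor name "tcp-443-check" and the ldb-monitor attributes (type, port, interval, timeout, retry) are assumptions; lines beginning with # are annotations for the reader and are not part of the CLI input.

```fortios
# constructed health check monitor, referenced by name from each real server
# (attribute names under firewall ldb-monitor are assumed here)
config firewall ldb-monitor
    edit "tcp-443-check"
        set type tcp
        set port 443
        set interval 10
        set timeout 2
        set retry 3
    next
end

config firewall vip
    # constructed VIP name; ldb-method weighted is required for weight to apply
    edit "vip-web-pool"
        set type server-load-balance
        set extintf "wan1"
        set extip 203.0.113.10
        set extport 443
        set server-type tcp
        set ldb-method weighted
        config realservers
            # primary member: takes the larger share of connections,
            # but only from the 192.168.1.0/24 client range
            edit 1
                set ip 10.0.0.11
                set port 443
                set status active
                set weight 3
                set healthcheck enable
                set monitor "tcp-443-check"
                set holddown-interval 300
                set max-connections 500
                set client-ip 192.168.1.0-192.168.1.255
            next
            # second active member: no client-ip, so any client may use it;
            # its range overlaps member 1, so 192.168.1.x clients are balanced across both
            edit 2
                set ip 10.0.0.12
                set port 443
                set status active
                set weight 1
                set healthcheck enable
                set monitor "tcp-443-check"
                set holddown-interval 300
                set max-connections 500
            next
            # standby member: only used while an active member is held down;
            # among multiple standbys the one with the greatest weight is chosen
            edit 3
                set ip 10.0.0.13
                set port 443
                set status standby
                set weight 2
                set healthcheck enable
                set monitor "tcp-443-check"
            next
        end
    next
end
```

With this pool, a failed check on 10.0.0.11 removes it from use, 10.0.0.13 is promoted in its place, and the monitor keeps probing 10.0.0.11 for the 300-second holddown interval (doubled if it stays unresponsive) before restoring it and returning 10.0.0.13 to standby. A server that will be offline for a known long period is better set to status disable than left active, so that resources are not spent on health checks that will keep failing.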
ssl-cipher-suites
The following are the variables for config ssl-cipher-suites, and are available only if type is server-load-balance and ssl-algorithm is custom.
cipher <cipher_name>
Enter the cipher name. For a list of available ciphers, enter set cipher ?.
 
versions {ssl-3.0 tls-1.0 tls-1.1}
Enter the algorithm versions to support.
ssl-3.0 tls-1.0 tls-1.1