config : server-policy server-pool
 
server-policy server-pool
Use this command to configure server pools.
Server pools define a group of one or more physical or domain servers (web servers) that FortiWeb distributes connections among, or where the connections pass through to, depending on the operating mode. (Reverse proxy mode actively distributes connections; offline protection and either of the transparent modes do not.)
To apply the server pool configuration, do one of the following:
Select it in a server policy directly.
Select it in an HTTP content writing policy that you can, in turn, select in a server policy.
See “config server-policy policy” and “config server-policy http-content-routing-policy”.
To use this command, your administrator account’s access control profile must have either w or rw permission to the traroutegrp area. For more information, see “Permissions”.
Syntax
config server-policy server-pool
    edit <server-pool_name>
        set type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp}
        set server-balance {enable | disable}
        set health <health-check_name>
        set lb-algo {least-connections | round-robin | weighted-round-robin}
        set persistence <persistence-policy_name>
        set comment "<comment_str>"
        config pserver-list
            edit <entry_index>
                set status {disable | enable | maintain}
                set server-type {physical | domain}
                set ip {address_ipv4 | address_ipv6}
                set domain <server_fqdn>
                set port <port_int>
                set weight <weight_int>
                set ssl {enable | disable}
                set certificate <certificate_name>
                set intermediate-certificate-group <CA-group_name>
                set client-certificate <client-certificate_name>
                set hsts-header {enable | disable}
                set hsts-max-age <timeout_int>
                set certificate-verify <verifier_name>
                set url-cert {enable | disable}
                set urlcert-group <urlcert-group_name>
                set urlcert-hlen
                set sni {enable | disable}
                set sni-strict {enable | disable}
                set sni-certificate <sni_name>
                set ssl-v3 {enable | disable}
                set tls-v10 {enable | disable}
                set tls-v11 {enable | disable}
                set tls-v12 {enable | disable}
                set ssl-cipher {medium | high}
                set ssl-pfs {enable | disable}
                set ssl-rc4-first {enable | disable}
                set ssl-noreg {enable | disable}
            next
        end
    next
end
Variable
Description
Default
<server-pool_name>
Type the name of the server pool. The maximum length is 63 characters.
To display the list of existing server pools, type:
edit ?
No default.
type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp}
Select the current operation mode of the appliance to display the corresponding pool options.
For full information on the operating modes, see “How to choose the operation mode”.
reverse-proxy
server-balance {enable | disable}
Specifies whether the pool contains a single server or multiple members.
If the value is enabled, FortiWeb uses the specified load-balancing algorithm to distribute TCP connections among the members. If a member is unresponsive to the specified server health check, FortiWeb forwards subsequent connections to another member of the pool.
Available only when type is reverse-proxy.
disable
health <health-check_name>
Type the name of a server health check FortiWeb uses to determine the responsiveness of server pool members. The maximum length is 35 characters.
To display the list of existing health checks, type:
edit ?
Available only if type is reverse-proxy and server-balance is enable.
Note: If a pool member is unresponsive, wait until the server becomes responsive again before disabling its server health check. Server health checks record the up or down status of the server. If you deactivate the server health check while the server is unresponsive, the server health check cannot update the recorded status, and FortiWeb continues to regard the physical server as if it were unresponsive. You can determine the physical server’s connectivity status using the Service Status widget (see the FortiWeb Administration Guide) or an SNMP trap (see “config system snmp community”).
No default.
lb-algo {least-connections | round-robin | weighted-round-robin}
Select the load-balancing algorithm that FortiWeb uses when it distributes new connections among server pool members.
least-connections — Distributes new connections to the member with the fewest existing, fully-formed connections.
round-robin — Distributes new connections to the next member of the server pool, regardless of weight, response time, traffic load, or number of existing connections. Unresponsive servers are avoided.
weighted-round-robin — Distributes new connections using the round robin method, except that members with a higher weight value receive a larger percentage of connections.
Available only if type is reverse-proxy and server-balance is enable.
No default.
persistence <persistence-policy_name>
Type the name of the persistence policy that specifies a session persistence method and timeout to apply to the pool.
No default.
comment "<comment_str>"
Type a description or other comment. If the comment is more than one word or contains special characters, surround the comment with double quotes ( " ). The maximum length is 63 characters.
No default.
<entry_index>
Type the index number of the member entry within the server pool. The valid range is from 1 to 9,223,372,036,854,775,807.
For round robin-style load-balancing, the index number indicates the order in which FortiWeb distributes connections.
No default.
status {disable | enable | maintain}
To specify the status of the pool member, type one of the following values:
enable — Specifies that this pool member can receive new sessions from FortiWeb.
disable — Specifies that this pool member does not receive new sessions from FortiWeb and FortiWeb closes any current sessions as soon as possible.
maintain — Specifies that this pool member does not receive new sessions from FortiWeb but FortiWeb maintains any current connections.
enable
server-type {physical | domain}
Specify whether the pool member is identified by IP address or by domain name.
physical
ip {address_ipv4 | address_ipv6}
Type the IP address of the web server to include in the pool.
Warning: Server policies do not apply features that do not yet support IPv6 to servers specified using IPv6 addresses.
Available only if server-type is physical.
No default.
domain <server_fqdn>
Type the fully-qualified domain name of the web server to include in the pool, such as www.example.com.
Warning: Server policies do not apply features that do not yet support IPv6 to domain servers whose DNS names resolve to IPv6 addresses.
Tip: For domain servers, FortiWeb queries a DNS server to resolve each web server’s domain name to an IP address. For improved performance, do one of the following:
use physical servers instead
ensure highly reliable, low-latency service to a DNS server on your local network
Available only if server-type is domain.
No default.
port <port_int>
Type the TCP port number where the pool member listens for connections. The valid range is from 1 to 65,535.
80
weight <weight_int>
If the server pool uses the weighted round robin load-balancing algorithm, type the numerical weight of the pool member. Members with a greater weight receive a greater proportion of connections.
The valid range is from 1 to 9,999.
0
ssl {enable | disable}
For reverse proxy, offline protection, and transparent inspection modes, specifies whether connections between FortiWeb and the pool member use SSL/TLS.
For true transparent proxy, specifies whether FortiWeb performs SSL/TLS processing for the pool members and connections between FortiWeb and the pool member use SSL/TLS.
For offline protection and transparent modes, also configure certificate <certificate_name>. FortiWeb uses the certificate to decrypt and scan connections before passing the encrypted traffic through to the pool members (SSL inspection).
For true transparent proxy, also configure certificate <certificate_name> and additional SSL settings as required. FortiWeb handles SSL negotiations and encryption and decryption, instead of the pool member (SSL offloading).
(For reverse proxy mode, you can configure SSL offloading for all members of a pool using a server policy. See “server-policy policy”.)
Note: When this option is enabled, the pool member must be configured to apply SSL.
Note: Ephemeral (temporary key) Diffie-Hellman exchanges are not supported if the FortiWeb appliance is operating in transparent inspection or offline protection mode.
No default.
certificate <certificate_name>
Type the name of the certificate that FortiWeb uses to decrypt SSL-secured connections.
Available only if ssl is enable. The maximum length is 35 characters.
To display the list of existing certificates, type:
edit ?
No default.
intermediate-certificate-group <CA-group_name>
Select the name of a group of intermediate certificate authority (CA) certificates, if any, that FortiWeb presents to clients to complete the signing chain for them and validate the server certificate’s CA signature.
If clients receive certificate warnings that the server certificate configured in certificate <certificate_name> has been signed by an intermediary CA, rather than directly by a root CA or other CA currently trusted by the client, configure this option.
Alternatively, include the entire signing chain in the server certificate itself before uploading it to the FortiWeb appliance, thereby completing the chain of trust with a CA already known to the client. See the FortiWeb Administration Guide.
Available only if type is transparent-servers-for-tp and ssl is enable. (For reverse proxy mode, configure this setting in the server policy instead. See intermediate-certificate-group <CA-group_name> in “server-policy policy”.)
No default.
client-certificate <client-certificate_name>
Specifies the client certificate that FortiWeb uses to connect to this server pool member.
Used when connections to this pool member require a valid client certificate.
Available only if type is reverse-proxy or transparent-servers-for-tp and ssl is enable.
To upload a client certificate for FortiWeb, see the FortiWeb Administration Guide.
disable
hsts-header {enable | disable}
Enable to combat man-in-the-middle (MITM) attacks on HTTP by injecting the RFC 6797 strict transport security header into the reply, such as:
Strict-Transport-Security: max-age=31536000; includeSubDomains
This header forces the client to use HTTPS for subsequent visits to this domain. If the certificate does not validate, it also causes a fatal connection error: the client’s web browser does not display a dialog that allows the user to override the certificate mismatch error and continue.
Available only if type is transparent-servers-for-tp and ssl is enable.
disable
hsts-max-age <timeout_int>
Type the time to live in seconds for the HSTS header.
This setting applies only if hsts-header is enable.
7776000
certificate-verify <verifier_name>
Type the name of a certificate verifier, if any, to use when an HTTP client presents its personal certificate. (If you do not specify one, the client is not required to present a personal certificate.)
However, if sni is enable and the domain in the client request matches an entry in the specified SNI policy, FortiWeb uses the SNI configuration to determine which certificate verifier to use.
Personal certificates, sometimes also called user certificates, establish the identity of the person connecting to the web site. For information on how the client’s certificate is verified, see ssl-client-verify <verifier_name> in “server-policy policy”.
You can require that clients present a certificate alternatively or in addition to HTTP authentication (see “waf http-authen http-authen-rule”).
Available only if type is transparent-servers-for-tp and ssl is enable. (For reverse proxy mode, configure this setting in the server policy instead. See ssl-client-verify <verifier_name> in “server-policy policy”.)
The maximum length is 35 characters.
To display the list of existing verifiers, type:
edit ?
Note: The client must support SSL 3.0, TLS 1.0, TLS 1.1, or TLS 1.2.
No default.
url-cert {enable | disable}
Specifies whether FortiWeb uses a URL-based client certificate group to determine whether a client is required to present a personal certificate.
Available only if https-service <service_name> is configured.
disable
urlcert-group <urlcert-group_name>
Specifies the URL-based client certificate group that determines whether a client is required to present a personal certificate.
If the URL the client requests does not match an entry in the group, the client is not required to present a personal certificate.
For information on creating a group, see “config system certificate urlcert”.
No default.
urlcert-hlen
Specifies the maximum allowed length for an HTTP request with a URL that matches an entry in the URL-based client certificate group, in kilobytes.
FortiWeb blocks any matching requests that exceed the specified size.
This setting prevents a request from exceeding the maximum buffer size.
Valid values are from 16 to 128.
No default.
sni {enable | disable}
Enable to use a Server Name Indication (SNI) configuration instead of or in addition to the server certificate specified by certificate <certificate_name>.
The SNI configuration enables FortiWeb to determine which certificate to present on behalf of the members of a pool based on the domain in the client request. See “system certificate sni”.
If you specify both a SNI configuration and a certificate, FortiWeb uses the certificate specified by certificate <certificate_name> when the requested domain does not match a value in the SNI configuration.
If sni-strict is enable, FortiWeb always ignores the value of certificate <certificate_name>.
Available only if type is transparent-servers-for-tp and ssl is enable.
disable
sni-strict {enable | disable}
Select to configure FortiWeb to ignore the value of certificate <certificate_name> when it determines which certificate to present on behalf of server pool members, even if the domain in a client request does not match a value in the specified SNI configuration.
disable
sni-certificate <sni_name>
Type the name of the Server Name Indication (SNI) configuration that specifies which certificate FortiWeb uses when encrypting or decrypting SSL-secured connections for a specified domain.
The SNI configuration enables FortiWeb to present different certificates on behalf of the members of a pool according to the requested domain.
If only one certificate is required to encrypt and decrypt traffic that this policy applies to, specify certificate <certificate_name> instead.
Available only if sni is enable.
No default.
ssl-v3 {enable | disable}
Specifies whether clients can connect securely to FortiWeb using the SSL 3.0 cryptographic protocol.
Available only if type is transparent-servers-for-tp and ssl is enable.
enable
tls-v10 {enable | disable}
Specifies whether clients can connect securely to FortiWeb using the TLS 1.0 cryptographic protocol.
Available only if type is transparent-servers-for-tp and ssl is enable.
enable
tls-v11 {enable | disable}
Specifies whether clients can connect securely to FortiWeb using the TLS 1.1 cryptographic protocol.
Available only if type is transparent-servers-for-tp and ssl is enable.
enable
tls-v12 {enable | disable}
Specifies whether clients can connect securely to FortiWeb using the TLS 1.2 cryptographic protocol.
Available only if type is transparent-servers-for-tp and ssl is enable.
enable
ssl-cipher {medium | high}
Specify whether the set of cipher suites that FortiWeb allows creates a medium-security or high-security configuration.
For details, see “Supported cipher suites & protocol versions” in the FortiWeb Administration Guide.
Available only if type is transparent-servers-for-tp and ssl is enable.
medium
ssl-pfs {enable | disable}
Enable to configure FortiWeb to generate a new public-private key pair when it establishes a secure session with a Diffie–Hellman key exchange.
Perfect forward secrecy (PFS) improves security by ensuring that the key pair for a current session is unrelated to the key for any future sessions.
Available only if type is transparent-servers-for-tp and ssl is enable.
disable
ssl-rc4-first {enable | disable}
Enable to configure FortiWeb to use the RC4 cipher when it first attempts to create a secure connection with a client.
This option protects against a BEAST (Browser Exploit Against SSL/TLS) attack, a TLS 1.0 vulnerability.
Enable only when tls-v10 is enable and ssl-cipher is medium.
enable
ssl-noreg {enable | disable}
Select to configure FortiWeb to ignore requests from clients to renegotiate TLS or SSL.
Protects against denial-of-service (DoS) attacks that use TLS/SSL renegotiation to overburden the server.
Available only if type is transparent-servers-for-tp and ssl is enable.
enable
Example
This example configures a server pool named server-pool1. It consists of two physical servers: 172.16.1.10 and 172.16.1.11.
When both servers are available, FortiWeb forwards connections to the server with the smallest number of connections.
config server-policy server-pool
    edit "server-pool1"
        set type reverse-proxy
        set server-balance enable
        set lb-algo least-connections
        config pserver-list
            edit 1
                set status enable
                set server-type physical
                set ip 172.16.1.10
                set ssl disable
                set port 8081
            next
            edit 2
                set status enable
                set server-type physical
                set ip 172.16.1.11
                set ssl disable
                set port 8082
            next
        end
    next
end
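Because every protocol and cipher option in the pserver-list table (ssl-v3, tls-v10, tls-v11, ssl-cipher, ssl-pfs, hsts-header) defaults to the more permissive value, a pool exported from the CLI can be reviewed by parsing the config/edit/set/next/end structure shown in the Syntax section and listing members that still carry those defaults. The following Python script is an added example written for this page, not Fortinet code; the pool name, member address and settings in its sample config are constructed, and it treats an absent setting as the reference default.

```python
import shlex

# Added example, not FortiWeb code. Constructed sample: a true-transparent-proxy
# pool whose single member overrides only two of the per-member TLS options.
SAMPLE_CONFIG = """\
config server-policy server-pool
    edit "tp-pool1"
        set type transparent-servers-for-tp
        config pserver-list
            edit 1
                set ip 10.0.0.10
                set ssl enable
                set ssl-v3 disable
                set ssl-pfs enable
            next
        end
    next
end
"""

# Per-member options whose reference default is also the weaker value, so an
# absent line is reported exactly like an explicit weak setting.
WEAK = {"ssl-v3": ("enable", "SSL 3.0 offered"), "tls-v10": ("enable", "TLS 1.0 offered"),
        "tls-v11": ("enable", "TLS 1.1 offered"), "ssl-cipher": ("medium", "medium cipher set"),
        "ssl-pfs": ("disable", "no forward secrecy"), "hsts-header": ("disable", "no HSTS header")}

def parse_pools(text):
    """Parse config/edit/set/next/end lines into nested dicts keyed by pool name and member index."""
    pools, stack = {}, []          # stack of the dicts currently being filled
    for line in text.splitlines():
        tok = shlex.split(line)    # strips indentation and the quotes around names
        if not tok:
            continue
        if tok[0] == "config":     # top-level table, or a nested one such as pserver-list
            stack.append(pools if not stack else stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "edit":     # entry inside the current table
            stack.append(stack[-1].setdefault(tok[1], {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = " ".join(tok[2:])
        elif tok[0] in ("next", "end"):
            stack.pop()
    return pools

def audit(pools):
    """Return findings; the protocol/cipher options only apply when type is transparent-servers-for-tp."""
    findings = []
    for name, pool in pools.items():
        for idx, m in pool.get("pserver-list", {}).items():
            if m.get("ssl", "disable") != "enable":
                findings.append(f"{name}/member {idx}: ssl disable, no SSL/TLS processing for this member")
            elif pool.get("type", "reverse-proxy") == "transparent-servers-for-tp":
                findings += [f"{name}/member {idx}: {k} {v}, {msg}"
                             for k, (v, msg) in WEAK.items() if m.get(k, v) == v]
    return findings
```

Running audit(parse_pools(SAMPLE_CONFIG)) reports the four options the sample member left at their defaults (tls-v10, tls-v11, ssl-cipher, hsts-header); the same parser accepts the reverse-proxy example above, where it only notes that both members have ssl disable.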
Related topics
config server-policy policy
config server-policy http-content-routing-policy
config system certificate local
config server-policy health
config server-policy persistence-policy