server-policy vserver
Use this command to configure virtual servers.
Before you can create a policy, you must first configure a virtual server which defines the network interface or bridge and IP address on which traffic destined for an individual physical server or server farm will arrive.
When the FortiWeb appliance receives traffic destined for a virtual server, it can then forward the traffic to a physical server or a server farm. The FortiWeb appliance identifies traffic as being destined for a specific virtual server if:
- the traffic arrives on the network interface or bridge associated with the virtual server
- for reverse proxy mode, the destination address is the IP address of a virtual server (the destination IP address is ignored in other operation modes, except that it must not be identical with the physical server’s IP address)
 
Virtual servers can be on the same subnet as physical servers. This configuration creates a one-arm HTTP proxy. For example, the virtual server 10.0.0.1/24 could forward to the physical server 10.0.0.2.
However, this is not recommended. Unless your network’s routing configuration prevents it, attackers who know the physical server’s IP address could bypass FortiWeb by accessing the physical server directly.
To apply virtual servers, select them within a server policy. For details, see “config server-policy policy”.
To use this command, your administrator account’s access control profile must have either w or rw permission to the traroutegrp area. For more information, see “Permissions”.
Syntax
config server-policy vserver
  edit <virtual-server_name>
    set status {enable | disable}
    set interface <interface_name>
    set vip <virtual-ip_ipv4mask>
    [set vip6 <virtual-ip_ipv6mask>]
  next
end
Variable: <virtual-server_name>
Description: Type the name of the new or existing virtual server. The maximum length is 63 characters. To display the list of existing servers, type: edit ?
Default: disable

Variable: status {enable | disable}
Description: Enable to accept traffic destined for this virtual server.
Default: No default.

Variable: interface <interface_name>
Description: Type the name of the network interface or bridge, such as port1 or bridge1, to which the virtual server is bound, and on which traffic destined for the virtual server will arrive. The maximum length is 35 characters. To display the list of existing interfaces, type: edit ?
Default: No default.

Variable: vip <virtual-ip_ipv4mask>
Description: Type the IPv4 address and subnet of the virtual server.
Default: 0.0.0.0 0.0.0.0

Variable: vip6 <virtual-ip_ipv6mask>
Description: Type the IPv6 address and subnet of the virtual server.
Default: ::/0
Example
This example configures a virtual server named inline_vip1 on the network interface named port1.
The port number on which the virtual server will receive traffic is defined separately, in the policies that use this virtual server definition.
config server-policy vserver
  edit "inline_vip1"
    set status enable
    set interface port1
    set vip 10.0.0.1 255.255.255.0
  next
end
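An added example (not part of the FortiWeb documentation): a Python check for the one-arm condition described above. It parses the config server-policy vserver syntax shown on this page and flags any physical server address that falls inside a virtual server's subnet. The function names, the dmz_vip entry and the physical server list are assumptions, as is the single-token address/prefix form for vip6.

```python
import ipaddress
import shlex
# Constructed sample: the page's inline_vip1 example plus one constructed entry.
SAMPLE_CONFIG = """
config server-policy vserver
  edit "inline_vip1"
    set status enable
    set interface port1
    set vip 10.0.0.1 255.255.255.0
  next
  edit "dmz_vip"
    set status enable
    set interface port2
    set vip 192.0.2.10 255.255.255.0
  next
end
"""

def parse_vservers(text):
    """Parse a 'config server-policy vserver' block into {name: {setting: [values]}}."""
    vservers, current, in_block = {}, None, False
    for line in text.splitlines():
        tokens = shlex.split(line)
        if tokens[:3] == ["config", "server-policy", "vserver"]:
            in_block = True
        elif not tokens or not in_block:
            continue
        elif tokens[0] == "edit" and len(tokens) == 2:
            current = vservers.setdefault(tokens[1], {})
        elif tokens[0] == "set" and current is not None and len(tokens) >= 3:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] == "next":
            current = None
        elif tokens[0] == "end":
            in_block = False
    return vservers

def one_arm_findings(vservers, physical_ips):
    """Return (vserver, physical_ip) pairs where a physical server lies in the VIP's subnet."""
    findings = []
    for name, cfg in vservers.items():
        if cfg.get("status") == ["disable"]:
            continue
        # vip is "address mask"; vip6 is assumed to be "address/prefix". Prefix 0 = unset default.
        for value in (cfg[k] for k in ("vip", "vip6") if k in cfg):
            net = ipaddress.ip_network("/".join(value), strict=False)
            findings += [(name, ip) for ip in physical_ips
                         if net.prefixlen and ipaddress.ip_address(ip) in net]
    return findings
```

A finding means the virtual server and that physical server share a subnet, so confirm that routing prevents clients from reaching the physical server directly.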
Related topics
config system interface
config server-policy policy
config server-policy service custom
execute ping
diagnose network ip