Configuring virtual servers on your FortiWeb

Before you can create a server policy, you must first configure a virtual server that defines the network interface or bridge and IP address where traffic destined for a server pool arrives. When the FortiWeb appliance receives traffic destined for a virtual server, it can then forward the traffic to a single web server (for Single Server server pools) or distribute sessions/connections among servers in a server pool.

A virtual server on your FortiWeb is not the same as a virtual host on your web server. A virtual server is more similar to a virtual IP on a FortiGate. It is not an actual server, but simply defines the listening network interface. Unlike a FortiGate VIP, it includes a specialized proxy that only picks up HTTP and HTTPS.

By default, in reverse proxy mode, FortiWeb’s virtual servers do not forward non-HTTP/HTTPS traffic from virtual servers to your protected web servers. (It only forwards traffic picked up and allowed by the HTTP reverse proxy.) You may be able to provide connectivity by either deploying in a one-arm topology where other protocols bypass FortiWeb, or by enabling FortiWeb to route other protocols. See also Topology for reverse proxy mode and the config router setting command in the FortiWeb CLI Reference.

The FortiWeb appliance identifies traffic as being destined for a specific virtual server if:

Virtual servers can be on the same subnet as real web servers. This configuration creates a one-arm HTTP proxy. For example, the virtual server could forward to the web server

However, this is not usually recommended. Unless your network’s routing configuration prevents it, it would allow clients that are aware of the web server’s IP address to bypass the FortiWeb appliance by accessing the back-end web server directly. The topology may be required in some cases, however, such as IP-based forwarding, mentioned above.

To configure a virtual server

1.  Go to Server Objects > Server > Virtual Server.

Each server entry includes an Enable check box, marked by default. Clear this check box if you need to disable the server. See Enabling or disabling traffic forwarding to your servers.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.

2.  Click Create New.

A dialog appears.

3.  Complet

Setting name Description
Name Enter a unique name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
Use Interface IP

Select to use the IP address of the specified network interface as the address of the virtual server.

This is useful for Microsoft Azure and AWS deployments where FortiWeb communicates with the Internet using a cloud-based load balancer.

IPv4 Address

IPv6 Address

Enter the IP address and subnet of the virtual server.

If the FortiWeb appliance is operating in offline protection mode or either of the transparent modes, because FortiWeb ignores this IP address when it determines whether or not to apply a server policy to the connection, you can specify any IP address except the address of the web server.

Note: If a policy uses any virtual servers with IPv6 addresses, FortiWeb does not apply features in the policy that do not yet support IPv6, even if you include them in the policy.


Select the network interface or bridge the virtual server is bound to and where traffic destined for the virtual server arrives.

To configure an interface or bridge, see Network interface or bridge?.

4.  Click OK.

5.  To define the listening port of the virtual server, create a custom service (see Defining your network services).

6.  To use the virtual server, select both it and the custom service in a server policy (see Configuring a server policy).

See also