Layer 2 ADC


  • IPv4 only

  • Balances traffic among multiple next hop gateways

  • HTTP content inspection and modification like Layer 7 load balancing

  • Useful when the ADC doesn't know the real server IP addresses

Layer 4 Virtual Servers


  • IPv4 and v6

  • Fast inspection (processed on the first packet)

  • Persistence (based on L4 objects like IP addresses)

  • Load Balancing (based on L4 objects like IP addresses)

  • NAT (based on L4 objects like IP addresses)

Destination NAT is the default method of forwarding the traffic


Layer 4 ADC simply forwards the traffic to the real server and doesn't terminate the TCP handshake!

Layer 7 Virtual Servers


  • IPv4 and v6

  • Slower inspection than Layer 4

  • HTTP content inspection and modification

  • Persistence

  • Load balancing

  • Routing based on L7 objects (headers, cookies, etc.)


Layer 2 and Layer 7 ADCs proxy the TCP connection!

Virtual Server objects

  • Virtual Server (Mandatory)

  • Real Server Pool (Mandatory)

  • Real Servers (Mandatory)

  • Health Check (Optional)

  • Load Balancing Method (Mandatory)

  • Application Profile (Mandatory)

    • HTTP caching (Optional)

    • HTTP compression (Optional)

  • Server Persistence (Optional)

  • Content Routing (Optional)

  • HTTP content rewrite (Optional)

  • HTTP error page (Optional)

Health Check Methods

ICMP / TCP echo

  • Sends an ICMP / TCP echo request and waits for a response


  • Queries the server by sending either a GET or a HEAD request

  • Response content can be evaluated


  • Confirms that the TCP 3-way handshake can be completed to a specific TCP port


  • Sends a DNS A record request and expects a specific IP address as a response

Radius / Radius Accounting / SMTP /POP3 / IMAP4

  • Logs in to the server using a specified protocol


  • Checks for a specific file on the FTP server


  • Polls the server for CPU, memory and disk usage. The server is deemed unresponsive if it does not reply, or if any of those usage values goes above a preconfigured threshold.

TCP Half Open

  • Sends a SYN and waits for a SYN/ACK. When it is received, an RST is sent


  • Establishes an SSL connection. The result of the SSL connection determines the status of the server

  • Can be used for any SSL-based protocol
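The TCP and HTTP checks described above behave differently when a server accepts connections but the application behind it is failing. The following is an added example, not FortiADC code; the function names, the `/health` path and the `status=OK` match string are assumptions, and the backend is a constructed sample bound to loopback.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def tcp_check(host, port, timeout=2.0):
    """TCP check: healthy only if the 3-way handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def http_check(host, port, path="/", method="GET", expect_text=None, timeout=2.0):
    """HTTP check: send GET or HEAD, require 200, optionally match body text."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
    except (OSError, http.client.HTTPException):
        return False  # no reply or malformed reply: server is treated as down
    finally:
        conn.close()
    if resp.status != 200:
        return False
    # A HEAD reply carries no body, so content matching needs GET.
    return expect_text is None or expect_text in body

class _Backend(BaseHTTPRequestHandler):
    """Constructed sample backend: port open, 200 returned, body reports a fault."""
    def do_GET(self):
        body = b"status=DEGRADED db=down"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command == "GET":
            self.wfile.write(body)
    do_HEAD = do_GET
    def log_message(self, *args): pass  # keep the demo quiet

def run_demo():
    srv = HTTPServer(("127.0.0.1", 0), _Backend)  # port 0: any free loopback port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    addr = ("127.0.0.1", srv.server_address[1])
    try:
        return {"tcp": tcp_check(*addr), "http_status": http_check(*addr, "/health", "HEAD"),
                "http_content": http_check(*addr, "/health", expect_text="status=OK")}
    finally:
        srv.shutdown(); srv.server_close()
if __name__ == "__main__": print(run_demo())
```

Only the check that evaluates the response content marks this backend as down; the TCP check and the status-only HEAD check both pass.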

Application Profiles

TCP, UDP and FTP profiles

  • Need to have a session timeout value

HTTP profile

  • (Client address) By default, it uses the client IP to set up the connection with the backend server

  • (Client address) If X-Forwarded-For is enabled, FortiADC uses it to set up the connection with the backend server

  • Disabling this causes FortiADC to use its own address (source NAT)

HTTP Turbo

  • Can't use advanced features such as source NAT, caching, compression, rate limiting, or content rewrite.

Load Balancing Methods

Error Page

  • Can only be used with layer 7 virtual servers

  • The web page needs to be uploaded as an html.index in a zip file

Global Server Load Balancing GSLB