Nicholas_Shoemaker
New Member
January 23, 2012
Question

YouTube extremely slow after FortiGate installation

  • January 23, 2012
  • 13 replies
  • 11404 views
First off, I hope this forum is the correct place for this thread. If not, I apologize and an admin can feel free to move it to its correct location. Thank you! We were using a Cisco firewall when I started with the company, back in April. When I started, everything was running correctly. In September-ish, we upgraded to a FortiGate 110C. Ever since the upgrade, YouTube has been extremely slow. As I am new to FortiGate and am still learning my way around, I am unclear whether there is a setting to fix this. Can someone please help me? Thanks in advance for any responses!

    13 replies

    billp
    New Member
    January 23, 2012
    Welcome to the forums. It's possible that the FortiGate is scanning all the YouTube videos for threats. This KB article describes how to omit most video/audio from scanning. You might try implementing this to see if it helps.
    http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD31303&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=28409094&stateId=0%200%2028407895
    If the above doesn't help, perhaps you could tell us a bit more about your setup. Firmware version? Bandwidth available? Number of users?
    harald21
    New Member
    January 24, 2012
    Hello, please provide us some details:
    - Which firmware are you running?
    - What is the speed of your internet connection?
    - How many users are at your location?
    - Are you using a separate proxy (squid)?
    - Are you using protection profiles (AV/IPS scanning)?
    Sincerely, Harald
    Nicholas_Shoemaker
    New Member
    February 14, 2012
    Sorry for the delay in responding about this, was out of town for a few weeks. Anyways, here is the info about our firewall:
    - FortiGate 110C
    - Firmware Version: v4.0,build0496,111108 (MR3 Patch 3)
    - Speed test: Dwn=14.85 MBps / Up=5.70 MBps
    - Approximately 175 users
    - No separate proxy
    - No protection files (that I'm aware of)
    We did not have this issue when we were using a Cisco firewall, and it started as soon as we brought the FortiGate online. Thanks for all your help!
    Nicholas_Shoemaker
    New Member
    February 14, 2012
    I just tried this:
    CLI Syntax:
        config webfilter content-header
            edit 1
                set comment ''
                config entries
                    edit "video/.*"
                        set action block
                    next
                    edit "audio/.*"
                        set action exempt
                    next
                end
                set name "weblist-01"
            next
        end
    from the article posted above, but it didn't help.
    billp
    New Member
    February 14, 2012
    No protection files (that I'm aware of)
    Nicholas, this setting requires a Web Protection Profile in order to work per the KB. In the example in the KB, they use a sample Protection Profile called "Web" to demonstrate how you would activate this particular setting. However, if you're not using a Web Protection Profile, what kind of inspection are you doing on your traffic? If you don't have a web protection profile, then you are not filtering websites for any games, movies, gambling, social networking, etc.
    If you go to your Firewall Policy settings in the GUI and then change the Column Settings to display the Web Filter Profile, you will be able to verify if any of your traffic is already using a Web Protection Profile. That's probably a good place to start. If you don't use a Web Protection Profile, you could try to create a simple one with just the header exception outlined in the KB. You could try assigning that to your users to see if there is a difference. It's easy enough to remove.
    Also, MR3 is now up to Patch 5. From what I've read, this is much more stable than Patch 3. You might want to try an upgrade as a simple first measure to see if that helps. Hope this helps.
    Nicholas_Shoemaker
    New Member
    February 15, 2012
    Bill, Went in to the firewall policies and enabled the viewing of the web filter profiles, and we do have one in place, that looks like it is currently applied to our entire internal network and our guest wireless. Go to the UTM profiles and looking at the web filter profile that was created for us, I do not see a setting that stands out to say "scan multimedia" or "scan online streaming media" or anything like that, nor am I sure that I should. The only thing I remotely see is the bandwidth consuming category is set to allow, but nothing to allow me to configure it. Thanks for your help!
    billp
    New Member
    February 15, 2012
    Go to the UTM profiles and looking at the web filter profile that was created for us, I do not see a setting that stands out to say "scan multimedia" or "scan online streaming media" or anything like that, nor am I sure that I should.
    You wouldn't see anything there. For better or worse, many of the obscure (and not so obscure) settings can only be set in the CLI. The GUI is more like a basic-to-intermediate interface to the box while the CLI is the full-monty advanced interface. If your primary web profile is called "primaryWebProfile" then you would want to make the following settings in your config to activate the header exclusions you made previously:
        config webfilter profile
            edit "primaryWebProfile"
                config http
                    set options contenttype-check
                end
                config web
                    set content-header-list 1
                end
            next
        end
    Caveat: I am NOT using MR3, but the config for this appears to be the same. As always, make sure you back up your config before making any changes. These are pretty benign changes, but you would probably not want to make them during peak traffic.
    Nicholas_Shoemaker
    New Member
    February 15, 2012
        config webfilter profile
            edit "primaryWebProfile"
                config http
                    set options contenttype-check
                end
                config web
                    set content-header-list 1
                end
            next
        end
    For the sake of not messing anything up, I stopped at the "config http". When I tried the command it said:
        command parse error before 'http'
        Command fail. Return code 1
    Any ideas?
    rwpatterson
    New Member
    February 15, 2012
    Type 'config ?'. All your valid options will be shown there.
    TopJimmy
    New Member
    February 15, 2012
    I've got the same problem on a couple of my FortiGates (FWF80CM/FWF60C) but I experience that problem regardless of protection profiles/UTM. I rebuilt the 80CM by formatting the flash, loading a fresh copy of 4.2.10 and manually configuring the unit with no UTM/protection assigned to any of the policies and I get horrid performance on YouTube. Plug the test PC directly into the ISP and bypass the FortiGate and performance is excellent. The same thing happens on a FWF60C. My 620b's work great as long as no UTM is applied to the policy. I'm going to test the above KB link to see if that works and report back here afterwards.
    billp
    New Member
    February 15, 2012
    They changed the syntax in MR3. Based on the docs at docs.fortinet.com for MR3, you can skip the "config http" context and go directly to "set options contenttype-check". You can skip the corresponding "end" command as well. Just before you make the change, you might want to do a "show" to see if there are any existing "options" already set. The "set" command does not add to existing options settings -- it will replace them. Other than the above, it looks like the other commands should work in MR3.
    Nicholas_Shoemaker
    New Member
    February 15, 2012
        config webfilter profile
            edit "primaryWebProfile"
                set options contenttype-check
                config web
                    set content-header-list 1
                end
            next
        end
    Okay, just got done doing these commands, and it appears to have greatly improved my YouTube loading times. Have tested with five people thus far, and not experienced any lag in starting the videos. Thank you VERY much for the help. Will give it a day or two, and test with some more people, but looking good thus far. Thanks!
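
The thread's caveat that "set options" replaces rather than appends, together with the need to pair contenttype-check with a content-header-list, can be checked from saved "show webfilter profile" output before any change is made. The following is an added example, not part of the original thread or of Fortinet's tooling; the function names are hypothetical and the sample output, including the pre-existing option names and the "guestProfile" entry, is constructed for illustration.

```python
import re

# Constructed sample of `show webfilter profile` output in MR3 syntax
# (illustrative only; the existing option names are assumptions).
SAMPLE_SHOW = '''\
config webfilter profile
    edit "primaryWebProfile"
        set options activexfilter cookiefilter
        config web
            set content-header-list 1
        end
    next
    edit "guestProfile"
        set options contenttype-check
    next
end
'''

def parse_profiles(show_text):
    """Return {profile_name: {"options": [...], "header_list": str or None}}."""
    profiles, current, depth = {}, None, 0
    for raw in show_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1                      # entering a config context
        elif line == "end":
            depth -= 1                      # leaving a config context
        elif depth == 1 and (m := re.match(r'edit "?([^"]+)"?$', line)):
            current = profiles.setdefault(
                m.group(1), {"options": [], "header_list": None})
        elif depth == 1 and line == "next":
            current = None                  # profile entry finished
        elif current is not None and line.startswith("set options "):
            current["options"] = line.split()[2:]
        elif current is not None and line.startswith("set content-header-list "):
            current["header_list"] = line.split()[2]
    return profiles

def merged_options_cmd(profile, want="contenttype-check"):
    """Build a `set options` line that keeps the options already set."""
    opts = list(profile["options"])
    if want not in opts:
        opts.append(want)
    return "set options " + " ".join(opts)

def inactive_header_lists(profiles, want="contenttype-check"):
    """Profiles that reference a content-header list without enabling the check."""
    return [name for name, p in profiles.items()
            if p["header_list"] and want not in p["options"]]
```

Running merged_options_cmd on a parsed profile yields the full line to paste into the CLI, so options that were already enabled on the profile are not dropped by the replace behaviour.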