Created on 11-29-2021 12:13 AM. Edited on 01-17-2025 03:16 AM by Jean-Philippe_P.
Description
This article describes the scenario where traffic throughput is unusually low when sending/receiving HTTP or HTTPS traffic (for example, downloading a file from a website), but throughput for other traffic streams seems otherwise fine.
In this scenario, artificially low HTTP/HTTPS throughput will be visible, caused by the FortiGate using a lower-than-expected TCP Window Size when proxying connections between the client and the HTTP server.
This solution applies if the following conditions are met:
Scope
FortiGate v6.2.0 and later. FortiProxy.
Solution
Create a custom 'Protocol Options' profile (since the 'default' profile is read-only) and modify its HTTP config section so that tcp-window-type is set to dynamic:

```
config firewall profile-protocol-options
```
After the profile is created, apply it to the appropriate firewall policies. Existing sessions must also be cleared or restarted so that they take advantage of the change.
Note that this option is present in the config http section only.
By default, the FortiGate/FortiProxy has this option set to 'system', which means that the value of the TCP Window Size is statically set based on the protocol. For HTTP/HTTPS in particular, this can result in an artificial limit being imposed on throughput per TCP stream.
By changing tcp-window-type to dynamic, the FortiGate/FortiProxy is enabled to dynamically increase and decrease the TCP Window size based on the available system resources, which can allow for much higher throughput for HTTP/HTTPS connections.
The following are the relevant options available:
set tcp-window-type (system | static | dynamic)
set tcp-window-minimum <65536 - 1048576> (default = 131072; dynamic only)
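The full CLI sequence for the steps described above, added here as an example (not from the original article). The profile name "dyn-window-proto-opts" and policy ID 10 are placeholders, and the policy is assumed to already run proxy-based inspection with UTM enabled.

```text
# Added example: profile name and policy ID are placeholders.

# 1. Create a custom Protocol Options profile with a dynamic TCP window for HTTP/HTTPS.
config firewall profile-protocol-options
    edit "dyn-window-proto-opts"
        config http
            set tcp-window-type dynamic
            set tcp-window-minimum 131072
        end
    next
end

# 2. Apply the profile to the firewall policy carrying the affected traffic.
config firewall policy
    edit 10
        set inspection-mode proxy
        set utm-status enable
        set profile-protocol-options "dyn-window-proto-opts"
    next
end

# 3. Clear the existing sessions matching that policy so new sessions pick up the change.
diagnose sys session filter policy 10
diagnose sys session clear

# 4. Verify the profile and watch memory usage afterwards (see the note below).
show firewall profile-protocol-options dyn-window-proto-opts
get system performance status
```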
If throughput is still low after applying the above configuration, especially for file uploads when deep inspection is used, try changing the ALPN HTTP version to http1-1 and test again. For the command and configuration, refer to the document 'HTTP/2 support in proxy mode SSL inspection'.
Note: setting tcp-window-type to dynamic will also increase memory usage per HTTP/HTTPS connection (a larger TCP Window Size directly increases the amount of buffer memory required to accept incoming data).
If the FortiGate/FortiProxy is undersized for the environment (i.e. memory usage and session counts are already very high during normal operation), exercise caution when enabling this option and applying the Protocol Options profile to the firewall policies.