Description
This article describes the scenario where traffic throughput is unusually low when sending/receiving HTTP or HTTPS traffic (for example, downloading a file from a website), but throughput for other traffic streams seems otherwise fine.
In this scenario, the artificially low HTTP/HTTPS throughput is caused by the FortiGate using a lower-than-expected TCP window size when proxying connections between the client and the HTTP server.
This solution applies if the following conditions are met:
- Other potential causes of low TCP throughput have been ruled out, including packet loss, traffic shaping, network bottlenecks outside of the FortiGate/FortiProxy, etc.
- The significant performance impact is visible for HTTP/HTTPS traffic only.
- The same throughput problem is not visible if the traffic is switched to flow-based firewall policies.
Scope
FortiGate 6.2.0 and later. FortiProxy 1.1.1 and later.
Solution
Create a custom 'Protocol Options' profile (since the 'default' profile is read-only) and, in its config http section, set tcp-window-type to dynamic:
# config firewall profile-protocol-options
After the profile is created, apply it to the appropriate firewall policies. Existing sessions keep the window size they were established with, so they must be cleared or restarted before the change takes effect for them.
Note that this option is present in the config http section only.
By default, the FortiGate/FortiProxy has this option set to 'system', which means that the value of the TCP Window Size is statically set based on the protocol. For HTTP/HTTPS in particular, this can result in an artificial limit being imposed on throughput per TCP stream.
By changing tcp-window-type to dynamic, the FortiGate/FortiProxy can dynamically increase and decrease the TCP window size based on the available system resources, which can allow much higher throughput for HTTP/HTTPS connections.
The following are the relevant options available:
set tcp-window-type (system | static | dynamic)
- system: Use system default TCP window size for this protocol (default).
- static: Manually specify TCP window size (in bytes).
- dynamic: Vary TCP window size based on available memory and within limits of tcp-window-minimum and tcp-window-maximum.
set tcp-window-minimum <65536 - 1048576> (default = 131072; dynamic only)
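The complete CLI sequence described above, written out as an added example (it is not configuration taken from the article): the custom profile with tcp-window-type set to dynamic, its assignment to a proxy-mode firewall policy, and the session clear. The profile name 'http-dynamic-window', the policy ID 10, the tcp-window-maximum value of 8388608 bytes and the use of diagnose sys session clear are assumptions made for this example; the # lines are comments for the reader and are not typed into the CLI.

```fortios
# Custom Protocol Options profile (the built-in 'default' profile is read-only).
# The profile name is an arbitrary choice for this example.
config firewall profile-protocol-options
    edit "http-dynamic-window"
        config http
            set tcp-window-type dynamic
            # Lower bound of the dynamic window in bytes; 131072 is the default from the article.
            set tcp-window-minimum 131072
            # Upper bound of the dynamic window in bytes; 8388608 is an assumed value chosen
            # for this example. A larger window means more buffer memory per HTTP/HTTPS session.
            set tcp-window-maximum 8388608
        end
    next
end

# Assign the profile to the proxy-mode policy that carries the affected HTTP/HTTPS traffic.
# Policy ID 10 is a placeholder for the real policy ID.
config firewall policy
    edit 10
        set inspection-mode proxy
        set profile-protocol-options "http-dynamic-window"
    next
end

# Confirm the profile contains the expected http settings.
show firewall profile-protocol-options http-dynamic-window

# Sessions established before the change keep their old window size. Clearing the
# session table forces clients to re-establish them under the new profile; this drops
# every current session on the unit, so run it in a maintenance window.
diagnose sys session clear
```

The same result can be reached for a single client by closing and reopening its connections instead of clearing the whole session table. Before enabling dynamic windows on a unit that already runs close to its memory limit, compare memory usage before and after the change on a small set of policies first, in line with the caution below.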
Note: Setting tcp-window-type to dynamic will also result in increased memory usage per HTTP/HTTPS connection, because increasing the TCP window size directly increases the amount of buffer memory required to accept incoming data.
If the FortiGate/FortiProxy is undersized for the environment (i.e. memory usage and session counts are very high during normal operation), exercise caution when enabling this option and applying the Protocol Options profile to the firewall policies.
Copyright 2024 Fortinet, Inc. All Rights Reserved.