FortiGate
pjang
Staff & Editor
Article Id 199760
Description

This article describes the scenario where traffic throughput is unusually low when sending/receiving HTTP or HTTPS traffic (for example, downloading a file from a website), but throughput for other traffic streams seems otherwise fine.


In this scenario, the artificially low HTTP/HTTPS throughput is caused by the FortiGate using a smaller-than-expected TCP window size when proxying connections between the client and the HTTP server.


This solution applies if the following conditions are met:

  • Other potential causes of low TCP throughput (packet loss, traffic shaping, network bottlenecks outside the FortiGate/FortiProxy, etc.) have been ruled out.
  • The significant performance impact is visible for HTTP/HTTPS traffic only.
  • The same throughput problem is not visible when the traffic is switched to flow-based firewall policies.

Scope

FortiGate v7.2.0 and later.

FortiProxy.

Solution

Create a custom 'Protocol Options' profile (since the 'default' is read-only) and modify the HTTP config section with tcp-window-type set to dynamic or auto-tuning:


config firewall profile-protocol-options
    edit <Profile Name>
        config http
            set tcp-window-type dynamic
        end
end


Or:


config firewall profile-protocol-options
    edit <Profile Name>
        config http
            set tcp-window-type auto-tuning
        end
end


After the profile is created, it will be necessary to apply it to the appropriate firewall policies.

It will also be necessary to clear/restart existing sessions to take advantage of the change.
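The complete procedure described above (create the profile, apply it to a policy, clear the affected sessions) as one FortiOS CLI sequence. This is an added example, not part of the original article: the profile name 'FastHTTP' and the policy ID 10 are placeholders, and the tcp-window-minimum/maximum values shown are the defaults documented later in this article. The session-clear commands are assumed to apply to the FortiGate; run them in a maintenance window, since clearing sessions interrupts the connections they carry.

```text
# 1. Create a custom Protocol Options profile (the 'default' profile is read-only).
#    Name 'FastHTTP' is a placeholder; the window values are the documented defaults.
config firewall profile-protocol-options
    edit "FastHTTP"
        config http
            set tcp-window-type dynamic
            set tcp-window-minimum 131072
            set tcp-window-maximum 8388608
        end
    next
end

# 2. Apply the profile to the proxy-mode policy that carries the web traffic.
#    Policy ID 10 is a placeholder; use the ID of the affected policy.
config firewall policy
    edit 10
        set inspection-mode proxy
        set profile-protocol-options "FastHTTP"
    next
end

# 3. Verify the profile was saved with the intended window settings.
show full-configuration firewall profile-protocol-options FastHTTP

# 4. Existing sessions keep the old window size, so clear the ones matching the
#    web traffic. Set a filter first: 'diagnose sys session clear' with no filter
#    clears every session on the unit.
diagnose sys session filter clear
diagnose sys session filter dport 443
diagnose sys session clear
diagnose sys session filter clear
diagnose sys session filter dport 80
diagnose sys session clear
diagnose sys session filter clear
```

Re-test throughput only after new sessions have been established through the updated policy; sessions that survived the clear (for example, on other ports) still use the previous window size.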


Note that this option is present in the config http section only.


By default (before FortiOS v7.2.1), the FortiGate/FortiProxy has this option set to 'system', which means that the value of the TCP Window Size is statically set based on the protocol.

For HTTP/HTTPS in particular, this can impose an artificial limit on throughput per TCP stream, since a single stream cannot transfer more than one window of data per round-trip time.


By changing tcp-window-type to dynamic, the FortiGate/FortiProxy can dynamically increase and decrease the TCP window size based on the available system resources, which can allow much higher throughput for HTTP/HTTPS connections.


By changing tcp-window-type to auto-tuning, the FortiGate/FortiProxy likewise increases and decreases the TCP window size dynamically based on the available system resources. The difference from the dynamic option is that there is no minimum value for the receive buffer, and the device falls back to the 'system' value if memory usage reaches 80%.


The following are the relevant options available:


set tcp-window-type (system | static | dynamic | auto-tuning)


  • auto-tuning: Allow the system to auto-tune the TCP window size (default from v7.2.1 onward).
  • system: Use the system default TCP window size for this protocol (default up to v7.2.0).
  • static: Manually specify the TCP window size (in bytes).
  • dynamic: Vary the TCP window size based on available memory, within the limits of tcp-window-minimum and tcp-window-maximum.


set tcp-window-minimum <65536 - 1048576> (default = <131072>; dynamic only)
set tcp-window-maximum <1048576 - 33554432> (default = <8388608>; dynamic only)
set tcp-window-size <65536 - 33554432> (default = <262144>; static only)


If throughput is still low after changing the above configuration, especially for file uploads when deep inspection is used, try changing the ALPN HTTP version (http1-1) and test again.

For the commands and configuration, refer to the document:

HTTP/2 support in proxy mode SSL inspection 


Note:

Setting tcp-window-type to dynamic/auto-tuning will also result in increased memory usage per HTTP/HTTPS connection (increasing TCP Window Size directly increases the amount of memory buffer required to accept incoming data).


If the FortiGate/FortiProxy is undersized for the environment (i.e., the memory usage and session counts are very high during normal operation), then exercise caution when enabling this option and applying the Protocol Options profile to the firewall policies.

To summarize:
If a FortiGate is facing slow website loading times during peak hours, create a custom profile (for example 'FastHTTP') with auto-tuning or dynamic TCP window sizing, apply it to the web traffic policies, and clear existing sessions during a maintenance window. This optimization helps speed up web browsing, especially when the network is busy.