pjang
Staff
Article Id 199760
Description

This article describes a scenario in which throughput is unusually low for HTTP or HTTPS traffic (for example, when downloading a file from a website) while throughput for other traffic streams is fine.

 

In this scenario, the artificially low HTTP/HTTPS throughput is caused by the FortiGate using a lower-than-expected TCP window size when proxying connections between the client and the HTTP server.

 

This solution applies only if all of the following conditions are met:

 

- Other potential causes of low TCP throughput have been ruled out, including packet loss, traffic shaping, and network bottlenecks outside the FortiGate/FortiProxy.

 

- The performance impact is significant and is visible for HTTP/HTTPS traffic only.

 

- The same throughput problem is not visible when the affected firewall policies are switched to flow-based inspection (that is, it only occurs with proxy-based inspection).

Scope

FortiGate 6.2.0 and later.

FortiProxy 1.1.1 and onward.

Solution

Create a custom 'Protocol Options' profile (the 'default' profile is read-only) and, within its http config section, set tcp-window-type to dynamic:

 

config firewall profile-protocol-options
    edit <Profile Name>
        config http
            set tcp-window-type dynamic
        end
    next
end

 

After the profile is created, apply it to the appropriate firewall policies (the profile-protocol-options setting under config firewall policy).

Existing sessions keep the window size they were created with, so they must be cleared or restarted before the change takes effect (for example, with diagnose sys session clear, which affects all sessions and is best done in a maintenance window).

 

Note that the tcp-window-type option is present in the config http section only; the other protocol sections of the profile do not have it.

 

By default, the FortiGate/FortiProxy has this option set to 'system', which means that the TCP window size is fixed to a static value chosen per protocol.

For HTTP/HTTPS in particular, a fixed window caps the amount of unacknowledged data a proxied connection can have in flight, so it imposes an artificial per-stream throughput limit that becomes more noticeable as the round-trip time grows.

 

With tcp-window-type set to dynamic, the FortiGate/FortiProxy can increase and decrease the TCP window size according to available system resources, which allows much higher throughput for HTTP/HTTPS connections.

 

The following are the relevant options available:

 

set tcp-window-type (system | static | dynamic)

 

- system: Use system default TCP window size for this protocol (default).

 

- static: Manually specify TCP window size (in bytes).

 

- dynamic: Vary TCP window size based on available memory and within limits of tcp-window-minimum and tcp-window-maximum.

 

set tcp-window-minimum <65536 - 1048576> (default = <131072>; dynamic only)
set tcp-window-maximum <1048576 - 33554432> (default = <8388608>; dynamic only)
set tcp-window-size <65536 - 33554432> (default = <262144>; static only)
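As an added worked example (not code from the original article or from Fortinet), the script below applies the standard TCP rule of thumb that a single stream cannot exceed window size divided by round-trip time. It shows why the default static window caps per-stream HTTP/HTTPS throughput, sizes tcp-window-minimum/tcp-window-maximum from a target bandwidth and RTT while respecting the ranges listed above, and emits the Protocol Options fragment in the form shown earlier. The profile name 'FastHTTP' and the bandwidth/RTT figures are assumed inputs, not values from the article.

```python
"""Size the FortiGate/FortiProxy HTTP TCP window from the link RTT.

Added example, not code from the original article or from Fortinet. It
applies the TCP rule of thumb (per-stream throughput <= window / RTT),
which is why a fixed receive window caps HTTP/HTTPS throughput, and emits
the 'config firewall profile-protocol-options' fragment the article uses.
The profile name and the bandwidth/RTT figures are assumed inputs.
"""

# Window defaults and permitted ranges in bytes, as listed in the article.
STATIC_DEFAULT = 262_144
DYNAMIC_MIN_DEFAULT = 131_072
DYNAMIC_MAX_DEFAULT = 8_388_608
DYNAMIC_MIN_RANGE = (65_536, 1_048_576)
DYNAMIC_MAX_RANGE = (1_048_576, 33_554_432)


def max_throughput_mbps(window_bytes: int, rtt_ms: float) -> float:
    """Ceiling one TCP stream can reach with this window over rtt_ms.

    At most one window of data is in flight per round trip, so
    bytes/s = window / rtt, which in Mbit/s is window / (rtt_ms * 125).
    """
    return window_bytes / (rtt_ms * 125)


def bandwidth_delay_product(target_mbps: float, rtt_ms: float) -> int:
    """Bytes that must be in flight to sustain target_mbps across rtt_ms.

    Mbit/s * 1e6 / 8 bytes per second * rtt_ms / 1000 simplifies to
    target * rtt_ms * 125, kept in one multiplication to avoid rounding.
    """
    return round(target_mbps * rtt_ms * 125)


def _clamp(value: int, bounds: tuple[int, int]) -> int:
    lo, hi = bounds
    return max(lo, min(hi, value))


def _next_pow2(n: int) -> int:
    p = 1
    while p < n:
        p <<= 1
    return p


def plan_dynamic_window(target_mbps: float, rtt_ms: float) -> dict:
    """Choose tcp-window-minimum/maximum so the dynamic range covers the BDP."""
    bdp = bandwidth_delay_product(target_mbps, rtt_ms)
    # Round the ceiling up to a power of two and keep it inside the CLI range.
    window_max = _clamp(_next_pow2(bdp), DYNAMIC_MAX_RANGE)
    # Leave the floor at its default unless the BDP itself is smaller.
    window_min = _clamp(min(DYNAMIC_MIN_DEFAULT, bdp), DYNAMIC_MIN_RANGE)
    return {
        "bdp_bytes": bdp,
        "tcp_window_minimum": window_min,
        "tcp_window_maximum": window_max,
        # True when the default dynamic ceiling already covers the target,
        # so only 'set tcp-window-type dynamic' is strictly needed.
        "default_max_sufficient": bdp <= DYNAMIC_MAX_DEFAULT,
    }


def render_profile(name: str, target_mbps: float, rtt_ms: float) -> str:
    """FortiOS CLI fragment for a custom Protocol Options profile."""
    plan = plan_dynamic_window(target_mbps, rtt_ms)
    lines = [
        "config firewall profile-protocol-options",
        f"    edit {name}",
        "        config http",
        "            set tcp-window-type dynamic",
        f"            set tcp-window-minimum {plan['tcp_window_minimum']}",
        f"            set tcp-window-maximum {plan['tcp_window_maximum']}",
        "        end",
        "    next",
        "end",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed scenario: 1 Gbit/s WAN with 80 ms RTT to the web server.
    rtt_ms, target_mbps = 80.0, 1000.0
    print(f"static default ({STATIC_DEFAULT} B) caps a stream at "
          f"{max_throughput_mbps(STATIC_DEFAULT, rtt_ms):.1f} Mbit/s")
    print(f"dynamic default max ({DYNAMIC_MAX_DEFAULT} B) caps a stream at "
          f"{max_throughput_mbps(DYNAMIC_MAX_DEFAULT, rtt_ms):.1f} Mbit/s")
    print(render_profile("FastHTTP", target_mbps, rtt_ms))
```

In the constructed 80 ms scenario the static default of 262144 bytes limits a single download to roughly 26 Mbit/s regardless of link speed, which is the symptom the article describes, while the dynamic default ceiling of 8 MiB allows about 839 Mbit/s. Raising tcp-window-maximum further only helps if the FortiGate has memory to spare, because each proxied connection may buffer up to that many bytes.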

 

Note:

Setting tcp-window-type to dynamic also increases memory usage per HTTP/HTTPS connection, because a larger TCP window directly increases the buffer the FortiGate must reserve to accept incoming data for that connection.

 

If the FortiGate/FortiProxy is undersized for the environment (that is, memory usage and session counts are already high during normal operation), exercise caution when enabling this option and applying the Protocol Options profile to firewall policies: check memory usage after the change and keep tcp-window-maximum at the default unless higher throughput is actually required.

In summary:
If a FortiGate shows slow website loading times during peak hours and the conditions above are met, create a custom Protocol Options profile (for example, 'FastHTTP') with dynamic TCP window sizing, apply it to the web traffic policies, and clear existing sessions during a maintenance window. This removes the per-stream window limit and speeds up web browsing, especially when the network is busy.