FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 246189
Description This article describes an issue where a virtual server stops working after upgrading to FortiOS v7.2.4 build 1396 and offers a workaround.

FortiGate v7.2.4 and later.


Virtual server configuration fails to work when multiple HTTP/2 streams are opened from the client side if the real server-side uses the HTTP/1.1 stream. The client-side closes all the HTTP/2 streams before all HTTP/1.1 streams can be completed. 


Use web browser developer tools to check if the client side is using HTTP/2. If so, information similar to the following snapshot will be visible:




Support for HTTP2 was added in FortiOS 7.2.4 as NFR 818343. See the release notes for more information.




Set the value of 'http-supported-max-version' inside 'config firewall vip' of the affected virtual server to 'http1'.


CLI reference guide:


In FortiOS 7.2.4 - 7.2.6, and 7.4.0:


config firewall vip 

    edit <virtual_server_name>

        set http-supported-max-version [http1|http2]<----- Set it to http1.




To disable HTPP2 support in 7.4.1 and later:


config firewall vip

edit <virtual_server_name>

set h2-support disable




After making the changes, the client side will show HTTP/1.1 and not HTTP/2. The connection will succeed and the virtual server will work as expected. A working snippet from the developer tools will show information similar to the following:




Additional information and explanation:


Versions before v7.2.4 (such as v7.2.3) did not support HTTP2. HTTP2 support was introduced in v7.2.4. Refer to FortiOS Release Notes v7.2.4 new features. There was a small issue that was fixed in bug 884578 with version FOS v7.2.5.


This feature may introduce issues if the end server does not support HTTP2. The client now will be able to attempt to negotiate with HTTP2 and as the FortiGate now supports it, it will allow but then issues may arise because the end server lacks HTTP2 support.


If HTTP multiplex is disabled and the real server in VIP does not support http2, some technical issues will occur with supporting http2 in the client-to-VIP side connection.

To support http2 in a virtual server when the real server does not support http2, FortiGate (wad) will attempt to make multiple HTTP connections to the server. Since HTTP-multiplex is not enabled, the same address and port will be used as the original client. Then, in the second connect attempt, the connection fails due to the address already being in use.


The workaround is to enable 'http-multiplex' or set max-version http1 (as shown in this article).

  • Note that if http-multiplex is enabled, the FortiGate device will use its interface address to connect to the real server, which will result in the server not being able to know the original client IP address and port.
  • Usually, this will not create issues, but the experience may vary from application to application.