Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor III

Traffic through fortigate firewall is extremely sluggish for some situations.

Depending on how a client gets out to the Internet, through the FG, is either very quick, or very sluggish.

client -> Linux proxy(port 3128) -> Fortigate(443) - Outside(443).  Very quick

client -> Fortigate( Explicit Proxy port 3128) - Outside(443).  Very quick

client  -> Fortigate(443) - Outside(443).  Extremely slow, and often times out.


The Linux proxy is in the same subnet as the client.(client is .4, proxy is .5)  So it does not appear to be routing related.  To the FortiGate the proxy should have the same path as the client.  Hits the same rules, same routing...etc.

The client use the FG to resolve DNS and that does not seem to be affected. Reply come quickly.

The only main difference is that the client is Windows, and the proxy is Linux.


Am sure I'm  missing something, but not sure what.


FG 6.4.12, Virtual.


What about the NIC card or connectivity differences between the Linux proxy and the windows client?  Is the Linux a server with a 10G network card and the windows is a wireless device?  

New Contributor III

One of the clients and the FG are in Azure, but also have issues with a Windows 10 Vmware box coming in through a VPN.  The VMs in Azure are different sizes, but the networking should be the same. Aside from the OS.


So the "fast" Linux box is in Azure?  But the other client is not?  That VPN tunnel is probably your bottleneck no?  Maybe I'm not following here, can you give some more details on the flow?

New Contributor III

Basically, any client wanting to go out directly through the FG experiences slow 20+ second (or worse) load times for even the simplest sites. If a client uses either an Azure VM acting as a web proxy, or uses the FG as the web proxy, the responses are immediate.  Have verified that the speediness is not related to caching on the proxy, and am pretty sure the FG does not do any.  So the Azure proxy VM can access the Internet through the FG quickly, but any web client, whether inside Azure or from an external VPN, experience the slowness, and connections attempts often time out..  The odd thing to me, is that the web proxy in Azure has no slowness or time out issues when it goes through the FG on behalf of the client. But the same client going directly to the FG does. And it does not seem to matter where the client is located.


Can you try changing the MSS to ~1350 and check. Just assuming the client is negotiating a higher MSS value compared to the proxy devices.


# config firewall policy
    edit <policy id>
         set tcp-mss-sender <mss value>
         set tcp-mss-receiver <mss value>

If this doesn't help, taking a pcap for the non working scenario (pcap from client, inside and outside interface on fortigate) simultaneously could give us some more idea.
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
New Contributor III

ok.  tried the settings. no change.  will see if I can gather more info


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors