- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Traffic through fortigate firewall is extremely sl...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Traffic through fortigate firewall is extremely sluggish for some situations.
Depending on how a client gets out to the Internet, through the FG, is either very quick, or very sluggish.
client -> Linux proxy(port 3128) -> Fortigate(443) - Outside(443). Very quick
client -> Fortigate( Explicit Proxy port 3128) - Outside(443). Very quick
client -> Fortigate(443) - Outside(443). Extremely slow, and often times out.
The Linux proxy is in the same subnet as the client.(client is .4, proxy is .5) So it does not appear to be routing related. To the FortiGate the proxy should have the same path as the client. Hits the same rules, same routing...etc.
The client use the FG to resolve DNS and that does not seem to be affected. Reply come quickly.
The only main difference is that the client is Windows, and the proxy is Linux.
Am sure I'm missing something, but not sure what.
FG 6.4.12, Virtual.
Labels:
- Labels:
-
FortiGate
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What about the NIC card or connectivity differences between the Linux proxy and the windows client? Is the Linux a server with a 10G network card and the windows is a wireless device?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One of the clients and the FG are in Azure, but also have issues with a Windows 10 Vmware box coming in through a VPN. The VMs in Azure are different sizes, but the networking should be the same. Aside from the OS.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So the "fast" Linux box is in Azure? But the other client is not? That VPN tunnel is probably your bottleneck no? Maybe I'm not following here, can you give some more details on the flow?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Basically, any client wanting to go out directly through the FG experiences slow 20+ second (or worse) load times for even the simplest sites. If a client uses either an Azure VM acting as a web proxy, or uses the FG as the web proxy, the responses are immediate. Have verified that the speediness is not related to caching on the proxy, and am pretty sure the FG does not do any. So the Azure proxy VM can access the Internet through the FG quickly, but any web client, whether inside Azure or from an external VPN, experience the slowness, and connections attempts often time out.. The odd thing to me, is that the web proxy in Azure has no slowness or time out issues when it goes through the FG on behalf of the client. But the same client going directly to the FG does. And it does not seem to matter where the client is located.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try changing the MSS to ~1350 and check. Just assuming the client is negotiating a higher MSS value compared to the proxy devices.
# config firewall policy
edit <policy id>
set tcp-mss-sender <mss value>
set tcp-mss-receiver <mss value>
If this doesn't help, taking a pcap for the non working scenario (pcap from client, inside and outside interface on fortigate) simultaneously could give us some more idea.
set tcp-mss-receiver <mss value>
If this doesn't help, taking a pcap for the non working scenario (pcap from client, inside and outside interface on fortigate) simultaneously could give us some more idea.
Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok. tried the settings. no change. will see if I can gather more info
Related Posts
- Fortigate with Mikrotik Site to site... 384 Views
- FortiGate 80F and MFA Issues 918 Views
- Significant Throttling over SSLVPN FortiClient 758 Views
- FortiGate 400E FortiOS 7.0.13 WAD extreme... 573 Views
- FortiAPs are not visible (detected) by... 611 Views
Labels
-
FortiGate
6,453 -
FortiClient
1,289 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
410 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
67 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.