FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
aneshcheret
Staff
Article Id 195947
Description
This article describes how a FortiGate running as an explicit web proxy influences TCP window scaling, and how the window size can be tuned from FortiOS 6.2 onwards.

Solution
In some cases the TCP window size becomes the bottleneck of a TCP connection.
In theory, when no other factor (bandwidth, memory, CPU, etc.) is the bottleneck, the maximum throughput (MaxThr) is capped by the TCP window size (W) for a fixed latency (L) between client and server, where L is the round-trip time:

Maximum Throughput (MaxThr) = TCP Window size (W) / Latency (L)

In other words, the window must be at least as large as the bandwidth-delay product (target throughput multiplied by round-trip time) before the link, rather than the window, limits the connection.

Note: Everything below applies strictly to a FortiGate running as an Explicit Web Proxy, and the options for modifying or influencing the TCP window size apply to HTTP/HTTPS traffic only.

Prior to FortiOS 6.2, the TCP window size was calculated dynamically by the FortiGate based on the available system resources (mainly the amount of free RAM).
There was no option to influence or configure the TCP window size.

Starting with FortiOS 6.2, the TCP window size can be modified. The possible options are:
- "system": let the FortiGate allocate the TCP window size dynamically, based on the available system resources (the pre-6.2 behaviour).
- "dynamic": set a minimum and a maximum TCP window size; the FortiGate allocates a window within that range based on the available system resources.
- "static": define a fixed TCP window size that is used regardless of system load.

The TCP window size is configured per protocol-options profile via the CLI (the values shown are the defaults; the bracketed text indicates which window type each setting applies to):
#config firewall profile-protocol-options
    edit proxy_option_name
        config http
            set tcp-window-type system (system | static | dynamic)
            set tcp-window-minimum 131072 (dynamic only)
            set tcp-window-maximum 8388608 (dynamic only)
            set tcp-window-size 262144 (static only)
        end
    next
end
When tcp-window-type is system or dynamic, it is also possible to modify the trigger for the TCP window size adjustment.
The trigger is the minimum percentage change in total free memory that must occur before the WAD proxy daemon re-adjusts the TCP window:
#config system global
    set wad-memory-change-granularity 10
end
Valid values are 5 to 25 (percent); the default is 10. A smaller value makes WAD react sooner to memory pressure at the cost of more frequent window changes.
 
Important note: Be careful when modifying the TCP window size. Increasing it can be risky, especially on a proxy that handles many concurrent TCP connections.
When the forwarding speed on the client side differs greatly from the server side, the proxy has to buffer the difference, so a larger window raises the memory cost of every individual connection; multiplied by the number of concurrent connections, this can exhaust memory on the unit.
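The sizing arithmetic behind the MaxThr = W / L formula above and the memory caveat just stated, as an added worked example in Python. This is not Fortinet code and does not talk to a FortiGate: it rearranges the formula to find the window a connection needs, applies the static/dynamic bounds from the CLI listing on this page, and estimates the worst-case proxy buffer memory. The per-connection buffering model (one window per direction), the traffic figures, the 16 GiB budget and the profile name are constructed assumptions for illustration only.

```python
"""Window sizing helper for a FortiGate explicit web proxy (added example, not FortiOS code)."""
from dataclasses import dataclass
from typing import Optional

# Defaults taken from the CLI listing on this page.
DEFAULT_MIN = 131072      # tcp-window-minimum (dynamic only)
DEFAULT_MAX = 8388608     # tcp-window-maximum (dynamic only)
DEFAULT_STATIC = 262144   # tcp-window-size   (static only)


@dataclass
class WindowPolicy:
    """Mirror of the 'config http' window settings in a profile-protocol-options entry."""
    window_type: str              # "system", "dynamic" or "static"
    minimum: int = DEFAULT_MIN    # used by dynamic only
    maximum: int = DEFAULT_MAX    # used by dynamic only
    size: int = DEFAULT_STATIC    # used by static only

    def cli(self, name: str) -> str:
        """Render the FortiOS CLI fragment for this policy (same commands as the page)."""
        lines = [
            "config firewall profile-protocol-options",
            f"    edit {name}",
            "        config http",
            f"            set tcp-window-type {self.window_type}",
        ]
        if self.window_type == "dynamic":
            lines.append(f"            set tcp-window-minimum {self.minimum}")
            lines.append(f"            set tcp-window-maximum {self.maximum}")
        elif self.window_type == "static":
            lines.append(f"            set tcp-window-size {self.size}")
        lines += ["        end", "    next", "end"]
        return "\n".join(lines)


def required_window(target_bps: int, rtt_ms: int) -> int:
    """Bandwidth-delay product: smallest window (bytes) that sustains target_bps over rtt_ms.
    Rearranges MaxThr = W / L into W = MaxThr * L (bits -> bytes, ms -> s), rounded up."""
    return -(-target_bps * rtt_ms // 8000)   # integer ceiling division


def max_throughput_bps(window_bytes: int, rtt_ms: int) -> float:
    """MaxThr = W / L with W in bytes and L as round-trip time in ms; result in bit/s."""
    return window_bytes * 8 * 1000 / rtt_ms


def granted_window(policy: WindowPolicy, needed: int) -> Optional[int]:
    """Window the policy can actually give a connection that wants `needed` bytes.
    Returns None for 'system': that ceiling depends on free RAM at runtime and
    cannot be predicted from the configuration alone."""
    if policy.window_type == "static":
        return policy.size
    if policy.window_type == "dynamic":
        return min(max(needed, policy.minimum), policy.maximum)
    return None


def worst_case_buffer(window_bytes: int, concurrent: int) -> int:
    """ASSUMPTION (illustrative model, not a Fortinet figure): when client and server
    sides drain at very different rates the proxy may hold up to one window of data
    per direction for every connection, so worst case = window * 2 * concurrent."""
    return window_bytes * 2 * concurrent


def assess(policy: WindowPolicy, target_bps: int, rtt_ms: int,
           concurrent: int, ram_budget_bytes: int) -> dict:
    """Compare what a connection needs with what the policy grants and what it costs."""
    needed = required_window(target_bps, rtt_ms)
    granted = granted_window(policy, needed)
    if granted is None:
        return {"needed": needed, "granted": None, "capped_bps": None,
                "buffer": None, "fits": None}
    buffer = worst_case_buffer(granted, concurrent)
    return {"needed": needed, "granted": granted,
            "capped_bps": max_throughput_bps(granted, rtt_ms),
            "buffer": buffer, "fits": buffer <= ram_budget_bytes}


if __name__ == "__main__":
    # Constructed scenario: 1 Gbit/s target per flow, 100 ms RTT, 10,000 concurrent
    # proxied connections, 16 GiB of RAM set aside for WAD buffers.
    TARGET, RTT, CONNS, BUDGET = 1_000_000_000, 100, 10_000, 16 * 2**30
    for policy in (WindowPolicy("dynamic"), WindowPolicy("static"), WindowPolicy("system")):
        print(policy.cli("proxy_option_name"))
        print(assess(policy, TARGET, RTT, CONNS, BUDGET), "\n")
```

With the constructed numbers a single flow would need a 12,500,000-byte window; the default dynamic maximum of 8388608 caps it at roughly 671 Mbit/s, and granting that window to 10,000 connections could cost about 156 GiB in the worst case, far over the budget. The default static size of 262144 fits in memory but caps each flow at about 21 Mbit/s, which is the trade-off the note above warns about.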
