Description

This document describes how a FortiGate running as a Web Proxy influences the TCP Window Scaling process.

Solution

In some cases, the TCP window size may become the bottleneck of a TCP connection.
In theory, when other factors (e.g. bandwidth, memory, CPU) are not the bottleneck, the Maximum Throughput (MaxThr) is capped by the TCP Window size (W), assuming the Latency (L) between client and server is fixed, as follows:
Maximum Throughput (MaxThr) = TCP Window size (W) / Latency (L)
Note: Everything below applies strictly to a FortiGate running as an Explicit Web Proxy, and the options for modifying/influencing the TCP Window size apply to HTTP/HTTPS traffic only.
Prior to FortiOS 6.2, the TCP Window size was calculated dynamically by the FortiGate based on the available system resources (mainly the amount of available RAM).
There was no option to influence or configure the TCP Window size.
Starting from FortiOS 6.2, the TCP Window size can be modified. The possible options are:
- “system”: Let the FortiGate dynamically allocate TCP Window size based on the available system resources.
- “dynamic”: Set the minimum and maximum TCP Window size; the actual size is allocated within these bounds based on the available system resources.
- “static”: Define a static TCP Window Size.
The TCP Window size can be configured under Proxy Options via the CLI:

# config firewall profile-protocol-options
    edit <proxy_option_name>
        config http
            set tcp-window-type system      (system | static | dynamic)
            set tcp-window-minimum 131072   (dynamic only)
            set tcp-window-maximum 8388608  (dynamic only)
            set tcp-window-size 262144      (static only)
        end
    next
end
When using tcp-window-type system or dynamic, it is also possible to modify the trigger for the TCP window size adjustment.
The trigger is the minimum percentage change in total free memory required before WAD (the FortiGate proxy daemon) adjusts the TCP window:

# config system global
    set wad-memory-change-granularity 10
end

Valid values are 5-25 (percent); the default is 10.
Important note: Be careful when modifying the TCP window size. Increasing it can be risky, especially on a proxy that handles many concurrent TCP connections.
When the forwarding speed differs greatly between the client side and the server side, a larger window increases the memory cost of each individual connection.
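The following worked example is added here and is not Fortinet's code. It applies the rule of thumb MaxThr = W / L from the Solution section, using the window values quoted in the CLI example above (static 262144 bytes, dynamic bounds 131072 to 8388608 bytes), and goes one step further than the article: it also computes the window a given throughput target requires at a given round-trip time, and a constructed worst-case estimate of the buffer memory a window implies across many concurrent connections (the risk the Important note describes). The clamping behaviour of the dynamic type and the per-side buffer model are assumptions, not Fortinet's internal accounting.

```python
import math

# Added worked example; not Fortinet's code. It applies the page's rule of thumb
# MaxThr = W / L (window is the only bottleneck) and the FortiGate window values
# quoted on the page. Memory figures are a constructed worst-case estimate,
# not Fortinet's internal buffer accounting.

# Values taken from the page's CLI example
STATIC_WINDOW = 262144   # set tcp-window-size 262144 (static)
DYNAMIC_MIN = 131072     # set tcp-window-minimum 131072 (dynamic)
DYNAMIC_MAX = 8388608    # set tcp-window-maximum 8388608 (dynamic)


def max_throughput_bps(window_bytes: int, rtt_ms: int) -> float:
    """Throughput ceiling in bit/s when the TCP window is the bottleneck.

    One window of data can be in flight per round trip, so MaxThr = W / L
    with L taken as the round-trip time in milliseconds.
    """
    if rtt_ms <= 0:
        raise ValueError("latency must be positive")
    return window_bytes * 8 * 1000 / rtt_ms


def window_for_throughput(target_bps: float, rtt_ms: int) -> int:
    """Smallest window (bytes) that does not cap throughput below target_bps.

    This is the bandwidth-delay product, rounded up to a whole byte.
    """
    if rtt_ms <= 0:
        raise ValueError("latency must be positive")
    return math.ceil(target_bps * rtt_ms / 1000 / 8)


def dynamic_window(required: int, minimum: int = DYNAMIC_MIN,
                   maximum: int = DYNAMIC_MAX) -> int:
    """Window a 'dynamic' profile could offer: the required size clamped to
    the configured tcp-window-minimum / tcp-window-maximum bounds.

    Assumption: the FortiGate never leaves these bounds; how it picks a value
    inside them depends on free memory and is not modelled here.
    """
    if minimum > maximum:
        raise ValueError("tcp-window-minimum must not exceed tcp-window-maximum")
    return max(minimum, min(required, maximum))


def worst_case_buffer_bytes(window_bytes: int, connections: int, sides: int = 2) -> int:
    """Constructed worst-case estimate of proxy buffer memory.

    Assumes every connection fills a full window on each side the proxy
    terminates (client-facing and server-facing), which is what happens when
    one side forwards much faster than the other. Real usage is usually lower.
    """
    return window_bytes * sides * connections


def report(rtt_ms: int, target_bps: float, connections: int) -> dict:
    """Summarise what a static vs. dynamic window means for one deployment."""
    required = window_for_throughput(target_bps, rtt_ms)
    chosen = dynamic_window(required)
    return {
        "static_cap_bps": max_throughput_bps(STATIC_WINDOW, rtt_ms),
        "required_window": required,
        "dynamic_window": chosen,
        "dynamic_cap_bps": max_throughput_bps(chosen, rtt_ms),
        "static_worst_case_mem": worst_case_buffer_bytes(STATIC_WINDOW, connections),
        "dynamic_worst_case_mem": worst_case_buffer_bytes(chosen, connections),
    }


if __name__ == "__main__":
    # Constructed scenario: 100 ms RTT, 100 Mbit/s target, 10,000 concurrent connections
    for key, value in report(rtt_ms=100, target_bps=100_000_000, connections=10_000).items():
        print(f"{key:>24}: {value:,.0f}")
```

With the constructed scenario (100 ms RTT, 100 Mbit/s target), the static 262144-byte window caps a single connection at about 21 Mbit/s, while reaching the target needs a 1,250,000-byte window, which the dynamic bounds allow. The same script shows the cost side: at 10,000 concurrent connections the larger window moves the worst-case buffer estimate from roughly 5.2 GB to 25 GB, which is why the Important note warns against raising the window on a busy proxy.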