FortiGate
aneshcheret
Staff
Article Id 195947

Description

This article describes how a FortiGate acting as an explicit Web Proxy influences the TCP Window Scaling process.

Scope

FortiGate.

Solution


In some cases, the TCP window size becomes the bottleneck of a TCP connection.
In theory, when other factors (bandwidth, memory, CPU, and so on) are not the bottleneck and the latency (L) between client and server is fixed, the maximum throughput (MaxThr) is capped by the TCP window size (W) as follows:

Maximum Throughput (MaxThr) = TCP Window size (W) / Latency (L).
 
Note:
Everything below applies strictly to a FortiGate running as an Explicit Web Proxy; the options for modifying or influencing the TCP window size apply to HTTP/HTTPS traffic only.
 
Before FortiOS 6.2, the FortiGate calculated the TCP window size dynamically from the available system resources (mainly the amount of free RAM).
There was no option to influence or configure the TCP window size.
 
Starting from FortiOS 6.2, the TCP window size can be modified.
Starting from FortiOS 7.0.6, a new option, 'auto-tuning', was added and became the default. The available options are:
  • 'auto-tuning': Allow the system to auto-tune the TCP window size.
  • 'system': Let the FortiGate dynamically allocate the TCP window size based on the available system resources.
  • 'dynamic': Set a minimum and a maximum TCP window size; the FortiGate chooses a value within that range based on the available system resources.
  • 'static': Define a fixed TCP window size.
 
The TCP window size is configured under Proxy Options via the CLI (the parenthetical notes show which values are valid for each option):
 
config firewall profile-protocol-options
    edit proxy_option_name
        config http
            set tcp-window-type system (auto-tuning | system | static | dynamic)
            set tcp-window-minimum 131072 (dynamic only)
            set tcp-window-maximum 8388608 (dynamic only)
            set tcp-window-size 262144 (static only)
        end
    next
end
 
When tcp-window-type is auto-tuning, system, or dynamic, the trigger for TCP window size adjustment can also be modified.
The trigger is the minimum percentage change in total free memory required before the WAD process adjusts the TCP window:
 
config system global
    set wad-memory-change-granularity 10
end
 
Valid values are 5 to 25 (percent); the default is 10.

Important note:
Be careful when modifying the TCP window size. Increasing it can be risky, especially on a proxy that handles many concurrent TCP connections: when the forwarding speed on the client side differs greatly from that on the server side, each connection consumes more memory.
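The following is an added example (not Fortinet code) that ties the formula MaxThr = W / L to the tcp-window-type settings above and to the memory caveat: it computes the window a target throughput needs at a given latency, checks whether a static or dynamic profile can grant it, and gives a rough memory estimate for many concurrent connections. The per-connection memory model (one full window per proxied connection) is an assumption for illustration, not a FortiOS figure.

```python
# Added example, not Fortinet code: size a proxy TCP window from the page's
# formula MaxThr = W / L, check it against a profile-protocol-options
# 'config http' block, and estimate memory pinned by concurrent connections
# (the per-connection memory model below is an assumption, not a FortiOS figure).

def required_window_bytes(target_bps: int, latency_ms: int) -> int:
    """Window W (bytes) so that W / L reaches target_bps; exact integer ceiling."""
    if target_bps <= 0 or latency_ms <= 0:
        raise ValueError("throughput and latency must be positive")
    return -(-(target_bps * latency_ms) // 8000)

def max_throughput_bps(window_bytes: int, latency_ms: int) -> float:
    """MaxThr (bit/s) the formula allows for a given window and latency."""
    return window_bytes * 8000 / latency_ms

def effective_window(http_opts: dict, required: int):
    """Window the proxy would grant under a 'config http' block (keys mirror
    the CLI names).  None for auto-tuning/system: those depend on free
    memory at run time, so no static answer exists."""
    mode = http_opts["tcp-window-type"]
    if mode == "static":
        return http_opts["tcp-window-size"]
    if mode == "dynamic":
        lo, hi = http_opts["tcp-window-minimum"], http_opts["tcp-window-maximum"]
        return min(max(required, lo), hi)
    return None

def window_fits(http_opts: dict, target_bps: int, latency_ms: int):
    """True/False if the configured window can carry target_bps, None if
    the mode is resource-driven."""
    need = required_window_bytes(target_bps, latency_ms)
    got = effective_window(http_opts, need)
    return None if got is None else got >= need

def buffer_memory_bytes(window_bytes: int, connections: int) -> int:
    """Rough upper bound: assume each proxied connection may hold one full
    window of in-flight data (assumption; real cost depends on the
    client/server speed mismatch the article warns about)."""
    return window_bytes * connections

if __name__ == "__main__":
    static = {"tcp-window-type": "static", "tcp-window-size": 262144}
    dynamic = {"tcp-window-type": "dynamic",
               "tcp-window-minimum": 131072, "tcp-window-maximum": 8388608}
    need = required_window_bytes(100_000_000, 50)  # constructed: 100 Mbit/s, 50 ms
    print("window needed:", need, "bytes")
    print("static 262144 caps throughput at", max_throughput_bps(262144, 50), "bit/s")
    print("static fits:", window_fits(static, 100_000_000, 50))
    print("dynamic fits:", window_fits(dynamic, 100_000_000, 50))
    print("20000 flows could pin", buffer_memory_bytes(need, 20000), "bytes")
```

With the constructed 100 Mbit/s over 50 ms scenario, the page's static example (262144 bytes) caps throughput at about 42 Mbit/s, while the dynamic range can grant the 625000 bytes needed; at 20000 concurrent flows that window could pin roughly 12.5 GB, which is the risk the note above describes.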