
CLI Reference

config load-balance http3-profile

HTTP/3 is the latest version of the HTTP protocol. Unlike previous versions, which relied on TCP to handle streams in the HTTP layer, HTTP/3 uses QUIC (Quick UDP Internet Connections), a multiplexed transport protocol built on UDP. Because it uses QUIC, HTTP/3 has lower latency: it establishes a secure session with a quicker handshake than HTTP/2, which does so using TCP and TLS.

Use the config load-balance http3-profile command to configure an HTTP3 profile that can then be referenced by HTTPS application profiles. Once referenced, the HTTPS profile becomes an HTTP/3 load balance profile and the virtual server (VS) that references the profile becomes an HTTP/3 VS. An HTTP/3 VS can only operate under an L7-HTTPS VS.

An HTTP/3 VS listens on the TCP port and the corresponding UDP port at the same time.

FortiADC does not support server-side HTTP/3. Instead, HTTP/3 is supported from the client to the ADC and is then converted to HTTP/1 (conversion to HTTP/2 is not supported).

In version 7.4.0, FortiADC introduces HTTP/3 support as an experimental feature with limited HTTP/3 functionality, so it is not recommended for use in production environments. For details, see HTTP/3 supported functionality and limitations.

A predefined profile is available to be referenced in HTTPS application profiles. All values in the predefined profile are view-only and cannot be modified.

Profile: LB_HTTP3_PROFILE_DEFAULT

Description:

  • max-streams: 5

  • max-idle-timeout: 50

  • connection-tx-buffers: 30

  • quic-cc-algo: cubic

Syntax

    config load-balance http3-profile
      edit <name>
        set max-streams <integer>
        set max-idle-timeout <integer>
        set connection-tx-buffers <integer>
        set quic-cc-algo {cubic|newreno}
      next
    end

max-streams

Specify the maximum allowable number of HTTP/3 QUIC streams. The default value is 5, and the range is 1-200.

max-idle-timeout

Specify the HTTP/3 QUIC connection idle timeout in seconds.

When no data is transmitted over the HTTP/3 connection for the specified time, the HTTP/3 connection times out. The HTTP/3 connection is tracked using a unique connection-ID instead of a UDP session.

The default value is 50 seconds, and the range is 1-86400 seconds.

connection-tx-buffers

Specify the number of buffers to send on the HTTP/3 QUIC connection.

This parameter significantly affects performance in the HTTP/3 response direction. The more buffers that are sent, the higher the performance; however, memory usage also increases.

The default value is 30, and the range is 5-100.

quic-cc-algo

FortiADC supports Cubic and New Reno loss-based congestion control for QUIC, where the congestion control responds to packet loss events.

Select the QUIC congestion algorithm to use:

  • cubic

  • newreno

Cubic is the default congestion control algorithm.

Example

    config load-balance http3-profile
      edit 1
        set max-streams 5
        set max-idle-timeout 50
        set connection-tx-buffers 30
        set quic-cc-algo cubic
      next
    end
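
A configuration audit can check saved http3-profile blocks against the ranges documented above before they are pushed to a device. The following Python linter is an added example, not part of the Fortinet documentation or tooling; the function name lint_http3_profiles and the sample text are constructed, and it assumes the saved configuration uses the syntax shown on this page.

```python
import re

# Ranges and choices as documented on this page for http3-profile options.
INT_RANGES = {"max-streams": (1, 200), "max-idle-timeout": (1, 86400),
              "connection-tx-buffers": (5, 100)}
CC_ALGOS = {"cubic", "newreno"}


def lint_http3_profiles(config_text):
    """Return (profile, message) findings for http3-profile blocks in config_text."""
    findings, in_section, profile = [], False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config load-balance http3-profile":
            in_section = True
        elif not in_section:
            continue  # other config sections are out of scope
        elif line == "end":
            in_section, profile = False, None
        elif line == "next":
            profile = None
        elif line.startswith("edit "):
            profile = line[5:].strip().strip('"')
        elif line.startswith("set ") and profile is not None:
            _, key, *rest = line.split(None, 2)
            value = rest[0].strip('"') if rest else ""
            if key in INT_RANGES:
                lo, hi = INT_RANGES[key]
                if not re.fullmatch(r"[0-9]+", value) or not lo <= int(value) <= hi:
                    findings.append((profile, f"{key} {value!r} outside {lo}-{hi}"))
            elif key != "quic-cc-algo":
                findings.append((profile, f"unknown option {key!r}"))
            elif value not in CC_ALGOS:
                findings.append((profile, f"quic-cc-algo {value!r} not cubic|newreno"))
    return findings


# Constructed sample (not from a real device): every set line except the
# idle timeout violates a documented range or choice.
SAMPLE = """\
config load-balance http3-profile
  edit "bulk"
    set max-streams 500
    set max-idle-timeout 50
    set connection-tx-buffers 4
    set quic-cc-algo bbr
  next
end
"""
```

Calling lint_http3_profiles(SAMPLE) returns one finding per invalid line, each tagged with the profile name, and returns an empty list for the example profile shown above.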

HTTP/3 supported functionality and limitations

HTTP/3 support is currently an experimental feature with limited HTTP/3 functionality, so it is not recommended for use in production environments.

Key limitations:
  • HTTP/3 only operates under L7-HTTPS VS.

  • HTTP/3 VS does not support dynamic configuration.

  • HTTP/3 VS does not support session and persistence table display.

  • HTTP/3 VS does not support HTTP detailed information statistics.

  • HTTP/3 is only supported on VS, and the backend (RS) only supports HTTP/1.1.

The current iteration of the HTTP/3 feature is supported in limited or conditional capacity. The following lists the configurations that currently support HTTP/3 functionality and in what capacity.

Configuration

Supported HTTP/3 functionality

load-balance profile

Profile type must be https to reference HTTP3 profiles.

load-balance virtual-server
  • VS type must be Layer 7 to reference HTTP3 profiles.

  • Number of ports must be set to one port only; multiple ports are not supported.

  • Alone mode must be enabled.

  • Multi-process only supports one CPU core.

load-balance method

Supported load balancing methods:

  • round-robin

  • least-connection

  • host-hash

  • host-domain-hash

  • uri-hash

  • full-uri-hash

  • dynamic load balance

load-balance persistence

Supported persistence types:

  • consistent-hash-ip

  • embedded-cookie

  • hash-cookie

  • hash-http-header

  • hash-http-request

  • hash-source-address-port

  • insert-cookie

  • persistent-cookie

  • rewrite-cookie

  • ssl-session-id

Client SSL Profile

Allowed SSL Versions: SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3

Real Server SSL Profile

Allowed SSL Versions: SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3
