Configuring HTTP3 profiles

HTTP/3 Protocol Overview

HTTP/3 is the latest version of the HTTP protocol. Unlike previous versions, which relied on TCP to handle streams in the HTTP layer, HTTP/3 uses QUIC (Quick UDP Internet Connections), a multiplexed transport protocol built on UDP. Because it uses QUIC, HTTP/3 has lower latency: its handshake for establishing a secure session is quicker than that of HTTP/2, which establishes a secure session using TCP and TLS.

In version 7.4.0, FortiADC is introducing HTTP/3 support as an experimental feature with limited HTTP/3 functionality, so it is not recommended to be used in production environments. For details, see HTTP/3 supported functionality and limitations.

Advantages of HTTP/3 using QUIC

As a result of using QUIC, HTTP/3 is designed to improve the speed, reliability, and security of data transfer over the internet.

Faster connection setup (lower latency)

Because it uses QUIC, HTTP/3 has lower latency: its handshake for establishing a secure session is quicker than that of HTTP/2, which establishes a secure session using TCP and TLS.

Customizable congestion control

QUIC allows implementers to customize the congestion control algorithm used within the protocol.

Enhanced security

QUIC encrypts almost all of its packet header fields by default (via TLS).

Connection migration

QUIC identifies connections by the Connection ID (CID) instead of a connection table, which allows a connection to migrate between different network interfaces or IP addresses without disconnecting.
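The following added example (not FortiADC code or part of the original handbook) shows why CID-based tracking matters when correlating traffic: it parses the version-independent QUIC header fields defined in RFC 8999 and groups datagrams by destination CID, so a client that changes address still maps to one connection. The function names, the 8-byte short-header CID length and the sample datagrams are assumptions constructed for illustration.

```python
import struct

def parse_quic_header(dgram: bytes, short_dcid_len: int = 8):
    """Parse the version-independent QUIC header fields (RFC 8999).
    Returns (form, version, dcid, scid)."""
    if not dgram:
        raise ValueError("empty datagram")
    if dgram[0] & 0x80:                       # long header: CID lengths are on the wire
        if len(dgram) < 7:
            raise ValueError("truncated long header")
        version = struct.unpack_from("!I", dgram, 1)[0]
        dcid_len = dgram[5]
        dcid_end = 6 + dcid_len
        if len(dgram) < dcid_end + 1:
            raise ValueError("truncated DCID")
        scid_len = dgram[dcid_end]
        scid_end = dcid_end + 1 + scid_len
        if len(dgram) < scid_end:
            raise ValueError("truncated SCID")
        return "long", version, dgram[6:dcid_end], dgram[dcid_end + 1:scid_end]
    # Short header: the DCID length is not encoded; the receiver knows it
    # because it issued the CID (8 bytes here is an assumption).
    if len(dgram) < 1 + short_dcid_len:
        raise ValueError("truncated short header")
    return "short", None, dgram[1:1 + short_dcid_len], b""

def group_by_cid(packets, short_dcid_len: int = 8):
    """Key connections on DCID and collect every source address seen per CID."""
    table = {}
    for src, dgram in packets:
        _, _, dcid, _ = parse_quic_header(dgram, short_dcid_len)
        table.setdefault(dcid.hex(), set()).add(src)
    return table

# Constructed sample datagrams (filler payloads, not real encrypted QUIC).
CID = bytes.fromhex("0102030405060708")
SAMPLE = [
    (("198.51.100.7", 50000), bytes([0xC0]) + struct.pack("!I", 1) + bytes([8]) + CID + bytes([4]) + b"\xaa\xbb\xcc\xdd" + b"\x00" * 16),
    (("198.51.100.7", 50000), bytes([0x40]) + CID + b"\x00" * 16),
    (("203.0.113.9", 41000), bytes([0x40]) + CID + b"\x00" * 16),  # same CID, new path
]

if __name__ == "__main__":
    for cid, sources in group_by_cid(SAMPLE).items():
        print(cid, sorted(sources))
```

A log keyed on the source address and port would record these samples as two flows; keyed on the CID they are one connection seen from two client addresses.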

Less head-of-line (HoL) blocking

In TCP, if a packet is lost or delayed, it can cause subsequent packets to be blocked. QUIC mitigates this issue by using multiple independent byte streams so that the loss or delay of a single packet does not impact the delivery of other packets.

FortiADC HTTP/3 support

You can now configure an HTTP3 Profile that can then be referenced in HTTPS application profiles. Once referenced, the HTTPS profile becomes an HTTP/3 load balance profile and the virtual server that references the profile becomes an HTTP/3 VS. This HTTP/3 VS can only operate under L7-HTTPS VS.

An HTTP/3 VS listens on the TCP port and the corresponding UDP port at the same time.

FortiADC does not support server-side HTTP/3. Instead, support is provided for client HTTP/3 to the ADC, which is then converted to HTTP/1 (conversion to HTTP/2 is not supported).

A predefined profile is available to be referenced in HTTPS application profiles. All values in the predefined profile are view-only and cannot be modified.

Profile: LB_HTTP3_PROFILE_DEFAULT

Description:

QUIC Congestion Algorithm — Cubic

Max Streams — 5

Max Idle Timeout — 50

Connection TX Buffers — 30

To configure an HTTP3 Profile:
  1. Go to Server Load Balance > Application Resources.
  2. Click the HTTP3 Profile tab.
  3. Click Create New to display the configuration editor.
  4. Configure the following settings:

    Setting

    Description

    Name

    Specify a unique name for the HTTP3 profile. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. After you initially save the configuration, you cannot edit the name.

    QUIC Congestion Algorithm

    FortiADC supports Cubic and New Reno loss-based congestion control for QUIC, where the congestion control responds to packet loss events.

    Select the QUIC congestion algorithm to use:

    • Cubic

    • New Reno

    Cubic is the default congestion control algorithm.

    Max Streams

    Specify the maximum allowable number of HTTP/3 QUIC streams. The default value is 5, and the range is 1-200.

    Max Idle Timeout

    Specify the HTTP/3 QUIC connection idle timeout in seconds.

    When no data is transmitted over the HTTP/3 connection for the specified time, the HTTP/3 connection times out. The HTTP/3 connection is tracked using a unique connection ID instead of a UDP session.

    The default value is 50 seconds, and the range is 1-86400 seconds.

    Connection TX Buffers

    Specify the number of buffers to send on the HTTP/3 QUIC connection.

    This parameter significantly affects the performance of the HTTP/3 response direction. The more buffers that are sent, the higher the performance will be. However, the memory usage increases.

    The default value is 30, and the range is 5-100.

  5. Click Save.

Once the HTTP3 Profile configuration is saved, it can be referenced in an HTTPS Application Profile configuration.

HTTP/3 supported functionality and limitations

HTTP/3 support is currently an experimental feature with limited HTTP/3 functionality, so it is not recommended to be used in production environments.

Key limitations:
  • HTTP/3 only operates under L7-HTTPS VS.

  • HTTP/3 VS does not support dynamic configuration.

  • HTTP/3 VS does not support session and persistence table display.

  • HTTP/3 VS does not support HTTP detailed information statistics.

  • HTTP/3 is only supported on VS, and the backend (RS) only supports HTTP/1.1.

The current iteration of the HTTP/3 feature is supported in limited or conditional capacity. The following lists the configurations that currently support HTTP/3 functionality and in what capacity.

Configuration

Supported HTTP/3 functionality

Application Profile

Profile type must be HTTPS to reference HTTP3 profiles.

Virtual Server
  • VS type must be Layer 7 to reference HTTP3 profiles.

  • Number of ports must be set to one port only; multiple ports are not supported.

LB Method

Supported load balancing methods:

  • Round Robin

  • Least Connection

  • URI Hash

  • Full URI Hash

  • Host Hash

  • Host Domain Hash

  • Dynamic Load

Persistence

Supported persistence types:

  • Source Address Hash

  • Source Address-port Hash

  • HTTP Header Hash

  • HTTP Request Hash

  • Cookie Hash

  • Persistent Cookie

  • Insert Cookie

  • Rewrite Cookie

  • Embedded Cookie

  • SSL Session ID

Client SSL Profile

Allowed SSL Versions — SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3

Real Server SSL Profile

Allowed SSL Versions — SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3
