Fortinet black logo

CLI Reference

Home FortiADC 7.4.3 CLI Reference
7.4.3
7.4.3
7.4.2
7.4.1
7.4.0
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.1.4
7.1.3
7.1.2
7.1.1
7.1.0
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.2.6
6.2.5
6.2.4
6.2.3
6.2.2
6.2.1
6.2.0
6.1.6
6.1.5
6.1.4
6.1.3
6.1.2
6.1.1
6.1.0
6.0.2
6.0.1
6.0.0
5.4.5
5.4.3
5.4.2
5.4.1
5.4.0
5.3.0
4.8.1
4.7.0

config load-balance http3-profile

config load-balance http3-profile

HTTP/3 is the latest version of the HTTP protocol and unlike previous versions which relied on TCP to handle streams in the HTTP layer, HTTP/3 uses QUIC (Quick UDP Internet Connections), a multiplexed transport protocol built on UDP. The HTTP/3 protocol has a lower latency as a result of using QUIC, allowing it to have a quicker handshake for establishing a secure session compared to HTTP/2 which achieves this using TCP and TLS.

Use the config load-balance http3-profile command to configure an HTTP3 Profile configuration that can then be referenced by HTTPS application profiles. Once referenced, the HTTPS profile becomes a HTTP/3 load balance profile and the virtual server that references the profile becomes a HTTP/3 VS. This HTTP/3 VS can only operate under L7-HTTPS VS.

HTTP/3 VS listens to the TCP port and the corresponding UDP port at the same time.

FortiADC does not support server side HTTP/3, instead support is provided for client HTTP/3 to the ADC and then converted to HTTP/1 (conversion to HTTP/2 is not supported).

In version 7.4.0, FortiADC is introducing HTTP/3 support as an experimental feature with limited HTTP/3 functionality, so it is not recommended to be used in production environments. For details, see HTTP/3 supported functionality and limitations.

A predefined profile is available to be referenced in HTTPS application profiles. All values in the predefined profile is view-only and cannot be modified.

Profile Description
LB_HTTP3_PROFILE_DEFAULT

max-streams — 5

max-idle-timeout — 50

connection-tx-buffers — 30

quic-cc-algo — cubic

Syntax

config load-balance http3-profile

edit <name>

set max-streams <integer>

set max-idle-timeout <integer>

set connection-tx-buffers <integer>

set quic-cc-algo {cubic|newreno}

next

end

max-streams

 Specify the maximum allowable number of HTTP/3 QUIC streams. The default value is 5, and the range is 1-200.

max-idle-timeout

Specify the HTTP/3 QUIC connection idle timeout in seconds.

When no data is transmitted over the HTTP/3 connection after the specified time has elapsed, the HTTP/3 connection will timeout. The HTTP/3 connection is tracked using a unique connection-ID instead of a UDP session.

The default value is 50 seconds, and the range is 1-86400 seconds.

connection-tx-buffers

Specify the number of buffers to send on the HTTP/3 QUIC connection.

This parameter significantly affects the performance of the HTTP/3 response direction. The higher the number of buffers are sent, the higher the performance will be. However, the memory usage increases.

The default value is 30, and the range is 5-100.

quic-cc-algo

FortiADC supports Cubic and New Reno loss-based congestion control for QUIC, where the congestion control responds to packet loss events.

Select the QUIC congestion algorithm to use:

  • cubic

  • newreno

Cubic is the default congestion control algorithm.

Example

config load-balance http3-profile

edit 1

set max-streams 5

set max-idle-timeout 50

set connection-tx-buffers 30

set quic-cc-algo cubic

next

end

HTTP/3 supported functionality and limitations

HTTP/3 support is currently an experimental feature with limited HTTP/3 functionality, so it is not recommended to be used in production environments.

Key limitations:

  • HTTP/3 only operates under L7-HTTPS VS.

  • HTTP/3 VS does not support dynamic configuration.

  • HTTP/3 VS does not support session and persistence table display.

  • HTTP/3 VS does not support HTTP detailed information statistics.

  • HTTP/3 is only supported on VS, and the backend (RS) only supports HTTP/1.1.

The current iteration of the HTTP/3 feature is supported in limited or conditional capacity. The following lists the configurations that currently support HTTP/3 functionality and in what capacity.

Configuration

Supported HTTP/3 functionality
load-balance profile

Profile type must be https to reference HTTP3 profiles.
load-balance virtual-server

  • VS type must be Layer 7 to reference HTTP3 profiles.

  • Number of ports must be set to one port only, multiple ports is not supported.

  • Alone mode must be enabled.
load-balance method

Supported load balancing methods:

  • round-robin

  • least-connection

  • host-hash

  • host-domain-hash

  • uri-hash

  • full-uri-hash

  • dynamic load balance
load-balance persistence

Supported persistence types:

  • consistent-hash-ip

  • embedded-cookie

  • hash-cookie

  • hash-http-header

  • hash-http-request

  • hash-source-address-port

  • insert-cookie

  • persistent-cookie

  • rewrite-cookie

  • ssl-session-id
Client SSL Profile

Allowed SSL Versions — SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3
Real Server SSL Profile Allowed SSL Versions — SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3
Previous
Next

config load-balance http3-profile

HTTP/3 is the latest version of the HTTP protocol and unlike previous versions which relied on TCP to handle streams in the HTTP layer, HTTP/3 uses QUIC (Quick UDP Internet Connections), a multiplexed transport protocol built on UDP. The HTTP/3 protocol has a lower latency as a result of using QUIC, allowing it to have a quicker handshake for establishing a secure session compared to HTTP/2 which achieves this using TCP and TLS.

Use the config load-balance http3-profile command to configure an HTTP3 Profile configuration that can then be referenced by HTTPS application profiles. Once referenced, the HTTPS profile becomes a HTTP/3 load balance profile and the virtual server that references the profile becomes a HTTP/3 VS. This HTTP/3 VS can only operate under L7-HTTPS VS.

HTTP/3 VS listens to the TCP port and the corresponding UDP port at the same time.

FortiADC does not support server side HTTP/3, instead support is provided for client HTTP/3 to the ADC and then converted to HTTP/1 (conversion to HTTP/2 is not supported).

In version 7.4.0, FortiADC is introducing HTTP/3 support as an experimental feature with limited HTTP/3 functionality, so it is not recommended to be used in production environments. For details, see HTTP/3 supported functionality and limitations.

A predefined profile is available to be referenced in HTTPS application profiles. All values in the predefined profile is view-only and cannot be modified.

Profile Description
LB_HTTP3_PROFILE_DEFAULT

max-streams — 5

max-idle-timeout — 50

connection-tx-buffers — 30

quic-cc-algo — cubic

Syntax

config load-balance http3-profile

edit <name>

set max-streams <integer>

set max-idle-timeout <integer>

set connection-tx-buffers <integer>

set quic-cc-algo {cubic|newreno}

next

end

max-streams

 Specify the maximum allowable number of HTTP/3 QUIC streams. The default value is 5, and the range is 1-200.

max-idle-timeout

Specify the HTTP/3 QUIC connection idle timeout in seconds.

When no data is transmitted over the HTTP/3 connection after the specified time has elapsed, the HTTP/3 connection will timeout. The HTTP/3 connection is tracked using a unique connection-ID instead of a UDP session.

The default value is 50 seconds, and the range is 1-86400 seconds.

connection-tx-buffers

Specify the number of buffers to send on the HTTP/3 QUIC connection.

This parameter significantly affects the performance of the HTTP/3 response direction. The higher the number of buffers are sent, the higher the performance will be. However, the memory usage increases.

The default value is 30, and the range is 5-100.

quic-cc-algo

FortiADC supports Cubic and New Reno loss-based congestion control for QUIC, where the congestion control responds to packet loss events.

Select the QUIC congestion algorithm to use:

  • cubic

  • newreno

Cubic is the default congestion control algorithm.

Example

config load-balance http3-profile

edit 1

set max-streams 5

set max-idle-timeout 50

set connection-tx-buffers 30

set quic-cc-algo cubic

next

end

HTTP/3 supported functionality and limitations

HTTP/3 support is currently an experimental feature with limited HTTP/3 functionality, so it is not recommended to be used in production environments.

Key limitations:

  • HTTP/3 only operates under L7-HTTPS VS.

  • HTTP/3 VS does not support dynamic configuration.

  • HTTP/3 VS does not support session and persistence table display.

  • HTTP/3 VS does not support HTTP detailed information statistics.

  • HTTP/3 is only supported on VS, and the backend (RS) only supports HTTP/1.1.

The current iteration of the HTTP/3 feature is supported in limited or conditional capacity. The following lists the configurations that currently support HTTP/3 functionality and in what capacity.

Configuration

Supported HTTP/3 functionality
load-balance profile

Profile type must be https to reference HTTP3 profiles.
load-balance virtual-server

  • VS type must be Layer 7 to reference HTTP3 profiles.

  • Number of ports must be set to one port only, multiple ports is not supported.

  • Alone mode must be enabled.
load-balance method

Supported load balancing methods:

  • round-robin

  • least-connection

  • host-hash

  • host-domain-hash

  • uri-hash

  • full-uri-hash

  • dynamic load balance
load-balance persistence

Supported persistence types:

  • consistent-hash-ip

  • embedded-cookie

  • hash-cookie

  • hash-http-header

  • hash-http-request

  • hash-source-address-port

  • insert-cookie

  • persistent-cookie

  • rewrite-cookie

  • ssl-session-id
Client SSL Profile

Allowed SSL Versions — SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3
Real Server SSL Profile Allowed SSL Versions — SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3
Previous
Next