Configuring HTTP3 profiles
HTTP/3 Protocol Overview
HTTP/3 is the latest version of the HTTP protocol. Unlike previous versions, which relied on TCP and handled streams in the HTTP layer, HTTP/3 uses QUIC (Quick UDP Internet Connections), a multiplexed transport protocol built on UDP. Because it uses QUIC, HTTP/3 has lower latency: the handshake that establishes a secure session is quicker than in HTTP/2, which achieves this using TCP and TLS.
In version 7.4.0, FortiADC introduces HTTP/3 support as an experimental feature with limited HTTP/3 functionality, so it is not recommended for use in production environments. For details, see HTTP/3 supported functionality and limitations.
Advantages of HTTP/3 using QUIC
As a result of using QUIC, HTTP/3 is designed to improve the speed, reliability, and security of data transfer over the internet.
Faster connection setup (lower latency)
Because it uses QUIC, HTTP/3 has lower latency: the handshake that establishes a secure session is quicker than in HTTP/2, which achieves this using TCP and TLS.
Customizable congestion control
QUIC allows implementers to customize the congestion control algorithm used within the protocol.
Enhanced security
QUIC encrypts almost all of its packet header fields by default (via TLS).
Connection migration
QUIC identifies connections by the ConnectionID (CID) instead of a connection table, which allows a connection to migrate between different network interfaces or IP addresses without disconnecting.
Less head-of-line (HoL) blocking
In TCP, if a packet is lost or delayed, it can cause subsequent packets to be blocked. QUIC mitigates this issue by using multiple independent byte streams so that the loss or delay of a single packet does not impact the delivery of other packets.
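The connection migration behaviour described above, as an added example (not FortiADC code): it parses the version-independent QUIC header fields defined in RFC 8999 and shows that a lookup keyed by connection ID still finds the connection after the client's source address changes, while an address-keyed table does not. The addresses, connection IDs, the 8-byte CID length and the `conn-1` label are constructed for illustration.

```python
import struct

SERVER_CID = bytes.fromhex("a1b2c3d4e5f60718")   # constructed 8-byte CID issued by the server
LISTEN = ("192.0.2.10", 443)                     # constructed virtual-server address
# Constructed client Initial: long header, version 1, 8-byte DCID, 4-byte SCID, filler
INITIAL = (bytes([0xC0]) + struct.pack("!I", 1) + bytes([8]) + bytes(range(8))
           + bytes([4]) + b"\xde\xad\xbe\xef" + b"\x00" * 16)

def parse_quic_header(datagram: bytes, short_dcid_len: int = 8) -> dict:
    """Parse the version-independent QUIC header fields (RFC 8999)."""
    if not datagram:
        raise ValueError("empty datagram")
    if datagram[0] & 0x80:  # long header: version and both CIDs, each length-prefixed
        if len(datagram) < 7:
            raise ValueError("truncated long header")
        version = struct.unpack_from("!I", datagram, 1)[0]
        dcid_end = 6 + datagram[5]
        if len(datagram) < dcid_end + 1:
            raise ValueError("truncated DCID")
        scid_end = dcid_end + 1 + datagram[dcid_end]
        if len(datagram) < scid_end:
            raise ValueError("truncated SCID")
        return {"form": "long", "version": version,
                "dcid": datagram[6:dcid_end], "scid": datagram[dcid_end + 1:scid_end]}
    # Short header: the DCID length is not on the wire; the receiver knows it
    # because it issued the CID.
    if len(datagram) < 1 + short_dcid_len:
        raise ValueError("truncated short header")
    return {"form": "short", "version": None,
            "dcid": datagram[1:1 + short_dcid_len], "scid": None}

def migration_demo():
    """Look up one connection after the client's source address changes."""
    old_src, new_src = ("198.51.100.7", 50000), ("203.0.113.9", 61000)
    by_tuple = {(old_src, LISTEN): "conn-1"}   # session-table style key
    by_cid = {SERVER_CID: "conn-1"}            # QUIC style key
    # Same connection, now arriving from new_src (0x40 = short header, fixed bit)
    pkt = bytes([0x40]) + SERVER_CID + b"\x00" * 16
    hdr = parse_quic_header(pkt, short_dcid_len=len(SERVER_CID))
    return by_tuple.get((new_src, LISTEN)), by_cid.get(hdr["dcid"])

if __name__ == "__main__":
    print(parse_quic_header(INITIAL))
    print(migration_demo())   # tuple lookup misses, CID lookup hits
```

For monitoring, the same effect means flow records keyed on source address and port show a migrated QUIC connection as a new flow, so correlation has to use the connection ID where it is available.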
FortiADC HTTP/3 support
You can now configure an HTTP3 Profile that can then be referenced in HTTPS application profiles. Once referenced, the HTTPS profile becomes an HTTP/3 load balance profile and the virtual server that references the profile becomes an HTTP/3 VS. This HTTP/3 VS can only operate under L7-HTTPS VS.
An HTTP/3 VS listens on the TCP port and the corresponding UDP port at the same time.
FortiADC does not support server-side HTTP/3. Instead, client HTTP/3 traffic to the ADC is supported and is then converted to HTTP/1 (conversion to HTTP/2 is not supported).
A predefined profile is available to be referenced in HTTPS application profiles. All values in the predefined profile are view-only and cannot be modified.
Profile | Description |
---|---|
LB_HTTP3_PROFILE_DEFAULT | QUIC Congestion Algorithm — Cubic; Max Streams — 5; Max Idle Timeout — 50; Connection TX Buffers — 30 |
To configure an HTTP3 Profile:
- Go to Server Load Balance > Application Resources.
- Click the HTTP3 Profile tab.
- Click Create New to display the configuration editor.
- Configure the following settings:
Setting | Description |
---|---|
Name | Specify a unique name for the HTTP3 profile. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. After you initially save the configuration, you cannot edit the name. |
QUIC Congestion Algorithm | FortiADC supports Cubic and New Reno loss-based congestion control for QUIC, where the congestion control responds to packet loss events. Select the QUIC congestion algorithm to use: Cubic or New Reno. Cubic is the default congestion control algorithm. |
Max Streams | Specify the maximum allowable number of HTTP/3 QUIC streams. The default value is 5, and the range is 1-200. |
Max Idle Timeout | Specify the HTTP/3 QUIC connection idle timeout in seconds. When no data is transmitted over the HTTP/3 connection after the specified time has elapsed, the HTTP/3 connection times out. The HTTP/3 connection is tracked using a unique connection-ID instead of a UDP session. The default value is 50 seconds, and the range is 1-86400 seconds. |
Connection TX Buffers | Specify the number of buffers to send on the HTTP/3 QUIC connection. This parameter significantly affects the performance of the HTTP/3 response direction. The more buffers are sent, the higher the performance will be. However, the memory usage increases. The default value is 30, and the range is 5-100. |
- Click Save.
Once the HTTP3 Profile configuration is saved, it can be referenced in an HTTPS Application Profile configuration.
HTTP/3 supported functionality and limitations
HTTP/3 support is currently an experimental feature with limited HTTP/3 functionality, so it is not recommended to be used in production environments.
Key limitations:
- HTTP/3 only operates under L7-HTTPS VS.
- HTTP/3 VS does not support dynamic configuration.
- HTTP/3 VS does not support session and persistence table display.
- HTTP/3 VS does not support HTTP detailed information statistics.
- HTTP/3 is only supported on VS, and the backend (RS) only supports HTTP/1.1.
The current iteration of the HTTP/3 feature is supported in limited or conditional capacity. The following lists the configurations that currently support HTTP/3 functionality and in what capacity.
Configuration | Supported HTTP/3 functionality |
---|---|
Application Profile | Profile type must be HTTPS to reference HTTP3 profiles. |
Virtual Server | |
LB Method | Supported load balancing methods: |
Persistence | Supported persistence types: |
Client SSL Profile | Allowed SSL Versions — SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3 |
Real Server SSL Profile | Allowed SSL Versions — SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3 |