Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiADC 8.0.1 Administration Guide
    8.0.1
    8.0.2
    8.0.1
    8.0.0
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0

    Configuring HTTP2 profiles

    Configuring HTTP2 profiles

    You can now create application profiles that support HTTP2. To do so, you must first create an HTTP2 Profile, then use that profile when creating a new application profile.

    Alternatively, predefined profiles are available to be referenced in HTTP/HTTPS application profiles. All values in the predefined profile is view-only and cannot be modified.

    Profile Description
    LB_HTTP2_PROFILE_DEFAULT

    Priority Mode — Best Effort

    Upgrade Mode — Upgradeable

    Max Concurrent Stream — 5

    Max Receive Window — 65535

    Max Frame Size — 16384

    Header Table Size — 4096

    Max Header List Size — 65536

    SSL Constraint — Enable

    Backend HTTP2 — Disable

    LB_HTTP2_PROFILE_END2END_H2

    Priority Mode — Best Effort

    Upgrade Mode — Upgradeable

    Max Concurrent Stream — 5

    Max Receive Window — 65535

    Max Frame Size — 16384

    Header Table Size — 4096

    Max Header List Size — 65536

    SSL Constraint — Enable

    Backend HTTP2 — Enable

    Backend Max Receive Window — 65535

    Backend Concurrent Stream — 5

    Backend Proto Mode HTTPS — ALPN

    Backend Proto Mode HTTP — Force H1

    Backend Multiplex Mode — Multi Connection
    To configure HTTP2 profiles:
    1. Go to Server Load Balance > Application Resources.
    2. Click the HTTP2 Profile tab.
    3. Click Create New to display the configuration editor.
    4. Configure the following settings:
      Type Profile Configuration Guidelines

      Name

      Specify a unique name for the HTTP2 profile.

      Priority Mode

      Set to Best Effort. Not configurable.

      Upgrade ModeSet to Upgradeable. Not configurable.
      Max Concurrent StreamSpecify the maximum number of concurrent streams available at one time. The default number is 5, and the valid range is 1-200.
      Max Receive WindowSpecify the maximum number of bytes that can be received without sending an acknowledgment response. The default value is 65535 bytes, and the valid range is 16384-524288.
      Max Frame Size

      Specify the max size of the data frames, in bytes that the HTTP2 protocol sends to the client. Setting a large frame size improves network utilization, but it can also affect concurrency. The default value is 16384 bytes, and the valid range is 16384-131072.

      Note: When Backend HTTP2 is enabled, the Max Frame Size is not supported, as this cannot be set independently for the frontend and backend. Instead, the HTTP2 Profile Max Frame Size will override the Tune Buffer Size in the Application Profile.

      Header Table SizeSpecify the size of the header table, in KB. A larger table size allows for better HTTP header compression, but it requires more memory. The default value is 4096, and the valid range is 4096-65536.
      Header List LimitationSpecify the size of the name value length , in bytes, that the HTTP2 protocol sends in a single header frame. The default value is 65536, and the valid range is 4096-262144.
      SSL Constraint

      Enable or disable SSL constraint. If enabled, the following conditions must be met:

      • The TLS implementation supports Server Name Indication.
      • The TLS implementation disables compression.
      • The TLS implementation disables renegotiation.
      • Renegotiation takes place before the connection preface is sent.
      • HTTP/2 uses cipher suites with ephemeral key exchange.
      • Ephemeral key exchange has a size of at least 2048 bits (for DHE) or a security level of at least 128 bits (for ECDHE).
      • Clients accept DHE no smaller than 4096 bits.
      • Stream or block ciphers are not used with HTTP.

      Backend HTTP2

      Enable/disable support for the backend HTTP/2 functionality.

      When enabled, the related virtual server will switch to httproxy3 for support.

      This is disabled by default.

      Note: The backend HTTP/2 implementation is built on HTTP/3, which introduces specific limitations. For details, see Configuring HTTP3 profiles.

      Backend Max Receive Window

      The Backend Max Receive Window option is available if Backend HTTP2 is enabled.

      Specify the init-windows-size configuration for the backend HTTP/2 connection. The default value is 65535, and the valid range is 16384-524288.

      Backend Concurrent Stream

      The Backend Concurrent Stream option is available if Backend HTTP2 is enabled.

      Specify the maximum limit for concurrent streams that the backend server can handle to ensure optimal performance and prevent overloading. The default value is 5, and the valid range is 1-200.

      Backend Proto Mode HTTPS

      The Backend Proto Mode HTTPS option is available if Backend HTTP2 is enabled.

      Select the HTTPS server backend HTTP/2 protocol mode.

      • ALPN — Use Application-Layer Protocol Negotiation (ALPN).

      • Force H1 — Enforce HTTP/1.

      • Force H2 — Enforce HTTP/2.

      The default is ALPN.

      Backend Proto Mode HTTP

      The Backend Proto Mode HTTP option is available if Backend HTTP2 is enabled.

      Select the HTTP server backend HTTP/2 protocol mode.

      • Force H1 — Enforce HTTP/1.

      • Force H2 — Enforce HTTP/2.

      The default is Force H1.

      Backend Multiplex Mode

      The Backend Multiplex Mode option is available if Backend HTTP2 is enabled.

      Select the backend multiplexing mode.

      • Multi Connection — Multiple streams from the frontend are mapped to multiple backend connections.

      • Single Connection — All requests from multiple frontend connections are sent through a single backend connection.

      The default is Multi Connection.

    5. Click Save.

    Once the HTTP2 Profile configuration is saved, it can be referenced in an HTTP/HTTPS Application Profile configuration.

    Previous
    Next

    Configuring HTTP2 profiles

    Configuring HTTP2 profiles

    You can now create application profiles that support HTTP2. To do so, you must first create an HTTP2 Profile, then use that profile when creating a new application profile.

    Alternatively, predefined profiles are available to be referenced in HTTP/HTTPS application profiles. All values in the predefined profile is view-only and cannot be modified.

    Profile Description
    LB_HTTP2_PROFILE_DEFAULT

    Priority Mode — Best Effort

    Upgrade Mode — Upgradeable

    Max Concurrent Stream — 5

    Max Receive Window — 65535

    Max Frame Size — 16384

    Header Table Size — 4096

    Max Header List Size — 65536

    SSL Constraint — Enable

    Backend HTTP2 — Disable

    LB_HTTP2_PROFILE_END2END_H2

    Priority Mode — Best Effort

    Upgrade Mode — Upgradeable

    Max Concurrent Stream — 5

    Max Receive Window — 65535

    Max Frame Size — 16384

    Header Table Size — 4096

    Max Header List Size — 65536

    SSL Constraint — Enable

    Backend HTTP2 — Enable

    Backend Max Receive Window — 65535

    Backend Concurrent Stream — 5

    Backend Proto Mode HTTPS — ALPN

    Backend Proto Mode HTTP — Force H1

    Backend Multiplex Mode — Multi Connection
    To configure HTTP2 profiles:
    1. Go to Server Load Balance > Application Resources.
    2. Click the HTTP2 Profile tab.
    3. Click Create New to display the configuration editor.
    4. Configure the following settings:
      Type Profile Configuration Guidelines

      Name

      Specify a unique name for the HTTP2 profile.

      Priority Mode

      Set to Best Effort. Not configurable.

      Upgrade ModeSet to Upgradeable. Not configurable.
      Max Concurrent StreamSpecify the maximum number of concurrent streams available at one time. The default number is 5, and the valid range is 1-200.
      Max Receive WindowSpecify the maximum number of bytes that can be received without sending an acknowledgment response. The default value is 65535 bytes, and the valid range is 16384-524288.
      Max Frame Size

      Specify the max size of the data frames, in bytes that the HTTP2 protocol sends to the client. Setting a large frame size improves network utilization, but it can also affect concurrency. The default value is 16384 bytes, and the valid range is 16384-131072.

      Note: When Backend HTTP2 is enabled, the Max Frame Size is not supported, as this cannot be set independently for the frontend and backend. Instead, the HTTP2 Profile Max Frame Size will override the Tune Buffer Size in the Application Profile.

      Header Table SizeSpecify the size of the header table, in KB. A larger table size allows for better HTTP header compression, but it requires more memory. The default value is 4096, and the valid range is 4096-65536.
      Header List LimitationSpecify the size of the name value length , in bytes, that the HTTP2 protocol sends in a single header frame. The default value is 65536, and the valid range is 4096-262144.
      SSL Constraint

      Enable or disable SSL constraint. If enabled, the following conditions must be met:

      • The TLS implementation supports Server Name Indication.
      • The TLS implementation disables compression.
      • The TLS implementation disables renegotiation.
      • Renegotiation takes place before the connection preface is sent.
      • HTTP/2 uses cipher suites with ephemeral key exchange.
      • Ephemeral key exchange has a size of at least 2048 bits (for DHE) or a security level of at least 128 bits (for ECDHE).
      • Clients accept DHE no smaller than 4096 bits.
      • Stream or block ciphers are not used with HTTP.

      Backend HTTP2

      Enable/disable support for the backend HTTP/2 functionality.

      When enabled, the related virtual server will switch to httproxy3 for support.

      This is disabled by default.

      Note: The backend HTTP/2 implementation is built on HTTP/3, which introduces specific limitations. For details, see Configuring HTTP3 profiles.

      Backend Max Receive Window

      The Backend Max Receive Window option is available if Backend HTTP2 is enabled.

      Specify the init-windows-size configuration for the backend HTTP/2 connection. The default value is 65535, and the valid range is 16384-524288.

      Backend Concurrent Stream

      The Backend Concurrent Stream option is available if Backend HTTP2 is enabled.

      Specify the maximum limit for concurrent streams that the backend server can handle to ensure optimal performance and prevent overloading. The default value is 5, and the valid range is 1-200.

      Backend Proto Mode HTTPS

      The Backend Proto Mode HTTPS option is available if Backend HTTP2 is enabled.

      Select the HTTPS server backend HTTP/2 protocol mode.

      • ALPN — Use Application-Layer Protocol Negotiation (ALPN).

      • Force H1 — Enforce HTTP/1.

      • Force H2 — Enforce HTTP/2.

      The default is ALPN.

      Backend Proto Mode HTTP

      The Backend Proto Mode HTTP option is available if Backend HTTP2 is enabled.

      Select the HTTP server backend HTTP/2 protocol mode.

      • Force H1 — Enforce HTTP/1.

      • Force H2 — Enforce HTTP/2.

      The default is Force H1.

      Backend Multiplex Mode

      The Backend Multiplex Mode option is available if Backend HTTP2 is enabled.

      Select the backend multiplexing mode.

      • Multi Connection — Multiple streams from the frontend are mapped to multiple backend connections.

      • Single Connection — All requests from multiple frontend connections are sent through a single backend connection.

      The default is Multi Connection.

    5. Click Save.

    Once the HTTP2 Profile configuration is saved, it can be referenced in an HTTP/HTTPS Application Profile configuration.

    Previous
    Next