HTTP2 connection coalescing and concurrent multiplexing for ZTNA, virtual server load balancing, and explicit proxy 7.2.4
This information is also available in the FortiOS 7.2 Administration Guide.
HTTP2 connection coalescing and concurrent multiplexing allow multiple HTTP2 requests to share the same TLS connection to a server when the destination IP is the same and the requested host names are covered by the server's certificate. This is supported for ZTNA, virtual server load balancing, and explicit proxy.
Basic settings
To configure the ZTNA access proxy:
    config firewall access-proxy
        edit <name>
            set http-supported-max-version {http1 | http2}
            set svr-pool-multiplex {enable | disable}
            set svr-pool-ttl <integer>
            set svr-pool-server-max-request <integer>
        next
    end

http-supported-max-version {http1 | http2}
  Set the maximum supported HTTP version (http1 or http2).
svr-pool-multiplex {enable | disable}
  Enable or disable server pool multiplexing. When enabled, the connected server is shared across the HTTP, HTTPS, and web portal API gateways.
svr-pool-ttl <integer>
  Set the time-to-live in the server pool for idle connections to servers (in seconds, 0 - 2147483647, default = 15).
svr-pool-server-max-request <integer>
  Set the maximum number of requests that servers in the server pool handle before disconnecting (0 - 2147483647, default = 0).
To configure the load balanced virtual server:
    config firewall vip
        edit <name>
            set type server-load-balance
            set server-type {http | https}
            set http-multiplex {enable | disable}
            set http-multiplex-ttl <integer>
            set http-multiplex-max-request <integer>
            set http-supported-max-version {http1 | http2}
        next
    end

http-multiplex {enable | disable}
  Enable or disable HTTP multiplexing.
http-multiplex-ttl <integer>
  Set the time-to-live for idle connections to servers (in seconds, 0 - 2147483647, default = 15).
http-multiplex-max-request <integer>
  Set the maximum number of requests that the multiplexed server connection can handle before disconnecting (0 - 2147483647, default = 0).
http-supported-max-version {http1 | http2}
  Set the maximum supported HTTP version (http1 or http2).
To configure the explicit web proxy:
    config web-proxy explicit
        set http-connection-mode {static | multiplex | serverpool}
    end

http-connection-mode {static | multiplex | serverpool}
  Set the HTTP connection mode (static, multiplex, or serverpool).
Examples
In the following examples, multiple clients submit requests in HTTP2. The requests hit the VIP address, and the FortiGate then opens a session between itself (172.16.200.6) and the server (172.16.200.99). Coalescing occurs in this session: the multiple streams share the same TLS session to reach the same destination server.
ZTNA
In ZTNA scenarios, the FortiGate application gateway may accept multiple HTTP2 requests to the same ZTNA server destined to different virtual hosts on the same real server. These HTTP2 requests can share the same TLS connection between the FortiGate and the real server so that the handshake does not need to be performed multiple times for multiple connections.
In order for the FortiGate to match the SNI (Server Name Indication), the SNI value must appear under the SAN extension on the server certificate. Configuring the SNI value under the CN alone will not work.
To configure connection coalescing and concurrent multiplexing with ZTNA:
- Configure the VIP:

    config firewall vip
        edit "vip-ztna"
            set type access-proxy
            set extip 10.1.100.223
            set extintf "port2"
            set server-type https
            set extport 443
            set ssl-certificate "Fortinet_SSL"
        next
    end

- Configure the ZTNA server and path mapping:

    config firewall access-proxy
        edit "ztna"
            set vip "vip-ztna"
            set client-cert disable
            set svr-pool-multiplex enable
            set http-supported-max-version http2
            config api-gateway
                edit 1
                    set url-map "/a"
                    set virtual-host "a.ftnt.com"
                    config realservers
                        edit 1
                            set ip 172.16.200.99
                        next
                    end
                next
                edit 2
                    set url-map "/b"
                    set virtual-host "b.ftnt.com"
                    config realservers
                        edit 1
                            set ip 172.16.200.99
                        next
                    end
                next
            end
        next
    end

- Configure the ZTNA policy:

    config firewall proxy-policy
        edit 3
            set proxy access-proxy
            set access-proxy "ztna"
            set srcintf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set logtraffic all
            set utm-status enable
            set ssl-ssh-profile "deep-inspection-clone"
            set av-profile "av"
        next
    end

- Get the clients to access a.ftnt.com and b.ftnt.com. The clients share access to the same real server and certificate (CN=*.ftnt.com). The FortiGate shares the first TLS connection with the second TLS connection.
- Verify the sniffer packet capture on the FortiGate server side. There is one client hello.
- Disable server pool multiplexing:

    config firewall access-proxy
        edit "ztna"
            set vip "vip-ztna"
            set svr-pool-multiplex disable
        next
    end

- Verify the sniffer packet capture. This time, the FortiGate does not coalesce the TLS connection, so there are two client hellos.
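The following is an added model (not FortiGate code) of the server-pool behaviour described in this ZTNA example: a request reuses an existing server-side TLS connection only when multiplexing is enabled, the destination IP matches, the SNI is covered by a SAN name on that server's certificate, the connection has not been idle longer than svr-pool-ttl, and svr-pool-server-max-request has not been reached. The server IP, the SAN list and the request hostnames are constructed sample values taken from the example above; the class and function names are this example's own.

```python
from dataclasses import dataclass

# Constructed sample: the real server at 172.16.200.99 presents a certificate with SAN *.ftnt.com.
SERVER_CERT_SANS = {"172.16.200.99": ("*.ftnt.com",)}

def san_matches(sni: str, sans) -> bool:
    """True if the SNI is covered by a SAN dNSName; a leading '*' matches exactly one label."""
    sni = sni.lower()
    for name in sans:
        name = name.lower()
        if name.startswith("*."):
            prefix = sni[: -len(name[1:])] if sni.endswith(name[1:]) else ""
            if prefix and "." not in prefix:
                return True
        elif sni == name:
            return True
    return False            # no SAN match (a CN-only certificate never matches)

@dataclass
class ServerConn:
    dst_ip: str
    sans: tuple
    requests: int
    last_used: float

class ServerPool:
    """Models svr-pool-multiplex, svr-pool-ttl and svr-pool-server-max-request (0 = unlimited)."""
    def __init__(self, multiplex=True, ttl=15, max_request=0, server_sans=SERVER_CERT_SANS):
        self.multiplex, self.ttl, self.max_request = multiplex, ttl, max_request
        self.server_sans, self.conns, self.handshakes = server_sans, [], 0

    def request(self, dst_ip: str, sni: str, now: float) -> ServerConn:
        self.conns = [c for c in self.conns if now - c.last_used <= self.ttl]   # expire idle conns
        if self.multiplex:
            for c in self.conns:
                if (c.dst_ip == dst_ip and san_matches(sni, c.sans)
                        and (self.max_request == 0 or c.requests < self.max_request)):
                    c.requests, c.last_used = c.requests + 1, now   # coalesced: no new handshake
                    return c
        # No reusable connection: a new TLS handshake, i.e. one more ClientHello on the wire.
        conn = ServerConn(dst_ip, self.server_sans.get(dst_ip, ()), 1, now)
        self.handshakes += 1
        self.conns.append(conn)
        return conn

def handshakes_for(hosts, multiplex=True, ttl=15, max_request=0, gap=0.0,
                   dst_ip="172.16.200.99", server_sans=SERVER_CERT_SANS) -> int:
    """Replay requests to one real server, `gap` seconds apart; return the ClientHello count."""
    pool = ServerPool(multiplex, ttl, max_request, server_sans)
    for i, host in enumerate(hosts):
        pool.request(dst_ip, host, now=i * gap)
    return pool.handshakes
```

Replaying a.ftnt.com and b.ftnt.com against the default settings yields one handshake; disabling multiplexing, removing the SAN, exceeding the TTL, or hitting the request cap each yields a second one.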
Virtual server load balancing
To configure connection coalescing and concurrent multiplexing with virtual server load balancing:
- Configure the virtual server:

    config firewall vip
        edit "vip-test"
            set type server-load-balance
            set extip 10.1.100.222
            set extintf "port2"
            set server-type https
            set extport 443
            config realservers
                edit 1
                    set ip 172.16.200.99
                    set port 443
                next
            end
            set http-multiplex enable
            set ssl-mode full
            set ssl-certificate "Fortinet_SSL"
        next
    end

- Configure the firewall policy:

    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port3"
            set action accept
            set srcaddr "all"
            set dstaddr "vip-test"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set ssl-ssh-profile "deep-inspection-clone"
            set av-profile "av"
            set logtraffic all
            set nat enable
        next
    end

- Get the clients to access the VIP address (10.1.100.222). The FortiGate shares the first TLS connection with the second TLS connection.
- Verify the sniffer packet capture on the FortiGate server side. There is one client hello.
- Disable HTTP multiplexing:

    config firewall vip
        edit "vip-test"
            config realservers
                edit 1
                    set type ip
                    set ip 172.16.200.99
                    set port 443
                next
            end
            set http-multiplex disable
        next
    end

- Verify the sniffer packet capture. This time, the FortiGate does not reuse the TLS connection, so there are two client hellos sent to the real server.
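The ZTNA and virtual server examples above are verified by counting client hellos in the server-side capture. As an added example (not part of the original page or of FortiOS), the parser below walks a raw TLS byte stream, counts ClientHello handshake messages and extracts the SNI from each, so that a capture of the FortiGate-to-server leg can be checked for the expected one (coalesced) or two (not coalesced) hellos. The ClientHello bytes are constructed inline by a builder that is also part of this example; the function names are this example's own.

```python
import struct

def build_client_hello(sni: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello record carrying only an SNI extension."""
    host = sni.encode()
    sni_ext = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host   # server_name list, type 0 = host_name
    ext = struct.pack("!HH", 0, len(sni_ext)) + sni_ext                 # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"                            # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                         # one cipher suite
            + b"\x01\x00"                                                # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs            # record type 22 = handshake

def client_hello_snis(stream: bytes) -> list:
    """Walk TLS records in a server-side byte stream; return the SNI (or None) of each ClientHello."""
    snis, off = [], 0
    while off + 5 <= len(stream):
        rtype, rlen = stream[off], struct.unpack("!H", stream[off + 3:off + 5])[0]
        rec = stream[off + 5:off + 5 + rlen]
        off += 5 + rlen
        if rtype != 0x16 or not rec or rec[0] != 0x01:
            continue                                  # not a handshake record / not a ClientHello
        p = 4 + 2 + 32                                # skip handshake header, client version, random
        p += 1 + rec[p]                               # session id
        p += 2 + struct.unpack("!H", rec[p:p + 2])[0] # cipher suites
        p += 1 + rec[p]                               # compression methods
        sni = None
        if p + 2 <= len(rec):                         # extensions block is optional
            ext_end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]
            p += 2
            while p + 4 <= ext_end:
                etype, elen = struct.unpack("!HH", rec[p:p + 4])
                if etype == 0:                        # server_name: skip list len(2), type(1), name len(2)
                    sni = rec[p + 9:p + 4 + elen].decode()
                p += 4 + elen
        snis.append(sni)
    return snis

def count_client_hellos(stream: bytes) -> int:
    """One hello means the second request was coalesced onto the first TLS connection."""
    return len(client_hello_snis(stream))
```

Feed it the server-side TCP payload (for example, the bytes reassembled from the FortiGate sniffer capture) and compare the count with the expected value for the multiplexing setting under test.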
Explicit proxy
To configure connection coalescing and concurrent multiplexing with an explicit proxy:
- Configure the explicit web proxy:

    config web-proxy explicit
        set status enable
        set http-incoming-port 8080
        set http-connection-mode serverpool
    end

  Connection coalescing and concurrent multiplexing with an explicit proxy only supports HTTP.

- Enable explicit web proxy on port2:

    config system interface
        edit "port2"
            set ip 10.1.100.6 255.255.255.0
            set explicit-web-proxy enable
        next
    end

- Configure the proxy policy:

    config firewall proxy-policy
        edit 1
            set proxy explicit-web
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "all"
            set service "web"
            set action accept
            set schedule "always"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set utm-status enable
            set profile-protocol-options "default-clone"
            set ssl-ssh-profile "deep-inspection-clone"
        next
    end

- Get the clients to access the server through the explicit web proxy (10.1.100.6:8080). The FortiGate shares the first connection's TCP three-way handshake with later connections to the same destination address.
- Verify the sniffer packet capture on the FortiGate server side. There is one TCP three-way handshake, but there are two HTTP connections.
- Change the HTTP connection mode to static:

    config web-proxy explicit
        set status enable
        set http-incoming-port 8080
        set http-connection-mode static
    end

- Verify the sniffer packet capture. This time, the FortiGate establishes a separate TCP connection for each client.