Support the Happy Eyeballs algorithm for explicit proxy 7.4.1
|
This information is also available in the FortiOS 7.4 Administration Guide: |
The "Happy Eyeballs" (also named fast fallback) algorithm, as outlined in RFC 8305, is now supported for explicit web proxy. This feature operates by attempting to connect to a web server that is available at multiple IPv4 and IPv6 addresses, either sequentially or simultaneously. As a result, the web server can be connected with reduced user-visible delay, which enhances the overall browsing experience.
config web-proxy fast-fallback
edit <name>
set status {enable | disable}
set connection-mode {sequentially | simultaneously}
set protocol {IPv4-first | IPv6-first | IPv4-only | IPv6-only}
set connection-timeout <integer>
next
end
|
status {enable | disable} |
Enable/disable the fast fallback entry (default = |
|
connection-mode {sequentially | simultaneously} |
Set the connection mode for multiple destinations.
|
|
protocol {IPv4-first | IPv6-first | IPv4-only | IPv6-only} |
Set the connection protocols for multiple destinations.
|
|
connection-timeout <integer> |
Start another connection if a connection takes longer than the timeout value, in milliseconds (200 - 1800000, default = 200). |
Based on the settings for connection-mode and protocol, the explicit web proxy will try connecting to the web server in different ways:
- If the
connection-modeis set tosequential(default), then the explicit web proxy will try connecting to the web server by IPv4 first, or by IPv6 first depending on theprotocolsetting. If the connection attempt over IPv4 or IPv6 succeeds, then the connection is kept; but if the connection fails, then it falls back to try a connection over IPv6 or IPv4 instead. - If the
connection-modeis set tosimultaneously, then the explicit web proxy will try connecting to the web server by IPv4 and IPv6 at the same time. If the connection over IPv4 is established first, then the connection is kept for the session and the IPv6 connection is discarded and vice-versa. - If the user only wants to connect by IPv4 but not IPv6, or by IPv6 but not IPv4, then the
protocoloption can be set toIPv4-onlyorIPv6-onlyaccordingly. The explicit web proxy will try connecting to the web server only by IPv4 or IPv6, even though both IPv4 and IPv6 may work.
Example
In this example, a client visits a web server through a FortiGate explicit web proxy that has IPv4 and IPv6 connections to the web server (www.example.com), which can resolve to IPv4 address 93.184.216.34 and IPv6 address 2606:2800:220:1:248:1893:25c8:1946.
The configuration uses sequential connection mode, the IPv4 first protocol, and the default connection timeout (200 ms).
To configure the FortiGate:
-
Configure the IPv4 static route:
config router static edit 1 set gateway 172.16.200.251 set device "port3" next end -
Configure the IPv6 static route:
config router static6 edit 1 set gateway 2000:172:16:200::254 set device "port3" next end -
Configure the proxy destination connection fast fallback:
config web-proxy fast-fallback edit "ffbk" set status enable set connection-mode sequentially set protocol IPv4-first set connection-timeout 200 next end -
Configure the exempt URL of the web server from web proxy forwarding and caching:
config web-proxy url-match edit "ffbk" set url-pattern "example.com" set fast-fallback "ffbk" next end -
Configure the proxy policy:
config firewall proxy-policy edit 1 set proxy explicit-web set dstintf "port3" set srcaddr "all" set dstaddr "all" set service "webproxy" set action accept set schedule "always" set logtraffic all set srcaddr6 "all" set dstaddr6 "all" set utm-status enable set ssl-ssh-profile "deep-custom" set av-profile "av" next end
Verifying the connection
Scenario 1:
The TCP connection from the explicit web proxy to the web server is established successfully over IPv4 within 200 ms.
As shown in the forward traffic log, the web session data is transmitted over IPv4 between the explicit web proxy and the web server.
2: date=2023-06-26 time=18:46:18 eventtime=1687830378260927765 tz="-0700" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="vdom1" srcip=10.1.100.11 srcport=33304 srcintf="port1" srcintfrole="undefined" dstcountry="United States" srccountry="Reserved" dstip=93.184.216.34 dstport=80 dstintf="port3" dstintfrole="undefined" sessionid=1688881487 service="HTTP" proxyapptype="web-proxy" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="560d8520-fa7b-51ed-e06a-df05ec145542" trandisp="snat" transip=0.0.0.0 transport=0 duration=0 wanin=0 rcvdbyte=0 wanout=0 lanin=131 sentbyte=131 lanout=1591 appcat="unscanned"
Scenario 2:
The TCP connection from the explicit web proxy to the web server is not established over IPv4 within 200 ms and falls back to IPv6 successfully.
The IPv4 path to the server is interrupted, and the TCP connection between the explicit web proxy and web server cannot be established. The explicit web proxy waits until the 200 ms connection timeout timer expires, then attempts to connect to the server by IPv6, which is successful. The web session data is transmitted over IPv6, as shown in the forward traffic log.
2: date=2023-06-26 time=18:47:27 eventtime=1687830447277653089 tz="-0700" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="vdom1" srcip=10.1.100.11 srcport=36636 srcintf="port1" srcintfrole="undefined" dstcountry="United States" srccountry="Reserved" dstip=2606:2800:220:1:248:1893:25c8:1946 dstport=80 dstintf="port3" dstintfrole="undefined" sessionid=1688881488 service="HTTP" proxyapptype="web-proxy" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="560d8520-fa7b-51ed-e06a-df05ec145542" trandisp="snat" transport=0 duration=1 wanin=0 rcvdbyte=0 wanout=0 lanin=131 sentbyte=131 lanout=1591 appcat="unscanned"