Session and user limits
Web browsers and web servers open and close multiple sessions with the explicit web proxy. Some sessions are short-lived, while others persist for longer periods because of HTTP persistent connection behavior. Sessions can remain on the explicit web proxy session list after a user has stopped using the proxy (for example, after closing their browser). If an explicit web proxy session is idle for more than 3600 seconds (one hour), the explicit web proxy tears it down. Modern HTTP versions (HTTP/1.1, HTTP/2, HTTP/3) use connection persistence mechanisms to improve performance, but the proxy enforces its own session lifecycle independently of the client.
This section describes proxy sessions and user limits for both the explicit web proxy and the explicit FTP proxy. Session and user limits for the two proxies are counted and calculated together. However, in most cases if both proxies are active there will be many more web proxy sessions than FTP proxy sessions.
FortiOS adds two sessions to the session table for every explicit proxy session that is initiated by a client:
- One for the connection from the client to the explicit proxy, typically over a configured proxy port using HTTP or HTTPS.
- The other for the proxied connection from FortiOS to the destination server, which may use HTTP, HTTPS (TLS-encrypted), or other application protocols, depending on the request.
These outbound sessions use the FortiOS interface IP as the source address and connect to the destination service using its negotiated port and protocol, rather than assuming fixed ports.
FortiOS limits the number of explicit proxy users, including both explicit FTP proxy and explicit web proxy users. The number of users varies by FortiGate model, from 1000 to 128000 for high-end models. This limit cannot be raised.
This feature is not supported on FortiGate models with 2 GB RAM or less. See Proxy-related features not supported on FortiGate 2 GB RAM models for more information.
If your FortiGate unit is configured for multiple VDOMs, you can go to System > Global Resources to view the maximum number of Concurrent explicit proxy users and, optionally, reduce the limit. The following command can also be used:
config global
config system resource-limits
set proxy 50
end
end
To limit the number of explicit proxy users for a VDOM, in the GUI enable multiple VDOMs then go to System > VDOM and edit a VDOM, or use the following command to change the number of explicit web proxy users for VDOM_1:
config global
config system vdom-property
edit VDOM_1
set proxy 25
next
end
end
Use the diagnose wad user list command to view the non-anonymous explicit web proxy users. Users may be displayed with this command even if they are no longer actively using the proxy. All idle sessions time out after 3600 seconds.
Use the diagnose wad user clear command to clear currently authenticated explicit proxy users. You can also use the diagnose wad user clear <user-name> command to clear individual users. Clearing all users deletes the information about them and forces them to re-authenticate.
Use the diagnose wad process worker -1 157 command to view the details of each used concurrent proxy connection for every WAD worker. Alternatively, the first output line from the diagnose wad process worker -1 118 command shows summarized statistics for each WAD worker.
Note: Users that authenticate with explicit web-proxy or ftp-proxy security policies appear in the Dashboard > Asset and Identities > Firewall Users list when you switch the view from the default Firewall view to Proxy view.
Determining the number of concurrent explicit proxy users depends on their authentication method:
- Session-based authenticated users: Each authenticated user is counted as a single user. Because multiple users can have the same user name, the proxy attempts to identify users according to their authentication membership (based upon whether they were authenticated using RADIUS, LDAP, FSAE, local database, or similar). If a user of one session has the same name and membership as a user of another session, the explicit proxy assumes that it is one user.
- IP-based authentication, no authentication, or if no web-proxy security policy has been added: The source IP address is used to determine a user. All sessions from a single source address are assumed to be from the same user.
The explicit proxy does not limit the number of active sessions for each user. As a result, the actual explicit proxy session count is usually much higher than the number of explicit web proxy users. If an excessive number of explicit web proxy sessions is compromising system performance, you can limit the number of users if the FortiGate unit is operating with multiple VDOMs.
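The following Python model is an added example, not FortiOS code, that applies the counting rules above to a constructed session list: idle sessions older than 3600 seconds are dropped, session-authenticated users are keyed by name plus authentication membership, unauthenticated sessions are keyed by source IP, and each live proxy session contributes two session-table entries. The session fields and the vdom_proxy_limit parameter are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT = 3600  # seconds: idle explicit proxy sessions are torn down after one hour

@dataclass
class ProxySession:
    """One client-side explicit proxy session (constructed model, not FortiOS data)."""
    src_ip: str
    last_activity: int                # epoch seconds of the last request on this session
    user: Optional[str] = None        # authenticated user name; None if anonymous/IP-based
    membership: Optional[str] = None  # auth source: "ldap", "radius", "local", ...

def active_sessions(sessions, now):
    """Drop sessions that have been idle for more than IDLE_TIMEOUT, as the proxy does."""
    return [s for s in sessions if now - s.last_activity <= IDLE_TIMEOUT]

def count_proxy_users(sessions, now):
    """Count live sessions and concurrent users following the page's rules."""
    live = active_sessions(sessions, now)
    users = set()
    for s in live:
        if s.user is not None:
            users.add(("user", s.user, s.membership))  # session-based: name + membership
        else:
            users.add(("ip", s.src_ip))                # IP-based / unauthenticated: source IP
    return {
        "proxy_sessions": len(live),
        "session_table_entries": 2 * len(live),  # client-side entry + server-side entry
        "users": len(users),
    }

def over_vdom_limit(stats, vdom_proxy_limit):
    """True if the per-VDOM proxy user limit (e.g. 'set proxy 25') is exceeded."""
    return stats["users"] > vdom_proxy_limit

# Constructed sample: the same user name from two auth sources counts as two users,
# an idle session is ignored, and anonymous sessions collapse per source IP.
SAMPLE_NOW = 100_000
SAMPLE_SESSIONS = [
    ProxySession("10.0.0.5", SAMPLE_NOW - 10, "alice", "ldap"),
    ProxySession("10.0.0.5", SAMPLE_NOW - 20, "alice", "ldap"),    # same user, second tab
    ProxySession("10.0.0.6", SAMPLE_NOW - 30, "alice", "radius"),  # same name, other membership
    ProxySession("10.0.0.7", SAMPLE_NOW - 4000, "bob", "local"),   # idle > 3600 s, torn down
    ProxySession("10.0.0.8", SAMPLE_NOW - 5),                      # anonymous
    ProxySession("10.0.0.8", SAMPLE_NOW - 6),                      # anonymous, same source IP
]

if __name__ == "__main__":
    print(count_proxy_users(SAMPLE_SESSIONS, SAMPLE_NOW))
```

The sample yields 5 live proxy sessions (10 session-table entries) but only 3 users, which is the gap between session count and user count the text describes.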