Fortinet white logo
Fortinet white logo

Administration Guide

Starting an SSL-VPN tunnel Throughput test

Starting an SSL-VPN tunnel Throughput test

This test establishes a SSL-VPN tunnel connection, loops completed HTTP/TCP/UDP transaction and closes the Tunnel.

To start an SSL-VPN tunnel Throughput test

  1. Go to Cases > Performance Testing> VPN > SSL-VPN > Throughput to display the test case summary page.
  2. Click + Create New to display the Select case options dialog box.
  3. Configure the Inner Traffic and click OK to continue.

    HTTP Throughput
    HTTP RPS
    TCP Throughput
    UDP Throughput
  4. Set the server network to Peer Network.

    If Fortigate SSLVPN policy has disabled NAT mode, you need set the Internal IP assigned by Fortigate.

    If Fortigate SSLVPN policy has enabled NAT mode, you need to set a peer IP.

  5. Set Specifics for Load and Client. See the table below.

  6. Set Inner protocol case Specifics >HTTPCPS.

    Simulated Users Number of simusers in a Tunnel.

SSL-VPN Test Case common options

SSL-VPN Test Case configuration specific to Throughput

Settings Guidelines
Basic Information

VPN Host Group

Specify VPN hosts defined under Objects > Host Group. A Host Group is comprised of Hosts e.g. abc.com = 1.1.1.1 . FortiTester will inject the hosts configured into SNI field (server name indication) within the TLS handshake.

Load
Mode

Simuser: Simulated users. Simuser simulates a user processing through an Actions list one at a time. It allows you to determine the maximum number of concurrent users your device, infrastructure, or system can handle.
Connections/second: This mode simulates TCP connections, each of them containing up to hundreds of transactions. It's useful to test how many concurrent connections can be handled by your device. Note: Available only for CPS and RPS.

If the user wants FortiTester to create connections as fast as possible, the user should set the Mode to Simulated Users.

What is the difference between Simuser and Connections/second?

Tunnel Concurrent Connection

The total number of tunnels created in the Throughput case.

Ramp Up Time

The duration in seconds for which new sessions can be opened, attempting to reach the desired Connections per Second configured. (Range: 0 - 300).

Note: If FortiTester cannot reach the Connections per Second configured during the specified Ramp Up Time, it will keep the highest CPS it reached during the Ramp Up Time.

Ramp Down Time The duration in second during which the device ramps down the number of connections it is making. 0 will cause the FortiTester to cease generating sessions. (Range: 0 - 300).
Transactions per Tunnel Number of transactions in a Tunnel
VPN Gateway Port Specify the VPN gateway port number.

Enable User Group

Enable to simulate multiple user names. This allows FortiView to populate with more rich user name information, for example.

  1. Go to Objects > User Groups > Create New to create a user group object.
  2. Click Create New to create multiple users/password pairs to the current User Group Object.
  3. In SSL-VPN (CPS/RPS/CC/Throughput) cases, click on the "Enable User Group" switch option button and select the User Group created in step 1.
VPN Username Enter the VPN username.
VPN Password Enter the VPN password.

Tunnel mode

Select TCP or UDP.

Client Profile

Client Close Mode

Select the connection close method: 3Way_Fin or Reset.

Quiet Shutdown

Enable to apply safe shutdown procedure to SSL connections by sending SSL alert to the peer.

Available SSL Versions

Select SSL versions.

TLSv1.3 and other SSL versions are mutually exclusive. This means you can’t select TLSv1.3 at the same time with other SSL versions.

SSL Ciphers

Select one or more SSL ciphers from the list.

Session Resumption
  • Disabled (turns off session resumption).
  • Resume Session by Ticket: Select this option to simulate a client presenting a ticket to a TLS server, having originated from that server, for the purpose of resuming a TLS session.
  • Resume Session by Session: Select this option to simulate a user attempting to use the same SSL Session ID, initially negotiated with the server.

This option applies only to TLS v1 and TLS v1.2. It does not apply to TLS v1.3.

Enable Client Certificate

Enable the client authentication for HTTPS cases.

Piggyback Get Requests If enabled, this means an acknowledgment is sent on the data frame, not in an individual frame. Otherwise, it sends an ACK frame individually. This feature only works with get/post requests.

Client TCP Options

TCP Receive Window The receive window in which you want the TCP stack to send TCP segments. The receive window informs the peer how many bytes of data the stack is currently able to receive. The supplied value is used in all segments sent by the stack. The valid range is 0 to 65535.
Delayed Acks Select to cause the TCP stack to implement the Delayed ACK strategy, which attempts to minimize the transmission of zero-payload ACK packets. Acknowledgments will be deferred and should be piggybacked on top of valid data packets. If successfully deferred, these acknowledgments are free, in the sense that they consume no additional bandwidth.
Delayed Ack Timeout If you select Delayed ACKs, use this timeout value to specify the maximum time the TCP stack waits to defer ACK transmission. If this timer expires, the stack transmits a zero-payload acknowledgment.
Timestamps Option Select to add a TCP time stamp to each TCP segment.
Enable Push Flag Select to set the TCP PSH (push) flag in all TCP packets. This flag causes buffered data to be pushed to the receiving application. If deselected, the PSH flag is not set in any TCP packet.
SACK Option Select to enable TCP Selective Acknowledgment Options(SACK).
Enable TCP Keepalive Select to enable TCP Keep-alive Timer.
Keepalive Timeout If you enable TCP Keepalive, use this timeout value to specify the maximum time to send your peer a keep-alive probe packet
Keepalive Probes If you enable TCP Keepalive, use this value to specify the maximum probes to detect the broken connection.
Override Internal Timeout Calculation Select to override the TCP stack calculation of the retransmission timeout value.
Retransmission Timeout If you select Override Internal Timeout Calculation, use this value for the first transmission of a particular data or control packet; it is doubled for each subsequent retransmission.
Retries The number of times a timed-out packet is retransmitted before aborting further retransmission. If the client does not receive a response after the configured number of retries have been attempted, the error is logged in the results. CSV file as a TCP timeout when a SYN or FIN is sent, and no SYN/ACK or FIN/ACK from the server is received.

FinACK Timer

This value measures the amount of time that a SimUser waits after it finishes its actions and before it directly breaks all of its TCP connections (that is, the time to wait to receive the LAST_ACK message for a FIN request). A value of 0 disables the timer.

Note: Setting this timer can adversely affect TCP performance.

Client Network
Network MSS The maximum segment size. If MSS is bigger than the MTU, IP fragmentation will be triggered conditionally.

Inner Network MSS

The inner TCP MSS.

IP Option DSCP Provide quality of service (QoS).

Client Limit

Bandwidth

Bandwidth in Mbps. The default is 0, which means the device will send traffic as fast as possible.

Packets per Second

Rate of the packets per second. The default is 0, which means the device will create transactions as fast as possible.

Tunnels per Second

The rate at which DUT establishes tunnels per second.

HttpThroughput profiles

HttpThroughput Load
Simulated Users Number of users to simulate.
HTTP Request Time Out An HTTP request timeout occurs when an HTTP request is issued, but no data is responded back from the server within a certain time (in seconds). The timeout usually indicates an overwhelmed server or reverse proxy, or an outage of the back-end transactions processing servers. FortiTester will reset the connection upon timeout.

HttpThroughput Client

HttpThroughput Client Profile

Request Header The HTTP header of the request packet. Click the Add button to specify more headers. Wild card is supported.
Client Close Mode Select the connection close method: 3Way_Fin or Reset.
HttpThroughput Server Profile
Case Server Port The server port where the test case traffic arrives.
Response Header The HTTP header of the response packet. Click the Add button to specify more headers.

HttpThroughput Server Network

IP Option DCSP

Provide quality of service (QoS).

HttpThroughput Server Limit

Bandwidth

Bandwidth in Mbps. The default is 0, which means the device will send traffic as fast as possible.

Packets per Second

Rate of the packets per second. The default is 0, which means the device will create transactions as fast as possible.

HttpThroughput Action

Method Three methods are available here: GET, POST, and Custom. If you select Custom, you can click +Add to add at most 32 requests.
Request Page Select System Pages with Fixed or Random File Name and Content.
Get page Select the file that the simulated clients access. Optionally, you can select Custom to choose the file template you have created in Cases > Performance Testing > Objects > Files.
Post page Select the file that simulated servers response. You can edit the post parameters. The file size limit is 10MB.
Response pages The size of the response.
Available only when Method is Custom.
HTTP Pipelining Available only when Method is Custom.
Generate Random Content
Enable to generate random content in response package.
Available only when Method is Custom.
Random Method Select to use which method to generate random content.
Success criteria Select criteria to determine if the test succeeds or fails. If the test does not meet the criteria set, the test fails. See Using success criteria.

Starting an SSL-VPN tunnel Throughput test

Starting an SSL-VPN tunnel Throughput test

This test establishes a SSL-VPN tunnel connection, loops completed HTTP/TCP/UDP transaction and closes the Tunnel.

To start an SSL-VPN tunnel Throughput test

  1. Go to Cases > Performance Testing> VPN > SSL-VPN > Throughput to display the test case summary page.
  2. Click + Create New to display the Select case options dialog box.
  3. Configure the Inner Traffic and click OK to continue.

    HTTP Throughput
    HTTP RPS
    TCP Throughput
    UDP Throughput
  4. Set the server network to Peer Network.

    If Fortigate SSLVPN policy has disabled NAT mode, you need set the Internal IP assigned by Fortigate.

    If Fortigate SSLVPN policy has enabled NAT mode, you need to set a peer IP.

  5. Set Specifics for Load and Client. See the table below.

  6. Set Inner protocol case Specifics >HTTPCPS.

    Simulated Users Number of simusers in a Tunnel.

SSL-VPN Test Case common options

SSL-VPN Test Case configuration specific to Throughput

Settings Guidelines
Basic Information

VPN Host Group

Specify VPN hosts defined under Objects > Host Group. A Host Group is comprised of Hosts e.g. abc.com = 1.1.1.1 . FortiTester will inject the hosts configured into SNI field (server name indication) within the TLS handshake.

Load
Mode

Simuser: Simulated users. Simuser simulates a user processing through an Actions list one at a time. It allows you to determine the maximum number of concurrent users your device, infrastructure, or system can handle.
Connections/second: This mode simulates TCP connections, each of them containing up to hundreds of transactions. It's useful to test how many concurrent connections can be handled by your device. Note: Available only for CPS and RPS.

If the user wants FortiTester to create connections as fast as possible, the user should set the Mode to Simulated Users.

What is the difference between Simuser and Connections/second?

Tunnel Concurrent Connection

The total number of tunnels created in the Throughput case.

Ramp Up Time

The duration in seconds for which new sessions can be opened, attempting to reach the desired Connections per Second configured. (Range: 0 - 300).

Note: If FortiTester cannot reach the Connections per Second configured during the specified Ramp Up Time, it will keep the highest CPS it reached during the Ramp Up Time.

Ramp Down Time The duration in second during which the device ramps down the number of connections it is making. 0 will cause the FortiTester to cease generating sessions. (Range: 0 - 300).
Transactions per Tunnel Number of transactions in a Tunnel
VPN Gateway Port Specify the VPN gateway port number.

Enable User Group

Enable to simulate multiple user names. This allows FortiView to populate with more rich user name information, for example.

  1. Go to Objects > User Groups > Create New to create a user group object.
  2. Click Create New to create multiple users/password pairs to the current User Group Object.
  3. In SSL-VPN (CPS/RPS/CC/Throughput) cases, click on the "Enable User Group" switch option button and select the User Group created in step 1.
VPN Username Enter the VPN username.
VPN Password Enter the VPN password.

Tunnel mode

Select TCP or UDP.

Client Profile

Client Close Mode

Select the connection close method: 3Way_Fin or Reset.

Quiet Shutdown

Enable to apply safe shutdown procedure to SSL connections by sending SSL alert to the peer.

Available SSL Versions

Select SSL versions.

TLSv1.3 and other SSL versions are mutually exclusive. This means you can’t select TLSv1.3 at the same time with other SSL versions.

SSL Ciphers

Select one or more SSL ciphers from the list.

Session Resumption
  • Disabled (turns off session resumption).
  • Resume Session by Ticket: Select this option to simulate a client presenting a ticket to a TLS server, having originated from that server, for the purpose of resuming a TLS session.
  • Resume Session by Session: Select this option to simulate a user attempting to use the same SSL Session ID, initially negotiated with the server.

This option applies only to TLS v1 and TLS v1.2. It does not apply to TLS v1.3.

Enable Client Certificate

Enable the client authentication for HTTPS cases.

Piggyback Get Requests If enabled, this means an acknowledgment is sent on the data frame, not in an individual frame. Otherwise, it sends an ACK frame individually. This feature only works with get/post requests.

Client TCP Options

TCP Receive Window The receive window in which you want the TCP stack to send TCP segments. The receive window informs the peer how many bytes of data the stack is currently able to receive. The supplied value is used in all segments sent by the stack. The valid range is 0 to 65535.
Delayed Acks Select to cause the TCP stack to implement the Delayed ACK strategy, which attempts to minimize the transmission of zero-payload ACK packets. Acknowledgments will be deferred and should be piggybacked on top of valid data packets. If successfully deferred, these acknowledgments are free, in the sense that they consume no additional bandwidth.
Delayed Ack Timeout If you select Delayed ACKs, use this timeout value to specify the maximum time the TCP stack waits to defer ACK transmission. If this timer expires, the stack transmits a zero-payload acknowledgment.
Timestamps Option Select to add a TCP time stamp to each TCP segment.
Enable Push Flag Select to set the TCP PSH (push) flag in all TCP packets. This flag causes buffered data to be pushed to the receiving application. If deselected, the PSH flag is not set in any TCP packet.
SACK Option Select to enable TCP Selective Acknowledgment Options(SACK).
Enable TCP Keepalive Select to enable TCP Keep-alive Timer.
Keepalive Timeout If you enable TCP Keepalive, use this timeout value to specify the maximum time to send your peer a keep-alive probe packet
Keepalive Probes If you enable TCP Keepalive, use this value to specify the maximum probes to detect the broken connection.
Override Internal Timeout Calculation Select to override the TCP stack calculation of the retransmission timeout value.
Retransmission Timeout If you select Override Internal Timeout Calculation, use this value for the first transmission of a particular data or control packet; it is doubled for each subsequent retransmission.
Retries The number of times a timed-out packet is retransmitted before aborting further retransmission. If the client does not receive a response after the configured number of retries have been attempted, the error is logged in the results. CSV file as a TCP timeout when a SYN or FIN is sent, and no SYN/ACK or FIN/ACK from the server is received.

FinACK Timer

This value measures the amount of time that a SimUser waits after it finishes its actions and before it directly breaks all of its TCP connections (that is, the time to wait to receive the LAST_ACK message for a FIN request). A value of 0 disables the timer.

Note: Setting this timer can adversely affect TCP performance.

Client Network
Network MSS The maximum segment size. If MSS is bigger than the MTU, IP fragmentation will be triggered conditionally.

Inner Network MSS

The inner TCP MSS.

IP Option DSCP Provide quality of service (QoS).

Client Limit

Bandwidth

Bandwidth in Mbps. The default is 0, which means the device will send traffic as fast as possible.

Packets per Second

Rate of the packets per second. The default is 0, which means the device will create transactions as fast as possible.

Tunnels per Second

The rate at which DUT establishes tunnels per second.

HttpThroughput profiles

HttpThroughput Load
Simulated Users Number of users to simulate.
HTTP Request Time Out An HTTP request timeout occurs when an HTTP request is issued, but no data is responded back from the server within a certain time (in seconds). The timeout usually indicates an overwhelmed server or reverse proxy, or an outage of the back-end transactions processing servers. FortiTester will reset the connection upon timeout.

HttpThroughput Client

HttpThroughput Client Profile

Request Header The HTTP header of the request packet. Click the Add button to specify more headers. Wild card is supported.
Client Close Mode Select the connection close method: 3Way_Fin or Reset.
HttpThroughput Server Profile
Case Server Port The server port where the test case traffic arrives.
Response Header The HTTP header of the response packet. Click the Add button to specify more headers.

HttpThroughput Server Network

IP Option DCSP

Provide quality of service (QoS).

HttpThroughput Server Limit

Bandwidth

Bandwidth in Mbps. The default is 0, which means the device will send traffic as fast as possible.

Packets per Second

Rate of the packets per second. The default is 0, which means the device will create transactions as fast as possible.

HttpThroughput Action

Method Three methods are available here: GET, POST, and Custom. If you select Custom, you can click +Add to add at most 32 requests.
Request Page Select System Pages with Fixed or Random File Name and Content.
Get page Select the file that the simulated clients access. Optionally, you can select Custom to choose the file template you have created in Cases > Performance Testing > Objects > Files.
Post page Select the file that simulated servers response. You can edit the post parameters. The file size limit is 10MB.
Response pages The size of the response.
Available only when Method is Custom.
HTTP Pipelining Available only when Method is Custom.
Generate Random Content
Enable to generate random content in response package.
Available only when Method is Custom.
Random Method Select to use which method to generate random content.
Success criteria Select criteria to determine if the test succeeds or fails. If the test does not meet the criteria set, the test fails. See Using success criteria.