Fortinet black logo

New Features

7.4.0
7.4.0
7.2.0
7.0.0
6.4.0
6.2.0

Support the Happy Eyeballs algorithm for explicit proxy 7.4.1

Support the Happy Eyeballs algorithm for explicit proxy 7.4.1

Note

This information is also available in the FortiOS 7.4 Administration Guide:

The "Happy Eyeballs" (also named fast fallback) algorithm, as outlined in RFC 8305, is now supported for explicit web proxy. This feature operates by attempting to connect to a web server that is available at multiple IPv4 and IPv6 addresses, either sequentially or simultaneously. As a result, the web server can be connected with reduced user-visible delay, which enhances the overall browsing experience.

config web-proxy fast-fallback
    edit <name>
        set status {enable | disable}
        set connection-mode {sequentially | simultaneously}
        set protocol {IPv4-first | IPv6-first | IPv4-only | IPv6-only}
        set connection-timeout <integer>
    next
end

status {enable | disable}

Enable/disable the fast fallback entry (default = enable).

connection-mode {sequentially | simultaneously}

Set the connection mode for multiple destinations.

  • sequentially: connect the different destinations sequentially (default).
  • simultaneously: connect the different destinations simultaneously.

protocol {IPv4-first | IPv6-first | IPv4-only | IPv6-only}

Set the connection protocols for multiple destinations.

  • IPv4-first: connect IPv4 destinations first (default).
  • IPv6-first: connect IPv6 destinations first.
  • IPv4-only: connect IPv4 destinations only.
  • IPv6-only: connect IPv6 destinations only.

connection-timeout <integer>

Start another connection if a connection takes longer than the timeout value, in milliseconds (200 - 1800000, default = 200).

Based on the settings for connection-mode and protocol, the explicit web proxy will try connecting to the web server in different ways:

  • If the connection-mode is set to sequential (default), then the explicit web proxy will try connecting to the web server by IPv4 first, or by IPv6 first depending on the protocol setting. If the connection attempt over IPv4 or IPv6 succeeds, then the connection is kept; but if the connection fails, then it falls back to try a connection over IPv6 or IPv4 instead.
  • If the connection-mode is set to simultaneously, then the explicit web proxy will try connecting to the web server by IPv4 and IPv6 at the same time. If the connection over IPv4 is established first, then the connection is kept for the session and the IPv6 connection is discarded and vice-versa.
  • If the user only wants to connect by IPv4 but not IPv6, or by IPv6 but not IPv4, then the protocol option can be set to IPv4-only or IPv6-only accordingly. The explicit web proxy will try connecting to the web server only by IPv4 or IPv6, even though both IPv4 and IPv6 may work.

Example

In this example, a client visits a web server through a FortiGate explicit web proxy that has IPv4 and IPv6 connections to the web server (www.example.com), which can resolve to IPv4 address 93.184.216.34 and IPv6 address 2606:2800:220:1:248:1893:25c8:1946.

The configuration uses sequential connection mode, the IPv4 first protocol, and the default connection timeout (200 ms).

To configure the FortiGate:

  1. Configure the IPv4 static route:

    config router static
    edit 1
        set gateway 172.16.200.251
        set device "port3"
    next
end

  2. Configure the IPv6 static route:

    config router static6
    edit 1
        set gateway 2000:172:16:200::254
        set device "port3"
    next
end

  3. Configure the proxy destination connection fast fallback:

    config web-proxy fast-fallback
    edit "ffbk"
        set status enable
        set connection-mode sequentially
        set protocol IPv4-first
        set connection-timeout 200
    next
end

  4. Configure the exempt URL of the web server from web proxy forwarding and caching:

    config web-proxy url-match
    edit "ffbk"
        set url-pattern "example.com"
        set fast-fallback "ffbk"
    next
end

  5. Configure the proxy policy:

    config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set srcaddr6 "all"
        set dstaddr6 "all"
        set utm-status enable
        set ssl-ssh-profile "deep-custom"
        set av-profile "av"
    next
end

Verifying the connection

Scenario 1:

The TCP connection from the explicit web proxy to the web server is established successfully over IPv4 within 200 ms.

As shown in the forward traffic log, the web session data is transmitted over IPv4 between the explicit web proxy and the web server.

2: date=2023-06-26 time=18:46:18 eventtime=1687830378260927765 tz="-0700" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="vdom1" srcip=10.1.100.11 srcport=33304 srcintf="port1" srcintfrole="undefined" dstcountry="United States" srccountry="Reserved" dstip=93.184.216.34 dstport=80 dstintf="port3" dstintfrole="undefined" sessionid=1688881487 service="HTTP" proxyapptype="web-proxy" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="560d8520-fa7b-51ed-e06a-df05ec145542" trandisp="snat" transip=0.0.0.0 transport=0 duration=0 wanin=0 rcvdbyte=0 wanout=0 lanin=131 sentbyte=131 lanout=1591 appcat="unscanned"
Scenario 2:

The TCP connection from the explicit web proxy to the web server is not established over IPv4 within 200 ms and falls back to IPv6 successfully.

The IPv4 path to the server is interrupted, and the TCP connection between the explicit web proxy and web server cannot be established. The explicit web proxy waits until the 200 ms connection timeout timer expires, then attempts to connect to the server by IPv6, which is successful. The web session data is transmitted over IPv6, as shown in the forward traffic log.

2: date=2023-06-26 time=18:47:27 eventtime=1687830447277653089 tz="-0700" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="vdom1" srcip=10.1.100.11 srcport=36636 srcintf="port1" srcintfrole="undefined" dstcountry="United States" srccountry="Reserved" dstip=2606:2800:220:1:248:1893:25c8:1946 dstport=80 dstintf="port3" dstintfrole="undefined" sessionid=1688881488 service="HTTP" proxyapptype="web-proxy" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="560d8520-fa7b-51ed-e06a-df05ec145542" trandisp="snat" transport=0 duration=1 wanin=0 rcvdbyte=0 wanout=0 lanin=131 sentbyte=131 lanout=1591 appcat="unscanned"
Previous
Next

Support the Happy Eyeballs algorithm for explicit proxy 7.4.1

Note

This information is also available in the FortiOS 7.4 Administration Guide:

The "Happy Eyeballs" (also named fast fallback) algorithm, as outlined in RFC 8305, is now supported for explicit web proxy. This feature operates by attempting to connect to a web server that is available at multiple IPv4 and IPv6 addresses, either sequentially or simultaneously. As a result, the web server can be connected with reduced user-visible delay, which enhances the overall browsing experience.

config web-proxy fast-fallback
    edit <name>
        set status {enable | disable}
        set connection-mode {sequentially | simultaneously}
        set protocol {IPv4-first | IPv6-first | IPv4-only | IPv6-only}
        set connection-timeout <integer>
    next
end

status {enable | disable}

Enable/disable the fast fallback entry (default = enable).

connection-mode {sequentially | simultaneously}

Set the connection mode for multiple destinations.

  • sequentially: connect the different destinations sequentially (default).
  • simultaneously: connect the different destinations simultaneously.

protocol {IPv4-first | IPv6-first | IPv4-only | IPv6-only}

Set the connection protocols for multiple destinations.

  • IPv4-first: connect IPv4 destinations first (default).
  • IPv6-first: connect IPv6 destinations first.
  • IPv4-only: connect IPv4 destinations only.
  • IPv6-only: connect IPv6 destinations only.

connection-timeout <integer>

Start another connection if a connection takes longer than the timeout value, in milliseconds (200 - 1800000, default = 200).

Based on the settings for connection-mode and protocol, the explicit web proxy will try connecting to the web server in different ways:

  • If the connection-mode is set to sequential (default), then the explicit web proxy will try connecting to the web server by IPv4 first, or by IPv6 first depending on the protocol setting. If the connection attempt over IPv4 or IPv6 succeeds, then the connection is kept; but if the connection fails, then it falls back to try a connection over IPv6 or IPv4 instead.
  • If the connection-mode is set to simultaneously, then the explicit web proxy will try connecting to the web server by IPv4 and IPv6 at the same time. If the connection over IPv4 is established first, then the connection is kept for the session and the IPv6 connection is discarded and vice-versa.
  • If the user only wants to connect by IPv4 but not IPv6, or by IPv6 but not IPv4, then the protocol option can be set to IPv4-only or IPv6-only accordingly. The explicit web proxy will try connecting to the web server only by IPv4 or IPv6, even though both IPv4 and IPv6 may work.

Example

In this example, a client visits a web server through a FortiGate explicit web proxy that has IPv4 and IPv6 connections to the web server (www.example.com), which can resolve to IPv4 address 93.184.216.34 and IPv6 address 2606:2800:220:1:248:1893:25c8:1946.

The configuration uses sequential connection mode, the IPv4 first protocol, and the default connection timeout (200 ms).

To configure the FortiGate:

  1. Configure the IPv4 static route:

    config router static
    edit 1
        set gateway 172.16.200.251
        set device "port3"
    next
end

  2. Configure the IPv6 static route:

    config router static6
    edit 1
        set gateway 2000:172:16:200::254
        set device "port3"
    next
end

  3. Configure the proxy destination connection fast fallback:

    config web-proxy fast-fallback
    edit "ffbk"
        set status enable
        set connection-mode sequentially
        set protocol IPv4-first
        set connection-timeout 200
    next
end

  4. Configure the exempt URL of the web server from web proxy forwarding and caching:

    config web-proxy url-match
    edit "ffbk"
        set url-pattern "example.com"
        set fast-fallback "ffbk"
    next
end

  5. Configure the proxy policy:

    config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set srcaddr6 "all"
        set dstaddr6 "all"
        set utm-status enable
        set ssl-ssh-profile "deep-custom"
        set av-profile "av"
    next
end

Verifying the connection

Scenario 1:

The TCP connection from the explicit web proxy to the web server is established successfully over IPv4 within 200 ms.

As shown in the forward traffic log, the web session data is transmitted over IPv4 between the explicit web proxy and the web server.

2: date=2023-06-26 time=18:46:18 eventtime=1687830378260927765 tz="-0700" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="vdom1" srcip=10.1.100.11 srcport=33304 srcintf="port1" srcintfrole="undefined" dstcountry="United States" srccountry="Reserved" dstip=93.184.216.34 dstport=80 dstintf="port3" dstintfrole="undefined" sessionid=1688881487 service="HTTP" proxyapptype="web-proxy" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="560d8520-fa7b-51ed-e06a-df05ec145542" trandisp="snat" transip=0.0.0.0 transport=0 duration=0 wanin=0 rcvdbyte=0 wanout=0 lanin=131 sentbyte=131 lanout=1591 appcat="unscanned"
Scenario 2:

The TCP connection from the explicit web proxy to the web server is not established over IPv4 within 200 ms and falls back to IPv6 successfully.

The IPv4 path to the server is interrupted, and the TCP connection between the explicit web proxy and web server cannot be established. The explicit web proxy waits until the 200 ms connection timeout timer expires, then attempts to connect to the server by IPv6, which is successful. The web session data is transmitted over IPv6, as shown in the forward traffic log.

2: date=2023-06-26 time=18:47:27 eventtime=1687830447277653089 tz="-0700" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="vdom1" srcip=10.1.100.11 srcport=36636 srcintf="port1" srcintfrole="undefined" dstcountry="United States" srccountry="Reserved" dstip=2606:2800:220:1:248:1893:25c8:1946 dstport=80 dstintf="port3" dstintfrole="undefined" sessionid=1688881488 service="HTTP" proxyapptype="web-proxy" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="560d8520-fa7b-51ed-e06a-df05ec145542" trandisp="snat" transport=0 duration=1 wanin=0 rcvdbyte=0 wanout=0 lanin=131 sentbyte=131 lanout=1591 appcat="unscanned"
Previous
Next