Fortinet black logo

Administration Guide

HTTP/2 support

HTTP/2 support

If the FortiWeb is deployed in Reverse Proxy (see Topology for Reverse Proxy mode) or True Transparent Proxy (see Topology for either of the transparent modes) mode, HTTP/2 web communication can be protected by almost all the FortiWeb's security services except:

Note: HTTP/2 traffic will bypass the WebSocket and NTML authentication security services (even if the services are well-configured).

How to enable HTTP/2 support
Deployment in Reverse Proxy mode

When the FortiWeb is operating in Reverse Proxy mode, it can provide end-to-end HTTP/2 security which requires both clients and back-end servers running HTTP/2. Moreover, if the back web servers do not support HTTP/2, FortiWeb (in Reverse Proxy mode) provides the HTTP/2 protections also with conversion protocols between HTTP/2 clients and HTTP/1.1 back-end servers. This allows customers to enjoy HTTP/2 benefits without having to upgrade their web servers. Therefore, when the FortiWeb is operating in Reverse Proxy mode, it requires two necessary configurations for HTTP/2 security:

  • Server Policy: Enable HTTP/2 in a Server Policy (see HTTP/2), so that HTTP/2 can be negotiated between FortiWeb and clients via SSL ALPN (Application-Layer Protocol Negotiation) during the SSL handshake, if the client's browser supports HTTP/2 protocol. Then, FortiWeb can recognize HTTP/2 traffic and apply the security services to it.
  • Server Pool: Enable HTTP/2 for a Server Pool (see HTTP/2) if your back-end web servers are running HTTP/2. This indicates HTTP/2 communication between FortiWeb and the backend servers in the server pool. HTTP/2 Traffic processed by FortiWeb will be forwarded to the back web servers through HTTP/2. However, if your web servers do not support HTTP/2, keep the option disabled and FortiWeb will convert the processed HTTP/2 traffic to HTTP/1.x and forward it to the backend servers. Please note that enable this only if your back web servers really support HTTP/2, or connections will go failed.
Deployment in True Transparent Proxy mode

Conversion between HTTP/2 clients and HTTP/1.1 back-end servers is not available when the FortiWeb is operating in True Transparent Proxy mode. Therefore, FortiWeb's HTTP/2 inspection must work with the back web servers that really support HTTP/2. When your FortiWeb is operating in True Transparent Proxy mode, only one configuration is required to enable the HTTP/2 support:

  • Server Pool: Enable SSL and HTTP/2 in a Server Pool (see To configure an HTTP server pool). Please make sure your back-end web servers are running HTTP/2, or no HTTP/2 connections will be established between clients and the back servers and enabling HTTP/2 support on the FortiWeb will be kind of meaningless.

Note: FortiWeb only supports HTTP/2 for HTTPS (SSL) connections (most browsers support HTTP/2 for only HTTPS). Therefore, for deployment in Reverse Proxy or True Transparent Proxy mode, HTTPS or SSL on the FortiWeb must be enabled for HTTP/2.

HTTP/2 support

If the FortiWeb is deployed in Reverse Proxy (see Topology for Reverse Proxy mode) or True Transparent Proxy (see Topology for either of the transparent modes) mode, HTTP/2 web communication can be protected by almost all the FortiWeb's security services except:

Note: HTTP/2 traffic will bypass the WebSocket and NTML authentication security services (even if the services are well-configured).

How to enable HTTP/2 support
Deployment in Reverse Proxy mode

When the FortiWeb is operating in Reverse Proxy mode, it can provide end-to-end HTTP/2 security which requires both clients and back-end servers running HTTP/2. Moreover, if the back web servers do not support HTTP/2, FortiWeb (in Reverse Proxy mode) provides the HTTP/2 protections also with conversion protocols between HTTP/2 clients and HTTP/1.1 back-end servers. This allows customers to enjoy HTTP/2 benefits without having to upgrade their web servers. Therefore, when the FortiWeb is operating in Reverse Proxy mode, it requires two necessary configurations for HTTP/2 security:

  • Server Policy: Enable HTTP/2 in a Server Policy (see HTTP/2), so that HTTP/2 can be negotiated between FortiWeb and clients via SSL ALPN (Application-Layer Protocol Negotiation) during the SSL handshake, if the client's browser supports HTTP/2 protocol. Then, FortiWeb can recognize HTTP/2 traffic and apply the security services to it.
  • Server Pool: Enable HTTP/2 for a Server Pool (see HTTP/2) if your back-end web servers are running HTTP/2. This indicates HTTP/2 communication between FortiWeb and the backend servers in the server pool. HTTP/2 Traffic processed by FortiWeb will be forwarded to the back web servers through HTTP/2. However, if your web servers do not support HTTP/2, keep the option disabled and FortiWeb will convert the processed HTTP/2 traffic to HTTP/1.x and forward it to the backend servers. Please note that enable this only if your back web servers really support HTTP/2, or connections will go failed.
Deployment in True Transparent Proxy mode

Conversion between HTTP/2 clients and HTTP/1.1 back-end servers is not available when the FortiWeb is operating in True Transparent Proxy mode. Therefore, FortiWeb's HTTP/2 inspection must work with the back web servers that really support HTTP/2. When your FortiWeb is operating in True Transparent Proxy mode, only one configuration is required to enable the HTTP/2 support:

  • Server Pool: Enable SSL and HTTP/2 in a Server Pool (see To configure an HTTP server pool). Please make sure your back-end web servers are running HTTP/2, or no HTTP/2 connections will be established between clients and the back servers and enabling HTTP/2 support on the FortiWeb will be kind of meaningless.

Note: FortiWeb only supports HTTP/2 for HTTPS (SSL) connections (most browsers support HTTP/2 for only HTTPS). Therefore, for deployment in Reverse Proxy or True Transparent Proxy mode, HTTPS or SSL on the FortiWeb must be enabled for HTTP/2.