Fortinet has introduced a new configuration parameter in FortiOS 7.2.4 and higher. The parameter is “http-supported-max-version” and it is configurable under “config firewall vip”.
Symptoms
After upgrading FortiOS to 7.2.4, some websites that are published over a virtual server on the FortiGate never finish loading. Part of the page loads and the rest does not appear, even after waiting a few minutes.
In the browser's developer console you can see that some elements that are loaded later via AJAX requests are not delivered to the client browser. The browser keeps waiting and shows the “loading” sign indefinitely.
Cause
The FortiGate now supports HTTP2 requests over virtual servers. Unfortunately, some servers (more specifically: reverse proxies) are not yet able to handle those requests.
Even though the setting on the FortiGate is described as backwards compatible, some websites have issues with it.
Solution
To solve the issue, set the parameter back to http1 as documented here:
config firewall vip
    edit "myvip"
        set http-supported-max-version http1
    next
end
According to the FortiGate CLI and the Fortinet CLI Reference Guide for FortiOS 7.2.6 and higher, this setting can be set to:
http-supported-max-version [http1 | http2]
http1: Support HTTP 1.1 and HTTP1.
http2: Support HTTP2, HTTP 1.1, and HTTP1. This is the default setting!
Please open a new session to test the change: close and reopen your browser, or open a private/incognito window.
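To find which virtual servers are still at the http2 default after the upgrade, a configuration backup can be checked offline. The following Python script is an added example, not code from Fortinet or from the original post. It assumes that virtual servers are VIPs with type server-load-balance and server-type http or https, and that a backup omits parameters left at their default; the sample configuration is constructed.

```python
# Constructed sample of a FortiOS backup; VIP names and addresses are made up.
SAMPLE_CONFIG = """\
config firewall vip
    edit "myvip"
        set type server-load-balance
        set server-type https
        set http-supported-max-version http1
        config realservers
            edit 1
            next
        end
    next
    edit "shop"
        set type server-load-balance
        set server-type https
    next
    edit "ssh-forward"
        set mappedip "10.0.0.9"
    next
end
"""
DEFAULT = "http2"  # default value per the CLI reference quoted above

def vip_http_versions(config_text):
    """Map each HTTP(S) virtual server to its effective max HTTP version."""
    result, depth, name, settings, in_section = {}, 0, None, {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == "config firewall vip"
        elif line.startswith("config "):
            depth += 1  # nested block such as "config realservers"
        elif line == "end":  # closes a nested block, or the VIP section at depth 0
            in_section, depth = depth > 0, max(depth - 1, 0)
        elif depth > 0:
            continue  # ignore edit/set/next inside nested blocks
        elif line.startswith("edit "):
            name, settings = line[5:].strip().strip('"'), {}
        elif line.startswith("set ") and name:
            key, _, value = line[4:].partition(" ")
            settings[key] = value.strip().strip('"')
        elif line == "next" and name:
            # Assumption: virtual server = type server-load-balance + server-type http/https
            if settings.get("type") == "server-load-balance" and settings.get("server-type") in ("http", "https"):
                result[name] = settings.get("http-supported-max-version", DEFAULT)
            name = None
    return result
if __name__ == "__main__":
    print(vip_http_versions(SAMPLE_CONFIG))
```

Every VIP reported as http2 still accepts HTTP2 from clients and is a candidate for the change shown above if its backend shows the loading symptom.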
More information
Fortinet has created a knowledge base article for this problem.
Fortinet has mentioned this new feature in the FortiOS 7.2.4 release notes.