FortiOS v6.2 was released in March this year and we are still gaining experience with this version. In this article we would like to draw your attention to the protocol that is used for the FortiGuard service communication (web filter categorization, AV and IPS updates). Up to v6.0 UDP was used; with 6.2 the default protocol has changed to HTTPS.
Uhh, yes. All of us know that HTTPS is much slower than UDP: every request first needs a TCP handshake and a TLS 1.2 handshake before the actual query is sent, whereas a UDP rating query is a single datagram and a single reply. So be prepared for categorization requests being answered more slowly, at least for URLs that are not already in the local rating cache.
But there are more obstacles, at least right now in July 2019.
First, it seems that only three FortiGuard servers are capable of answering FortiGuard requests over HTTPS.
So all FortiGates in the world that are running v6.2 and are using HTTPS for the FortiGuard communication bundle their requests on these three servers; I assume that they are pretty heavily loaded. And second, all three FortiGuard servers are located in timezone GMT-8. That's pretty far away, at least for us European guys...
Here is the output from the same command when UDP is used:
Compare for yourself how much slower it gets. On the left side the web filter response time for HTTPS, on the right side the time for UDP.
So now it's your decision. Fast categorization requests with lightweight UDP (port 8888) and maybe (?) proprietary encryption or encapsulation? Or do you prefer full-blown HTTPS requests (TLS 1.2) to GMT-8? Keep in mind that HTTPS on port 443 is standard TLS that any upstream firewall or proxy will let through, while UDP 8888 may be blocked on some networks, so check your outbound policies before switching back.
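As an added illustration (not part of the original post), here is the FortiOS CLI to inspect and change the FortiGuard transport, with the 6.2 default (HTTPS/443) next to the UDP/8888 setting. Assumptions: the `fortiguard-anycast` option is present on the build and must be disabled before UDP can be selected, and the port values are the ones accepted for each protocol on 6.2; verify both with `?` completion on your own unit.

```text
# Show the current FortiGuard transport settings
show system fortiguard

# Variant A: the FortiOS 6.2 default, HTTPS on port 443
# (assumption: fortiguard-anycast forces protocol https / port 443 when enabled)
config system fortiguard
    set fortiguard-anycast enable
    set protocol https
    set port 443
end

# Variant B: the pre-6.2 behaviour, UDP on port 8888
# (assumption: anycast has to be disabled first, otherwise protocol/port are locked)
config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
end

# Reduce the number of live rating requests either way by keeping the
# web filter rating cache enabled (ttl in seconds; assumption: 3600 is the default)
config webfilter fortiguard
    set cache-mode ttl
    set cache-ttl 3600
end

# List the FortiGuard servers the unit knows, with weight, RTT and timezone;
# run it before and after the change and compare the RTT column
diagnose debug rating
```

The output of `diagnose debug rating` is the place to watch: the server list shows which timezone each entry sits in and how long the last round trip took, which is exactly the difference the screenshots above are meant to show.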
Update, January 27, 2020:
Finally it seems that Fortinet has set up a FortiGuard server in timezone GMT+1 that is capable of HTTPS.
Thanks to Stephane for this u