FortiCache 4.0.1 Administration Guide

Monitor

You can go to the Monitor menu to view lists of currently authenticated users, and banned users. For each authenticated user, the list includes the user name, user group, how long the user has been authenticated (Duration), how long until the user’s session times out (Time left), and the method of authentication used. The Banned User list includes users configured by administrators.

Firewall

In some environments, it is useful to determine which users are authenticated by the FortiCache unit and allow the system administrator to de-authenticate (stop current session) users. With the firewall monitor, you can de-authenticate all currently authenticated users, or select individual users to de-authenticate. To permanently stop a user from re-authenticating, change the configuration (disable a user account) and then use the user monitor to immediately end the user’s current session.

Monitored firewall users can be viewed from User > Monitor > Firewall. This page lists all firewall users that are currently authenticated by the unit and active. You can refresh the information on the page and filter it.

Refresh Refresh the Firewall user monitor list.
De-authenticate Stop authenticated sessions for all selected users in the Firewall user monitor list. Users must re-authenticate with the firewall to resume their communication session.
User Name The names of all connected remote users.
User Group The group that the remote user is a member of.
Policy ID The policy identification number of the user.
Duration The length of time since the user was authenticated.
IP Address The user’s source IP address.
Traffic Volume The amount of traffic going through the unit that is generated by the user.
Method The authentication method used for the user by the unit, such as FSSO Agent, firewall authentication, or NTLM.
Time-left Shows the amount of time remaining for the user. This column is not visible by default. Right-click in the column headings to add it.

User Quarantine

The user quarantine shows all IP addresses and interfaces blocked by Network Access Control (NAC) quarantine. The list also shows all IP addresses, authenticated users, senders, and interfaces blocked by DLP.

The system administrator can selectively release users or interfaces from quarantine, or configure quarantine to expire after a selected time period.

All sessions started by users or IP addresses on the banned user list are blocked until the user or IP address is removed from the list. All sessions to an interface on the list are blocked until the interface is removed from the list.

The user quarantine is viewed from User > Monitor > User Quarantine.

Delete Removes the user from the list.
Remove All Remove all users and IP addresses from the list.

IP Address The IP address of the user in the list.
Source The source of the user in the list.
Created The date and time that the user or IP address was added to the list.
Expires The date and time that the user or IP address will be automatically removed from the list. If Expires is Indefinite, the entry must be manually removed from the list.

WAN Optimization and Web Caching

You can use web caching to cache web pages from any web server. All traffic between a client network and one or more web servers is then intercepted by a web cache policy. This policy causes the FortiCache unit to cache pages from the web servers on the FortiCache unit and makes the cached pages available to users on the client network. Web caching can be configured for standard and reverse web caching.

In a standard web caching configuration, the FortiCache unit caches pages for users on a client network. A router sends HTTP traffic to be cached to the FortiCache unit.

You can also create a reverse proxy web caching configuration, where the FortiCache unit is dedicated to providing web caching for a single web server or server farm. In this second configuration, one or more FortiCache units can be installed between the server network and the WAN or Internet, or traffic to be cached can be routed to the FortiCache units.

You can add WAN Optimization to improve traffic performance and efficiency as it crosses the WAN.

FortiCache WAN optimization consists of a number of techniques that you can apply to improve the efficiency of communication across your WAN. These techniques include protocol optimization, byte caching, SSL offloading, and secure tunneling.

Protocol optimization can improve the efficiency of traffic that uses the CIFS, FTP, HTTP, or MAPI protocol, as well as general TCP traffic. Byte caching caches files and other data on FortiCache units to reduce the amount of data transmitted across the WAN. Web caching stores web pages on FortiCache units to reduce latency and delays between the WAN and web servers. SSL offloading offloads SSL decryption and encryption from web servers onto FortiCache SSL acceleration hardware. Secure tunneling secures traffic as it crosses the WAN.

You can apply different combinations of these WAN optimization techniques to a single traffic stream depending on the traffic type. For example, you can apply byte caching and secure tunneling to any TCP traffic. For HTTP and HTTPS traffic, you can also apply protocol optimization and web caching.

This chapter describes:

  - WAN optimization profiles
  - WAN optimization peers
  - Cache
  - Monitor

WAN optimization profiles

FortiCache WAN optimization consists of a number of techniques that you can apply to improve the efficiency of communication across your WAN. These techniques include protocol optimization, byte caching, web caching, SSL offloading, and secure tunneling.

To configure WAN optimization profiles, go to WAN Opt. & Cache > WAN Opt. Profiles > Profiles. The Edit WAN Optimization Profile page is displayed.

Configure the following settings, then select Apply to apply any changes:

Profile Select a profile to edit from the drop-down list.
Create New Create a new WAN optimization profile.
Clone Clone the current profile.
Delete Delete the current profile.
View List View the WAN optimization profile list. See Profile list on page 123.
Name Enter a name for the WAN optimization profile.
Comments Optionally, enter a description of the profile.
Transparent Mode Select the checkbox to enable transparent mode.
Authentication Group Enable, then select from the drop-down menu the authentication group that will be applied to the WAN optimization profile.
Protocol Select the protocols that are enabled for this profile: CIFS, FTP, HTTP, MAPI, and TCP.
SSL Offloading Select to enable SSL offloading.

SSL offloading offloads SSL decryption and encryption from web servers onto FortiCache SSL acceleration hardware. It is only available for HTTP and TCP protocols.

Secure Tunneling Select to enable secure tunneling.

To use secure tunneling, it must be enabled for a protocol, and an authentication group must be added. The authentication group specifies the certificate or pre-shared key used to set up the secure tunnel. The Peer Acceptance setting of the authentication group does not affect secure tunneling.

The FortiCache units at each end of the secure tunnel must have the same authentication group with the same name and the same configuration, including the same pre-shared key or certificate.

Byte Caching Select to enable byte caching.

Byte caching breaks large units of application data (for example, a file being downloaded from a web page) into small chunks of data, labelling each chunk of data with a hash of the chunk and storing those chunks and their hashes in a database. The database is stored on a WAN optimization storage device.

Port Specify the port number for the protocol. The default values are:

  - CIFS: 445
  - FTP: 21
  - HTTP: 80
  - MAPI: 135
  - TCP: 1 – 65535
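The byte caching setting above describes a mechanism rather than a dialog: data is cut into chunks, each chunk is labelled with a hash, and both units keep the chunks and hashes in a database so that a chunk that has already crossed the WAN is later replaced by its hash. The following Python model is an added example written for this guide; it is not FortiCache code, and the chunk sizes, the SHA-256 label, the rolling-window boundary rule and the wire accounting are assumptions chosen for the demonstration.

```python
"""Byte caching modelled in Python (added example, not FortiCache code).

Application data is split into content-defined chunks, each chunk is
labelled with a SHA-256 hash, and both peers keep chunk + hash in a
database. Once a chunk has crossed the tunnel, later transfers send only
its hash. All sizes and formats here are assumptions for the demo.
"""
import hashlib
import random
from typing import Dict, List, Optional, Tuple

WINDOW = 16            # bytes in the rolling window used to pick boundaries
BOUNDARY_MASK = 0x3FF  # boundary when (window sum & mask) == 0, ~1 KiB average
MIN_CHUNK = 256
MAX_CHUNK = 4096
DIGEST_LEN = 32        # a SHA-256 digest replaces a chunk the peer already holds


def chunk(data: bytes) -> List[bytes]:
    """Content-defined chunking: boundaries depend on the bytes, not on offsets,
    so inserting bytes near the start of a file only disturbs nearby chunks."""
    chunks: List[bytes] = []
    start = 0
    window_sum = 0
    for i, b in enumerate(data):
        window_sum += b
        if i >= WINDOW:
            window_sum -= data[i - WINDOW]
        length = i - start + 1
        at_boundary = length >= MIN_CHUNK and (window_sum & BOUNDARY_MASK) == 0
        if at_boundary or length >= MAX_CHUNK:
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])
    return chunks


def label(c: bytes) -> bytes:
    return hashlib.sha256(c).digest()


class Peer:
    """One WAN optimization unit with its chunk database.

    Every chunk that crosses the tunnel is stored by both ends, so a peer's
    own database doubles as its record of which chunks the other end holds.
    """

    def __init__(self) -> None:
        self.db: Dict[bytes, bytes] = {}

    def encode(self, data: bytes) -> Tuple[List[Tuple[bytes, Optional[bytes]]], int]:
        """Turn data into a stream of (hash, chunk-or-None) and count the bytes
        that stream would occupy on the WAN."""
        stream: List[Tuple[bytes, Optional[bytes]]] = []
        wire = 0
        for c in chunk(data):
            h = label(c)
            if h in self.db:              # peer already has it: send the hash only
                stream.append((h, None))
                wire += DIGEST_LEN
            else:                         # new chunk: send hash + bytes, remember it
                self.db[h] = c
                stream.append((h, c))
                wire += DIGEST_LEN + len(c)
        return stream, wire

    def decode(self, stream: List[Tuple[bytes, Optional[bytes]]]) -> bytes:
        out = bytearray()
        for h, c in stream:
            if c is None:
                if h not in self.db:
                    raise ValueError("reference to a chunk this peer never received")
                c = self.db[h]            # rebuild the chunk from the local database
            else:
                if label(c) != h:         # the label must match the bytes received
                    raise ValueError("chunk does not match its hash")
                self.db[h] = c
            out += c
        return bytes(out)


def transfer(client: Peer, server: Peer, data: bytes) -> int:
    """Send data client -> server, verify it arrives intact, return WAN bytes used."""
    stream, wire = client.encode(data)
    if server.decode(stream) != data:
        raise AssertionError("reassembled data differs from the original")
    return wire


def demo() -> Dict[str, int]:
    """Constructed input: a 64 KiB pseudo-random 'download', the same file
    again, then the file with 100 bytes inserted near its start."""
    rng = random.Random(2024)
    file_a = bytes(rng.getrandbits(8) for _ in range(64 * 1024))
    inserted = bytes(rng.getrandbits(8) for _ in range(100))
    file_b = file_a[:1000] + inserted + file_a[1000:]
    client, server = Peer(), Peer()
    return {
        "size": len(file_a),
        "first": transfer(client, server, file_a),     # cold cache: all bytes cross the WAN
        "repeat": transfer(client, server, file_a),    # warm cache: hashes only
        "modified": transfer(client, server, file_b),  # only chunks around the insertion
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:9} {value:7d} bytes")
```

The first transfer costs slightly more than the file itself (the labels are overhead), the repeat costs only a few percent, and the modified file costs little more than the chunks touched by the insertion. The content-defined boundaries are what keep the third case cheap; with fixed-size chunks every chunk after the insertion point would shift and miss the cache.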

Profile list

The WAN optimization profile list can be viewed by selecting View List in the Edit WAN Optimization Profile page toolbar.

Create New Create a new WAN optimization profile.
Edit Modify the profile.
Delete Remove the profile.
Name The name of the WAN optimization profile.
Ports The ports used by the profile.
Transparent Whether or not transparent mode is enabled.
Authentication Group The authentication group used by the profile, if any. See Authentication groups on page 125.
Comments Optional description of the WAN optimization profile.

Managing WAN optimization profiles

WAN optimization profiles can be added, edited, cloned, and deleted as required.

To create a new WAN optimization profile:

  1. From either the Edit WAN Optimization Profile page or the WAN optimization profile list, select Create New.
  2. Enter the required information, then select OK to create the new WAN optimization profile.

To edit a WAN optimization profile:

  1. From the Edit WAN Optimization Profile page, select the profile you need to edit from the profile drop-down list. From the profile list, either select the profile you would like to edit and then select Edit from the toolbar, or double-click on the profile name in the list. The Edit WAN Optimization Profile window opens.
  2. Edit the information as required, then select Apply to apply your changes.

To clone a WAN optimization profile:

  1. From the Edit WAN Optimization Profile page, select the profile you need to clone from the profile drop-down list.
  2. Select Clone from the toolbar.
  3. Enter a name for the profile in the dialog box, then select OK.
  4. Edit the clone as required.

To delete a profile or profiles:

  1. From the profile list, select the profile or profiles that you would like to delete.
  2. Select Delete from the toolbar.
  3. Select OK in the confirmation dialog box to delete the selected profile or profiles.

WAN optimization peers

The client-side and server-side FortiCache units are called WAN optimization peers because all of the FortiCache units in a WAN optimization network have the same peer relationship with each other. The client and server roles relate to how a session is started. Any FortiCache unit configured for WAN optimization can be both a client-side and a server-side FortiCache unit at the same time, depending on the direction of the traffic. Client-side FortiCache units initiate WAN optimization sessions and server-side FortiCache units respond to the session requests. Any FortiCache unit can be a client-side FortiCache unit for some sessions and a server-side FortiCache unit for others.

To identify all of the WAN optimization peers that a FortiCache unit can perform WAN optimization with, host IDs and IP addresses of all of the peers are added to the FortiCache unit configuration. The peer IP address is actually the IP address of the peer unit interface that communicates with the FortiCache unit.

Peers

Go to WAN Opt. & Cache > WAN Opt. Peers > Peers to view the WAN optimization peer list.

Create New Create a new WAN optimization peer.
Edit Edit a WAN optimization peer.
Delete Delete a WAN optimization peer or peers.
Local Host ID The local host ID. Enter an ID, then select Apply to apply the ID.
Search Enter a search term to search the peer list.
Peer Host ID The peer host ID of the WAN optimization peer.
IP Address The IP address of the peer.
Ref. Displays the number of times the peer is referenced to other objects.

To view the location of the referenced peer, select the number in Ref.; the Object Usage window appears displaying the various locations of the referenced object.

To create a new WAN optimization peer:

  1. From the peer list, select Create New in the toolbar. The New WAN Optimization Peer window opens.
  2. Enter the Peer Host ID and IP Address.
  3. Select OK to create the new peer.

To edit a WAN optimization peer:

  1. Select the peer you would like to edit then select Edit from the toolbar, or double-click on the peer in the peer list. The Edit WAN Optimization Peer window opens.
  2. Edit the peer as required and select OK to apply your changes.

To delete a WAN optimization peer or peers:

  1. Select the peer or peers that you would like to delete.
  2. Select Delete from the toolbar.
  3. Select OK in the confirmation dialog box to delete the selected peer or peers.

Authentication groups

You need to add authentication groups to support authentication and secure tunneling between WAN optimization peers.

To perform authentication, WAN optimization peers use a certificate or a pre-shared key added to an authentication group so they can identify each other before forming a WAN optimization tunnel. Both peers must have an authentication group with the same name and settings. The authentication group is added to a peer-to-peer or active rule on the client-side FortiCache unit. When the server-side FortiCache unit receives a tunnel start request that includes an authentication group from the client-side unit, the server-side unit finds an authentication group in its configuration with the same name. If both authentication groups have the same certificate or pre-shared key, the peers can authenticate and set up the tunnel.

Go to WAN Opt. & Cache > WAN Opt. Peers > Authentication Groups to manage the authentication groups.

Create New Create a new authentication group.
Edit Edit an authentication group.
Delete Delete an authentication group or groups.
Search Enter a search term to search the group list.
Name The name of the group.
Authentication Method The authentication used by the group, either Certificate or Pre-shared key.
Peer(s) The peer or peers in the group.
Ref. Displays the number of times the group is referenced to other objects.

To view the location of the referenced group, select the number in Ref.; the Object Usage window appears displaying the various locations of the referenced object.

To create a new authentication group:

  1. Select Create New from the toolbar. The New Authentication Group window opens.
  2. Enter the following information:
Name Enter a name for the authentication group.

Authentication Method Select the authentication method to use.

  - Certificate: Use a certificate to authenticate and encrypt WAN optimization tunnels. Then select a local certificate that has been added to this FortiCache unit from the drop-down list.
  - Pre-shared Key: Use a pre-shared key or password to authenticate and encrypt WAN optimization tunnels. Then enter the password (or pre-shared key) in the Password field.

Other FortiCache units that participate in WAN optimization tunnels with this unit must have an authentication group with the same name and password. The password must contain at least 6 printable characters and should be known only by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 alphanumeric characters.

Accept Peer(s) Select the peer acceptance method for the authentication group.

  - Any: Use this setting if you do not know the peer host IDs or IP addresses of the peers that will use this authentication group. This setting is most often used for WAN optimization with FortiCache units that do not have static IP addresses, such as units that use DHCP.
  - Defined Only: Authenticate only with peers that have been added to the peer list.
  - Specify: Select a peer from the drop-down list to authenticate with the selected peer only. Select Create New from the drop-down list to create a new peer; see To create a new WAN optimization peer on page 125.

  3. Select OK to create the new authentication group.

The authentication group can now be added to WAN optimization profiles to apply the authentication settings in the authentication group to the profile. See Managing WAN optimization profiles on page 124.
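The matching rule described at the start of this section (same group name on both peers, same pre-shared key, peer acceptance applied on the server side) and the key guidance in the Authentication Method setting can both be checked in code. The following Python model is an added example written for this guide, not FortiCache code: the HMAC challenge-response used to prove knowledge of the key, the request layout, the host IDs, IP addresses and the demo key are all assumptions, and the appliance's real tunnel protocol is not described on this page.

```python
"""Authentication-group matching for a WAN optimization tunnel
(added example, not FortiCache code).

Models the rule the guide states: the client-side unit names an
authentication group in its tunnel start request, the server-side unit
looks up a group with the same name, applies the group's peer acceptance
setting, and sets up the tunnel only if both groups hold the same
pre-shared key. The HMAC proof, message layout and all names here are
assumptions made for the demo.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class AuthGroup:
    name: str
    psk: str
    accept: str = "any"      # "any", "defined", or a specific peer host ID (Specify)


@dataclass
class Unit:
    host_id: str                                    # Local Host ID
    peers: Dict[str, str]                           # peer host ID -> IP address (peer list)
    groups: Dict[str, AuthGroup] = field(default_factory=dict)


def check_psk(psk: str) -> Tuple[bool, str]:
    """Apply the guide's key guidance: at least 6 printable characters is the
    hard requirement; 16 or more alphanumeric characters is the recommendation."""
    if len(psk) < 6 or not psk.isprintable():
        return False, "rejected: fewer than 6 printable characters"
    if sum(c.isalnum() for c in psk) < 16:
        return True, "weak: fewer than 16 alphanumeric characters"
    return True, "ok"


def proof(psk: str, group: str, host_id: str, nonce: str) -> str:
    """Knowledge of the key is shown by an HMAC over the request fields and a
    server-chosen nonce, so the key itself never crosses the WAN (assumption)."""
    msg = f"{group}|{host_id}|{nonce}".encode()
    return hmac.new(psk.encode(), msg, hashlib.sha256).hexdigest()


def tunnel_start_request(client: Unit, group_name: str, nonce: str) -> Dict[str, str]:
    """Client side: build the tunnel start request for one of its groups."""
    g = client.groups[group_name]
    return {"group": g.name, "host_id": client.host_id,
            "proof": proof(g.psk, g.name, client.host_id, nonce)}


def accept_tunnel(server: Unit, req: Dict[str, str], nonce: str) -> Tuple[bool, str]:
    """Server side: find the same-named group, apply peer acceptance, verify the key."""
    g = server.groups.get(req["group"])
    if g is None:
        return False, "no authentication group with that name"
    if g.accept == "defined" and req["host_id"] not in server.peers:
        return False, "peer is not in the peer list (Defined Only)"
    if g.accept not in ("any", "defined") and req["host_id"] != g.accept:
        return False, "peer is not the specified peer"
    expected = proof(g.psk, req["group"], req["host_id"], nonce)
    if not hmac.compare_digest(expected, req["proof"]):
        return False, "pre-shared key does not match"
    return True, "tunnel accepted"


def attempt(client: Unit, server: Unit, group_name: str) -> Tuple[bool, str]:
    nonce = secrets.token_hex(16)          # fresh per attempt, chosen by the server
    return accept_tunnel(server, tunnel_start_request(client, group_name, nonce), nonce)


def run_scenarios() -> Dict[str, bool]:
    """Constructed units: a server-side unit at HQ and three client-side units."""
    key = "Kq7mP2vX9sL4wB8nT3zR"             # constructed demo key, 20 alphanumeric chars
    hq = Unit("hq-fcache", peers={"branch-fcache": "198.51.100.20"})
    hq.groups["wan-psk"] = AuthGroup("wan-psk", key, accept="defined")
    hq.groups["branch-only"] = AuthGroup("branch-only", key, accept="branch-fcache")

    branch = Unit("branch-fcache", peers={"hq-fcache": "203.0.113.1"})
    branch.groups["wan-psk"] = AuthGroup("wan-psk", key)          # same name, same key
    branch.groups["branch-only"] = AuthGroup("branch-only", key)
    branch.groups["old-psk"] = AuthGroup("old-psk", key)          # name not on the server

    stale = Unit("branch-fcache", peers={"hq-fcache": "203.0.113.1"})
    stale.groups["wan-psk"] = AuthGroup("wan-psk", "OldKey0987654321Q")  # same name, other key

    lab = Unit("lab-fcache", peers={"hq-fcache": "203.0.113.1"})  # not in HQ's peer list
    lab.groups["wan-psk"] = AuthGroup("wan-psk", key)
    lab.groups["branch-only"] = AuthGroup("branch-only", key)

    return {
        "same name and key": attempt(branch, hq, "wan-psk")[0],
        "name not on server": attempt(branch, hq, "old-psk")[0],
        "same name, different key": attempt(stale, hq, "wan-psk")[0],
        "peer not in peer list": attempt(lab, hq, "wan-psk")[0],
        "specified peer": attempt(branch, hq, "branch-only")[0],
        "other peer under Specify": attempt(lab, hq, "branch-only")[0],
    }


if __name__ == "__main__":
    for case, ok in run_scenarios().items():
        print(f"{'accepted' if ok else 'rejected':8}  {case}")
```

Only the first and fifth scenarios set up a tunnel; a group that exists on the client but not on the server, a same-named group with a different key, and a peer that fails the acceptance setting are all refused before any data is optimized, which is the behaviour the section describes.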

To edit an authentication group:

  1. Select the group you would like to edit then select Edit from the toolbar, or double-click on the group in the authentication group list. The Edit Authentication Group window opens.
  2. Edit the group information as required and select OK to apply your changes.

To delete an authentication group or groups:

  1. Select the group or groups that you would like to delete.
  2. Select Delete from the toolbar.
  3. Select OK in the confirmation dialog box to delete the selected group or groups.
