Example: Adding secure tunneling to an active-passive WAN optimization configuration
Configuring WAN optimization with secure tunneling – CLI
Use the following steps to configure the example WAN optimization configuration from the client-side and server-side FortiGate unit CLI.
To configure the client-side FortiGate unit
1. Add the Local Host ID to the client-side FortiGate configuration:
config wanopt settings
    set host-id Client-Fgt
end
2. Add the server-side Local Host ID to the client-side peer list:
config wanopt peer
    edit Server-Fgt
        set ip 192.168.20.1
    next
end
3. Add a new authentication group to be used for secure tunneling:
config wanopt auth-group
    edit Auth-Secure-Tunnel
        set auth-method psk
        set psk 2345678
    next
end
Leave peer-accept at its default value.
4. Add a WAN optimization profile that includes the authentication group, enables HTTP protocol optimization, and enables secure tunneling and byte caching for HTTP traffic on port 80:
config wanopt profile
    edit Secure-wan-opt-pro
        set auth-group Auth-Secure-Tunnel
        config http
            set status enable
            set secure-tunnel enable
            set byte-caching enable
            set port 80
        end
    next
end
5. Add a firewall address for the client network:
config firewall address
    edit Client-Net
        set type ipmask
        set subnet 172.20.120.0 255.255.255.0
        set associated-interface port1
    next
end
6. Add a firewall address for the web server network:
config firewall address
    edit Web-Server-Net
        set type ipmask
        set subnet 192.168.10.0 255.255.255.0
        set associated-interface port2
    next
end
7. Add an active WAN optimization security policy that includes the WAN optimization profile that enables secure tunneling and that applies virus scanning:
config firewall policy
    edit 0
        set srcintf port1
        set dstintf port2
        set srcaddr Client-Net
        set dstaddr Web-Server-Net
        set action accept
        set service HTTP
        set schedule always
        set wanopt enable
        set wanopt-detection active
        set wanopt-profile Secure-wan-opt-pro
    next
end
To configure the server-side FortiGate unit
1. Add the Local Host ID to the server-side FortiGate configuration:
config wanopt settings
    set host-id Server-Fgt
end
2. Add the client-side Local Host ID to the server-side peer list:
config wanopt peer
    edit Client-Fgt
        set ip 172.20.120.1
    next
end
3. Add an authentication group to be used for secure tunneling:
config wanopt auth-group
    edit Auth-Secure-Tunnel
        set auth-method psk
        set psk 2345678
    next
end
Leave peer-accept at its default value.
4. Add a firewall address for the client network:
config firewall address
    edit Client-Net
        set type ipmask
        set subnet 172.20.120.0 255.255.255.0
        set associated-interface port1
    next
end
5. Add a firewall address for the web server network:
config firewall address
    edit Web-Server-Net
        set type ipmask
        set subnet 192.168.10.0 255.255.255.0
        set associated-interface port2
    next
end
6. Add a passive WAN optimization policy:
config firewall policy
    edit 0
        set srcintf port1
        set dstintf port2
        set srcaddr Client-Net
        set dstaddr Web-Server-Net
        set action accept
        set service ALL
        set schedule always
        set wanopt enable
        set wanopt-detection passive
        set wanopt-passive-opt default
    next
end
7. Add a WAN optimization tunnel explicit proxy policy:
config firewall explicit-proxy-policy
    edit 0
        set proxy wanopt
        set dstintf port1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
end
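The two sides only form a secure tunnel when they mirror each other: each unit's peer list must name the other unit's host-id, the auth-group name and PSK must match on both units, and the client policy must reference a profile that actually exists. The following added Python checker (not part of the Fortinet documentation; the parser and checks are my own) reads FortiOS CLI fragments like those above and reports such mismatches; the CLIENT and SERVER fragments embedded in it are constructed from the values in this example.

```python
# Added example, not Fortinet code: consistency checker for the mirrored
# client/server FortiOS fragments. CLIENT/SERVER below are constructed samples.

def parse_fortios(text):
    """Parse a FortiOS CLI fragment into {table: {entry: {key: value}}}.
    A nested table such as 'config http' is keyed by its own name."""
    tables, stack = {}, []                      # stack of [table, entry]
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        verb, _, rest = line.partition(" ")
        if verb == "config":
            stack.append([rest, None])
        elif verb == "edit":
            stack[-1][1] = rest.strip('"')
        elif verb == "set":
            table, entry = stack[-1]
            key, _, value = rest.partition(" ")
            tables.setdefault(table, {}).setdefault(entry, {})[key] = value.strip('"')
        elif verb == "next":
            stack[-1][1] = None
        elif verb == "end":
            stack.pop()
    return tables

def check_pair(client_text, server_text):
    """Return mismatches between the two sides that would keep the tunnel down."""
    c, s = parse_fortios(client_text), parse_fortios(server_text)
    c_id, s_id = c["wanopt settings"][None]["host-id"], s["wanopt settings"][None]["host-id"]
    problems = []
    if s_id not in c.get("wanopt peer", {}):   # each peer list names the other unit's host-id
        problems.append(f"client peer list lacks server host-id {s_id}")
    if c_id not in s.get("wanopt peer", {}):
        problems.append(f"server peer list lacks client host-id {c_id}")
    for name, grp in c.get("wanopt auth-group", {}).items():   # same group name and PSK on both
        if s.get("wanopt auth-group", {}).get(name, {}).get("psk") != grp.get("psk"):
            problems.append(f"auth-group {name}: missing on server or PSK differs")
    for num, pol in c.get("firewall policy", {}).items():       # referenced profile must exist
        prof = pol.get("wanopt-profile")
        if prof and prof not in c.get("wanopt profile", {}):
            problems.append(f"policy {num} references undefined wanopt profile {prof}")
    return problems

CLIENT = ("config wanopt settings\nset host-id Client-Fgt\nend\n"
          "config wanopt peer\nedit Server-Fgt\nset ip 192.168.20.1\nnext\nend\n"
          "config wanopt auth-group\nedit Auth-Secure-Tunnel\nset auth-method psk\nset psk 2345678\nnext\nend\n"
          "config wanopt profile\nedit Secure-wan-opt-pro\nset auth-group Auth-Secure-Tunnel\n"
          "config http\nset status enable\nset secure-tunnel enable\nend\nnext\nend\n"
          "config firewall policy\nedit 0\nset wanopt enable\nset wanopt-profile Secure-wan-opt-pro\nnext\nend\n")
SERVER = ("config wanopt settings\nset host-id Server-Fgt\nend\n"
          "config wanopt peer\nedit Client-Fgt\nset ip 172.20.120.1\nnext\nend\n"
          "config wanopt auth-group\nedit Auth-Secure-Tunnel\nset auth-method psk\nset psk 2345678\nnext\nend\n")
```

Running `check_pair(CLIENT, SERVER)` on a matching pair returns an empty list; a profile name typo in the policy or a PSK that differs between the units shows up as a one-line problem.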