WAN Opt Configuration examples

WAN Opt Configuration examples

This chapter provides the basic examples to illustrate WAN optimization configurations introduced in the previous chapters.

 

Example Basic manual (peer-to-peer) WAN optimization configuration

In a manual (peer to peer) configuration the WAN optimization tunnel can be set up between one client-side FortiGate unit and one server-side FortiGate unit. The peer ID of the server-side FortiGate unit is added to the client-side WAN optimization policy. When the client-side FortiGate unit initiates a tunnel with the server-side FortiGate unit, the packets that initiate the tunnel include information that allows the server-side FortiGate unit to determine that it is a manual tunnel request. The server-side FortiGate unit does not require a WAN optimization profile; you just need to add the client peer host ID and IP address to the server-side FortiGate unit peer list and from the CLI an explicit proxy policy to accept WAN optimization tunnel connections.

In a manual WAN optimization configuration, you create a manual WAN optimization security policy on the client- side FortiGate unit. To do this you must use the CLI to set wanopt-detection to off and to add the peer host ID of the server-side FortiGate unit to the WAN optimization security policy.

 

Network topology and assumptions

This example configuration includes a client-side FortiGate unit called Client-Fgt with a WAN IP address of

172.20.34.12. This unit is in front of a network with IP address 172.20.120.0. The server-side FortiGate unit is called Server_Fgt with a WAN IP address of 192.168.30.12. This unit is in front of a web server network with IP address 192.168.10.0.

This example customizes the default WAN optimization profile on the client-side FortiGate unit and adds it to the WAN optimization policy. You can also create a new WAN optimization profile.

 

Example manual (peer-to-peer) topology

General configuration steps

This section breaks down the configuration for this example into smaller procedures. For best results, follow the procedures in the order given:

1. Configure the client-side FortiGate unit:

  • Add peers.
  • Configure the default WAN optimization profile to optimize HTTP traffic.
  • Add a manual WAN optimization security policy.

2. Configure the server-side FortiGate unit:

  • Add peers.
  • Add a WAN optimization tunnel policy.

 

Configuring basic peer-to-peer WAN optimization – web-based manager

Use the following steps to configure the example configuration from the web-based manager.

 

To configure the client-side FortiGate unit

1. Go to WAN Opt. & Cache > Peers and enter a Local Host ID for the client-side FortiGate unit:

 

Local Host ID                            Client-Fgt

2. Select Apply.

3. Select Create New and add the server-side FortiGate unit Peer Host ID and IP Address for the server-side FortiGate:

Peer Host ID                               Server-Fgt

IP Address                                 192.168.30.12

4. Select OK.

5. Go to Policy & Objects > Addresses and select Create New to add a firewall address for the client network.

Category                                     Address

Name                                           Client-Net

Type                                            Subnet

Subnet / IP Range                     172.20.120.0/24

Interface                                     port1

6. Select Create New to add a firewall address for the web server network.

Category                                     Address

Name                                           Web-Server-Net

Type                                            Subnet

Subnet / IP Range                     192.168.10.0/24

Interface                                     port2

7. Go to WAN Opt. & Cache > Profiles and edit the default profile.

8. Select Transparent Mode.

9. Under Protocol, select HTTP and for HTTP select Byte Caching. Leave the HTTP Port set to 80.

10. Select Apply to save your changes.

11. Go to Policy & Objects > IPv4 Policy and add a WAN optimization security policy to the client-side FortiGate unit that accepts traffic to be optimized:

Incoming Interface                   port1

Source Address                        all

Outgoing Interface                   port2

Destination Address                 all

Schedule                                    always

Service                                       ALL

Action                                         ACCEPT

12. Select Enable WAN Optimization and configure the following settings:

Enable WAN Optimization       active

Profile                                         default

13. Select OK.

14. Edit the policy from the CLI to turn off wanopt-detection, add the peer ID of the server-side FortiGate unit, and the default WAN optimization profile. The following example assumes the ID of the policy is 5:

config firewall policy edit 5

set wanopt-detection off set wanopt-peer Server-Fgt set wanopt-profile default

end

When you set the detection mode to off the policy becomes a manual mode WAN optimization policy. On the web-based manager the WAN optimization part of the policy changes to the following:

Enable WAN Optimization       Manual (Profile: default, Peer: Peer-Fgt-2)

 

To configure the server-side FortiGate unit

1. Go to WAN Opt. & Cache > Peers and enter a Local Host ID for the server-side FortiGate unit:

Local Host ID                            Server-Fgt

2. Select Apply.

3. Select Create New and add a Peer Host ID and the IP Address for the client-side FortiGate unit:

 

Peer Host ID                               Client-Fgt

IP Address                                 172.20.34.12

4. Select OK.

5. Enter the following CLI command to add an explicit proxy policy to accept WAN optimization tunnel connections.

configure firewall explicit-proxy-policy edit 0

set proxy wanopt set dstintf port1 set srcaddr all set dstaddr all set action accept

set schedule always set service ALL

next end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.