Best Practices – WAN Optimization
WAN Optimization features require significant memory resources and generate a high amount of I/O on disk. Before enabling WAN Optimization, ensure that the memory usage is not too high. If possible, avoid other diskintensive features such as heavy traffic logging on the same disk as the one configured for WAN Optimization needs.
In general, it is preferable to enable the Transparent Mode checkbox and ensure that routing between the two endpoints is acceptable. Some protocols may not work well without enabling Transparent Mode.
Other best practices for utilizing the WAN Optimization feature follow.
Sharing the WAN Opt. tunnel for traffic of the same nature
WAN optimization tunnel sharing is recommended for similar types of WAN optimization traffic (such as CIFS traffic from different servers). However, tunnel sharing for different types of traffic is not recommended. For example, aggressive and non-aggressive protocols should not share the same tunnel.
Ordering WAN Opt. rules appropriately
l Precise, port specific WAN Optimization rules should be at the top of the list. l Generic rules, such as overall TCP, should be at the bottom of the list.
Avoiding mixing protocols in a WAN Opt. tunnel
Different protocols may be more or less talkative or interactive . Mixing protocols in a tunnel may result in a delay for some of them. It is recommended to define protocol specific wan-optimization rules and restrict the ports to the necessary ones only for performance reasons.
Setting correct configuration options for CIFS WAN Opt.
Ensure that the WAN Optimization rules cover TCP ports 139 and 445 (on the same or two different rules). Also ensure that Transparent Mode is selected.
Setting correct configuration options for MAPI WAN Opt.
For MAPI WAN Optimization, only specify a rule with TCP port 135 (unless the MAPI control port is configured differently). Derived data sessions using other random ports will be handled by the CIFS wan-optimization daemon even with only the control port configured.
Testing WAN Opt. in a lab
- Ensure that WAN emulators are used to simulate the WAN. If no WAN emulator is used, it is expected to have better results without WAN Optimization than with WAN Optimization.
- To test the difference between cold transfers (first-time transfers) and warm transfers, it is recommended to generate a random file of the cold transfer to ensure that the test is the first time that the file has been seen.
WAN Optimization Interface monitoring (port monitoring)
Regarding byte compression and type of file
Enabling byte compression on file transfers already compressed (.jpeg files, compressed archive, etc.) won’t provide any performance increase and could be seen as a misuse of CPU resources.
Regarding network address translation (NAT)
Selecting the NAT feature in a security policy does not have any influence on WAN Optimization traffic.
There is no benefit to using active-active mode, so for pure WAN Optimization needs, use active-passive mode. Refer to the FGCP High Availability section for other best practices related to HA.
Authentication with specific peers
Configure WAN optimization authentication with specific peers. Accepting any peer is not recommended as this can be less secure.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos
Cybersecurity Videos and Training Available Via: Office of The CISO Security Training Videos
Leave a Reply