WAN Opt Configuration examples

This chapter provides the basic examples to illustrate WAN optimization configurations introduced in the previous chapters.

 

Example Basic manual (peer-to-peer) WAN optimization configuration

In a manual (peer-to-peer) configuration the WAN optimization tunnel can be set up between one client-side FortiGate unit and one server-side FortiGate unit. The peer ID of the server-side FortiGate unit is added to the client-side WAN optimization policy. When the client-side FortiGate unit initiates a tunnel with the server-side FortiGate unit, the packets that initiate the tunnel include information that allows the server-side FortiGate unit to determine that it is a manual tunnel request. The server-side FortiGate unit does not require a WAN optimization profile; you just need to add the client peer host ID and IP address to the server-side FortiGate unit's peer list and, from the CLI, add an explicit proxy policy that accepts WAN optimization tunnel connections.

In a manual WAN optimization configuration, you create a manual WAN optimization security policy on the client-side FortiGate unit. To do this you must use the CLI to set wanopt-detection to off and to add the peer host ID of the server-side FortiGate unit to the WAN optimization security policy.

 

Network topology and assumptions

This example configuration includes a client-side FortiGate unit called Client-Fgt with a WAN IP address of 172.20.34.12. This unit is in front of a network with IP address 172.20.120.0. The server-side FortiGate unit is called Server_Fgt with a WAN IP address of 192.168.30.12. This unit is in front of a web server network with IP address 192.168.10.0.

This example customizes the default WAN optimization profile on the client-side FortiGate unit and adds it to the WAN optimization policy. You can also create a new WAN optimization profile.

 

Example manual (peer-to-peer) topology

General configuration steps

This section breaks down the configuration for this example into smaller procedures. For best results, follow the procedures in the order given:

1. Configure the client-side FortiGate unit:

  • Add peers.
  • Configure the default WAN optimization profile to optimize HTTP traffic.
  • Add a manual WAN optimization security policy.

2. Configure the server-side FortiGate unit:

  • Add peers.
  • Add a WAN optimization tunnel policy.

 

Configuring basic peer-to-peer WAN optimization – web-based manager

Use the following steps to configure the example configuration from the web-based manager.

 

To configure the client-side FortiGate unit

1. Go to WAN Opt. & Cache > Peers and enter a Local Host ID for the client-side FortiGate unit:

 

Local Host ID            Client-Fgt

2. Select Apply.

3. Select Create New and add the server-side FortiGate unit Peer Host ID and IP Address for the server-side FortiGate:

Peer Host ID             Server-Fgt
IP Address               192.168.30.12

4. Select OK.

5. Go to Policy & Objects > Addresses and select Create New to add a firewall address for the client network.

Category                 Address
Name                     Client-Net
Type                     Subnet
Subnet / IP Range        172.20.120.0/24
Interface                port1

6. Select Create New to add a firewall address for the web server network.

Category                 Address
Name                     Web-Server-Net
Type                     Subnet
Subnet / IP Range        192.168.10.0/24
Interface                port2

7. Go to WAN Opt. & Cache > Profiles and edit the default profile.

8. Select Transparent Mode.

9. Under Protocol, select HTTP and for HTTP select Byte Caching. Leave the HTTP Port set to 80.

10. Select Apply to save your changes.

11. Go to Policy & Objects > IPv4 Policy and add a WAN optimization security policy to the client-side FortiGate unit that accepts traffic to be optimized:

Incoming Interface       port1
Source Address           all
Outgoing Interface       port2
Destination Address      all
Schedule                 always
Service                  ALL
Action                   ACCEPT

12. Select Enable WAN Optimization and configure the following settings:

Enable WAN Optimization  active
Profile                  default

13. Select OK.

14. Edit the policy from the CLI to turn off wanopt-detection and to add the peer ID of the server-side FortiGate unit and the default WAN optimization profile. The following example assumes the ID of the policy is 5:

config firewall policy
    edit 5
        set wanopt-detection off
        set wanopt-peer Server-Fgt
        set wanopt-profile default
end

When you set the detection mode to off the policy becomes a manual mode WAN optimization policy. On the web-based manager the WAN optimization part of the policy changes to the following:

Enable WAN Optimization  Manual (Profile: default, Peer: Peer-Fgt-2)

 

To configure the server-side FortiGate unit

1. Go to WAN Opt. & Cache > Peers and enter a Local Host ID for the server-side FortiGate unit:

Local Host ID            Server-Fgt

2. Select Apply.

3. Select Create New and add a Peer Host ID and the IP Address for the client-side FortiGate unit:

 

Peer Host ID             Client-Fgt
IP Address               172.20.34.12

4. Select OK.

5. Enter the following CLI command to add an explicit proxy policy to accept WAN optimization tunnel connections.

config firewall explicit-proxy-policy
    edit 0
        set proxy wanopt
        set dstintf port1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Monitoring WAN optimization peer performance

The WAN optimization peer monitor lists all of the WAN optimization peers that a FortiGate unit can perform WAN optimization with. These include peers manually added to the configuration as well as discovered peers.

The monitor lists each peer’s name, IP address, and peer type. The peer type indicates whether the peer was manually added or discovered. To show WAN optimization performance, for each peer the monitor lists the percent of traffic reduced by the peer in client-side WAN optimization configurations and in server-side configurations (also called gateway configurations).

To view the peer monitor, go to WAN Opt. & Cache > Peer Monitor.



Secure tunneling

You can configure WAN optimization rules to use AES-128bit-CBC SSL to encrypt the traffic in the WAN optimization tunnel. WAN optimization uses FortiASIC acceleration to accelerate SSL decryption and encryption of the secure tunnel. Peer-to-peer secure tunnels use the same TCP port as non-secure peer-to-peer tunnels (TCP port 7810).

To use secure tunneling, you must select Enable Secure Tunnel in a WAN optimization rule and add an authentication group. The authentication group specifies the certificate or pre-shared key used to set up the secure tunnel. The Peer Acceptance setting of the authentication group does not affect secure tunneling.

The FortiGate units at each end of the secure tunnel must have the same authentication group with the same name and the same configuration, including the same pre-shared key or certificate. To use certificates you must install the same certificate on both FortiGate units.

For active-passive WAN optimization you can select Enable Secure Tunnel only in the active rule. In peer-to-peer WAN optimization you select Enable Secure Tunnel in the WAN optimization rule on both FortiGate units.

For information about active-passive and peer-to-peer WAN optimization, see Manual (peer-to-peer) and active-passive WAN optimization on page 2844.

For a secure tunneling configuration example, see Example Adding secure tunneling to an active-passive WAN optimization configuration on page 2880.



How FortiGate units process tunnel requests for peer authentication

When a client-side FortiGate unit attempts to start a WAN optimization tunnel with a peer server-side FortiGate unit, the tunnel request includes the following information:

  • the client-side local host ID
  • the name of an authentication group, if included in the rule that initiates the tunnel
  • if an authentication group is used, the authentication method it specifies: pre-shared key or certificate
  • the type of tunnel (secure or not).

For information about configuring the local host ID, peers and authentication groups, see Configuring peers on page 2861 and Configuring authentication groups on page 2862.

The authentication group is optional unless the tunnel is a secure tunnel. For more information, see Secure tunneling on page 2864.

If the tunnel request includes an authentication group, the authentication will be based on the settings of this group as follows:

  • The server-side FortiGate unit searches its own configuration for the name of the authentication group in the tunnel request. If no match is found, the authentication fails.
  • If a match is found, the server-side FortiGate unit compares the authentication method in the client and server authentication groups. If the methods do not match, the authentication fails.
  • If the authentication methods match, the server-side FortiGate unit tests the peer acceptance setting in its copy of the authentication group:
      • If the setting is Accept Any Peer, the authentication is successful.
      • If the setting is Specify Peer, the server-side FortiGate unit compares the client-side local host ID in the tunnel request with the peer name in the server-side authentication group. If the names match, authentication is successful. If a match is not found, authentication fails.
      • If the setting is Accept Defined Peers, the server-side FortiGate unit compares the client-side local host ID in the tunnel request with the server-side peer list. If a match is found, authentication is successful. If a match is not found, authentication fails.

If the tunnel request does not include an authentication group, authentication will be based on the client-side local host ID in the tunnel request. The server-side FortiGate unit searches its peer list to match the client-side local host ID in the tunnel request. If a match is found, authentication is successful. If a match is not found, authentication fails.

If the server-side FortiGate unit successfully authenticates the tunnel request, the server-side FortiGate unit sends back a tunnel setup response message. This message includes the server-side local host ID and the authentication group that matches the one in the tunnel request.

The client-side FortiGate unit then performs the same authentication procedure as the server-side FortiGate unit did. If both sides succeed, tunnel setup continues.
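The server-side decision sequence described above, modelled in Python as an added example (this is not FortiOS code). The server-side unit checks the tunnel request against its peer list and authentication groups in the documented order and, on success, builds the setup response carrying its local host ID and the matched group name. The value strings "cert", "psk", "any", "defined" and "one" mirror the CLI keywords used later on this page; the host IDs, group names and the sample configuration are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AuthGroup:
    """One wanopt auth-group entry (auth-method cert|psk, peer-accept any|defined|one)."""
    name: str
    method: str
    peer_accept: str
    peer: Optional[str] = None  # only meaningful when peer_accept == "one"


@dataclass
class PeerConfig:
    """The parts of a FortiGate unit's configuration the decision depends on."""
    local_host_id: str
    peers: dict = field(default_factory=dict)        # peer host ID -> IP address
    auth_groups: dict = field(default_factory=dict)  # group name -> AuthGroup


@dataclass
class TunnelRequest:
    """The fields the page lists as carried in a tunnel request."""
    client_host_id: str
    secure: bool
    auth_group: Optional[str] = None
    auth_method: Optional[str] = None


def authenticate(req: TunnelRequest, cfg: PeerConfig):
    """Server-side decision in the documented order; returns (ok, reason)."""
    # The page states the group is optional unless the tunnel is a secure tunnel.
    if req.secure and req.auth_group is None:
        return False, "secure tunnel requires an authentication group"
    if req.auth_group is None:
        # No group: authentication rests on the client host ID alone.
        if req.client_host_id in cfg.peers:
            return True, "host ID found in peer list"
        return False, "host ID not in peer list"
    grp = cfg.auth_groups.get(req.auth_group)
    if grp is None:
        return False, "authentication group %r not found" % req.auth_group
    if grp.method != req.auth_method:
        return False, "authentication method mismatch"
    if grp.peer_accept == "any":
        return True, "group accepts any peer"
    if grp.peer_accept == "one":
        if grp.peer == req.client_host_id:
            return True, "host ID matches the group's specified peer"
        return False, "host ID is not the group's specified peer"
    if grp.peer_accept == "defined":
        if req.client_host_id in cfg.peers:
            return True, "host ID found in peer list"
        return False, "host ID not in peer list"
    return False, "unknown peer acceptance setting %r" % grp.peer_accept


def tunnel_setup_response(req: TunnelRequest, cfg: PeerConfig):
    """What the server sends back on success: its host ID and the matched group."""
    ok, _reason = authenticate(req, cfg)
    if not ok:
        return None
    return {"server_host_id": cfg.local_host_id, "auth_group": req.auth_group}


# Constructed server-side configuration (host IDs, addresses and group names are invented).
SERVER_CFG = PeerConfig(
    local_host_id="Server-Fgt",
    peers={"Client-Fgt": "172.20.34.12", "Branch-Fgt": "172.21.34.12"},
    auth_groups={
        "auth_grp_1": AuthGroup("auth_grp_1", "cert", "defined"),
        "auth_peer": AuthGroup("auth_peer", "psk", "one", peer="Branch-Fgt"),
        "roaming": AuthGroup("roaming", "psk", "any"),
    },
)

if __name__ == "__main__":
    for req in (
        TunnelRequest("Client-Fgt", secure=False),
        TunnelRequest("Rogue-Fgt", secure=False),
        TunnelRequest("Client-Fgt", secure=True),
        TunnelRequest("Client-Fgt", secure=True, auth_group="auth_grp_1", auth_method="cert"),
        TunnelRequest("Client-Fgt", secure=True, auth_group="auth_peer", auth_method="psk"),
        TunnelRequest("Rogue-Fgt", secure=True, auth_group="roaming", auth_method="psk"),
    ):
        print(req.client_host_id, authenticate(req, SERVER_CFG))
```

The client-side unit runs the same procedure against its own configuration on the response, so a mismatch in group name, method or key on either side aborts the setup.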

 

Configuring peers

When you configure peers, you first need to add the local host ID that identifies the FortiGate unit for WAN optimization and then add the peer host ID and IP address of each FortiGate unit with which a FortiGate unit can create WAN optimization tunnels.

 

To configure WAN optimization peers – web-based manager:

1. Go to WAN Opt. & Cache > Peers.

2. For Local Host ID, enter the local host ID of this FortiGate unit and select Apply. If you add this FortiGate unit as a peer to another FortiGate unit, use this ID as its peer host ID.

The local or host ID can contain up to 25 characters and can include spaces.

3. Select Create New to add a new peer.

4. For Peer Host ID, enter the peer host ID of the peer FortiGate unit. This is the local host ID added to the peer FortiGate unit.

5. For IP Address, add the IP address of the peer FortiGate unit. This is the source IP address of tunnel requests sent by the peer, usually the IP address of the FortiGate interface connected to the WAN.

6. Select OK.

 

To configure WAN optimization peers – CLI:

In this example, the local host ID is named HQ_Peer and has an IP address of 172.20.120.100. Three peers are added, but you can add any number of peers that are on the WAN.

1. Enter the following command to set the local host ID to HQ_Peer.

config wanopt settings
    set host-id HQ_Peer
end

2. Enter the following commands to add three peers.

config wanopt peer
    edit Wan_opt_peer_1
        set ip 172.20.120.100
    next
    edit Wan_opt_peer_2
        set ip 172.30.120.100
    next
    edit Wan_opt_peer_3
        set ip 172.40.120.100
end

 

Configuring authentication groups

You need to add authentication groups to support authentication and secure tunneling between WAN optimization peers.

To perform authentication, WAN optimization peers use a certificate or a pre-shared key added to an authentication group so they can identify each other before forming a WAN optimization tunnel. Both peers must have an authentication group with the same name and settings. You add the authentication group to a peer-to-peer or active rule on the client-side FortiGate unit. When the server-side FortiGate unit receives a tunnel start request from the client-side FortiGate unit that includes an authentication group, the server-side FortiGate unit finds an authentication group in its configuration with the same name. If both authentication groups have the same certificate or pre-shared key, the peers can authenticate and set up the tunnel.

Authentication groups are also required for secure tunneling.

To add authentication groups, go to WAN Opt. & Cache > Authentication Groups.

 

To add an authentication group – web-based manager:

Use the following steps to add any kind of authentication group. It is assumed that if you are using a local certificate to authenticate, it is already added to the FortiGate unit.

1. Go to WAN Opt. & Cache > Authentication Groups.

2. Select Create New.

3. Add a Name for the authentication group.

You will select this name when you add the authentication group to a WAN optimization rule.

4. Select the Authentication Method.

Select Certificate if you want to use a certificate to authenticate and encrypt WAN optimization tunnels. You must select a local certificate that has been added to this FortiGate unit. (To add a local certificate, go to System > Certificates.) Other FortiGate units that participate in WAN optimization tunnels with this FortiGate unit must have an authentication group with the same name and certificate.

Select Preshared key if you want to use a pre-shared key or password to authenticate and encrypt WAN optimization tunnels. You must add the Password (or pre-shared key) used by the authentication group. Other FortiGate units that participate in WAN optimization tunnels with this FortiGate unit must have an authentication group with the same name and password. The password must contain at least 6 printable characters and should be known only by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.

5. Configure Peer Acceptance for the authentication group.

Select Accept Any Peer if you do not know the peer host IDs or IP addresses of the peers that will use this authentication group. This setting is most often used for WAN optimization with the FortiClient application or with FortiGate units that do not have static IP addresses, for example units that use DHCP.

Select Accept Defined Peers if you want to authenticate with peers added to the peer list only.

Select Specify Peer and select one of the peers added to the peer list to authenticate with the selected peer only.

6. Select OK.

7. Add the authentication group to a WAN optimization rule to apply the authentication settings in the authentication group to the rule.

 

To add an authentication group that uses a certificate – CLI:

Enter the following command to add an authentication group that uses a certificate and can authenticate all peers added to the FortiGate unit configuration.

In this example, the authentication group is named auth_grp_1 and uses a certificate named Example_Cert.

config wanopt auth-group
    edit auth_grp_1
        set auth-method cert
        set cert Example_Cert
        set peer-accept defined
end

 

To add an authentication group that uses a pre-shared key – CLI:

Enter the following command to add an authentication group that uses a pre-shared key and can authenticate only the peer added to the authentication group.

In this example, the authentication group is named auth_peer, the peer that the group can authenticate is named Server_net, and the authentication group uses 123456 as the pre-shared key. In practice you should use a more secure pre-shared key.

config wanopt auth-group
    edit auth_peer
        set auth-method psk
        set psk 123456
        set peer-accept one
        set peer Server_net
end

 

To add an authentication group that accepts WAN optimization connections from any peer – web-based manager

Add an authentication group that accepts any peer for situations where you do not have the Peer Host IDs or IP Addresses of the peers that you want to perform WAN optimization with. This setting is most often used for WAN optimization with the FortiClient application or with FortiGate units that do not have static IP addresses, for example units that use DHCP. An authentication group that accepts any peer is less secure than an authentication group that accepts defined peers or a single peer.

The example below sets the authentication method to Preshared key. You must add the same password to all FortiGate units using this authentication group.

1. Go to WAN Opt. & Cache > Authentication Groups.

2. Select Create New to add a new authentication group.

3. Configure the authentication group:

Name                     Specify any name.
Authentication Method    Pre-shared key
Password                 Enter a pre-shared key.
Peer Acceptance          Accept Any Peer

 

To add an authentication group that accepts WAN optimization connections from any peer – CLI:

In this example, the authentication group is named auth_grp_1. It uses a certificate named WAN_Cert and accepts any peer.

config wanopt auth-group
    edit auth_grp_1
        set auth-method cert
        set cert WAN_Cert
        set peer-accept any
end



Peers and authentication groups

All communication between WAN optimization peers begins with one WAN optimization peer (or client-side FortiGate unit) sending a WAN optimization tunnel request to another peer (or server-side FortiGate unit). During this process, the WAN optimization peers identify and optionally authenticate each other.

 

Basic WAN optimization peer requirements

WAN optimization requires the following configuration on each peer. For information about configuring local and peer host IDs, see Configuring peers on page 2861.

  • The peer must have a unique host ID.
  • Unless authentication groups are used, peers authenticate each other using host ID values. Do not leave the local host ID at its default value.
  • The peer must know the host IDs and IP addresses of all of the other peers that it can start WAN optimization tunnels with. This does not apply if you use authentication groups that accept all peers.
  • All peers must have the same local certificate installed on their FortiGate units if the units authenticate by local certificate. Similarly, if the units authenticate by pre-shared key (password), administrators must know the password. The type of authentication is selected in the authentication group. This applies only if you use authentication groups.

 

Accepting any peers

Strictly speaking, you do not need to add peers. Instead you can configure authentication groups that accept any peer. However, for this to work, both peers must have the same authentication group (with the same name) and both peers must have the same certificate or pre-shared key.

Accepting any peer is useful if you have many peers or if peer IP addresses change. For example, you could have many travelling FortiClient peers with IP addresses that are always changing as the users travel to different customer sites. This configuration is also useful if you have FortiGate units with dynamic external IP addresses (using DHCP or PPPoE). For most other situations, this method is not recommended and is not a best practice as it is less secure than accepting defined peers or a single peer. For more information, see Configuring authentication groups on page 2862.



WAN optimization configuration summary

This section includes a client-side and a server-side WAN optimization configuration summary.

 

Client-side configuration summary

 

WAN optimization profile

Enter the following command to view WAN optimization profile CLI options:

tree wanopt profile
-- [profile] --*name (36)
            |- transparent
            |- comments
            |- auth-group (36)
            |- <http> -- status
            |          |- secure-tunnel
            |          |- byte-caching
            |          |- prefer-chunking
            |          |- tunnel-sharing
            |          |- log-traffic
            |          |- port (1,65535)
            |          |- ssl
            |          |- ssl-port (1,65535)
            |          |- unknown-http-version
            |          +- tunnel-non-http
            |- <cifs> -- status
            |          |- secure-tunnel
            |          |- byte-caching
            |          |- prefer-chunking
            |          |- tunnel-sharing
            |          |- log-traffic
            |          +- port (1,65535)
            |- <mapi> -- status
            |          |- secure-tunnel
            |          |- byte-caching
            |          |- tunnel-sharing
            |          |- log-traffic
            |          +- port (1,65535)
            |- <ftp> -- status
            |          |- secure-tunnel
            |          |- byte-caching
            |          |- prefer-chunking
            |          |- tunnel-sharing
            |          |- log-traffic
            |          +- port (1,65535)
            +- <tcp> -- status
                       |- secure-tunnel
                       |- byte-caching
                       |- byte-caching-opt
                       |- tunnel-sharing
                       |- log-traffic
                       |- port
                       |- ssl
                       +- ssl-port (1,65535)

 

Local host ID and peer settings

config wanopt settings
    set host-id client
end

config wanopt peer
    edit server
        set ip 10.10.2.82
end

 

Security policies

Two client-side WAN optimization security policy configurations are possible. One for active-passive WAN optimization and one for manual WAN optimization.

 

Active/passive mode on the client-side

config firewall policy
    edit 2
        set srcintf internal
        set dstintf wan1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set wanopt enable                 <<< enable WAN optimization
        set wanopt-detection active       <<< set the mode to active/passive
        set wanopt-profile "default"      <<< select the wanopt profile
    next
end

 

Manual mode on the client-side

config firewall policy
    edit 2
        set srcintf internal
        set dstintf wan1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set wanopt enable                 <<< enable WAN optimization
        set wanopt-detection off          <<< sets the mode to manual
        set wanopt-profile "default"      <<< select the wanopt profile
        set wanopt-peer "server"          <<< set the only peer to do wanopt with (required for manual mode)
    next
end

 

Server-side configuration summary

 

Local host ID and peer settings

config wanopt settings
    set host-id server
end

config wanopt peer
    edit client
        set ip 10.10.2.81
end

 

Security policies

Two server-side WAN optimization security policy configurations are possible. One for active-passive WAN optimization and one for manual WAN optimization.

 

Active/passive mode on server-side

config firewall policy
    edit 2                                <<< the passive mode policy
        set srcintf wan1
        set dstintf internal
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set wanopt enable
        set wanopt-detection passive
        set wanopt-passive-opt transparent
end

config firewall explicit-proxy-policy
    edit 3                                <<< policy that accepts wanopt tunnel connections from the server
        set proxy wanopt                  <<< wanopt proxy type
        set dstintf internal
        set srcaddr all
        set dstaddr server-subnet
        set action accept
        set schedule always
        set service ALL
    next
end

 

Manual mode on server-side

config firewall explicit-proxy-policy
    edit 3                                <<< policy that accepts wanopt tunnel connections from the client
        set proxy wanopt                  <<< wanopt proxy type
        set dstintf internal
        set srcaddr all
        set dstaddr server-subnet
        set action accept
        set schedule always
        set service ALL
    next
end


Best practices

This is a short list of WAN optimization and explicit proxy best practices.

  • WAN optimization tunnel sharing is recommended for similar types of WAN optimization traffic. However, tunnel sharing for different types of traffic is not recommended. For example, aggressive and non-aggressive protocols should not share the same tunnel. See Tunnel sharing on page 2852.
  • Active-passive HA is the recommended HA configuration for WAN optimization. See WAN optimization and HA on page 2854.
  • Configure WAN optimization authentication with specific peers. Accepting any peer is not recommended as this can be less secure. See Accepting any peers on page 2860.
  • Set the explicit proxy Default Firewall Policy Action to Deny. This means that a security policy is required to use the explicit web proxy. See The FortiGate explicit web proxy on page 2907.
  • Set the explicit FTP proxy Default Firewall Policy Action to Deny. This means that a security policy is required to use the explicit FTP proxy. See General explicit FTP proxy configuration steps on page 2935.
  • Do not enable the explicit web or FTP proxy on an interface connected to the Internet. This is a security risk because anyone on the Internet who finds the proxy could use it to hide their source address. If you must enable the proxy on such an interface make sure authentication is required to use the proxy. See General explicit web proxy configuration steps on page 2908.
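
A lint check over a FortiOS-style configuration dump, added here as an example (not a Fortinet tool), that flags the points raised in the peer requirements and best practices above: a local host ID left at its default, an authentication group that accepts any peer, a pre-shared key shorter than the 16 characters recommended under Configuring authentication groups, and a manual-mode policy whose wanopt-peer is missing or not in the peer list. The parser covers only the config/edit/set/next/end syntax shown on this page and skips the "<<<" annotations used in the summaries; the default host ID value is an assumption, and the sample configuration is constructed.

```python
import shlex

# Assumed FortiOS factory value for "config wanopt settings / set host-id";
# used here only as the placeholder meaning "left at its default".
DEFAULT_HOST_ID = "default-id"


def parse_config(text):
    """Parse the config/edit/set/next/end subset used on this page into
    {table: {entry: {key: value}}}. Table-level settings that have no 'edit'
    (e.g. wanopt settings) live under entry None; '<<<' notes are dropped."""
    tables, stack = {}, []  # stack holds [table, current entry] pairs
    for raw in text.splitlines():
        words = shlex.split(raw.split("<<<", 1)[0])
        if not words:
            continue
        kw = words[0]
        if kw == "config":
            table = " ".join(words[1:])
            tables.setdefault(table, {})
            stack.append([table, None])
        elif kw == "edit":
            stack[-1][1] = words[1]
            tables[stack[-1][0]].setdefault(words[1], {})
        elif kw == "set":
            table, entry = stack[-1]
            tables[table].setdefault(entry, {})[words[1]] = " ".join(words[2:])
        elif kw == "next":
            stack[-1][1] = None
        elif kw == "end":
            stack.pop()
    return tables


def lint(tables):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    host_id = tables.get("wanopt settings", {}).get(None, {}).get("host-id")
    if not host_id or host_id == DEFAULT_HOST_ID:
        findings.append("wanopt settings: local host ID missing or left at its default")
    peers = set(tables.get("wanopt peer", {})) - {None}
    for name, grp in tables.get("wanopt auth-group", {}).items():
        if name is None:
            continue
        if grp.get("peer-accept") == "any":
            findings.append(f"auth-group {name}: accepts any peer (less secure than defined/one)")
        if grp.get("auth-method") == "psk" and len(grp.get("psk", "")) < 16:
            findings.append(f"auth-group {name}: pre-shared key shorter than 16 characters")
        if grp.get("peer-accept") == "one" and grp.get("peer") not in peers:
            findings.append(f"auth-group {name}: peer {grp.get('peer')!r} is not in the peer list")
    for pid, pol in tables.get("firewall policy", {}).items():
        if pid is None or pol.get("wanopt") != "enable":
            continue
        if pol.get("wanopt-detection") == "off":  # manual mode
            peer = pol.get("wanopt-peer")
            if not peer:
                findings.append(f"firewall policy {pid}: manual mode without wanopt-peer")
            elif peer not in peers:
                findings.append(f"firewall policy {pid}: wanopt-peer {peer!r} is not in the peer list")
    return findings


# Constructed sample: the client-side summary above, plus a weak auth-group
# and with the wanopt-peer line left out of the manual-mode policy.
SAMPLE_CONFIG = """
config wanopt settings
    set host-id client
end
config wanopt peer
    edit server
        set ip 10.10.2.82
    next
end
config wanopt auth-group
    edit auth_peer
        set auth-method psk
        set psk 123456
        set peer-accept one
        set peer Server_net
    next
end
config firewall policy
    edit 2
        set wanopt enable <<< enable WAN optimization
        set wanopt-detection off <<< sets the mode to manual
    next
end
"""

if __name__ == "__main__":
    for finding in lint(parse_config(SAMPLE_CONFIG)):
        print(finding)
```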


Monitoring WAN optimization performance

Using WAN optimization monitoring, you can confirm that a FortiGate unit is optimizing traffic and view estimates of the amount of bandwidth saved. The WAN optimization monitor presents collected log information in a graphical format to show network traffic summary and bandwidth optimization information.

To view the WAN optimization monitor, go to Monitor > WAN Opt. Monitor.

 

WAN optimization monitor

Traffic Summary

The traffic summary shows how WAN optimization is reducing the amount of traffic on the WAN for each WAN optimization protocol by showing the traffic reduction rate as a percentage of the total traffic. The traffic summary also shows the amount of WAN and LAN traffic. If WAN optimization is being effective the amount of WAN traffic should be lower than the amount of LAN traffic.

You can use the refresh icon to update the traffic summary display at any time. You can also set the amount of time for which the traffic summary shows data. The time period can vary from the last 10 minutes to the last month.

 

Bandwidth Optimization

This section shows network bandwidth optimization per time period. A line or column chart compares an application’s pre-optimized size (LAN data) with its optimized size (WAN data). You can select the chart type, the monitoring time period, and the protocol for which to display data. If WAN optimization is being effective the WAN bandwidth should be lower than the LAN bandwidth.



WAN optimization, web caching and memory usage

To accelerate and optimize disk access and to provide better throughput and less latency FortiOS WAN optimization uses provisioned memory to reduce disk I/O and increase disk I/O efficiency. In addition, WAN optimization requires a small amount of additional memory per session for comprehensive flow control logic and efficient traffic forwarding.

When WAN optimization is enabled you will see a reduction in available memory. The reduction increases when more WAN optimization sessions are being processed. If you are thinking of enabling WAN optimization on an operating FortiGate unit, make sure its memory usage is not maxed out during high traffic periods.

In addition to using the system dashboard to see the current memory usage you can use the get test wad 2 command to see how much memory is currently being used by WAN optimization. See “get test {wad | wccpd} <test_level>” for more information.

