Tag Archives: fortinet Example Adding secure tunneling to an active-passive WAN optimization configuration

Example Adding secure tunneling to an active-passive WAN optimization configuration

Example Adding secure tunneling to an active-passive WAN optimization configuration

This example shows how to configure two FortiGate units for active-passive WAN optimization with secure tunneling. The same authentication group is added to both FortiGate units. The authentication group includes a password (or pre-shared key) and has Peer Acceptance set to Accept any Peer. An active policy is added to the client-side FortiGate unit and a passive policy to the server-side FortiGate unit. The active policy includes a profile that performs secure tunneling, optimizes HTTP traffic, and uses Transparent Mode and byte caching.

The authentication group is named AuthSecure-Tunnel and the password for the pre-shared key is 2345678. The topology for this example is shown below. This example includes web-based manager configuration steps followed by equivalent CLI configuration steps. For information about secure tunneling, see Secure tunneling on page 2864.

 

Network topology and assumptions

This example configuration includes a client-side FortiGate unit called Client-net with a WAN IP address of 172.30.120.1.This unit is in front of a network with IP address 172.20.120.0. The server-side FortiGate unit is called Web-servers and has a WAN IP address of 192.168.20.1. This unit is in front of a web server network with IP address 192.168.10.0.

 

Example active-passive WAN optimization and secure tunneling topology

General configuration steps

This section breaks down the configuration for this example into smaller procedures. For best results, follow the procedures in the order given:

1. Configure the client-side FortiGate unit:

  • Add peers.
  • Add an authentication group.
  • Add an active WAN optimization policy.

2. Configure the server-side FortiGate unit.

  • Add peers.
  • Add the same authentication group
  • Add a passive WAN optimization policy that applies application control.
  • Add a WAN optimization tunnel policy.

Also note that if you perform any additional actions between procedures, your configuration may have different results.

 

Configuring WAN optimization with secure tunneling – web-based manager

Use the following steps to configure the example WAN optimization configuration from the client-side and server- side FortiGate unit web-based manager. (CLI steps follow.)

 

To configure the client-side FortiGate unit

1. Go to WAN Opt. & Cache > Peers and enter a Local Host ID for the client-side FortiGate unit:

 

Local Host ID                            Client-Fgt

2. Select Apply to save your setting.

3. Select Create New and add a Peer Host ID and the IP Address for the server-side FortiGate unit:

 

Peer Host ID                               Server-Fgt

IP Address                                 192.168.20.1

4. Select OK.

5. Go to WAN Opt. & Cache > Authentication Groups and select Create New to add the authentication group to be used for secure tunneling:

 

Name                                           Auth-Secure-Tunnel

Authentication Method            Pre-shared key

Password                                   2345678

Peer Acceptance                       Accept Any Peer

6. Select OK.

7. Go to WAN Opt. & Cache > Profiles and select Create New to add a WAN optimization profile that enables secure tunneling and includes the authentication group:

 

Name                                           Secure-wan-op-pro

Transparent Mode                    Select

Authentication Group              Auth-Secure-tunnel

8. Select the HTTP protocol, select Secure Tunneling and Byte Caching and set the Port to 80.

9. Select OK.

10. Go to Policy & Objects > Addresses and select Create New to add a firewall address for the client network.

 

Category                                     Address

Name                                           Client-Net

Type                                            Subnet

Subnet / IP Range                     172.20.120.0/24

Interface                                     port1

11. Select Create New to add a firewall address for the web server network.

 

Category                                     Address

Address Name                           Web-Server-Net

Type                                            Subnet

Subnet / IP Range                     192.168.10.0/24

Interface                                     port2

12. Go to Policy & Objects > IPv4 Policy and select Create New to add an active WAN optimization security policy:

 

Incoming Interface                   port1

Source Address                        Client-Net

Outgoing Interface                   port2

Destination Address                 Web-Server-Net

Schedule                                    always

Service                                       HTTP

Action                                         ACCEPT

13. Turn on WAN Optimization and configure the following settings:

 

WAN Optimization                    active

Profile                                         Secure-wan-opt-pro

14. Select OK.

 

To configure the server-side FortiGate unit

1. Go to WAN Opt. & Cache > Peers and enter a Local Host ID for the server-side FortiGate unit:

 

Local Host ID                            Server-Fgt

2. Select Apply to save your setting.

3. Select Create New and add a Peer Host ID and the IP Address for the client-side FortiGate unit:

Peer Host ID                               Client-Fgt

IP Address                                 172.30.120.1

4. Select OK.

5. Go to WAN Opt. & Cache > Authentication Groups and select Create New and add an authentication group to be used for secure tunneling:

Name                                           Auth-Secure-Tunnel

Authentication Method            Pre-shared key

Password                                   2345678

Peer Acceptance                       Accept Any Peer

6. Select OK.

7. Go to Policy & Objects > Addresses and select Create New to add a firewall address for the client network.

Category                                     Address

Name                                           Client-Net

Type                                            Subnet

Subnet / IP Range                     172.20.120.0/24

Interface                                     port1

8. Select Create New to add a firewall address for the web server network.

Category                                     Address

Address Name                           Web-Server-Net

Type                                            Subnet

Subnet / IP Range                     192.168.10.0/24

Interface                                     port2

9. Select OK.

10. Select Create New to add a passive WAN optimization policy that applies application control.

Incoming Interface                   port2

Source Address                        Client-Net

Outgoing Interface                   port1

Destination Address                 Web-Server-Net

Schedule                                    always

Service                                       ALL

Action                                         ACCEPT

11. Turn on WAN Optimization and configure the following settings:

WAN Optimization                    passive

Passive Option                          default

12. Select OK.

13. From the CLI enter the following command to add a WAN optimization tunnel explicit proxy policy.

configure firewall explicit-proxy-policy edit 0

set proxy wanopt set dstintf port1 set srcaddr all set dstaddr all set action accept

set schedule always set service ALL

next end