Configuring basic active-passive WAN optimization – CLI
Use the following steps to configure the example WAN optimization configuration from the client-side and server-side FortiGate unit CLI.
To configure the client-side FortiGate unit
1. Add the Local Host ID to the client-side FortiGate configuration:
config wanopt settings
    set host-id Client-Fgt
end
2. Add the server-side Local Host ID to the client-side peer list:
config wanopt peer
    edit Server-Fgt
        set ip 192.168.20.1
    end
3. Add a WAN optimization profile to optimize CIFS, HTTP, and FTP traffic:
config wanopt profile
    edit Custom-wan-opt-pro
        config cifs
            set status enable
            set byte-caching enable
            set port 445
        end
        config http
            set status enable
            set byte-caching enable
            set port 80
        end
        config ftp
            set status enable
            set byte-caching enable
            set port 21
        end
    end
4. Add a firewall address for the client network:
config firewall address
    edit Client-Net
        set type iprange
        set start-ip 172.20.120.100
        set end-ip 172.20.120.200
        set associated-interface port1
    end
5. Add a firewall address for the web server network:
config firewall address
    edit Web-Server-Net
        set type ipmask
        set subnet 192.168.10.0 255.255.255.0
        set associated-interface port2
    end
6. Add an active WAN optimization security policy. No security profile is attached to this policy in the example; the troubleshooting steps below rely on that. The address name must match the object created in step 4 exactly (Client-Net, with a capital N):
config firewall policy
    edit 0
        set srcintf port1
        set dstintf port2
        set srcaddr Client-Net
        set dstaddr Web-Server-Net
        set action accept
        set service HTTP FTP SMB
        set schedule always
        set wanopt enable
        set wanopt-detection active
        set wanopt-profile Custom-wan-opt-pro
    end
To configure the server-side FortiGate unit
1. Add the Local Host ID to the server-side FortiGate configuration:
config wanopt settings
    set host-id Server-Fgt
end
2. Add the client-side Local Host ID to the server-side peer list:
config wanopt peer
    edit Client-Fgt
        set ip 172.20.120.1
    end
3. Add a firewall address for the client network:
config firewall address
    edit Client-Net
        set type iprange
        set start-ip 172.20.120.100
        set end-ip 172.20.120.200
        set associated-interface port1
    end
4. Add a firewall address for the web server network:
config firewall address
    edit Web-Server-Net
        set type ipmask
        set subnet 192.168.10.0 255.255.255.0
        set associated-interface port2
    end
5. Add a passive WAN optimization policy:
config firewall policy
    edit 0
        set srcintf port1
        set dstintf port2
        set srcaddr Client-Net
        set dstaddr Web-Server-Net
        set action accept
        set service ALL
        set schedule always
        set wanopt enable
        set wanopt-detection passive
        set wanopt-passive-opt default
    end
6. Add a WAN optimization tunnel explicit proxy policy. This policy accepts the tunnel traffic itself, so its source and destination are both all; the peer list in step 2 is what identifies the client-side unit:
config firewall explicit-proxy-policy
    edit 0
        set proxy wanopt
        set dstintf port1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
end
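Most of the troubleshooting in the next section comes down to checking that the two units agree with each other: each peer list names the other unit's host-id, every address a policy references exists on that unit, and the client-side policy detects actively while the server-side policy answers passively. The following Python script is an added example, not FortiOS or Fortinet code. It flattens an abridged, constructed copy of the two CLI blocks above into a dictionary keyed by config path and runs those three checks. The client policy's srcaddr is deliberately written as Client-net (lower-case n) in the constructed input so that the address check fires; the check treats object names as case-sensitive, as FortiOS does.

```python
"""Cross-check a client-side and server-side FortiOS WAN optimization config.
Added example, not FortiOS code. CLIENT_CFG and SERVER_CFG are constructed,
abridged copies of the two CLI blocks on this page."""
from typing import Dict, List, Tuple

Config = Dict[Tuple[str, ...], Dict[str, List[str]]]

CLIENT_CFG = """\
config wanopt settings
    set host-id Client-Fgt
end
config wanopt peer
    edit Server-Fgt
        set ip 192.168.20.1
    end
config firewall address
    edit Client-Net
    end
config firewall address
    edit Web-Server-Net
    end
config firewall policy
    edit 0
        set srcaddr Client-net
        set dstaddr Web-Server-Net
        set wanopt enable
        set wanopt-detection active
    end
"""

SERVER_CFG = """\
config wanopt settings
    set host-id Server-Fgt
end
config wanopt peer
    edit Client-Fgt
        set ip 172.20.120.1
    end
config firewall address
    edit Client-Net
    end
config firewall address
    edit Web-Server-Net
    end
config firewall policy
    edit 0
        set srcaddr Client-Net
        set dstaddr Web-Server-Net
        set wanopt enable
        set wanopt-detection passive
    end
"""


def parse_fortios(text: str) -> Config:
    """Flatten FortiOS CLI into {(table, entry, ...): {setting: values}}."""
    cfg: Config = {}
    stack: List[Tuple[str, str]] = []   # (verb, name) for each open config/edit level
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        verb, args = parts[0], parts[1:]
        if verb in ("config", "edit"):
            stack.append((verb, " ".join(args)))
            cfg.setdefault(tuple(n for _, n in stack), {})   # register even without `set`
        elif verb == "set":
            cfg[tuple(n for _, n in stack)][args[0]] = args[1:]
        elif verb == "next":
            stack.pop()                     # close the current entry only
        elif verb == "end":
            while stack and stack[-1][0] == "edit":
                stack.pop()                 # `end` inside an entry closes the entry too
            if stack:
                stack.pop()                 # close the table
    return cfg


def check_pair(client_text: str, server_text: str) -> List[str]:
    sides = {"client": parse_fortios(client_text), "server": parse_fortios(server_text)}
    problems: List[str] = []
    for side, cfg in sides.items():
        other = sides["server" if side == "client" else "client"]
        # 1. The peer list must name the other unit's host-id.
        other_host = other[("wanopt settings",)]["host-id"][0]
        peers = {k[1] for k in cfg if k[0] == "wanopt peer" and len(k) == 2}
        if other_host not in peers:
            problems.append(f"{side}: peer list {sorted(peers)} lacks {other_host!r}")
        # 2. Policy addresses must be defined objects; names are case-sensitive.
        addrs = {k[1] for k in cfg if k[0] == "firewall address" and len(k) == 2}
        want = "active" if side == "client" else "passive"
        for key, st in cfg.items():
            if len(key) != 2 or key[0] != "firewall policy":
                continue
            for fld in ("srcaddr", "dstaddr"):
                for name in st.get(fld, []):
                    if name != "all" and name not in addrs:
                        problems.append(f"{side}: policy {key[1]} {fld} {name!r} is not a defined address")
            # 3. The client side detects actively, the server side answers passively.
            if st.get("wanopt") == ["enable"] and st.get("wanopt-detection") != [want]:
                problems.append(f"{side}: policy {key[1]} should use wanopt-detection {want}")
    return problems


if __name__ == "__main__":
    for p in check_pair(CLIENT_CFG, SERVER_CFG):
        print(p)
```

Run against the constructed input it reports exactly one problem, the Client-net address on the client-side policy; fix the case and it reports none. The parser only understands config, edit, set, next and end, which is enough for the blocks on this page.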
Testing and troubleshooting the configuration
To test the configuration, attempt to start a web browsing session from the client network to the web server network. For example, from a PC on the client network browse to the IP address of a web server on the web server network, such as http://192.168.10.100. Even though this address is not on the client network, you should be able to connect to this web server over the WAN optimization tunnel.
If you can connect, check WAN optimization monitoring. If WAN optimization has been forwarding the traffic, the WAN optimization monitor should show the protocol that has been optimized (in this case HTTP) and the reduction in WAN bandwidth usage.
If you can't connect, try the following to diagnose the problem:
- Review your configuration and make sure all details such as address ranges, peer names, and IP addresses are correct.
- Confirm that the security policy on the client-side FortiGate unit is accepting traffic for the 192.168.10.0 network and that this security policy does not include security profiles. You can do this by checking the FortiGate session table from the dashboard: look for sessions that use the policy ID of this policy.
- Check routing on the FortiGate units and on the client and web server networks to make sure packets can be forwarded as required. The FortiGate units must be able to communicate with each other, routing on the client network must deliver packets destined for the web server network to the client-side FortiGate unit, and packets from the server-side FortiGate unit must be able to reach the web servers.
You can use the following get and diagnose commands to display information about how WAN optimization is operating. Enter the following command to list all of the running WAN optimization tunnels and display information about each one. In this output there are three tunnels, all created by peer-to-peer WAN optimization rules (auto-detect set to on). Note that each tunnel reports SSL-secured-tunnel=no: nothing in this basic example encrypts the tunnel traffic between the two FortiGate units.
diagnose wad tunnel list
Tunnel: id=139 type=auto
vd=0 shared=no uses=0 state=1 peer name= id=0 ip=unknown
SSL-secured-tunnel=no auth-grp=test bytes_in=744 bytes_out=76
Tunnel: id=141 type=auto
vd=0 shared=no uses=0 state=1 peer name= id=0 ip=unknown
SSL-secured-tunnel=no auth-grp=test bytes_in=727 bytes_out=76
Tunnel: id=142 type=auto
vd=0 shared=no uses=0 state=1 peer name= id=0 ip=unknown
SSL-secured-tunnel=no auth-grp=test bytes_in=727 bytes_out=76
Tunnels total=3 manual=0 auto=3
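When this command is run on a busy unit the listing is long, and the fields a practitioner cares about (tunnel type, peer identity, whether the tunnel is SSL-secured, byte counters, and whether the trailer line agrees with the records above it) are spread over three lines per tunnel. The following Python script is an added example, not FortiOS or Fortinet code, that parses this output into records and summarises it. The SAMPLE_OUTPUT string is constructed from the three-tunnel listing above; the field names come from that listing, and the script assumes the same layout (a "Tunnel:" header line, attribute lines, and a final "Tunnels total=" trailer).

```python
"""Parse `diagnose wad tunnel list` output and flag tunnels worth a second look.
Added example, not FortiOS code. SAMPLE_OUTPUT is constructed from the
three-tunnel listing shown on this page."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_OUTPUT = """\
Tunnel: id=139 type=auto
vd=0 shared=no uses=0 state=1 peer name= id=0 ip=unknown
SSL-secured-tunnel=no auth-grp=test bytes_in=744 bytes_out=76
Tunnel: id=141 type=auto
vd=0 shared=no uses=0 state=1 peer name= id=0 ip=unknown
SSL-secured-tunnel=no auth-grp=test bytes_in=727 bytes_out=76
Tunnel: id=142 type=auto
vd=0 shared=no uses=0 state=1 peer name= id=0 ip=unknown
SSL-secured-tunnel=no auth-grp=test bytes_in=727 bytes_out=76
Tunnels total=3 manual=0 auto=3
"""

# key=value tokens; the value may be empty, as in "peer name= id=0".
_KV = re.compile(r"(\S+?)=(\S*)")


@dataclass
class Tunnel:
    tunnel_id: int
    tunnel_type: str                  # "auto" (peer-to-peer rule) or "manual"
    attrs: Dict[str, str] = field(default_factory=dict)

    @property
    def ssl_secured(self) -> bool:
        return self.attrs.get("SSL-secured-tunnel") == "yes"


def parse_tunnel_list(text: str) -> Tuple[List[Tunnel], Dict[str, int]]:
    """Return the tunnel records and the parsed "Tunnels total=..." trailer."""
    tunnels: List[Tunnel] = []
    trailer: Dict[str, int] = {}
    current: Optional[Tunnel] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Tunnels "):               # summary trailer
            trailer = {k: int(v) for k, v in _KV.findall(line)}
            continue
        if line.startswith("Tunnel:"):                # start of a record
            hdr = dict(_KV.findall(line))
            current = Tunnel(int(hdr["id"]), hdr.get("type", ""))
            tunnels.append(current)
            continue
        if current is None:
            raise ValueError(f"attribute line before any tunnel header: {line!r}")
        in_peer = False
        for key, value in _KV.findall(line):
            if key == "name":                         # "peer name=" opens the peer block
                key, in_peer = "peer_name", True
            elif in_peer and key in ("id", "ip"):
                key = "peer_" + key                   # peer id, not the tunnel id
            else:
                in_peer = False
            current.attrs[key] = value
    return tunnels, trailer


def summarize(text: str) -> Dict[str, object]:
    tunnels, trailer = parse_tunnel_list(text)
    by_type: Dict[str, int] = {"auto": 0, "manual": 0}
    for t in tunnels:
        by_type[t.tunnel_type] = by_type.get(t.tunnel_type, 0) + 1
    return {
        "total": len(tunnels),
        "auto": by_type["auto"],
        "manual": by_type["manual"],
        # The trailer is FortiOS's own count; disagreement means truncated output.
        "trailer_consistent": (trailer.get("total") == len(tunnels)
                               and trailer.get("auto") == by_type["auto"]
                               and trailer.get("manual") == by_type["manual"]),
        "unsecured": [t.tunnel_id for t in tunnels if not t.ssl_secured],
        "no_peer_name": [t.tunnel_id for t in tunnels if not t.attrs.get("peer_name")],
        "bytes_in": sum(int(t.attrs.get("bytes_in", 0)) for t in tunnels),
        "bytes_out": sum(int(t.attrs.get("bytes_out", 0)) for t in tunnels),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_OUTPUT).items():
        print(f"{k}: {v}")
```

On the sample above it reports three auto tunnels, none SSL-secured and none carrying a peer name, with the trailer agreeing with the records. Paste the real output from the client-side and server-side units into SAMPLE_OUTPUT to check that both sides see the same number of tunnels.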