Example Adding secure tunneling to an active-passive WAN optimization configuration

Configuring WAN optimization with secure tunneling – CLI

Use the following steps to configure the example WAN optimization configuration from the client-side and server-side FortiGate unit CLI.

To configure the client-side FortiGate unit

1. Add the Local Host ID to the client-side FortiGate configuration:

config wanopt settings
    set host-id Client-Fgt
end

2. Add the server-side Local Host ID to the client-side peer list:

config wanopt peer
    edit Server-Fgt
        set ip 192.168.20.1
end

3. Add a new authentication group to be used for secure tunneling:

config wanopt auth-group
    edit Auth-Secure-Tunnel
        set auth-method psk
        set psk 2345678
end

Leave peer-accept at its default value.

4. Add a WAN optimization profile that includes the authentication group, enables HTTP protocol optimization, and enables secure tunneling and byte caching for HTTP traffic:

config wanopt profile
    edit Secure-wan-opt-pro
        set auth-group Auth-Secure-Tunnel
        config http
            set status enable
            set secure-tunnel enable
            set byte-caching enable
            set port 80
        end
end

5. Add a firewall address for the client network.

config firewall address
    edit Client-Net
        set type ipmask
        set subnet 172.20.120.0 255.255.255.0
        set associated-interface port1
end

6. Add a firewall address for the web server network.

config firewall address
    edit Web-Server-Net
        set type ipmask
        set subnet 192.168.10.0 255.255.255.0
        set associated-interface port2
end

7. Add an active WAN optimization security policy that includes the WAN optimization profile that enables secure tunneling and that applies virus scanning:

config firewall policy
    edit 0
        set srcintf port1
        set dstintf port2
        set srcaddr Client-Net
        set dstaddr Web-Server-Net
        set action accept
        set service HTTP
        set schedule always
        set wanopt enable
        set wanopt-detection active
        set wanopt-profile Secure-wan-opt-pro
end


To configure the server-side FortiGate unit

1. Add the Local Host ID to the server-side FortiGate configuration:

config wanopt settings
    set host-id Server-Fgt
end

2. Add the client-side Local Host ID to the server-side peer list:

config wanopt peer
    edit Client-Fgt
        set ip 172.20.120.1
end

3. Add an authentication group to be used for secure tunneling:

config wanopt auth-group
    edit Auth-Secure-Tunnel
        set auth-method psk
        set psk 2345678
end

Leave peer-accept at its default value.

4. Add a firewall address for the client network.

config firewall address
    edit Client-Net
        set type ipmask
        set subnet 172.20.120.0 255.255.255.0
        set associated-interface port1
end

5. Add a firewall address for the web server network.

config firewall address
    edit Web-Server-Net
        set type ipmask
        set subnet 192.168.10.0 255.255.255.0
        set associated-interface port2
end

6. Add a passive WAN optimization policy.

config firewall policy
    edit 0
        set srcintf port1
        set dstintf port2
        set srcaddr Client-Net
        set dstaddr Web-Server-Net
        set action accept
        set service ALL
        set schedule always
        set wanopt enable
        set wanopt-detection passive
        set wanopt-passive-opt default
end

7. Add a WAN optimization tunnel explicit proxy policy.

config firewall explicit-proxy-policy
    edit 0
        set proxy wanopt
        set dstintf port1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
end
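Because the two units are configured separately, the settings they must share (each host-id in the other side's peer list, the auth-group method and PSK, and the profile name a policy references) are easy to get out of step, and a one-letter mismatch silently breaks the tunnel. The following Python script is an added example, not Fortinet code: it parses the config/edit/set/next/end commands used in the steps above into nested dicts and cross-checks a client-side and a server-side configuration. Its sample input is constructed to mirror the procedure, with one deliberate one-letter mismatch between the profile name and the policy that references it, and the 16-character minimum PSK length is an assumed local policy threshold, not a FortiOS requirement.

```python
"""Added example, not Fortinet code: cross-check client/server FortiGate WAN optimization configs."""
import shlex

def parse_fortios(text):
    """FortiOS CLI text -> nested dicts: a config table has 'set' and 'entries' (from 'edit');
    an entry has 'set' and nested 'config'. 'end' given inside an edit implies 'next'."""
    stack = [{"set": {}, "config": {}}]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(stack[-1]["config"].setdefault(" ".join(args), {"set": {}, "entries": {}}))
        elif cmd == "edit":
            stack.append(stack[-1]["entries"].setdefault(" ".join(args), {"set": {}, "config": {}}))
        elif cmd == "set":
            stack[-1]["set"][args[0]] = args[1:]
        elif cmd == "next":
            stack.pop()
        elif cmd == "end":
            if "entries" not in stack[-1]:
                stack.pop()
            stack.pop()
        else:
            raise ValueError(f"unrecognised CLI line: {raw!r}")
    return stack[0]

def _entries(cfg, path):
    return cfg["config"].get(path, {}).get("entries", {})

def _value(node, key, default=None):
    vals = node["set"].get(key) if node else None
    return vals[0] if vals else default

def check_pair(client_text, server_text, min_psk_len=16):
    """Return findings (empty = consistent); min_psk_len is an assumed local policy threshold."""
    client, server = parse_fortios(client_text), parse_fortios(server_text)
    findings = []
    # Each side's host-id must appear in the other side's peer list.
    for side, own, other in (("client", client, server), ("server", server, client)):
        other_id = _value(other["config"].get("wanopt settings"), "host-id")
        if other_id not in _entries(own, "wanopt peer"):
            findings.append(f"{side} peer list lacks the other side's host-id {other_id!r}")
    # Auth groups must exist on both sides with the same method and PSK.
    server_groups = _entries(server, "wanopt auth-group")
    for name, grp in _entries(client, "wanopt auth-group").items():
        peer = server_groups.get(name)  # None when the server side lacks the group
        for key in ("auth-method", "psk"):
            if _value(grp, key) != _value(peer, key):
                findings.append(f"auth-group {name!r}: {key} differs between sides")
        psk = _value(grp, "psk", "")
        if _value(grp, "auth-method") == "psk" and len(psk) < min_psk_len:
            findings.append(f"auth-group {name!r}: PSK is {len(psk)} chars, below minimum {min_psk_len}")
    # A WAN-optimized policy must reference a profile that exists on the same unit.
    profiles = _entries(client, "wanopt profile")
    for pol_id, pol in _entries(client, "firewall policy").items():
        prof = _value(pol, "wanopt-profile")
        if _value(pol, "wanopt") == "enable" and prof not in profiles:
            findings.append(f"policy {pol_id}: wanopt-profile {prof!r} does not exist")
    return findings

# Constructed sample input mirroring the procedure above; it deliberately keeps a
# one-letter mismatch between the profile name and the policy that references it.
CLIENT_CFG = """config wanopt settings
    set host-id Client-Fgt
end
config wanopt peer
    edit Server-Fgt
        set ip 192.168.20.1
end
config wanopt auth-group
    edit Auth-Secure-Tunnel
        set auth-method psk
        set psk 2345678
end
config wanopt profile
    edit Secure-wan-op-pro
end
config firewall policy
    edit 1
        set wanopt enable
        set wanopt-profile Secure-wan-opt-pro
end"""
SERVER_CFG = """config wanopt settings
    set host-id Server-Fgt
end
config wanopt peer
    edit Client-Fgt
        set ip 172.20.120.1
end
config wanopt auth-group
    edit Auth-Secure-Tunnel
        set auth-method psk
        set psk 2345678
end"""

if __name__ == "__main__":
    print("\n".join(check_pair(CLIENT_CFG, SERVER_CFG)) or "consistent")
```

Run against the sample, the checker reports two findings: the seven-character PSK is below the assumed minimum, and the policy references a profile name that does not exist on the client unit. A short numeric PSK like the one in this example is weak; use a long random key in practice, and rerun the check after any change on either unit, since the two sides are edited independently.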
