Example: Web caching of HTTP and HTTPS Internet content for users on an internal network
This example describes how to configure web caching of HTTP and HTTPS for users on a private network connecting to the Internet.
Network topology and assumptions
This example includes a client network with subnet address 10.31.101.0 connecting to web servers on the Internet. All of the users on the private network access the Internet through a single general security policy on the FortiGate unit that accepts all sessions connecting to the Internet. Web caching for HTTP and HTTPS traffic is added to this security policy.
Since users on the private network have unrestricted access to the Internet and may connect to many different web servers, webcache-https is set to any. As a result, users may see error messages in their web browsers when accessing HTTPS content.
Initially, security profiles are not selected so the example caches all HTTP traffic on TCP port 80 and HTTPS traffic on port 443. The example also describes how to configure the security policy to cache HTTP traffic on port 80 and 8080 by adding a proxy options profile that looks for HTTP traffic on TCP ports 80 and 8080. The example also describes how to configure the security policy to cache HTTPS traffic on port 443 and 8443 using the same proxy options profile.
Example web caching topology
General configuration steps
This section breaks down the configuration for this example into smaller procedures. For best results, follow the procedures in the order given:
1. Add HTTP web caching to the security policy that all users on the private network use to connect to the Internet.
2. Add HTTPS web caching.
3. Add a protocol options profile to look for HTTP traffic on ports 80 and 8080 and HTTPS traffic on ports 443 and 8443 and add this protocol options profile to the security policy.
If you perform any additional actions between procedures, your configuration may have different results.
Configuration Steps – web-based manager
Use the following steps to configure the example configuration from the FortiGate web-based manager.
To add HTTP web caching to a security policy
1. Go to Policy & Objects > IPv4 Policy and add a security policy that allows all users on the internal network to access the Internet.
Incoming Interface Internal
Source Address all
Outgoing Interface wan1
Destination Address all
Schedule always
Service ALL
Action ACCEPT
2. Select Enable NAT and select Use Destination Interface Address.
3. Turn on Web cache.
4. Select OK.
To add HTTPS web caching
1. From the CLI, enter the following command to add HTTPS web caching to the policy. Assume the index number of the policy is 5.
config firewall policy
    edit 5
        set webcache-https any
    next
end
To cache HTTP traffic on port 80 and 8080
1. Go to Network > Explicit Proxy and edit the default proxy options profile.
You could also add a new profile.
2. Under Protocol Port Mapping enable HTTP and under Inspection Ports enter 80,8080.
3. Go to Policy & Objects > IPv4 Policy, edit the security policy and
To cache HTTPS traffic on ports 443 and 8443
1. Go to Security Profiles > SSL Inspection and edit the certificate-inspection SSL/SSH inspection profile.
You could also use the deep-inspection profile or add a new profile.
2. Under SSL Inspection Options select Multiple Clients Connecting to Multiple Servers.
3. Make sure Inspect All Ports is not selected.
4. Make sure HTTPS is turned on and enter 443,8443.
5. From the CLI, enter the following command to add the default proxy options profile and the certificate-inspection SSL/SSH inspection profile to the firewall policy.
config firewall policy
    edit 5
        set utm-status enable
        set profile-protocol-options default
        set ssl-ssh-profile certificate-inspection
    next
end
You need to use the CLI to add the protocol options profile unless you also add a security profile that uses proxy-based inspection.
Configuration Steps – CLI
Use the following steps to configure the example configuration from the FortiGate CLI.
To add HTTP and HTTPS web caching to a security policy
1. Enter the following command to add a security policy that allows all users on the internal network to access the Internet and that includes web caching of HTTP and HTTPS traffic.
config firewall policy
    edit 0
        set srcintf internal
        set srcaddr all
        set dstintf wan1
        set dstaddr all
        set schedule always
        set service ALL
        set action accept
        set nat enable
        set webcache enable
        set webcache-https any
    next
end
To cache HTTP traffic on port 80 and 8080 and HTTPS traffic on ports 443 and 8443
1. Enter the following command to edit the default proxy options profile to configure it to look for HTTP traffic on ports 80 and 8080:
config firewall profile-protocol-options
    edit default
        config http
            set status enable
            set ports 80 8080
        end
    next
end
2. Enter the following command to edit the certificate-inspection SSL/SSH inspection profile to configure it to look for HTTPS traffic on ports 443 and 8443:
config firewall ssl-ssh-profile
    edit certificate-inspection
        config https
            set status certificate-inspection
            set ports 443 8443
        end
    next
end
3. Enter the following command to add the default proxy options profile and the certificate-inspection SSL/SSH inspection profile to the firewall policy.
config firewall policy
    edit 5
        set utm-status enable
        set profile-protocol-options default
        set ssl-ssh-profile certificate-inspection
    next
end
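Once the policy and profiles above are in place, it is easy for a later change to silently break the caching setup (for example, a profile swapped on the policy, or a port list edited back to a single port). The following script is an added example, not Fortinet code: it parses a FortiOS configuration export in the nested config/edit/set/next/end format and checks that a given policy carries the settings this example describes (webcache enabled, webcache-https set, utm-status enabled, and the attached protocol options and SSL/SSH profiles inspecting the expected ports). The sample configuration embedded in the script is constructed to mirror the example on this page; the parser, the audit_web_cache function and its finding messages are this example's own design, not FortiGate output.

```python
"""Audit a FortiOS CLI config export for the web-caching settings on this page.

Added example, not Fortinet code. SAMPLE_CONFIG below is a constructed
export that mirrors the example policy (index 5) and the two profiles.
"""
import re

SAMPLE_CONFIG = """\
config firewall profile-protocol-options
    edit "default"
        config http
            set status enable
            set ports 80 8080
        end
    next
end
config firewall ssl-ssh-profile
    edit "certificate-inspection"
        config https
            set status certificate-inspection
            set ports 443 8443
        end
    next
end
config firewall policy
    edit 5
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set webcache enable
        set webcache-https any
        set utm-status enable
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end text into nested dicts.

    Result shape: {"firewall policy": {"5": {"webcache": ["enable"], ...}}}.
    A sub-table such as 'config http' inside an edit is stored under its name.
    """
    root = {}
    stack = [root]  # the container that 'set' lines currently apply to
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keep quoted names ("certificate-inspection") as single tokens.
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected line: {line}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit versus next/end")
    return root


def audit_web_cache(config, policy_id, http_ports=("80", "8080"),
                    https_ports=("443", "8443")):
    """Return a list of findings; an empty list means the policy matches
    the configuration described in this example."""
    findings = []
    policy = config.get("firewall policy", {}).get(str(policy_id))
    if policy is None:
        return [f"policy {policy_id} not found"]
    if policy.get("webcache") != ["enable"]:
        findings.append("webcache is not enabled on the policy")
    if policy.get("webcache-https", ["disable"]) == ["disable"]:
        findings.append("webcache-https is disabled; HTTPS will not be cached")
    if policy.get("utm-status") != ["enable"]:
        findings.append("utm-status is not enabled; the example sets it with the profiles")
    # Port mapping lives in the profiles the policy points at, not the policy.
    pp_name = policy.get("profile-protocol-options", [None])[0]
    http = config.get("firewall profile-protocol-options", {}).get(pp_name, {}).get("http", {})
    if http.get("status") != ["enable"] or set(http.get("ports", [])) != set(http_ports):
        findings.append(f"protocol options '{pp_name}': HTTP not inspected on ports {list(http_ports)}")
    ssl_name = policy.get("ssl-ssh-profile", [None])[0]
    https = config.get("firewall ssl-ssh-profile", {}).get(ssl_name, {}).get("https", {})
    if https.get("status", ["disable"]) == ["disable"] or set(https.get("ports", [])) != set(https_ports):
        findings.append(f"SSL/SSH profile '{ssl_name}': HTTPS not inspected on ports {list(https_ports)}")
    return findings


if __name__ == "__main__":
    for finding in audit_web_cache(parse_fortios(SAMPLE_CONFIG), 5) or ["policy 5: OK"]:
        print(finding)
```

To use it on a real unit, paste the relevant `show firewall policy`, `show firewall profile-protocol-options` and `show firewall ssl-ssh-profile` output in place of SAMPLE_CONFIG (or read it from a backup file) and call audit_web_cache with the policy index; the check deliberately follows the profile references from the policy so that a profile renamed or swapped on the policy is reported rather than missed.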