WAN Opt Configuration examples

Configuring basic peer-to-peer WAN optimization – CLI

Use the following steps to configure the example WAN optimization configuration from the client-side and server- side FortiGate unit CLI.

 

To configure the client-side FortiGate unit

1. Add the Local Host ID to the client-side FortiGate configuration:

config wanopt settings set host-id Client-Fgt

end

2. Add the server-side Local Host ID to the client-side peer list:

config wanopt peer edit Server-Fgt

set ip 192.168.30.12 end

3. Add a firewall address for the client network.

config firewall address edit Client-Net

set type ipmask

set subnet 172.20.120.0 255.255.255.0 set associated-interface port1

end

4. Add a firewall address for the web server network.

config firewall address edit Web-Server-Net

set type ipmask

set subnet 192.168.10.0 255.255.255.0 set associated-interface port2

end

5. Edit the default WAN optimization profile, select transparent mode, enable HTTP WAN optimization and enable byte caching for HTTP. Leave the HTTP Port set to 80.

config wanopt profile edit default

set transparent enable config http

set status enable

set byte-caching enable end

end

6. Add a WAN optimization security policy to the client-side FortiGate unit to accept the traffic to be optimized:

config firewall policy edit 0

set srcintf port1 set dstintf port2 set srcaddr all set dstaddr all set action accept set service ALL

set schedule always set wanopt enable

set wanopt-profile default set wanopt-detection off set wanopt-peer Server-Fgt

end

 

To configure the server-side FortiGate unit

1. Add the Local Host ID to the server-side FortiGate configuration:

config wanopt settings set host-id Server-Fgt

end

2. Add the client-side Local Host ID to the server-side peer list:

config wanopt peer edit Client-Fgt

set ip 192.168.30.12 end

3. Add a WAN optimization tunnel explicit proxy policy.

configure firewall explicit-proxy-policy edit 0

set proxy wanopt set dstintf port1 set srcaddr all set dstaddr all set action accept

set schedule always set service ALL

next end

 

Testing and troubleshooting the configuration

To test the configuration attempt to start a web browsing session between the client network and the web server network. For example, from a PC on the client network browse to the IP address of a web server on the web server network, for example http://192.168.10.100. Even though this address is not on the client network you should be able to connect to this web server over the WAN optimization tunnel.

If you can connect, check WAN optimization monitoring. If WAN optimization has been forwarding the traffic the WAN optimization monitor should show the protocol that has been optimized (in this case HTTP) and the reduction rate in WAN bandwidth usage.

If you can’t connect you can try the following to diagnose the problem:

  • Review your configuration and make sure all details such as address ranges, peer names, and IP addresses are correct.
  • Confirm that the security policy on the client-side FortiGate unit is accepting traffic for the 192.168.10.0 network.

You can do this by checking the policy monitor (Monitor > Firewall Monitor). Look for sessions that use the policy

ID of this policy.

  • Check routing on the FortiGate units and on the client and web server networks to make sure packets can be forwarded as required. The FortiGate units must be able to communicate with each other, routing on the client network must allow packets destined for the web server network to be received by the client-side FortiGate unit, and packets from the server-side FortiGate unit must be able to reach the web servers.

 

You can use the following get and diagnose commands to display information about how WAN optimization is operating.

Enter the following command to list all of the running WAN optimization tunnels and display information about each one. The command output for the client-side FortiGate unit shows 10 tunnels all created by peer-to-peer WAN optimization rules (auto-detect set to off).

diagnose wad tunnel list

Tunnel: id=100 type=manual

vd=0 shared=no uses=0 state=3

peer name=Web-servers id=100 ip=192.168.30.12

SSL-secured-tunnel=no auth-grp=

bytes_in=348 bytes_out=384

 

Tunnel: id=99 type=manual

vd=0 shared=no uses=0 state=3

peer name=Web-servers id=99 ip=192.168.30.12

SSL-secured-tunnel=no auth-grp=

bytes_in=348 bytes_out=384

 

Tunnel: id=98 type=manual

vd=0 shared=no uses=0 state=3

peer name=Web-servers id=98 ip=192.168.30.12

SSL-secured-tunnel=no auth-grp=

bytes_in=348 bytes_out=384

 

Tunnel: id=39 type=manual

vd=0 shared=no uses=0 state=3

peer name=Web-servers id=39 ip=192.168.30.12

SSL-secured-tunnel=no auth-grp=

bytes_in=1068 bytes_out=1104

 

Tunnel: id=7 type=manual

 

vd=0 shared=no uses=0 state=3

peer name=Web-servers id=7 ip=192.168.30.12

SSL-secured-tunnel=no auth-grp=

bytes_in=1228 bytes_out=1264

 

Tunnel: id=8 type=manual

vd=0 shared=no uses=0 state=3

peer name=Web-servers id=8 ip=192.168.30.12

SSL-secured-tunnel=no auth-grp=

bytes_in=1228 bytes_out=1264

 

Tunnel: id=5 type=manual

vd=0 shared=no uses=0 state=3

peer name=Web-servers id=5 ip=192.168.30.12

SSL-secured-tunnel=no auth-grp=

bytes_in=1228 bytes_out=1264

 

Tunnel: id=4 type=manual

vd=0 shared=no uses=0 state=3

peer name=Web-servers id=4 ip=192.168.30.12

SSL-secured-tunnel=no auth-grp=

bytes_in=1228 bytes_out=1264

 

Tunnel: id=1 type=manual

vd=0 shared=no uses=0 state=3

peer name=Web-servers id=1 ip=192.168.30.12

SSL-secured-tunnel=no auth-grp=

bytes_in=1228 bytes_out=1264

 

Tunnel: id=2 type=manual

vd=0 shared=no uses=0 state=3

peer name=Web-servers id=2 ip=192.168.30.12

SSL-secured-tunnel=no auth-grp=

bytes_in=1228 bytes_out=1264

 

Tunnels total=10 manual=10 auto=0

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.