FortiClient WAN optimization


FortiClient WAN optimization supports protocol optimization and byte caching in IPsec VPN and SSL VPN tunnels between FortiClient and a FortiGate unit. To add WAN optimization to FortiClient, configure FortiClient Advanced settings and enable WAN optimization. This setting can then apply WAN optimization to any IPsec or SSL VPN tunnel between FortiClient and FortiGate, if the FortiGate IPsec or SSL VPN configuration also includes WAN optimization.

When FortiClient with WAN optimization enabled attempts to connect to a server-side FortiGate unit, FortiClient automatically detects whether WAN optimization has been added to the FortiGate tunnel configuration. If WAN optimization is detected and FortiClient can successfully negotiate with the FortiGate unit, WAN optimization starts.

FortiClient WAN optimization topology

FortiClient WAN optimization over IPsec VPN configuration example

This example shows how to add WAN optimization to a FortiClient IPsec VPN. The IPsec VPN tunnel allows remote FortiClient users to connect to the internal network behind the FortiGate unit.

Example FortiClient WAN optimization configuration

To configure the FortiGate unit

Because computers running FortiClient can have IP addresses that change often, it is usually not practical to add FortiClient peers to the FortiGate WAN optimization peer list. Instead, a FortiGate unit that accepts WAN optimization tunnel requests from FortiClient is usually configured to accept any peer. This example does this by adding a WAN optimization authentication group with Peer acceptance set to Accept Any Peer.


In addition, this example includes a wanopt-to-internal policy to allow WAN optimization traffic to reach the internal network. Finally, passive WAN optimization is added to the ssl.root policy because WAN optimization is accepting traffic from the IPsec VPN tunnel.

  1. Go to WAN Opt. & Cache > Authentication Groups and select Create New.
  2. Configure the WAN optimization authentication group:
       Name: auth-fc
       Authentication Method: Certificate
       Certificate: Fortinet_Firmware
       Accept Peer(s): Any
  3. Select OK.
  4. Go to WAN Opt. & Cache > Profiles and select the “+” icon to add a new profile.
  5. Add a profile for FortiClient WAN optimization sessions:
       Name: Fclient_Pro
       Transparent Mode: enabled
       Authentication Group: enabled, auth-fc
  6. Select any Protocols and any settings for each protocol.
  7. Select OK.
  8. Go to Policy & Objects > Addresses and select Create New to add a firewall address for the internal network that FortiClient users can access.
       Category: Address
       Address Name: Internal-Server-Net
       Type: IP Range
       Subnet / IP Range: 192.168.10.0/24
       Interface: internal
  9. Enter the following CLI command to add an explicit proxy policy to accept WAN optimization tunnel connections.

       config firewall proxy-policy
           edit 0
               set proxy wanopt
               set dstintf internal
               set srcaddr all
               set dstaddr all
               set action accept
               set schedule always
               set service ALL
           next
       end


To set up IPsec VPN to support WAN optimization

  1. Go to VPN > IPsec Wizard, enter a Name for the IPsec VPN and select Dialup – FortiClient (Windows, Mac OS, Android).
  2. Follow the wizard steps to configure the VPN. No special WAN optimization settings are required.
  3. Go to Policy & Objects > IPv4 Policy and edit the policy created by the wizard.

This policy has the IPsec VPN interface created by the wizard as the source interface.

  4. Turn on WAN Optimization and configure the following settings:
       Enable WAN Optimization: passive
       Passive Option: default
  5. Select OK.
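The two FortiGate-side procedures above (the authentication group, profile and address object, and the passive WAN optimization setting on the dialup IPsec policy) expressed as an equivalent FortiOS CLI fragment. This is an added example, not configuration from the original page; the IPsec tunnel interface name "fclient-vpn" and the policy name are assumptions, so substitute the Name you entered in the IPsec Wizard.

```fortios
# Assumed tunnel interface name: "fclient-vpn" (the IPsec Wizard Name).

# WAN optimization authentication group: certificate auth, accept any peer.
config wanopt auth-group
    edit "auth-fc"
        set auth-method cert
        set cert "Fortinet_Firmware"
        set peer-accept any
    next
end

# Transparent-mode profile bound to the auth group. HTTP is shown; enable
# the other protocols (cifs, ftp, mapi, tcp) the same way if required.
config wanopt profile
    edit "Fclient_Pro"
        set transparent enable
        set auth-group "auth-fc"
        config http
            set status enable
            set byte-caching enable
        end
    next
end

# Internal network that FortiClient users may reach.
config firewall address
    edit "Internal-Server-Net"
        set subnet 192.168.10.0 255.255.255.0
        set associated-interface "internal"
    next
end

# Passive WAN optimization on the dialup IPsec policy. dstaddr is narrowed to
# the address object rather than "all", since any authenticated peer is accepted.
config firewall policy
    edit 0
        set name "fclient-vpn-to-internal"
        set srcintf "fclient-vpn"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Internal-Server-Net"
        set action accept
        set schedule "always"
        set service "ALL"
        set wanopt enable
        set wanopt-detection passive
        set wanopt-passive-opt default
    next
end
```

Verify the result with `diagnose wad stats` and the WAN Opt. monitor once a FortiClient tunnel is up; a peer that fails certificate authentication never enters the WAN optimization session table.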

To configure FortiClient and start the WAN optimization SSL VPN connection

  1. Open FortiClient, configure Advanced settings, and select Enable WAN optimization.
  2. Add a new IPsec VPN connection.

Set the Server to the WAN1 IP address of the FortiGate unit (172.20.120.30 in this example).

No other settings are required for this example. You can add authentication in the form of a user name and password if required by the FortiGate unit.

  3. Start the IPsec VPN tunnel.

You should be connected to the IPsec VPN tunnel and traffic in it should be optimized.


This entry was posted in FortiGate, FortiOS 5.6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
