Secure web gateway, WAN optimization, web caching and WCCP


You can use FortiGate WAN optimization and web caching to improve performance and security of traffic passing between locations on your wide area network (WAN) or from the Internet to your web servers. You can also use the FortiGate unit as an explicit FTP and web proxy server. If your FortiGate unit supports web caching, you can also add web caching to any HTTP sessions including WAN optimization, explicit web proxy and other HTTP sessions.

The next sections of this document describe how FortiGate WAN optimization, web caching, explicit web proxy, explicit FTP proxy and WCCP work, and how to configure these features.

Before you begin

Before you begin to configure WAN optimization, Web caching, explicit proxies or WCCP, take a moment to note the following:

  • To use WAN optimization and web caching, your FortiGate unit must support these features, and not all models do. In general the FortiGate unit must include a hard disk to support them. See “FortiGate models that support WAN optimization” below. Most FortiGate units support the explicit web and FTP proxies.
  • To be able to configure WAN optimization and web caching from the web manager you should begin by going to System > Feature Visibility and turning on WAN Opt. & Cache.
  • To be able to configure the Web and FTP proxies from the web manager you should begin by going to System > Feature Visibility and turning on Explicit Proxy.
  • If you enable virtual domains (VDOMs) on the FortiGate unit, WAN optimization, web caching, and the explicit web and FTP proxies are available separately for each VDOM.
  • This guide is based on the assumption that you are a FortiGate administrator. It is not intended for others who may also use the FortiGate unit, such as FortiClient administrators or end users.
  • FortiGate WAN optimization is proprietary to Fortinet. FortiGate WAN optimization will not work with other vendors’ WAN optimization or acceleration features.
  • FortiGate web caching, explicit web and FTP proxies, and WCCP support known standards for these features. See the appropriate chapters of this document for details.

At this stage, the following installation and configuration conditions are assumed:

  • For WAN optimization you have already successfully installed two or more FortiGate units at various locations across your WAN.
  • For web caching, the explicit proxies and WCCP you have already successfully installed one or more FortiGate units on your network.
  • You have administrative access to the web-based manager and/or CLI.
  • The FortiGate units are integrated into your WAN or other networks.
  • The operation mode has been configured.
  • The system time, DNS settings, administrator password, and network interfaces have been configured.
  • Firmware, FortiGuard Antivirus and FortiGuard Antispam updates are completed.


  • Your Fortinet products have been registered. Register your Fortinet products at the Fortinet Technical Support web site, https://support.fortinet.com.

FortiGate models that support WAN optimization

WAN optimization is available on FortiGate models with internal storage that also support SSL acceleration.

Internal storage includes high-capacity internal hard disks, AMC hard disk modules, FortiGate Storage Modules (FSMs) or over 4 Gbytes of internal flash storage. All of these storage locations can provide similar web caching and byte caching performance. If you add more than one storage location (for example, by creating multiple partitions on a storage device, by using more than one FSM, or by using an FSM and AMC hard disk in the same FortiGate unit) you can configure different storage locations for web caching and byte caching.

Distributing WAN optimization, explicit proxy, and web caching to multiple CPU cores

By default WAN optimization, explicit proxy and web caching are handled by half of the CPU cores in a FortiGate unit. For example, if your FortiGate unit has 4 CPU cores, by default two are used for WAN optimization, explicit proxy and web caching. You can use the following command to change the number of CPU cores that are used:

    config system global
        set wad-worker-count <number>
    end

The value for <number> can be between 1 and the total number of CPU cores in your FortiGate unit. Adding more cores may improve WAN optimization, explicit proxy and web caching performance, but it takes those cores away from the rest of the FortiGate (for example, firewall and UTM processing), so performance elsewhere may drop.

Dispatching traffic to WAD worker based on source affinity

The WAD worker balancing algorithm can spread traffic evenly over the WAD processes even if the bulk of the traffic is coming from a single source or a small set of sources.

By default, dispatching traffic to WAD workers is based on source affinity: all sessions from a given source IP address are handled by the same WAD worker. This can hurt performance when users sit behind another explicit proxy in front of the FortiGate. With source affinity, the FortiGate sees all of that traffic as originating from the single IP address (or small set of addresses) of the upstream proxy, so it lands on one, or only a few, WAD processes.

Disabling wad-source-affinity balances the traffic over all of the WAD processes. When wad-source-affinity is disabled, the WAD dispatcher no longer assigns traffic based on the source IP but hands sessions to available workers in a round-robin fashion.


Handling the traffic by different WAD workers results in losing some of the benefits of using source affinity, as is explained by the warning message that appears when it is disabled:

“WARNING: Disabling this option results in some features to be unsupported. IP-based user authentication, disclaimer messages, security profile override, authentication cookies, MAPI scanning, and some video caches such as YouTube are not supported.

Do you want to continue? (y/n)”

CLI

    config system global
        set wad-source-affinity {enable|disable}
    end
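The two settings above (wad-worker-count and wad-source-affinity) are easier to reason about with a concrete dispatch simulation. The following Python script is an added example, not code from the FortiOS guide or from Fortinet: it models a pool of WAD workers sized at half the CPU cores and dispatches sessions either by source affinity or round-robin. The hash used to map a source IP to a worker, the sample IP addresses and the session counts are all assumptions made for illustration; FortiOS does not document its exact dispatch hash.

```python
"""
Added example (not from the FortiOS guide): simulate how the WAD dispatcher
spreads sessions across WAD worker processes under source affinity versus
round-robin, and why a single upstream explicit proxy defeats affinity.
The hash used for affinity is an assumption, chosen only to illustrate the
behaviour the guide describes.
"""
import hashlib
from collections import Counter
from itertools import cycle


def default_worker_count(cpu_cores: int) -> int:
    """Default wad-worker-count: half the CPU cores, never less than one."""
    return max(1, cpu_cores // 2)


def affinity_worker(src_ip: str, worker_count: int) -> int:
    """Map a source IP to a worker index (assumed hash; illustrative only)."""
    digest = hashlib.sha256(src_ip.encode()).digest()
    return int.from_bytes(digest[:4], "big") % worker_count


def dispatch(sessions, worker_count: int, source_affinity: bool) -> Counter:
    """Return sessions-per-worker for a list of session source IPs."""
    load = Counter({w: 0 for w in range(worker_count)})
    rr = cycle(range(worker_count))
    for src_ip in sessions:
        w = affinity_worker(src_ip, worker_count) if source_affinity else next(rr)
        load[w] += 1
    return load


def imbalance(load: Counter) -> float:
    """Fraction of all sessions carried by the busiest worker (1.0 = all on one)."""
    total = sum(load.values())
    return max(load.values()) / total if total else 0.0


# Constructed traffic: 400 sessions. Direct clients use distinct source IPs;
# sessions that passed through an upstream explicit proxy all arrive from
# the proxy's single address (192.0.2.10 is a documentation/test address).
DIRECT_CLIENTS = [f"10.0.{i // 256}.{i % 256}" for i in range(400)]
BEHIND_PROXY = ["192.0.2.10"] * 400

if __name__ == "__main__":
    workers = default_worker_count(cpu_cores=8)  # 4 workers by default
    for label, sessions in (("direct clients", DIRECT_CLIENTS),
                            ("behind one proxy", BEHIND_PROXY)):
        for affinity in (True, False):
            load = dispatch(sessions, workers, affinity)
            print(f"{label:17s} affinity={affinity!s:5s} "
                  f"busiest worker carries {imbalance(load):.0%} {dict(load)}")
```

Running it shows the case the guide warns about: with affinity enabled, all 400 sessions from the upstream proxy address land on one of the four workers, while round-robin spreads them to 100 each. The same property that causes the imbalance is what the affinity-dependent features (IP-based user authentication, disclaimers, authentication cookies, MAPI scanning) rely on: every session from one client address being seen by the same worker. Disable affinity only when you do not need those features, or when an upstream proxy makes per-IP affinity meaningless anyway.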

Toggling disk usage for logging or wan-opt

Both logging and WAN Optimization use hard disk space to save data. In FortiOS, you cannot use the same hard disk for WAN Optimization and logging.

  • If the FortiGate has one hard disk, then it can be used for either disk logging or WAN optimization, but not both. By default, the hard disk is used for disk logging.
  • If the FortiGate has two hard disks, then one disk is always used for disk logging and the other disk is always used for WAN optimization.

On the FortiGate, go to System > Advanced > Disk Settings to switch between Local Log and WAN Optimization.

You can also change disk usage from the CLI using the following command:

    config system global
        set disk-usage {log | wanopt}
    end

You can configure WAN Optimization from the CLI or the GUI. To configure WAN Optimization from the GUI you must first go to System > Feature Visibility and turn on WAN Opt. & Cache.

Enabling WAN optimization affects more than just disk logging

Besides WAN Optimization itself, the following table shows the other features that depend on how the FortiGate disk is configured.

Features affected by Disk Usage as per the number of internal hard disks on the FortiGate

Feature                                   Logging Only      WAN Opt. Only     Logging & WAN Opt.
                                          (1 hard disk)     (1 hard disk)     (2 hard disks)
Logging                                   Supported         Not supported     Supported
Report/Historical FortiView               Supported         Not supported     Supported
Firewall Packet Capture (Policy Capture   Supported         Not supported     Supported
  and Interface Capture)
AV Quarantine                             Supported         Not supported     Supported
IPS Packet Capture                        Supported         Not supported     Supported
DLP Archive                               Supported         Not supported     Supported
Sandbox DB & Results                      FortiSandbox database and results are also stored on disk, but are not affected by this setting.
This entry was posted in Administration Guides, FortiOS 6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
