
WAN optimization configuration summary


This section includes a client-side and a server-side WAN Optimization configuration summary.

Client-side configuration summary

WAN optimization profile

Enter the following command to view WAN optimization profile CLI options:

    tree wanopt profile
    -- [profile] --*name (36)
        |- transparent
        |- comments
        |- auth-group (36)
        |- <http> -- status
        |          |- secure-tunnel
        |          |- byte-caching
        |          |- prefer-chunking
        |          |- tunnel-sharing
        |          |- log-traffic
        |          |- port (1,65535)
        |          |- ssl
        |          |- ssl-port (1,65535)
        |          |- unknown-http-version
        |          +- tunnel-non-http
        |- <cifs> -- status
        |          |- secure-tunnel
        |          |- byte-caching
        |          |- prefer-chunking
        |          |- tunnel-sharing
        |          |- log-traffic
        |          +- port (1,65535)
        |- <mapi> -- status
        |          |- secure-tunnel
        |          |- byte-caching
        |          |- tunnel-sharing
        |          |- log-traffic
        |          +- port (1,65535)
        |- <ftp> -- status
        |          |- secure-tunnel
        |          |- byte-caching
        |          |- prefer-chunking
        |          |- tunnel-sharing
        |          |- log-traffic
        |          +- port (1,65535)
        +- <tcp> -- status
                   |- secure-tunnel
                   |- byte-caching
                   |- byte-caching-opt
                   |- tunnel-sharing
                   |- log-traffic
                   |- port
                   |- ssl
                   +- ssl-port (1,65535)

Local host ID and peer settings

    config wanopt settings
        set host-id client
    end

    config wanopt peer
        edit server
            set ip 10.10.2.82
    end

Security policies

Two client-side WAN optimization security policy configurations are possible: one for active-passive WAN optimization and one for manual WAN optimization.

Active/passive mode on the client-side

    config firewall policy
        edit 2
            set srcintf internal
            set dstintf wan1
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
            set wanopt enable                  <<< enable WAN optimization
            set wanopt-detection active        <<< set the mode to active/passive
            set wanopt-profile "default"       <<< select the wanopt profile
        next
    end

Manual mode on the client-side

    config firewall policy
        edit 2
            set srcintf internal
            set dstintf wan1
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
            set wanopt enable                  <<< enable WAN optimization
            set wanopt-detection off           <<< sets the mode to manual
            set wanopt-profile "default"       <<< select the wanopt profile
            set wanopt-peer "server"           <<< set the only peer to do wanopt with (required for manual mode)
        next
    end

Server-side configuration summary

Local host ID and peer settings

    config wanopt settings
        set host-id server
    end

    config wanopt peer
        edit client
            set ip 10.10.2.81
    end

Security policies

Two server-side WAN optimization security policy configurations are possible: one for active-passive WAN optimization and one for manual WAN optimization.

Active/passive mode on the server-side

    config firewall policy
        edit 2                                 <<< the passive mode policy
            set srcintf wan1
            set dstintf internal
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
            set wanopt enable
            set wanopt-detection passive
            set wanopt-passive-opt transparent
    end

    config firewall explicit-proxy-policy
        edit 3                                 <<< policy that accepts wanopt tunnel connections from the server
            set proxy wanopt                   <<< wanopt proxy type
            set dstintf internal
            set srcaddr all
            set dstaddr server-subnet
            set action accept
            set schedule always
            set service ALL
        next
    end

Manual mode on the server-side

    config firewall explicit-proxy-policy
        edit 3                                 <<< policy that accepts wanopt tunnel connections from the client
            set proxy wanopt                   <<< wanopt proxy type
            set dstintf internal
            set srcaddr all
            set dstaddr server-subnet
            set action accept
            set schedule always
            set service ALL
        next
    end

Best practices

This is a short list of WAN optimization and explicit proxy best practices.

  • WAN optimization tunnel sharing is recommended for similar types of WAN optimization traffic. However, tunnel sharing for different types of traffic is not recommended. For example, aggressive and non-aggressive protocols should not share the same tunnel. See Tunnel sharing.
  • Active-passive HA is the recommended HA configuration for WAN optimization. See WAN optimization and HA.
  • Configure WAN optimization authentication with specific peers. Accepting any peer is not recommended as this can be less secure. See Accepting any peers.
  • Set the explicit proxy Default Firewall Policy Action to Deny. This means that a security policy is required to use the explicit web proxy. See The FortiGate explicit web proxy.
  • Set the explicit FTP proxy Default Firewall Policy Action to Deny. This means that a security policy is required to use the explicit FTP proxy. See General explicit FTP proxy configuration steps.
  • Do not enable the explicit web or FTP proxy on an interface connected to the Internet. This is a security risk because anyone on the Internet who finds the proxy could use it to hide their source address. If you must enable the proxy on such an interface, make sure authentication is required to use the proxy. See General explicit web proxy configuration steps.
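A quick way to check a saved FortiGate configuration against the manual-mode requirement above (wanopt-peer must be set when wanopt-detection is off) and the explicit-proxy best practices is to parse the config/edit/set/next/end structure and audit the result. This is an added example, not Fortinet code; the `web-proxy explicit` (`status`, `sec-default-action`) and `system interface` (`explicit-web-proxy`) keys are assumed FortiOS syntax not shown on this page, and the list of Internet-facing interfaces is supplied by the operator.

```python
"""Audit a FortiOS config dump for the WAN optimization and explicit proxy
best practices above. Added example, not Fortinet code; the 'web-proxy
explicit' and 'system interface' keys are assumed syntax, not from this page."""

def parse_fortios(text):
    """Nest 'config'/'edit' scopes into dicts; 'set' stores key -> value."""
    root = cur = {}
    stack = []
    for line in text.splitlines():
        verb, _, rest = line.strip().partition(" ")
        if verb in ("config", "edit"):            # open a nested scope
            stack.append((cur, verb))
            cur = cur.setdefault(rest.strip('"'), {})
        elif verb == "set":
            key, _, val = rest.partition(" ")
            cur[key] = val.strip('"')
        elif verb in ("next", "end"):             # 'end' may also close an open 'edit'
            cur, kind = stack.pop()
            if verb == "end" and kind == "edit":
                cur, _ = stack.pop()
    return root

def audit(cfg, internet_ifaces=("wan1",)):
    """Return best-practice violations; internet_ifaces is the operator's list."""
    hits = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        manual = pol.get("wanopt") == "enable" and pol.get("wanopt-detection") == "off"
        if manual and "wanopt-peer" not in pol:
            hits.append(f"policy {pid}: manual wanopt mode but no wanopt-peer set")
    wp = cfg.get("web-proxy explicit", {})
    if wp.get("status") == "enable" and wp.get("sec-default-action") != "deny":
        hits.append("explicit web proxy: default firewall policy action is not deny")
    for name, itf in cfg.get("system interface", {}).items():
        if name in internet_ifaces and itf.get("explicit-web-proxy") == "enable":
            hits.append(f"interface {name}: explicit web proxy on Internet-facing interface")
    return hits

# Constructed sample: a manual-mode client policy missing its peer, plus two proxy settings.
SAMPLE = """config firewall policy
    edit 2
        set wanopt enable
        set wanopt-detection off
    next
end
config web-proxy explicit
    set status enable
    set sec-default-action accept
end
config system interface
    edit "wan1"
        set explicit-web-proxy enable
end"""
```

Running `audit(parse_fortios(SAMPLE))` on the constructed sample reports all three issues; feeding it a real `show full-configuration` dump is the intended use.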