Tag Archives: fortigate WAN optimization and user and device identity policies

WAN optimization and user and device identity policies, load balancing and traffic shaping

Leave a reply

WAN optimization and user and device identity policies, load balancing and traffic shaping

Please note the following about WAN optimization and firewall policies:

  • WAN optimization is not compatible with firewall load balancing.
  • WAN optimization is compatible with source and destination NAT options in firewall policies (including firewall virtual IPs). If a virtual IP is added to a policy the traffic that exits the WAN optimization tunnel has its destination address changed to the virtual IPs mapped to IP address and port.
  • WAN optimization is compatible with user identity-based and device identity security policies. If a session is allowed after authentication or device identification the session can be optimized.

 

Traffic shaping

Traffic shaping works for WAN optimization traffic that is not in a WAN optimization tunnel. So traffic accepted by a WAN optimization security policy on a client-side FortiGate unit can be shaped on ingress. However, when the traffic enters the WAN optimization tunnel, traffic shaping is not applied.

 

In manual mode:

  • Traffic shaping works as expected on the client-side FortiGate unit.
  • Traffic shaping cannot be applied to traffic on the server-side FortiGate unit. In active-passive mode:
  • Traffic shaping works as expected on the client-side FortiGate unit.
  • If transparent mode is enabled in the WAN optimization profile, traffic shaping also works as expected on the server-side FortiGate unit.
  • If transparent mode is not enabled, traffic shaping works partially on the server-side FortiGate unit.