Example Active-passive WAN optimization
In active-passive WAN optimization you add an active WAN optimization policy to the client-side FortiGate unit and you add a WAN optimization tunnel policy and a passive WAN optimization policy to the server-side FortiGate unit.
The active policy accepts the traffic to be optimized and sends it down the WAN optimization tunnel to the server- side FortiGate unit. The active policy can also apply security profiles and other features to traffic before it exits the client-side FortiGate unit.
A tunnel explicit proxy policy on the sever-side FortiGate unit allows the server-side FortiGate unit to form a WAN optimization tunnel with the client-side FortiGate unit. The passive WAN optimization policy is required because of the active policy on the client-side FortiGate unit. You can also use the passive policy to apply WAN optimization transparent mode and features such as security profiles, logging, traffic shaping and web caching to the traffic before it exits the server-side FortiGate unit.
Network topology and assumptions
On the client-side FortiGate unit this example configuration includes a WAN optimization profile that optimizes CIFS, HTTP, and FTP traffic and an active WAN optimization policy. The active policy also applies virus scanning to the WAN optimization traffic.
On the server-side FortiGate unit, the passive policy applies application control to the WAN optimization traffic.
In this example, WAN optimization transparent mode is selected in the WAN optimization profile and the passive WAN optimization policy accepts this transparent mode setting. This means that the optimized packets maintain their original source and destination addresses. As a result, routing on the client network must be configured to route packets for the server network to the client-side FortiGate unit. Also the routing configuration on the server network must be able to route packets for the client network to the server-side FortiGate unit.
Example active-passive WAN optimization topology
General configuration steps
This section breaks down the configuration for this example into smaller procedures. For best results, follow the procedures in the order given:
1. Configure the client-side FortiGate unit:
- Add peers.
- Add a WAN optimization profile to optimize CIFS, FTP, and HTTP traffic.
- Add firewall addresses for the client and web server networks.
- Add an active WAN optimization policy.
- 2. Configure the server-side FortiGate unit by:
- Add peers.
- Add firewall addresses for the client and web server networks.
- Add a passive WAN optimization policy.
- Add a WAN optimization tunnel policy.
Configuring basic active-passive WAN optimization – web-based manager
Use the following steps to configure the example WAN optimization configuration from the client-side and server- side FortiGate unit web-based manager.
To configure the client-side FortiGate unit
1. Go to WAN Opt. & Cache > Peers and enter a Local Host ID for the client-side FortiGate unit:
Local Host ID Client-Fgt
2. Select Apply.
3. Select Create New and add a Peer Host ID and the IP Address for the server-side FortiGate unit:
Peer Host ID Server-Fgt
IP Address 192.168.20.1
4. Select OK.
5. Go to WAN Opt. & Cache > Profiles and select Create New to add a WAN optimization profile to optimize CIFS, HTTP, and FTP traffic:
Name Custom-wan-opt-pro
Transparent Mode Select
6. Select the CIFS protocol, select Byte Caching and set the Port to 445.
7. Select the FTP protocol, select Byte Caching and set the Port to 21.
8. Select the HTTP protocol, select Byte Caching and set the Port to 80.
9. Select OK.
10. Go to Policy & Objects > Addresses and select Create New to add an address for the client network.
Category Address
Address Name Client-Net
Type IP Range
Subnet / IP Range 172.20.120.100-172.20.120.200
Interface port1
11. Select Create New to add an address for the web server network.
Category Address
Address Name Web-Server-Net
Type Subnet
Subnet / IP Range 192.168.10.0/24
Interface port2
12. Go to Policy & Objects > IPv4 Policy and select Create New to add an active WAN optimization security policy:
Incoming Interface port1
Source Address Client-Net
Outgoing Interface port2
Destination Address Web-Server-Net
Schedule always
Service HTTP FTP SMB
Action ACCEPT
13. Turn on WAN Optimization and configure the following settings:
WAN Optimization active
Profile Custom-wan-opt-pro
14. Turn on Antivirus and select the default antivirus profile.
15. Select OK.
To configure the server-side FortiGate unit
1. Go to WAN Opt. & Cache > Peers and enter a Local Host ID for the server-side FortiGate unit:
Local Host ID Server-Fgt
2. Select Apply.
3. Select Create New and add a Peer Host ID and the IP Address for the client-side FortiGate unit:
Peer Host ID Client-Fgt
IP Address 172.30.120.1
4. Select OK.
5. Go to Policy & Objects > Addresses and select Create New to add an address for the client network.
Category Address
Address Name Client-Net
Type IP Range
Subnet / IP Range 172.20.120.100-172.20.120.200
Interface port1
6. Select Create New to add a firewall address for the web server network.
Category Address
Address Name Web-Server-Net
Type Subnet
Subnet / IP Range 192.168.10.0/24
Interface port2
7. Select OK.
8. Select Policy & Objects > IPv4 Policy and select Create New to add a passive WAN optimization policy that applies application control.
Incoming Interface port2
Source Address Client-Net
Outgoing Interface port1
Destination Address Web-Server-Net
Schedule always
Service ALL
Action ACCEPT
9. Turn on WAN Optimization and configure the following settings:
WAN Optimization passive
Passive Option default
10. Select OK.
11. From the CLI enter the following command to add a WAN optimization tunnel explicit proxy policy.
configure firewall explicit-proxy-policy edit 0
set proxy wanopt set dstintf port1 set srcaddr all set dstaddr all set action accept
set schedule always set service ALL
next end