Fortinet black logo

Handbook

Active-passive WAN optimization

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:496922
Download PDF

Active-passive WAN optimization

In active-passive WAN optimization you add an active WAN optimization policy to the client-side FortiGate unit and you add a WAN optimization tunnel policy and a passive WAN optimization policy to the server-side FortiGate unit.

The active policy accepts the traffic to be optimized and sends it down the WAN optimization tunnel to the server-side FortiGate unit. The active policy can also apply security profiles and other features to traffic before it exits the client-side FortiGate unit.

A tunnel explicit proxy policy on the sever-side FortiGate unit allows the server-side FortiGate unit to form a WAN optimization tunnel with the client-side FortiGate unit. The passive WAN optimization policy is required because of the active policy on the client-side FortiGate unit. You can also use the passive policy to apply WAN optimization transparent mode and features such as security profiles, logging, traffic shaping and web caching to the traffic before it exits the server-side FortiGate unit.

Network topology and assumptions

On the client-side FortiGate unit this example configuration includes a WAN optimization profile that optimizes CIFS, HTTP, and FTP traffic and an active WAN optimization policy. The active policy also applies virus scanning to the WAN optimization traffic.

On the server-side FortiGate unit, the passive policy applies application control to the WAN optimization traffic.

In this example, WAN optimization transparent mode is selected in the WAN optimization profile and the passive WAN optimization policy accepts this transparent mode setting. This means that the optimized packets maintain their original source and destination addresses. As a result, routing on the client network must be configured to route packets for the server network to the client-side FortiGate unit. Also the routing configuration on the server network must be able to route packets for the client network to the server-side FortiGate unit.

Example active-passive WAN optimization topology

General configuration steps

This section breaks down the configuration for this example into smaller procedures. For best results, follow the procedures in the order given:

  1. Configure the client-side FortiGate unit:
    • Add peers.
    • Add a WAN optimization profile to optimize CIFS, FTP, and HTTP traffic.
    • Add firewall addresses for the client and web server networks.
    • Add an active WAN optimization policy.
  2. Configure the server-side FortiGate unit by:
    • Add peers.
    • Add firewall addresses for the client and web server networks.
    • Add a passive WAN optimization policy.
    • Add a WAN optimization tunnel policy.

Configuring basic active-passive WAN optimization - GUI

Use the following steps to configure the example WAN optimization configuration from the client-side and server-side FortiGate unit GUI.

To configure the client-side FortiGate unit
  1. Go to WAN Opt. & Cache > Peersand enter a Local Host ID for the client-side FortiGate unit:
    Local Host IDClient-Fgt
  2. Select Apply.
  3. Select Create New and add a Peer Host ID and the IP Address for the server-side FortiGate unit:
    Peer Host IDServer-Fgt
    IP Address192.168.20.1
  4. Select OK.
  5. Go to WAN Opt. & Cache > Profilesand select Create New to add a WAN optimization profile to optimize CIFS, HTTP, and FTP traffic:
    NameCustom-wan-opt-pro
    Transparent ModeSelect
  6. Select the CIFS protocol, select Byte Caching and set the Port to 445.
  7. Select the FTP protocol, select Byte Caching and set the Port to 21.
  8. Select the HTTP protocol, select Byte Caching and set the Port to 80.
  9. Select OK.
  10. Go to Policy & Objects > Addresses and select Create New to add an address for the client network.
    CategoryAddress
    Address NameClient-Net
    TypeIP Range
    Subnet / IP Range172.20.120.100-172.20.120.200
    Interfaceport1
  11. Select Create New to add an address for the web server network.
    CategoryAddress
    Address NameWeb-Server-Net
    TypeSubnet
    Subnet / IP Range192.168.10.0/24
    Interfaceport2
  12. Go to Policy & Objects > IPv4 Policy and select Create New to add an active WAN optimization security policy:
    Incoming Interfaceport1
    Source AddressClient-Net
    Outgoing Interfaceport2
    Destination AddressWeb-Server-Net
    Schedulealways
    ServiceHTTP
    FTP
    SMB
    ActionACCEPT
  13. Turn on WAN Optimization and configure the following settings:
    WAN Optimizationactive
    ProfileCustom-wan-opt-pro
  14. Turn on Antivirus and select the default antivirus profile.
  15. Select OK.
To configure the server-side FortiGate unit
  1. Go to WAN Opt. & Cache > Peersand enter a Local Host ID for the server-side FortiGate unit:
    Local Host IDServer-Fgt
  2. Select Apply.
  3. Select Create New and add a Peer Host ID and the IP Address for the client-side FortiGate unit:
    Peer Host IDClient-Fgt
    IP Address172.30.120.1
  4. Select OK.
  5. Go to Policy & Objects > Addresses and select Create New to add an address for the client network.
    CategoryAddress
    Address NameClient-Net
    TypeIP Range
    Subnet / IP Range172.20.120.100-172.20.120.200
    Interfaceport1
  6. Select Create New to add a firewall address for the web server network.
    CategoryAddress
    Address NameWeb-Server-Net
    TypeSubnet
    Subnet / IP Range192.168.10.0/24
    Interfaceport2
  7. Select OK.
  8. Select Policy & Objects > IPv4 Policy and select Create New to add a passive WAN optimization policy that applies application control.
    Incoming Interfaceport2
    Source AddressClient-Net
    Outgoing Interfaceport1
    Destination AddressWeb-Server-Net
    Schedulealways
    ServiceALL
    ActionACCEPT
  9. Turn on WAN Optimization and configure the following settings:
    WAN Optimizationpassive
    Passive Optiondefault
  10. Select OK.
  11. From the CLI enter the following command to add a WAN optimization tunnel explicit proxy policy.

    configure firewall proxy-policy

    edit 0

    set proxy wanopt

    set dstintf port1

    set srcaddr all

    set dstaddr all

    set action accept

    set schedule always

    set service ALL

    end

Configuring basic active-passive WAN optimization - CLI

Use the following steps to configure the example WAN optimization configuration from the client-side and server-side FortiGate unit CLI.

To configure the client-side FortiGate unit
  1. Add the Local Host ID to the client-side FortiGate configuration:

    config wanopt settings

    set host-id Client-Fgt

    end

  2. Add the server-side Local Host ID to the client-side peer list:

    config wanopt peer

    edit Server-Fgt

    set ip 192.168.20.1

    end

  3. Add a WAN optimization profile to optimize CIFS, HTTP, and FTP traffic.

    config wanopt profile

    edit Custom-wan-opt-pro

    config cifs

    set status enable

    set byte-caching enable

    set port 445

    end

    config http

    set status enable

    set byte-caching enable

    set port 80

    end

    config ftp

    set status enable

    set byte-caching enable

    set port 21

    end

    end

  4. Add a firewall address for the client network.

    config firewall address

    edit Client-Net

    set type iprange

    set start-ip 172.20.120.100

    set end-ip 172.20.120.200

    set associated-interface port1

    end

  5. Add a firewall address for the web server network.

    config firewall address

    edit Web-Server-Net

    set type ipmask

    set subnet 192.168.10.0 255.255.255.0

    set associated-interface port2

    end

  6. Add an active WAN optimization security policy that applies virus scanning:

    config firewall policy

    edit 0

    set srcintf port1

    set dstintf port2

    set srcaddr Client-net

    set dstaddr Web-Server-Net

    set action accept

    set service HTTP FTP SMB

    set schedule always

    set wanopt enable

    set wanopt-detection active

    set wanopt-profile Custom-wan-opt-pro

    end

To configure the server-side FortiGate unit
  1. Add the Local Host ID to the server-side FortiGate configuration:

    config wanopt settings

    set host-id Server-Fgt

    end

  2. Add the client-side Local Host ID to the server-side peer list:

    config wanopt peer

    edit Client-Fgt

    set ip 172.20.120.1

    end

  3. Add a firewall address for the client network.

    config firewall address

    edit Client-Net

    set type iprange

    set start-ip 172.20.120.100

    set end-ip 172.20.120.200

    set associated-interface port1

    end

  4. Add a firewall address for the web server network.

    config firewall address

    edit Web-Server-Net

    set type ipmask

    set subnet 192.168.10.0 255.255.255.0

    set associated-interface port2

    end

  5. Add a passive WAN optimization policy.

    config firewall policy

    edit 0

    set srcintf port1

    set dstintf port2

    set srcaddr Client-Net

    set dstaddr Web-Server-Net

    set action accept

    set service ALL

    set schedule always

    set wanopt enable

    set wanopt-detection passive

    set wanopt-passive-opt default

    end

  6. Add a WAN optimization tunnel explicit proxy policy.

    configure firewall proxy-policy

    edit 0

    set proxy wanopt

    set dstintf port1

    set srcaddr all

    set dstaddr all

    set action accept

    set schedule always

    set service ALL

    end

Testing and troubleshooting the configuration

To test the configuration attempt to start a web browsing session between the client network and the web server network. For example, from a PC on the client network browse to the IP address of a web server on the web server network, for example http://192.168.10.100. Even though this address is not on the client network you should be able to connect to this web server over the WAN optimization tunnel.

If you can connect, check WAN optimization monitoring. If WAN optimization has been forwarding the traffic the WAN optimization monitor should show the protocol that has been optimized (in this case HTTP) and the reduction rate in WAN bandwidth usage.

If you can’t connect you can try the following to diagnose the problem:

  • Review your configuration and make sure all details such as address ranges, peer names, and IP addresses are correct.
  • Confirm that the security policy on the Client-Side FortiGate unit is accepting traffic for the 192.168.10.0 network and that this security policy does not include security profiles. You can do this by checking the FortiGate session table from the dashboard. Look for sessions that use the policy ID of this policy.
  • Check routing on the FortiGate units and on the client and web server networks to make sure packets can be forwarded as required. The FortiGate units must be able to communicate with each other, routing on the client network must allow packets destined for the web server network to be received by the client-side FortiGate unit, and packets from the server-side FortiGate unit must be able to reach the web servers etc.

You can use the following get and diagnose commands to display information about how WAN optimization is operating

Enter the following command to list all of the running WAN optimization tunnels and display information about each one. The command output shows 3 tunnels all created by peer-to-peer WAN optimization rules (auto-detect set to on).

diagnose wad tunnel list

Tunnel: id=139 type=auto

vd=0 shared=no uses=0 state=1

peer name= id=0 ip=unknown

SSL-secured-tunnel=no auth-grp=test

bytes_in=744 bytes_out=76

Tunnel: id=141 type=auto

vd=0 shared=no uses=0 state=1

peer name= id=0 ip=unknown

SSL-secured-tunnel=no auth-grp=test

bytes_in=727 bytes_out=76

Tunnel: id=142 type=auto

vd=0 shared=no uses=0 state=1

peer name= id=0 ip=unknown

SSL-secured-tunnel=no auth-grp=test

bytes_in=727 bytes_out=76

Tunnels total=3 manual=0 auto=3

Active-passive WAN optimization

In active-passive WAN optimization you add an active WAN optimization policy to the client-side FortiGate unit and you add a WAN optimization tunnel policy and a passive WAN optimization policy to the server-side FortiGate unit.

The active policy accepts the traffic to be optimized and sends it down the WAN optimization tunnel to the server-side FortiGate unit. The active policy can also apply security profiles and other features to traffic before it exits the client-side FortiGate unit.

A tunnel explicit proxy policy on the sever-side FortiGate unit allows the server-side FortiGate unit to form a WAN optimization tunnel with the client-side FortiGate unit. The passive WAN optimization policy is required because of the active policy on the client-side FortiGate unit. You can also use the passive policy to apply WAN optimization transparent mode and features such as security profiles, logging, traffic shaping and web caching to the traffic before it exits the server-side FortiGate unit.

Network topology and assumptions

On the client-side FortiGate unit this example configuration includes a WAN optimization profile that optimizes CIFS, HTTP, and FTP traffic and an active WAN optimization policy. The active policy also applies virus scanning to the WAN optimization traffic.

On the server-side FortiGate unit, the passive policy applies application control to the WAN optimization traffic.

In this example, WAN optimization transparent mode is selected in the WAN optimization profile and the passive WAN optimization policy accepts this transparent mode setting. This means that the optimized packets maintain their original source and destination addresses. As a result, routing on the client network must be configured to route packets for the server network to the client-side FortiGate unit. Also the routing configuration on the server network must be able to route packets for the client network to the server-side FortiGate unit.

Example active-passive WAN optimization topology

General configuration steps

This section breaks down the configuration for this example into smaller procedures. For best results, follow the procedures in the order given:

  1. Configure the client-side FortiGate unit:
    • Add peers.
    • Add a WAN optimization profile to optimize CIFS, FTP, and HTTP traffic.
    • Add firewall addresses for the client and web server networks.
    • Add an active WAN optimization policy.
  2. Configure the server-side FortiGate unit by:
    • Add peers.
    • Add firewall addresses for the client and web server networks.
    • Add a passive WAN optimization policy.
    • Add a WAN optimization tunnel policy.

Configuring basic active-passive WAN optimization - GUI

Use the following steps to configure the example WAN optimization configuration from the client-side and server-side FortiGate unit GUI.

To configure the client-side FortiGate unit
  1. Go to WAN Opt. & Cache > Peersand enter a Local Host ID for the client-side FortiGate unit:
    Local Host IDClient-Fgt
  2. Select Apply.
  3. Select Create New and add a Peer Host ID and the IP Address for the server-side FortiGate unit:
    Peer Host IDServer-Fgt
    IP Address192.168.20.1
  4. Select OK.
  5. Go to WAN Opt. & Cache > Profilesand select Create New to add a WAN optimization profile to optimize CIFS, HTTP, and FTP traffic:
    NameCustom-wan-opt-pro
    Transparent ModeSelect
  6. Select the CIFS protocol, select Byte Caching and set the Port to 445.
  7. Select the FTP protocol, select Byte Caching and set the Port to 21.
  8. Select the HTTP protocol, select Byte Caching and set the Port to 80.
  9. Select OK.
  10. Go to Policy & Objects > Addresses and select Create New to add an address for the client network.
    CategoryAddress
    Address NameClient-Net
    TypeIP Range
    Subnet / IP Range172.20.120.100-172.20.120.200
    Interfaceport1
  11. Select Create New to add an address for the web server network.
    CategoryAddress
    Address NameWeb-Server-Net
    TypeSubnet
    Subnet / IP Range192.168.10.0/24
    Interfaceport2
  12. Go to Policy & Objects > IPv4 Policy and select Create New to add an active WAN optimization security policy:
    Incoming Interfaceport1
    Source AddressClient-Net
    Outgoing Interfaceport2
    Destination AddressWeb-Server-Net
    Schedulealways
    ServiceHTTP
    FTP
    SMB
    ActionACCEPT
  13. Turn on WAN Optimization and configure the following settings:
    WAN Optimizationactive
    ProfileCustom-wan-opt-pro
  14. Turn on Antivirus and select the default antivirus profile.
  15. Select OK.
To configure the server-side FortiGate unit
  1. Go to WAN Opt. & Cache > Peersand enter a Local Host ID for the server-side FortiGate unit:
    Local Host IDServer-Fgt
  2. Select Apply.
  3. Select Create New and add a Peer Host ID and the IP Address for the client-side FortiGate unit:
    Peer Host IDClient-Fgt
    IP Address172.30.120.1
  4. Select OK.
  5. Go to Policy & Objects > Addresses and select Create New to add an address for the client network.
    CategoryAddress
    Address NameClient-Net
    TypeIP Range
    Subnet / IP Range172.20.120.100-172.20.120.200
    Interfaceport1
  6. Select Create New to add a firewall address for the web server network.
    CategoryAddress
    Address NameWeb-Server-Net
    TypeSubnet
    Subnet / IP Range192.168.10.0/24
    Interfaceport2
  7. Select OK.
  8. Select Policy & Objects > IPv4 Policy and select Create New to add a passive WAN optimization policy that applies application control.
    Incoming Interfaceport2
    Source AddressClient-Net
    Outgoing Interfaceport1
    Destination AddressWeb-Server-Net
    Schedulealways
    ServiceALL
    ActionACCEPT
  9. Turn on WAN Optimization and configure the following settings:
    WAN Optimizationpassive
    Passive Optiondefault
  10. Select OK.
  11. From the CLI enter the following command to add a WAN optimization tunnel explicit proxy policy.

    configure firewall proxy-policy

    edit 0

    set proxy wanopt

    set dstintf port1

    set srcaddr all

    set dstaddr all

    set action accept

    set schedule always

    set service ALL

    end

Configuring basic active-passive WAN optimization - CLI

Use the following steps to configure the example WAN optimization configuration from the client-side and server-side FortiGate unit CLI.

To configure the client-side FortiGate unit
  1. Add the Local Host ID to the client-side FortiGate configuration:

    config wanopt settings

    set host-id Client-Fgt

    end

  2. Add the server-side Local Host ID to the client-side peer list:

    config wanopt peer

    edit Server-Fgt

    set ip 192.168.20.1

    end

  3. Add a WAN optimization profile to optimize CIFS, HTTP, and FTP traffic.

    config wanopt profile

    edit Custom-wan-opt-pro

    config cifs

    set status enable

    set byte-caching enable

    set port 445

    end

    config http

    set status enable

    set byte-caching enable

    set port 80

    end

    config ftp

    set status enable

    set byte-caching enable

    set port 21

    end

    end

  4. Add a firewall address for the client network.

    config firewall address

    edit Client-Net

    set type iprange

    set start-ip 172.20.120.100

    set end-ip 172.20.120.200

    set associated-interface port1

    end

  5. Add a firewall address for the web server network.

    config firewall address

    edit Web-Server-Net

    set type ipmask

    set subnet 192.168.10.0 255.255.255.0

    set associated-interface port2

    end

  6. Add an active WAN optimization security policy that applies virus scanning:

    config firewall policy

    edit 0

    set srcintf port1

    set dstintf port2

    set srcaddr Client-net

    set dstaddr Web-Server-Net

    set action accept

    set service HTTP FTP SMB

    set schedule always

    set wanopt enable

    set wanopt-detection active

    set wanopt-profile Custom-wan-opt-pro

    end

To configure the server-side FortiGate unit
  1. Add the Local Host ID to the server-side FortiGate configuration:

    config wanopt settings

    set host-id Server-Fgt

    end

  2. Add the client-side Local Host ID to the server-side peer list:

    config wanopt peer

    edit Client-Fgt

    set ip 172.20.120.1

    end

  3. Add a firewall address for the client network.

    config firewall address

    edit Client-Net

    set type iprange

    set start-ip 172.20.120.100

    set end-ip 172.20.120.200

    set associated-interface port1

    end

  4. Add a firewall address for the web server network.

    config firewall address

    edit Web-Server-Net

    set type ipmask

    set subnet 192.168.10.0 255.255.255.0

    set associated-interface port2

    end

  5. Add a passive WAN optimization policy.

    config firewall policy

    edit 0

    set srcintf port1

    set dstintf port2

    set srcaddr Client-Net

    set dstaddr Web-Server-Net

    set action accept

    set service ALL

    set schedule always

    set wanopt enable

    set wanopt-detection passive

    set wanopt-passive-opt default

    end

  6. Add a WAN optimization tunnel explicit proxy policy.

    configure firewall proxy-policy

    edit 0

    set proxy wanopt

    set dstintf port1

    set srcaddr all

    set dstaddr all

    set action accept

    set schedule always

    set service ALL

    end

Testing and troubleshooting the configuration

To test the configuration attempt to start a web browsing session between the client network and the web server network. For example, from a PC on the client network browse to the IP address of a web server on the web server network, for example http://192.168.10.100. Even though this address is not on the client network you should be able to connect to this web server over the WAN optimization tunnel.

If you can connect, check WAN optimization monitoring. If WAN optimization has been forwarding the traffic the WAN optimization monitor should show the protocol that has been optimized (in this case HTTP) and the reduction rate in WAN bandwidth usage.

If you can’t connect you can try the following to diagnose the problem:

  • Review your configuration and make sure all details such as address ranges, peer names, and IP addresses are correct.
  • Confirm that the security policy on the Client-Side FortiGate unit is accepting traffic for the 192.168.10.0 network and that this security policy does not include security profiles. You can do this by checking the FortiGate session table from the dashboard. Look for sessions that use the policy ID of this policy.
  • Check routing on the FortiGate units and on the client and web server networks to make sure packets can be forwarded as required. The FortiGate units must be able to communicate with each other, routing on the client network must allow packets destined for the web server network to be received by the client-side FortiGate unit, and packets from the server-side FortiGate unit must be able to reach the web servers etc.

You can use the following get and diagnose commands to display information about how WAN optimization is operating

Enter the following command to list all of the running WAN optimization tunnels and display information about each one. The command output shows 3 tunnels all created by peer-to-peer WAN optimization rules (auto-detect set to on).

diagnose wad tunnel list

Tunnel: id=139 type=auto

vd=0 shared=no uses=0 state=1

peer name= id=0 ip=unknown

SSL-secured-tunnel=no auth-grp=test

bytes_in=744 bytes_out=76

Tunnel: id=141 type=auto

vd=0 shared=no uses=0 state=1

peer name= id=0 ip=unknown

SSL-secured-tunnel=no auth-grp=test

bytes_in=727 bytes_out=76

Tunnel: id=142 type=auto

vd=0 shared=no uses=0 state=1

peer name= id=0 ip=unknown

SSL-secured-tunnel=no auth-grp=test

bytes_in=727 bytes_out=76

Tunnels total=3 manual=0 auto=3