Fortinet black logo

Handbook

Best practices

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:667717
Download PDF

Best practices

This is a short list of WAN optimization and explicit proxy best practices.

  • WAN optimization tunnel sharing is recommended for similar types of WAN optimization traffic. However, tunnel sharing for different types of traffic is not recommended. For example, aggressive and non-aggressive protocols should not share the same tunnel. See Best practices.
  • Active-passive HA is the recommended HA configuration for WAN optimization. See Best practices.
  • Configure WAN optimization authentication with specific peers. Accepting any peer is not recommended as this can be less secure. See.
  • Set the explicit proxy Default Firewall Policy Action to Deny. This means that a security policy is required to use the explicit web proxy. See .
  • Set the explicit FTP proxy Default Firewall Policy Action to Deny. This means that a security policy is required to use the explicit FTP proxy. See .
  • Do not enable the explicit web or FTP proxy on an interface connected to the Internet. This is a security risk because anyone on the Internet who finds the proxy could use it to hide their source address. If you must enable the proxy on such an interface make sure authentication is required to use the proxy. See .

Best practices

This is a short list of WAN optimization and explicit proxy best practices.

  • WAN optimization tunnel sharing is recommended for similar types of WAN optimization traffic. However, tunnel sharing for different types of traffic is not recommended. For example, aggressive and non-aggressive protocols should not share the same tunnel. See Best practices.
  • Active-passive HA is the recommended HA configuration for WAN optimization. See Best practices.
  • Configure WAN optimization authentication with specific peers. Accepting any peer is not recommended as this can be less secure. See.
  • Set the explicit proxy Default Firewall Policy Action to Deny. This means that a security policy is required to use the explicit web proxy. See .
  • Set the explicit FTP proxy Default Firewall Policy Action to Deny. This means that a security policy is required to use the explicit FTP proxy. See .
  • Do not enable the explicit web or FTP proxy on an interface connected to the Internet. This is a security risk because anyone on the Internet who finds the proxy could use it to hide their source address. If you must enable the proxy on such an interface make sure authentication is required to use the proxy. See .