FortiGate
athirat (Staff)
Article Id 191660

Description
In a manual (peer-to-peer) configuration, the WAN optimization tunnel is set up between one client-side FortiGate and one server-side FortiGate.
The peer ID of the server-side FortiGate is added to the client-side WAN optimization policy.
When the client-side FortiGate initiates a tunnel with the server-side FortiGate, the packets that initiate the tunnel carry information that lets the server-side FortiGate determine that it is a manual tunnel request.
The server-side FortiGate does not require a WAN optimization profile. Instead, add the client peer host ID and IP address to the server-side FortiGate's peer list and, from the CLI, add an explicit proxy policy that accepts WAN optimization tunnel connections.

Solution

Network topology:

- Client-side FortiGate: WAN IP address 10.109.17.11, LAN network 10.220.0.0/20
- Server-side FortiGate: WAN IP address 10.109.17.10, LAN network 10.230.0.0/20

Configuring the client-side FortiGate:

1) Enable the feature 'WAN OPT. & Cache'.
From CLI:
# config system settings
    set gui-wanopt-cache enable <-----
end
2) Add peers.

Go to WAN Opt. & Cache -> Peers and enter a Local Host ID for the client-side FortiGate.
Select 'Create New' and add the Peer Host ID and IP address of the server-side FortiGate:
3) Configure a WAN optimization profile to optimize traffic (in this case, HTTP traffic).
4) Add a manual WAN optimization security policy.

- Create a policy from LAN to WAN with WAN optimization enabled and detection set to off (manual mode), referencing the server-side peer:
# config firewall policy
    edit 3
        set name "wan-opt-policy"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "lan"
        set dstaddr "server-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set wanopt enable
        set wanopt-detection off
        set wanopt-profile "default"
        set wanopt-peer "Server-FGT"
    next
end
Configuring the server-side FortiGate:

1) Set a Host ID and add the client peer.
# config wanopt settings
    set host-id "Server-FGT"
end

# config wanopt peer
    edit "client-FGT"
        set ip 10.109.17.11
    next
end
2) Add a WAN optimization tunnel explicit proxy policy.
# config firewall proxy-policy
    edit 0
        set proxy wanopt
        set dstintf port1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
end
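The steps above only work when the two sides agree with each other: the client policy's 'wanopt-peer' must equal the server's 'host-id', each side's peer list must name the other side's host ID with its WAN IP, and the server must have an accepting proxy policy with 'set proxy wanopt'. The following script is an added example, not Fortinet's code: it parses FortiOS-style CLI snippets into dictionaries and checks those relationships before the tunnel is tested. The CLI text is constructed from the article's values; the client-side 'host-id' and 'config wanopt peer' block are assumed CLI equivalents of the GUI peer steps, and all function names are my own.

```python
"""Consistency check for a manual (peer-to-peer) FortiGate WAN optimization setup.

Added example, not Fortinet's code. parse_fortios() turns FortiOS-style CLI
blocks (config / edit / set / next / end) into nested dicts; check_manual_wanopt()
verifies that the client-side and server-side settings agree.
"""
import shlex
from typing import Any, Dict, List

# Constructed from the article's client-side steps; the wanopt settings/peer
# blocks are assumed CLI equivalents of the GUI 'Peers' page.
CLIENT_CLI = """
config system settings
    set gui-wanopt-cache enable <-----
end
config wanopt settings
    set host-id "client-FGT"
end
config wanopt peer
    edit "Server-FGT"
        set ip 10.109.17.10
    next
end
config firewall policy
    edit 3
        set srcaddr "lan"
        set dstaddr "server-lan"
        set action accept
        set inspection-mode proxy
        set wanopt enable
        set wanopt-detection off
        set wanopt-profile "default"
        set wanopt-peer "Server-FGT"
    next
end
"""

# Constructed from the article's server-side steps.
SERVER_CLI = """
config wanopt settings
    set host-id "Server-FGT"
end
config wanopt peer
    edit "client-FGT"
        set ip 10.109.17.11
    next
end
config firewall proxy-policy
    edit 0
        set proxy wanopt
        set dstintf port1
        set srcaddr all
        set dstaddr all
        set action accept
    next
end
"""


def parse_fortios(text: str) -> Dict[str, Any]:
    """Parse FortiOS CLI blocks into nested dicts keyed by table name and entry."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        # drop '#' prompts and '<-----' annotations copied from articles
        line = raw.split("<---")[0].strip().lstrip("#").strip()
        if not line:
            continue
        kw, *args = shlex.split(line)
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return root


def check_manual_wanopt(client: Dict[str, Any], server: Dict[str, Any],
                        client_wan_ip: str, server_wan_ip: str) -> List[str]:
    """Return a list of mismatches; an empty list means both sides agree."""
    problems: List[str] = []
    client_id = client.get("wanopt settings", {}).get("host-id")
    server_id = server.get("wanopt settings", {}).get("host-id")
    if not client_id or not server_id:
        problems.append("host-id must be set in 'config wanopt settings' on both sides")
    # Client policy: manual mode needs proxy inspection, wanopt enabled,
    # detection off, and a wanopt-peer equal to the server's host-id.
    policies = [(k, p) for k, p in client.get("firewall policy", {}).items()
                if p.get("wanopt") == "enable"]
    if not policies:
        problems.append("client: no firewall policy with 'set wanopt enable'")
    for pid, pol in policies:
        if pol.get("inspection-mode") != "proxy":
            problems.append(f"client policy {pid}: needs 'set inspection-mode proxy'")
        if pol.get("wanopt-detection") != "off":
            problems.append(f"client policy {pid}: manual tunnel needs 'set wanopt-detection off'")
        if pol.get("wanopt-peer") != server_id:
            problems.append(f"client policy {pid}: wanopt-peer {pol.get('wanopt-peer')!r} "
                            f"does not match server host-id {server_id!r}")
    # Each side's peer list must name the other side's host-id with its WAN IP.
    if client.get("wanopt peer", {}).get(server_id, {}).get("ip") != server_wan_ip:
        problems.append(f"client: no wanopt peer {server_id!r} with ip {server_wan_ip}")
    if server.get("wanopt peer", {}).get(client_id, {}).get("ip") != client_wan_ip:
        problems.append(f"server: no wanopt peer {client_id!r} with ip {client_wan_ip}")
    # The server needs an explicit proxy policy that accepts the tunnel.
    if not any(p.get("proxy") == "wanopt" and p.get("action") == "accept"
               for p in server.get("firewall proxy-policy", {}).values()):
        problems.append("server: no accepting proxy-policy with 'set proxy wanopt'")
    return problems


if __name__ == "__main__":
    issues = check_manual_wanopt(parse_fortios(CLIENT_CLI), parse_fortios(SERVER_CLI),
                                 "10.109.17.11", "10.109.17.10")
    print("OK" if not issues else "\n".join(issues))
```

Paste each unit's 'show wanopt settings', 'show wanopt peer', 'show firewall policy' and 'show firewall proxy-policy' output into the two strings to check a live pair; a renamed host ID on one side shows up as both a policy mismatch and a missing peer entry.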
Verification:

- Initiate traffic from the client network to the server network.
- A tunnel is created between the two peers on TCP port 7810.
- Enter the following command to list all running WAN optimization tunnels and display information about each one. The command output on the client-side FortiGate shows 10 tunnels, all created by peer-to-peer WAN optimization rules (auto-detect set to off).
FG3H1E-3 # diag wad tunnel list

Tunnel: id=11 type=manual
    vd=0 shared=no uses=0 state=2
    peer name=Server-FGT id=3 ip=10.109.17.10
    SSL-secured-tunnel=no auth-grp=
    bytes_in=484 bytes_out=884

Tunnel: id=10 type=manual
    vd=0 shared=no uses=0 state=2
    peer name=Server-FGT id=3 ip=10.109.17.10
    SSL-secured-tunnel=no auth-grp=
    bytes_in=100 bytes_out=164

Tunnel: id=8 type=manual
    vd=0 shared=no uses=0 state=2
    peer name=Server-FGT id=2 ip=10.109.17.10
    SSL-secured-tunnel=no auth-grp=
    bytes_in=68 bytes_out=104

Tunnel: id=9 type=manual
    vd=0 shared=no uses=0 state=2
    peer name=Server-FGT id=3 ip=10.109.17.10
    SSL-secured-tunnel=no auth-grp=
    bytes_in=68 bytes_out=104

Tunnel: id=6 type=manual
    vd=0 shared=no uses=0 state=2
    peer name=Server-FGT id=2 ip=10.109.17.10
    SSL-secured-tunnel=no auth-grp=
    bytes_in=68 bytes_out=104

Tunnel: id=7 type=manual
    vd=0 shared=no uses=0 state=2
    peer name=Server-FGT id=2 ip=10.109.17.10
    SSL-secured-tunnel=no auth-grp=
    bytes_in=68 bytes_out=104

Tunnel: id=2 type=manual
    vd=0 shared=no uses=0 state=2
    peer name=Server-FGT id=1 ip=10.109.17.10
    SSL-secured-tunnel=no auth-grp=
    bytes_in=132 bytes_out=224

Tunnel: id=4 type=manual
    vd=0 shared=no uses=0 state=2
    peer name=Server-FGT id=1 ip=10.109.17.10
    SSL-secured-tunnel=no auth-grp=
    bytes_in=68 bytes_out=104

Tunnel: id=5 type=manual
    vd=0 shared=no uses=0 state=2
    peer name=Server-FGT id=2 ip=10.109.17.10
    SSL-secured-tunnel=no auth-grp=
    bytes_in=68 bytes_out=104

Tunnel: id=1 type=manual
    vd=0 shared=no uses=0 state=2
    peer name=Server-FGT id=1 ip=10.109.17.10
    SSL-secured-tunnel=no auth-grp=
    bytes_in=68 bytes_out=104

Tunnel: id=3 type=manual
    vd=0 shared=no uses=0 state=2
    peer name=Server-FGT id=1 ip=10.109.17.10
    SSL-secured-tunnel=no auth-grp=
    bytes_in=68 bytes_out=104

Tunnels total=11 manual=11 auto=0
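When many tunnels are listed, reading them by eye is error-prone. The script below is an added example, not Fortinet's code: it parses the record format printed by 'diag wad tunnel list' and reports what a reviewer wants after a manual setup: the tunnel count, whether every tunnel terminates on the expected peer IP, whether the trailer totals match the records, and how many tunnels report 'SSL-secured-tunnel=no' (optimized traffic on TCP 7810 then crosses the WAN unencrypted, so it should be counted and decided on deliberately). SAMPLE is a constructed three-tunnel excerpt using the article's values; all names are my own.

```python
"""Summarize 'diag wad tunnel list' output from a FortiGate.

Added example, not Fortinet's code. parse_tunnel_list() reads the tunnel
records and the 'Tunnels total=...' trailer; summarize() applies the checks
a reviewer wants after a manual (peer-to-peer) WAN optimization setup.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed excerpt in the command's format, using the article's values.
SAMPLE = """FG3H1E-3 # diag wad tunnel list

Tunnel: id=11 type=manual
    vd=0 shared=no uses=0 state=2
    peer name=Server-FGT id=3 ip=10.109.17.10
    SSL-secured-tunnel=no auth-grp=
    bytes_in=484 bytes_out=884

Tunnel: id=10 type=manual
    vd=0 shared=no uses=0 state=2
    peer name=Server-FGT id=3 ip=10.109.17.10
    SSL-secured-tunnel=no auth-grp=
    bytes_in=100 bytes_out=164

Tunnel: id=2 type=manual
    vd=0 shared=no uses=0 state=2
    peer name=Server-FGT id=1 ip=10.109.17.10
    SSL-secured-tunnel=no auth-grp=
    bytes_in=132 bytes_out=224

Tunnels total=3 manual=3 auto=0
"""

HEADER = re.compile(r"^Tunnel:\s+id=(\d+)\s+type=(\w+)$")
KV = re.compile(r"([\w-]+)=(\S*)")  # key=value pairs; value may be empty (auth-grp=)


@dataclass
class Tunnel:
    tid: int
    ttype: str
    state: int
    peer_name: str
    peer_ip: str
    ssl_secured: bool
    bytes_in: int
    bytes_out: int


def parse_tunnel_list(output: str) -> Tuple[List[Tunnel], Dict[str, int]]:
    """Return (tunnels, trailer_totals) parsed from the command output."""
    tunnels: List[Tunnel] = []
    totals: Dict[str, int] = {}
    cur: Dict[str, str] = {}

    def flush() -> None:
        if cur:
            tunnels.append(Tunnel(
                tid=int(cur["id"]), ttype=cur["type"], state=int(cur.get("state", -1)),
                peer_name=cur.get("peer_name", ""), peer_ip=cur.get("peer_ip", ""),
                ssl_secured=cur.get("SSL-secured-tunnel") == "yes",
                bytes_in=int(cur.get("bytes_in", 0)), bytes_out=int(cur.get("bytes_out", 0))))
            cur.clear()

    for raw in output.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            flush()
            cur.update(id=m.group(1), type=m.group(2))
        elif line.startswith("Tunnels total"):
            flush()
            totals = {k: int(v) for k, v in KV.findall(line)}
        elif line.startswith("peer "):
            # 'peer name=X id=N ip=A' reuses the key 'id'; keep it apart from the tunnel id
            kv = dict(KV.findall(line))
            cur.update(peer_name=kv.get("name", ""), peer_ip=kv.get("ip", ""))
        elif cur and line:
            cur.update(KV.findall(line))
    flush()
    return tunnels, totals


def summarize(tunnels: List[Tunnel], totals: Dict[str, int],
              expected_peer_ip: str) -> Dict[str, object]:
    """Checks worth running after a manual peer-to-peer setup."""
    manual = sum(t.ttype == "manual" for t in tunnels)
    return {
        "count": len(tunnels),
        "all_manual": manual == len(tunnels),
        "unexpected_peers": sorted({t.peer_ip for t in tunnels if t.peer_ip != expected_peer_ip}),
        "unencrypted": sum(1 for t in tunnels if not t.ssl_secured),
        "totals_match": totals.get("total") == len(tunnels) and totals.get("manual") == manual,
        "bytes_in": sum(t.bytes_in for t in tunnels),
        "bytes_out": sum(t.bytes_out for t in tunnels),
    }


if __name__ == "__main__":
    tl, tot = parse_tunnel_list(SAMPLE)
    for key, value in summarize(tl, tot, "10.109.17.10").items():
        print(f"{key}: {value}")
```

Feed it the real output of the command (for example, copied from an SSH session) in place of SAMPLE; a non-empty 'unexpected_peers' list or a 'totals_match' of False points at a peer or parsing problem worth looking into before trusting the tunnel.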
Related document:
https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/715540/fortios-wan-optimizati...
