Description
In a manual (peer-to-peer) configuration, the WAN optimization tunnel is set up between one client-side FortiGate and one server-side FortiGate.
The peer ID of the server-side FortiGate is added to the client-side WAN optimization policy.
When the client-side FortiGate initiates a tunnel with the server-side FortiGate, the packets that initiate the tunnel include information that allows the server-side FortiGate to determine that it is a manual tunnel request.
The server-side FortiGate does not require a WAN optimization profile: add the client-side peer host ID and IP address to the server-side FortiGate's peer list and, from the CLI, add an explicit proxy policy to accept WAN optimization tunnel connections.
Solution
Network topology:
- Client-side FortiGate has WAN IP address 10.109.17.11 and LAN network 10.220.0.0/20
- Server-side FortiGate has WAN IP address 10.109.17.10 and LAN network 10.230.0.0/20
Configuring the Client-side FortiGate:
1) Enable the feature 'WAN OPT. & Cache'.
From CLI:
# config system settings
set gui-wanopt-cache enable <-----
end
2) Add peers.
Go to WAN Opt. & Cache -> Peers and enter a Local Host ID for the client-side FortiGate.
Select 'Create New' and add the Peer Host ID and IP address of the server-side FortiGate:
3) Configure a WAN optimization profile to optimize traffic (in this case, HTTP traffic).
4) Add a manual WAN optimization security policy.
- Create a policy from LAN towards WAN with manual wanopt set (wanopt-detection off and the server-side peer named explicitly):
# config firewall policy
edit 3
set name "wan-opt-policy"
set srcintf "port1"
set dstintf "port2"
set srcaddr "lan"
set dstaddr "server-lan"
set action accept
set schedule "always"
set service "ALL"
set inspection-mode proxy
set wanopt enable
set wanopt-detection off
set wanopt-profile "default"
set wanopt-peer "Server-FGT"
next
end
Configuring the Server-side FortiGate:
1) Set a Host ID and add the client-side peer.
# config wanopt settings
set host-id "Server-FGT"
end
# config wanopt peer
edit "client-FGT"
set ip 10.109.17.11
next
end
2) Add a WAN optimization tunnel explicit proxy policy.
# config firewall proxy-policy
edit 0
set proxy wanopt
set dstintf port1
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ALL
next
end
Verification:
- Initiate traffic from the client network to the server network.
- A tunnel will be created between the two peers on TCP port 7810.
- Enter the following command to list all of the running WAN optimization tunnels and display information about each one. The command output for the client-side FortiGate shows 10 tunnels, all created by peer-to-peer WAN optimization rules (auto-detect set to off).
FG3H1E-3 # diag wad tunnel list
Tunnel: id=11 type=manual
vd=0 shared=no uses=0 state=2
peer name=Server-FGT id=3 ip=10.109.17.10
SSL-secured-tunnel=no auth-grp=
bytes_in=484 bytes_out=884
Tunnel: id=10 type=manual
vd=0 shared=no uses=0 state=2
peer name=Server-FGT id=3 ip=10.109.17.10
SSL-secured-tunnel=no auth-grp=
bytes_in=100 bytes_out=164
Tunnel: id=8 type=manual
vd=0 shared=no uses=0 state=2
peer name=Server-FGT id=2 ip=10.109.17.10
SSL-secured-tunnel=no auth-grp=
bytes_in=68 bytes_out=104
Tunnel: id=9 type=manual
vd=0 shared=no uses=0 state=2
peer name=Server-FGT id=3 ip=10.109.17.10
SSL-secured-tunnel=no auth-grp=
bytes_in=68 bytes_out=104
Tunnel: id=6 type=manual
vd=0 shared=no uses=0 state=2
peer name=Server-FGT id=2 ip=10.109.17.10
SSL-secured-tunnel=no auth-grp=
bytes_in=68 bytes_out=104
Tunnel: id=7 type=manual
vd=0 shared=no uses=0 state=2
peer name=Server-FGT id=2 ip=10.109.17.10
SSL-secured-tunnel=no auth-grp=
bytes_in=68 bytes_out=104
Tunnel: id=2 type=manual
vd=0 shared=no uses=0 state=2
peer name=Server-FGT id=1 ip=10.109.17.10
SSL-secured-tunnel=no auth-grp=
bytes_in=132 bytes_out=224
Tunnel: id=4 type=manual
vd=0 shared=no uses=0 state=2
peer name=Server-FGT id=1 ip=10.109.17.10
SSL-secured-tunnel=no auth-grp=
bytes_in=68 bytes_out=104
Tunnel: id=5 type=manual
vd=0 shared=no uses=0 state=2
peer name=Server-FGT id=2 ip=10.109.17.10
SSL-secured-tunnel=no auth-grp=
bytes_in=68 bytes_out=104
Tunnel: id=1 type=manual
vd=0 shared=no uses=0 state=2
peer name=Server-FGT id=1 ip=10.109.17.10
SSL-secured-tunnel=no auth-grp=
bytes_in=68 bytes_out=104
Tunnel: id=3 type=manual
vd=0 shared=no uses=0 state=2
peer name=Server-FGT id=1 ip=10.109.17.10
SSL-secured-tunnel=no auth-grp=
bytes_in=68 bytes_out=104
Tunnels total=11 manual=11 auto=0
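As an added verification aid (not part of the original article and not a Fortinet tool), the following Python script parses 'diag wad tunnel list' output of the shape shown above and audits it: it checks that the trailing summary line agrees with the number of tunnel records, that every tunnel is type=manual and terminates at the expected peer name and IP, and it flags every tunnel whose record shows SSL-secured-tunnel=no, since such a tunnel does not itself encrypt the optimized traffic between the two FortiGates. The embedded sample output is a constructed three-tunnel subset of the listing above; the peer name and IP handed to the audit are the article's own values.

```python
"""Parse and audit FortiGate 'diag wad tunnel list' output.

Added example: not part of the original article or FortiOS. The record
layout follows the output shown in the article; the sample below is a
constructed three-tunnel subset of that listing.
"""
import re

# Constructed sample, modelled on the article's listing (first three tunnels).
SAMPLE_OUTPUT = """\
FG3H1E-3 # diag wad tunnel list
Tunnel: id=11 type=manual
vd=0 shared=no uses=0 state=2
peer name=Server-FGT id=3 ip=10.109.17.10
SSL-secured-tunnel=no auth-grp=
bytes_in=484 bytes_out=884
Tunnel: id=10 type=manual
vd=0 shared=no uses=0 state=2
peer name=Server-FGT id=3 ip=10.109.17.10
SSL-secured-tunnel=no auth-grp=
bytes_in=100 bytes_out=164
Tunnel: id=8 type=manual
vd=0 shared=no uses=0 state=2
peer name=Server-FGT id=2 ip=10.109.17.10
SSL-secured-tunnel=no auth-grp=
bytes_in=68 bytes_out=104
Tunnels total=3 manual=3 auto=0
"""

# key=value tokens; keys may contain '-' (SSL-secured-tunnel, auth-grp)
# and values may be empty (auth-grp=).
KV = re.compile(r"([A-Za-z_][\w-]*)=(\S*)")


def parse_tunnel_list(text):
    """Return (tunnels, summary).

    tunnels: one dict per 'Tunnel:' record; keys from the 'peer ...' line
             are prefixed with 'peer_' so the peer id does not overwrite
             the tunnel id.
    summary: ints from the trailing 'Tunnels total=... manual=... auto=...'.
    """
    tunnels, summary, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Tunnel:"):
            current = dict(KV.findall(line))        # id, type
            tunnels.append(current)
        elif line.startswith("Tunnels total"):
            summary = {k: int(v) for k, v in KV.findall(line)}
        elif current is not None and line.startswith("peer "):
            current.update(("peer_" + k, v) for k, v in KV.findall(line))
        elif current is not None:
            current.update(KV.findall(line))        # vd/state, SSL flag, byte counters
    return tunnels, summary


def audit_tunnels(text, expected_peer_name, expected_peer_ip):
    """Audit a listing against the configured peer; return a report dict.

    Findings are raised for: summary/record count mismatch, non-manual
    tunnels, tunnels to an unexpected peer name or IP, and tunnels that
    are not SSL-secured (no tunnel-level encryption between the peers).
    """
    tunnels, summary = parse_tunnel_list(text)
    findings = []
    if summary.get("total") != len(tunnels):
        findings.append("summary reports total=%s but %d records were parsed"
                        % (summary.get("total"), len(tunnels)))
    for t in tunnels:
        tid = t.get("id", "?")
        if t.get("type") != "manual":
            findings.append("tunnel %s is type=%s, expected manual" % (tid, t.get("type")))
        if (t.get("peer_name"), t.get("peer_ip")) != (expected_peer_name, expected_peer_ip):
            findings.append("tunnel %s terminates at %s/%s, expected %s/%s"
                            % (tid, t.get("peer_name"), t.get("peer_ip"),
                               expected_peer_name, expected_peer_ip))
        if t.get("SSL-secured-tunnel") != "yes":
            findings.append("tunnel %s is not SSL-secured" % tid)
    return {
        "tunnel_count": len(tunnels),
        "manual": sum(1 for t in tunnels if t.get("type") == "manual"),
        "bytes_in": sum(int(t.get("bytes_in", 0)) for t in tunnels),
        "bytes_out": sum(int(t.get("bytes_out", 0)) for t in tunnels),
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_tunnels(SAMPLE_OUTPUT, "Server-FGT", "10.109.17.10")
    print("tunnels=%d manual=%d bytes_in=%d bytes_out=%d"
          % (report["tunnel_count"], report["manual"],
             report["bytes_in"], report["bytes_out"]))
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Run against the sample, the report counts three manual tunnels to Server-FGT/10.109.17.10 and raises three findings, one per tunnel, because each record shows SSL-secured-tunnel=no; pasting a real listing in place of SAMPLE_OUTPUT (or reading it from a file) gives the same checks for a live client-side FortiGate.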
Related document:
https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/715540/fortios-wan-optimizati...
Copyright 2024 Fortinet, Inc. All Rights Reserved.