wanopt profile
Use this command to configure WAN optimization profiles that work in conjunction with security policies to accept specific traffic. All sessions accepted by a firewall policy, that include a WAN optimization profile, and that match that WAN optimization profile, are processed by WAN optimization. WAN optimization profiles must be added to the FortiGates at each end of the tunnel. To learn more about WAN optimization, including profiles and configuration examples, see WAN optimization.
config wanopt profile
edit {name}
# Configure WAN optimization profiles.
set name {string} Profile name. size[35]
set transparent {enable | disable} Enable/disable transparent mode.
set comments {string} Comment. size[255]
set auth-group {string} Optionally add an authentication group to restrict access to the WAN Optimization tunnel to peers in the authentication group. size[35] - datasource(s): wanopt.auth-group.name
config http
set status {enable | disable} Enable/disable HTTP WAN Optimization.
set secure-tunnel {enable | disable} Enable/disable securing the WAN Opt tunnel using SSL. Secure and non-secure tunnels use the same TCP port (7810).
set byte-caching {enable | disable} Enable/disable byte-caching for HTTP. Byte caching reduces the amount of traffic by caching file data sent across the WAN and in future serving if from the cache.
set prefer-chunking {dynamic | fix} Select dynamic or fixed-size data chunking for HTTP WAN Optimization.
dynamic Select dynamic data chunking to help to detect persistent data chunks in a changed file or in an embedded unknown protocol.
fix Select fixed data chunking.
set tunnel-sharing {private | shared | express-shared} Tunnel sharing mode for aggressive/non-aggressive and/or interactive/non-interactive protocols.
private For profiles that accept aggressive protocols such as HTTP and FTP so that these aggressive protocols do not share tunnels with less-aggressive protocols.
shared For profiles that accept nonaggressive and non-interactive protocols.
express-shared For profiles that accept interactive protocols such as Telnet.
set log-traffic {enable | disable} Enable/disable logging.
set port {integer} Single port number or port number range for HTTP. Only packets with a destination port number that matches this port number or range are accepted by this profile. range[1-65535]
set ssl {enable | disable} Enable/disable SSL/TLS offloading (hardware acceleration) for HTTPS traffic in this tunnel.
set ssl-port {integer} Port on which to expect HTTPS traffic for SSL/TLS offloading. range[1-65535]
set unknown-http-version {reject | tunnel | best-effort} How to handle HTTP sessions that do not comply with HTTP 0.9, 1.0, or 1.1.
reject Reject or tear down HTTP sessions that do not use HTTP 0.9, 1.0, or 1.1.
tunnel Pass HTTP traffic that does not use HTTP 0.9, 1.0, or 1.1 without applying HTTP protocol optimization, byte-caching, or web caching. TCP protocol optimization is applied.
best-effort Assume all HTTP sessions comply with HTTP 0.9, 1.0, or 1.1. If a session uses a different HTTP version, it may not parse correctly and the connection may be lost.
set tunnel-non-http {enable | disable} Configure how to process non-HTTP traffic when a profile configured for HTTP traffic accepts a non-HTTP session. Can occur if an application sends non-HTTP traffic using an HTTP destination port.
config cifs
set status {enable | disable} Enable/disable HTTP WAN Optimization.
set secure-tunnel {enable | disable} Enable/disable securing the WAN Opt tunnel using SSL. Secure and non-secure tunnels use the same TCP port (7810).
set byte-caching {enable | disable} Enable/disable byte-caching for HTTP. Byte caching reduces the amount of traffic by caching file data sent across the WAN and in future serving if from the cache.
set prefer-chunking {dynamic | fix} Select dynamic or fixed-size data chunking for HTTP WAN Optimization.
dynamic Select dynamic data chunking to help to detect persistent data chunks in a changed file or in an embedded unknown protocol.
fix Select fixed data chunking.
set tunnel-sharing {private | shared | express-shared} Tunnel sharing mode for aggressive/non-aggressive and/or interactive/non-interactive protocols.
private For profiles that accept aggressive protocols such as HTTP and FTP so that these aggressive protocols do not share tunnels with less-aggressive protocols.
shared For profiles that accept nonaggressive and non-interactive protocols.
express-shared For profiles that accept interactive protocols such as Telnet.
set log-traffic {enable | disable} Enable/disable logging.
set port {integer} Single port number or port number range for CIFS. Only packets with a destination port number that matches this port number or range are accepted by this profile. range[1-65535]
config mapi
set status {enable | disable} Enable/disable HTTP WAN Optimization.
set secure-tunnel {enable | disable} Enable/disable securing the WAN Opt tunnel using SSL. Secure and non-secure tunnels use the same TCP port (7810).
set byte-caching {enable | disable} Enable/disable byte-caching for HTTP. Byte caching reduces the amount of traffic by caching file data sent across the WAN and in future serving if from the cache.
set tunnel-sharing {private | shared | express-shared} Tunnel sharing mode for aggressive/non-aggressive and/or interactive/non-interactive protocols.
private For profiles that accept aggressive protocols such as HTTP and FTP so that these aggressive protocols do not share tunnels with less-aggressive protocols.
shared For profiles that accept nonaggressive and non-interactive protocols.
express-shared For profiles that accept interactive protocols such as Telnet.
set log-traffic {enable | disable} Enable/disable logging.
set port {integer} Single port number or port number range for MAPI. Only packets with a destination port number that matches this port number or range are accepted by this profile. range[1-65535]
config ftp
set status {enable | disable} Enable/disable HTTP WAN Optimization.
set secure-tunnel {enable | disable} Enable/disable securing the WAN Opt tunnel using SSL. Secure and non-secure tunnels use the same TCP port (7810).
set byte-caching {enable | disable} Enable/disable byte-caching for HTTP. Byte caching reduces the amount of traffic by caching file data sent across the WAN and in future serving if from the cache.
set prefer-chunking {dynamic | fix} Select dynamic or fixed-size data chunking for HTTP WAN Optimization.
dynamic Select dynamic data chunking to help to detect persistent data chunks in a changed file or in an embedded unknown protocol.
fix Select fixed data chunking.
set tunnel-sharing {private | shared | express-shared} Tunnel sharing mode for aggressive/non-aggressive and/or interactive/non-interactive protocols.
private For profiles that accept aggressive protocols such as HTTP and FTP so that these aggressive protocols do not share tunnels with less-aggressive protocols.
shared For profiles that accept nonaggressive and non-interactive protocols.
express-shared For profiles that accept interactive protocols such as Telnet.
set log-traffic {enable | disable} Enable/disable logging.
set port {integer} Single port number or port number range for FTP. Only packets with a destination port number that matches this port number or range are accepted by this profile. range[1-65535]
config tcp
set status {enable | disable} Enable/disable HTTP WAN Optimization.
set secure-tunnel {enable | disable} Enable/disable securing the WAN Opt tunnel using SSL. Secure and non-secure tunnels use the same TCP port (7810).
set byte-caching {enable | disable} Enable/disable byte-caching for HTTP. Byte caching reduces the amount of traffic by caching file data sent across the WAN and in future serving if from the cache.
set byte-caching-opt {mem-only | mem-disk} Select whether TCP byte-caching uses system memory only or both memory and disk space.
mem-only Byte caching with memory only.
mem-disk Byte caching with memory and disk.
set tunnel-sharing {private | shared | express-shared} Tunnel sharing mode for aggressive/non-aggressive and/or interactive/non-interactive protocols.
private For profiles that accept aggressive protocols such as HTTP and FTP so that these aggressive protocols do not share tunnels with less-aggressive protocols.
shared For profiles that accept nonaggressive and non-interactive protocols.
express-shared For profiles that accept interactive protocols such as Telnet.
set log-traffic {enable | disable} Enable/disable logging.
set port {string} Single port number or port number range for TCP. Only packets with a destination port number that matches this port number or range are accepted by this profile.
set ssl {enable | disable} Enable/disable SSL/TLS offloading.
set ssl-port {integer} Port on which to expect HTTPS traffic for SSL/TLS offloading. range[1-65535]
next
end
Additional information
The following section is for those options that require additional explanation.
transparent {enable | disable}
Enable (by default) or disable transparent mode for this profile. When enabled, WAN optimization keeps the original source address of the packets, so servers appear to receive traffic directly from clients. When disabled, the source address of the packets received by servers is changed to the address of the FortiGate interface, so servers appear to receive packets from the FortiGate. Routing on the server network is simpler in this case because client addresses are not involved, however the server won't be able to tell which individual client is sending traffic.
comments <comments>
Optional comments.
auth-group <group>
Note: Assigning an authentication group is mandatory if secure-tunnel has been enabled for the profile. Peer authentication group to be used by this WAN optimization profile. Both client and server FortiGates must add the same authentication group, with both the same names and pre-shared key or certificate.
config {http | cifs | mapi | ftp | tcp}
Use this configuration method to determine various WAN optimization settings for each protocol. The table below depicts those entries that are available for certain protocols (port numbers are the default values for each protocol):
| Protocols | http | cifs | mapi | ftp | tcp |
|---|---|---|---|---|---|
| byte-caching-opt | ✔ | ||||
| prefer-chunking | ✔ | ✔ | ✔ | ||
| port | 80 | 445 | 135 | 21 | 1-65535 |
| ssl | ✔ | ✔ | |||
| ssl-port | 443 | 443 990 995 465 993 | |||
| unknown-http-version | ✔ | ||||
| tunnel-non-http | ✔ |
status {enable | disable}
Enable or disable (by default) the profile.
secure-tunnel {enable | disable}
Note: This entry can only be enabled when an authentication group has already been assigned to the profile (see the auth-group entry above).
Enable or disable (by default) the use of AES-128bit-CBC SSL to encrypt and secure traffic in the WAN optimization tunnel.
The FortiGates use FortiASIC acceleration to accelerate SSL decryption and encryption of the secure tunnel. The secure tunnel uses the same TCP port as a non-secure tunnel (TCP port 7810).
byte-caching {enable | disable}
Enable (by default, except tcp which is set to disable) or disable WAN optimization byte caching for the traffic accepted by this profile.
Byte caching is a WAN optimization technique that reduces the amount of data that has to be transmitted across a WAN by caching file data to be retrieved later, as required.
byte-caching-opt {mem-only | mem-disk}
Note: This entry is only available when configuring tcp.
Byte caching method:
- mem-only: Byte caching with memory only (set by default).
- mem-disk: Byte caching with memory and disk.
prefer-chunking {dynamic | fix}
Note: This entry is only available when configuring either http, cifs, or ftp.
Data chunking preference:
- dynamic: Dynamic data chunking preferred. Use to help detect persistent data chunks in a changed file or in an embedded unknown protocol.
- fix: Fixed-size data chunking preferred (set by default).
Note that, while prefer-chunking is not available in tcp or mapi, TCP chunking algorithm will be dynamic, so long as byte-caching-opt is set to mem-disk.
MAPI only uses dynamic, and thus has no option.
tunnel-sharing {private | shared | express-shared}
Tunnel sharing mode:
- private: Used for profiles that accept aggressive protocols such as HTTP and FTP so as to not share tunnels with less-aggressive protocols (set by default).
- shared: Used for profiles that accept non-aggressive and non-interactive protocols.
- express-shared: Used for profiles that accept interactive protocols, such as Telnet.
log-traffic {enable | disable}
Enable (by default) or disable traffic logging.
port <number>
Port used by each protocol for the profile. Only packets whose destination port number matches this port number or port number range will be accepted by and subject to this profile.
Set the value between 1-65535 (default values vary between each protocol; see table above).
ssl {enable | disable}
Note: This entry is only available when configuring either http or tcp.
Enable or disable (by default) SSL offloading for HTTPS traffic.
If enabled, the profile will be ready to accept SSL-encrypted traffic (HTTPS traffic) because ssl-port will become available and is set to 443 by default (see entry below).
Also, when enabled, you must add an SSL server for each HTTP server that you want to offload SSL encryption/decryption for by using the config wanopt ssl-server command.
ssl-port <https-ports>
Note: This entry is only available when ssl is set to enable.
Ports used for HTTPS traffic offloading. Set value between 1-65535 (default values vary between each protocol; see table above).
unknown-http-version {reject | tunnel | best-effort}
Note: This entry is only available when configuring http.
Action to take when an unknown version of HTTP is encountered. Unknown HTTP sessions are those that don't comply with HTTP 0.9, 1.0, or 1.1.
- reject: Rejects requests with unknown HTTP version.
- tunnel: Tunnels requests with unknown HTTP version (set by default).
- best-effort: Proceeds with best effort.
tunnel-non-http {enable | disable}
Note: This entry is only available when configuring http.
Enable to pass non-HTTP sessions through the tunnel without applying protocol optimization, byte-caching, or web-caching. TCP protocol optimization is applied to non-HTTP sessions. Disable (by default) to drop non-HTTP sessions that were otherwise accepted by the profile.