Tunnels
All optimized traffic passes between the FortiGate units over a WAN optimization tunnel. Traffic in the tunnel can be sent in plain text or encrypted. Both plain text and the encrypted tunnels use TCP destination port 7810.
Secure tunneling
You can configure a WAN optimization profile to use SSL secure tunneling to encrypt the traffic in the WAN optimization tunnel using AES‑128bit‑CBC SSL. WAN optimization uses FortiASIC acceleration to accelerate SSL decryption and encryption of the secure tunnel. Secure tunneling can be enabled in both manual and active-passive WAN optimization configuration. See Manual and active-passive for more information.
To use secure tunneling, you must add an authentication group and enable SSL Secure Tunneling in a WAN optimization profile. The Accept peers(s) setting of the authentication group does not affect secure tunneling. See Secure tunneling configuration example for sample configuration.
Tunnel sharing
Tunnel sharing means multiple WAN optimization sessions share the same tunnel. It can improve performance by reducing the number of WAN optimization tunnels between FortiGate units. Having fewer tunnels means less data to manage. Also, tunnel setup requires more than one exchange of information between the ends of the tunnel. Once the tunnel is set up, each new session that shares the tunnel avoids tunnel setup delays.
Tunnel sharing also uses bandwidth more efficiently by reducing the chances that small packets will be sent down the tunnel. For example, suppose a FortiGate unit is processing five WAN optimization sessions and each session has 100 bytes to send. If these sessions use a shared tunnel, WAN optimization combines the packets from all five sessions into one 500-byte packet. If each session uses its own private tunnel, five 100-byte packets will be sent instead. Each packet also requires a TCP ACK reply. The combined packet in the shared tunnel requires one TCP ACK packet. The separate packets in the private tunnels require five.
Tunnel sharing is not always recommended and may not always be the best practice. For instance, aggressive and non-aggressive protocols should not share the same tunnel. An aggressive protocol can be defined as a protocol that is able to get more bandwidth than a non-aggressive protocol, for example, HTTP and FTP. If aggressive and non-aggressive protocols share the same tunnel, the aggressive protocols may take all of the available bandwidth. As a result, the performance of less aggressive protocols could be reduced.
To avoid this problem, rules for HTTP and FTP traffic should have their own tunnel. To do this, set tunnel-sharing
to private
for WAN optimization rules that accept HTTP or FTP traffic.
It is also useful to set tunnel-sharing
to express-shared
for applications, such as Telnet, that are very interactive but not aggressive.
Set tunnel-sharing
to shared
for applications that are not aggressive and are not sensitive to latency or delays.
Example configuration
To configure tunnel sharing for HTTP traffic in a WAN optimization profile:
config wanopt profile edit default config http set tunnel-sharing {express-shared | private | shared} end next end