Fortinet black logo

Administration Guide

Manual (peer-to-peer) WAN optimization configuration example

Manual (peer-to-peer) WAN optimization configuration example

Note

Please ensure that the Prerequisites are met before proceeding with the configuration example.

See Manual (peer to peer) configurations for conceptual information.

This example configuration includes a client-side FortiGate unit called Client-Fgt with a WAN IP address of 172.20.34.12. This unit is in front of a network with IP address 172.20.120.0. The server-side FortiGate unit is called Server-Fgt with a WAN IP address of 192.168.30.12. This unit is in front of a web server network with IP address 192.168.10.0.

This example customizes the default WAN optimization profile on the client-side FortiGate unit and adds it to the WAN optimization firewall policy. You can also create a new WAN optimization profile.

General configuration steps

This section breaks down the configuration for this example into smaller procedures:

  1. Configure the client-side FortiGate unit:

    • Add peers.

    • Configure the default WAN optimization profile to optimize HTTP traffic.

    • Add a manual WAN optimization firewall policy.

  2. Configure the server-side FortiGate unit:

    • Add peers.

    • Add a WAN optimization proxy policy.

Configuring manual WAN optimization from the GUI

Use the following steps to configure the example configuration from the GUI:

To configure the client-side FortiGate unit:
  1. Go to WAN Opt. & Cache > Peers and change the Host ID of the client-side FortiGate unit:

    1. Click Change. The Host ID pane opens.

    2. Enter a new Host ID:

      Host ID Client-Fgt
    3. Click OK.

  2. Create the server-side FortiGate unit peer:

    1. Select Create New. The New WAN Optimization Peer opens.

    2. Configure the following settings:

      Peer Host ID Server-Fgt
      IP address 192.168.30.12
    3. Click OK.

  3. Go to WAN Opt. & Cache > Profiles and edit the default profile:

    1. Select the default profile and click Edit.

    2. Under Protocol Options, edit HTTP.

    3. Set Status to Enable and click Apply.

    4. Click OK.

  4. Go to Policy & Objects > Firewall Policy to add a manual WAN optimization firewall policy to the client-side FortiGate unit that accepts traffic to be optimized:

    1. Click Create New.

    2. Enter a Name and configure the following settings:

      Incoming Interface port2
      Outgoing Interface port3
      Source all
      Destination all
      Schedule always
      Service ALL
      Action ACCEPT
    3. Set Inspection Mode to Proxy-based.

    4. Enable WAN Optimization and configure the following settings:

      WAN Optimization Manual
      Profiles default
      Peers Server-Fgt
    5. Click OK to save the policy.

To configure the server-side FortiGate unit:
  1. Go to WAN Opt. & Cache > Peers and change the Host ID of the server-side FortiGate unit:

    1. Click Change. The Host ID pane opens.

    2. Enter a new Host ID:

      Host ID Server-Fgt
    3. Click OK.

  2. Create the client-side FortiGate unit peer:

    1. Select Create New. The New WAN Optimization Peer opens.

    2. Configure the following settings:

      Peer Host ID Client-Fgt
      IP address 172.20.34.12
    3. Click OK.

  3. Enter the following CLI command to add a WAN optimization proxy policy to accept WAN optimization tunnel connections:

    config firewall proxy-policy
        edit 0
            set proxy wanopt
            set dstintf port5
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
        next
    end

Configuring basic WAN optimization from the CLI

Use the following steps to configure the example configuration from the CLI.

To configure the client-side FortiGate unit:
  1. Change the Host ID of the client-side FortiGate:

    config wanopt settings
        set host-id Client-Fgt
    end
  2. Add the Host ID of the server-side FortiGate:

    config wanopt peer
        edit Server-Fgt
            set ip 192.168.30.12
        next
    end
  3. Edit the default WAN optimization profile and enable HTTP WAN optimization:

    config wanopt profile
        edit default
            config http
                set status enable
            end
        next
    end
  4. Add a WAN optimization firewall policy to accept the traffic to be optimized:

    config firewall policy
        edit 0
            set srcintf port2
            set dstintf port3
            set srcaddr all
            set dstaddr all
            set action accept
            set service ALL
            set schedule always
            set inspection-mode proxy
            set wanopt enable
            set wanopt-profile default
            set wanopt-detection off
            set wanopt-peer Server-Fgt
        next
    end

When you set the detection mode to off, the policy becomes a manual mode WAN optimization firewall, which is reflected on the GUI.

To configure the server-side FortiGate unit:
  1. Change the Host ID of the server-side FortiGate:

    config wanopt settings
        set host-id Server-Fgt
    end
  2. Add the Host ID of the client-side FortiGate:

    config wanopt peer
        edit Client-Fgt
            set ip 172.20.34.12
        next
    end
  3. Add a WAN optimization proxy policy:

    config firewall proxy-policy
        edit 0
            set proxy wanopt
            set dstintf port5
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
        next
    end

Manual (peer-to-peer) WAN optimization configuration example

Note

Please ensure that the Prerequisites are met before proceeding with the configuration example.

See Manual (peer to peer) configurations for conceptual information.

This example configuration includes a client-side FortiGate unit called Client-Fgt with a WAN IP address of 172.20.34.12. This unit is in front of a network with IP address 172.20.120.0. The server-side FortiGate unit is called Server-Fgt with a WAN IP address of 192.168.30.12. This unit is in front of a web server network with IP address 192.168.10.0.

This example customizes the default WAN optimization profile on the client-side FortiGate unit and adds it to the WAN optimization firewall policy. You can also create a new WAN optimization profile.

General configuration steps

This section breaks down the configuration for this example into smaller procedures:

  1. Configure the client-side FortiGate unit:

    • Add peers.

    • Configure the default WAN optimization profile to optimize HTTP traffic.

    • Add a manual WAN optimization firewall policy.

  2. Configure the server-side FortiGate unit:

    • Add peers.

    • Add a WAN optimization proxy policy.

Configuring manual WAN optimization from the GUI

Use the following steps to configure the example configuration from the GUI:

To configure the client-side FortiGate unit:
  1. Go to WAN Opt. & Cache > Peers and change the Host ID of the client-side FortiGate unit:

    1. Click Change. The Host ID pane opens.

    2. Enter a new Host ID:

      Host ID Client-Fgt
    3. Click OK.

  2. Create the server-side FortiGate unit peer:

    1. Select Create New. The New WAN Optimization Peer opens.

    2. Configure the following settings:

      Peer Host ID Server-Fgt
      IP address 192.168.30.12
    3. Click OK.

  3. Go to WAN Opt. & Cache > Profiles and edit the default profile:

    1. Select the default profile and click Edit.

    2. Under Protocol Options, edit HTTP.

    3. Set Status to Enable and click Apply.

    4. Click OK.

  4. Go to Policy & Objects > Firewall Policy to add a manual WAN optimization firewall policy to the client-side FortiGate unit that accepts traffic to be optimized:

    1. Click Create New.

    2. Enter a Name and configure the following settings:

      Incoming Interface port2
      Outgoing Interface port3
      Source all
      Destination all
      Schedule always
      Service ALL
      Action ACCEPT
    3. Set Inspection Mode to Proxy-based.

    4. Enable WAN Optimization and configure the following settings:

      WAN Optimization Manual
      Profiles default
      Peers Server-Fgt
    5. Click OK to save the policy.

To configure the server-side FortiGate unit:
  1. Go to WAN Opt. & Cache > Peers and change the Host ID of the server-side FortiGate unit:

    1. Click Change. The Host ID pane opens.

    2. Enter a new Host ID:

      Host ID Server-Fgt
    3. Click OK.

  2. Create the client-side FortiGate unit peer:

    1. Select Create New. The New WAN Optimization Peer opens.

    2. Configure the following settings:

      Peer Host ID Client-Fgt
      IP address 172.20.34.12
    3. Click OK.

  3. Enter the following CLI command to add a WAN optimization proxy policy to accept WAN optimization tunnel connections:

    config firewall proxy-policy
        edit 0
            set proxy wanopt
            set dstintf port5
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
        next
    end

Configuring basic WAN optimization from the CLI

Use the following steps to configure the example configuration from the CLI.

To configure the client-side FortiGate unit:
  1. Change the Host ID of the client-side FortiGate:

    config wanopt settings
        set host-id Client-Fgt
    end
  2. Add the Host ID of the server-side FortiGate:

    config wanopt peer
        edit Server-Fgt
            set ip 192.168.30.12
        next
    end
  3. Edit the default WAN optimization profile and enable HTTP WAN optimization:

    config wanopt profile
        edit default
            config http
                set status enable
            end
        next
    end
  4. Add a WAN optimization firewall policy to accept the traffic to be optimized:

    config firewall policy
        edit 0
            set srcintf port2
            set dstintf port3
            set srcaddr all
            set dstaddr all
            set action accept
            set service ALL
            set schedule always
            set inspection-mode proxy
            set wanopt enable
            set wanopt-profile default
            set wanopt-detection off
            set wanopt-peer Server-Fgt
        next
    end

When you set the detection mode to off, the policy becomes a manual mode WAN optimization firewall, which is reflected on the GUI.

To configure the server-side FortiGate unit:
  1. Change the Host ID of the server-side FortiGate:

    config wanopt settings
        set host-id Server-Fgt
    end
  2. Add the Host ID of the client-side FortiGate:

    config wanopt peer
        edit Client-Fgt
            set ip 172.20.34.12
        next
    end
  3. Add a WAN optimization proxy policy:

    config firewall proxy-policy
        edit 0
            set proxy wanopt
            set dstintf port5
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
        next
    end