Administration Guide

Active-passive WAN optimization configuration example

Note

Please ensure that the Prerequisites are met before proceeding with the configuration example.

See Active-passive configurations for conceptual information.

This example configuration includes a client-side FortiGate unit called Client-Fgt with a WAN IP address of 172.30.120.1. This unit is in front of a network with IP address 172.20.120.0. The server-side FortiGate unit is called Server-Fgt and has a WAN IP address of 192.168.20.1. This unit is in front of a web server network with IP address 192.168.10.0.

General configuration steps

This section breaks down the configuration for this example into smaller procedures:

  1. Configure the client-side FortiGate unit:

    • Add peers.

    • Add a WAN optimization profile to optimize CIFS, FTP, and HTTP traffic.

    • Add an active WAN optimization firewall policy.

  2. Configure the server-side FortiGate unit:

    • Add peers.

    • Add a passive WAN optimization firewall policy.

    • Add a WAN optimization proxy policy.

Configuring active-passive WAN optimization from the GUI

Use the following steps to configure the example configuration from the GUI.

To configure the client-side FortiGate unit:
  1. Go to WAN Opt. & Cache > Peers and change the Host ID of the client-side FortiGate unit:

    1. Click Change. The Host ID pane opens.

    2. Enter a new Host ID:

      Host ID Client-Fgt
    3. Click OK.

  2. Create the server-side FortiGate unit peer:

    1. Select Create New. The New WAN Optimization Peer pane opens.

    2. Configure the following settings:

      Peer Host ID Server-Fgt
      IP address 192.168.20.1
    3. Click OK.

  3. Go to WAN Opt. & Cache > Profiles to add a WAN optimization profile to optimize CIFS, HTTP, and FTP traffic:

    1. Select Create New.

    2. Enter the profile name:

      Name Custom-wan-opt-pro
    3. In the Protocol Options section:

      1. Edit CIFS.

      2. Set Status to Enable.

      3. Click Apply.

      4. Repeat these steps to edit and enable FTP and HTTP.

    4. Click OK.

  4. Go to Policy & Objects > Firewall Policy to add an active WAN optimization firewall policy:

    1. Click Create New.

    2. Enter a Name and configure the following settings:

      Incoming Interface port2
      Outgoing Interface port3
      Source all
      Destination all
      Schedule always
      Service HTTP, FTP, SMB
      Action ACCEPT
    3. Set Inspection Mode to Proxy-based.

    4. Enable WAN optimization and configure the following settings:

      WAN Optimization Active
      Profile Custom-wan-opt-pro
    5. Click OK.

To configure the server-side FortiGate unit:
  1. Go to WAN Opt. & Cache > Peers and change the Host ID of the server-side FortiGate unit:

    1. Click Change. The Host ID pane opens.

    2. Enter a new Host ID:

      Host ID Server-Fgt
    3. Click OK.

  2. Create the client-side FortiGate unit peer:

    1. Select Create New. The New WAN Optimization Peer pane opens.

    2. Configure the following settings:

      Peer Host ID Client-Fgt
      IP address 172.30.120.1
    3. Click OK.

  3. Go to Policy & Objects > Firewall Policy to add a passive WAN optimization firewall policy:

    1. Click Create New.

    2. Enter a Name and configure the following settings:

      Incoming Interface port4
      Outgoing Interface port5
      Source all
      Destination all
      Schedule always
      Service ALL
      Action ACCEPT
    3. Set Inspection Mode to Proxy-based.

    4. Enable WAN Optimization and configure the following settings:

      WAN Optimization Passive
      Passive Option Default
    5. Click OK.

  4. Add a WAN optimization proxy policy from the CLI:

    config firewall proxy-policy
        edit 0
            set proxy wanopt
            set dstintf port5
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
        next
    end
    

Configuring basic active-passive WAN optimization from the CLI

Use the following steps to configure the example configuration from the CLI.

To configure the client-side FortiGate unit:
  1. Change the Host ID of the client-side FortiGate:

    config wanopt settings
        set host-id Client-Fgt
    end
  2. Add the Host ID of the server-side FortiGate:

    config wanopt peer
        edit Server-Fgt
            set ip 192.168.20.1
        next
    end
  3. Add a WAN optimization profile to optimize CIFS, HTTP, and FTP traffic:

    config wanopt profile
        edit Custom-wan-opt-pro
            config cifs
                set status enable
            end
            config http
                set status enable
            end
            config ftp
                set status enable
            end
        next
    end
  4. Add an active WAN optimization firewall policy:

    config firewall policy
        edit 0
            set srcintf port2
            set dstintf port3
            set srcaddr all
            set dstaddr all
            set action accept
            set service HTTP FTP SMB
            set schedule always
            set inspection-mode proxy
            set wanopt enable
            set wanopt-detection active
            set wanopt-profile Custom-wan-opt-pro
        next
    end

To configure the server-side FortiGate unit:
  1. Change the Host ID of the server-side FortiGate:

    config wanopt settings
        set host-id Server-Fgt
    end
  2. Add the Host ID of the client-side FortiGate:

    config wanopt peer
        edit Client-Fgt
            set ip 172.30.120.1
        next
    end
  3. Add a passive WAN optimization firewall policy:

    config firewall policy
        edit 0
            set srcintf port4
            set dstintf port5
            set srcaddr all
            set dstaddr all
            set action accept
            set service ALL
            set schedule always
            set inspection-mode proxy
            set wanopt enable
            set wanopt-detection passive
            set wanopt-passive-opt default
        next
    end
    
  4. Add a WAN optimization proxy policy:

    config firewall proxy-policy
        edit 0
            set proxy wanopt
            set dstintf port5
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
        next
    end
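
A consistency check for the two units configured above, as an added example that is not part of the Fortinet guide: it parses each unit's CLI configuration and reports a missing reciprocal peer, an undefined profile on the active policy, or a missing passive policy or WAN optimization proxy policy. The parser, the function names, and the exact-match comparison of host IDs are assumptions of this example.

```python
import re

def parse(text):
    """Parse FortiOS CLI text into {section: [entry dicts]} (top-level 'set' lines only)."""
    cfg, depth, sect, cur = {}, 0, None, None
    for w in (l.split() for l in re.split(r"[;\n]", text) if l.strip()):
        if w[0] == "config":
            depth += 1
            if depth == 1:
                sect, cur = " ".join(w[1:]), None
                cfg.setdefault(sect, [])
        elif w[0] == "end":
            depth -= 1
        elif depth == 1 and w[0] == "edit":
            cur = {"_id": w[1]}
            cfg[sect].append(cur)
        elif depth == 1 and w[0] == "set":
            if cur is None:  # section without 'edit', e.g. 'config wanopt settings'
                cur = {"_id": ""}
                cfg[sect].append(cur)
            cur[w[1]] = " ".join(w[2:])
    return cfg

def check_pair(client_txt, server_txt):
    """Return a list of mismatches between the client-side and server-side configs."""
    c, s = parse(client_txt), parse(server_txt)
    host = lambda cfg: next((e.get("host-id") for e in cfg.get("wanopt settings", [])), None)
    peers = lambda cfg: {e["_id"] for e in cfg.get("wanopt peer", [])}
    profiles = {e["_id"] for e in c.get("wanopt profile", [])}
    active = [p for p in c.get("firewall policy", []) if p.get("wanopt-detection") == "active"]
    passive = [p for p in s.get("firewall policy", []) if p.get("wanopt-detection") == "passive"]
    proxy = [p for p in s.get("firewall proxy-policy", []) if p.get("proxy") == "wanopt"]
    checks = [
        (host(s) in peers(c), "client has no peer matching the server host-id"),
        (host(c) in peers(s), "server has no peer matching the client host-id"),
        (bool(active), "client has no active WAN optimization policy"),
        (all(p.get("wanopt-profile") in profiles for p in active),
         "active policy references an undefined WAN optimization profile"),
        (bool(passive), "server has no passive WAN optimization policy"),
        (bool(proxy), "server has no WAN optimization proxy policy"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed sample: the page's CLI steps, condensed with ';' standing in for newlines.
CLIENT = ("config wanopt settings; set host-id Client-Fgt; end;"
          "config wanopt peer; edit Server-Fgt; set ip 192.168.20.1; next; end;"
          "config wanopt profile; edit Custom-wan-opt-pro; config cifs; set status enable; end; next; end;"
          "config firewall policy; edit 0; set wanopt-detection active; set wanopt-profile Custom-wan-opt-pro; next; end")
SERVER = ("config wanopt settings; set host-id Server-Fgt; end;"
          "config wanopt peer; edit Client-Fgt; set ip 172.30.120.1; next; end;"
          "config firewall policy; edit 0; set wanopt enable; set wanopt-detection passive; next; end;"
          "config firewall proxy-policy; edit 0; set proxy wanopt; set dstintf port5; next; end")
```

`check_pair(CLIENT, SERVER)` returns an empty list for the configuration on this page; `parse` also accepts the newline-separated text of a saved configuration.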
