Fortinet white logo
Fortinet white logo

Administration Guide

Overview

Overview

The following topics provide an overview on WAN optimization:

Client/server architecture

Traffic across a WAN typically consists of clients on a client network communicating across a WAN with a remote server network. The clients do this by starting communication sessions from the client network across a WAN to the server network. When you have FortiGates on each end, you can optimize these sessions by adding a WAN optimization profile.

To use WAN optimization, the FortiGate units can operate in either NAT or transparent mode. The client-side and server-side FortiGate units do not have to be operating in the same mode. The client-side FortiGate unit is located between the client network and the WAN. The server-side FortiGate unit is located between the server network and the WAN.

Note

WAN optimization profiles are only added to the client-side. The server-side FortiGate unit employs the WAN optimization settings set in the WAN optimization profile on the client-side FortiGate unit.

Profiles

Use WAN optimization profiles to apply WAN optimization techniques to traffic to be optimized. In a WAN optimization profile you can select the protocols to be optimized and for HTTP protocol. You can also enable SSL offloading (if supported), secure tunneling, byte caching, transparent mode, and optionally select an authentication group. You can edit the default WAN optimization profile or create new ones. See Configuration examples for sample configuration.

Transparent mode

Servers receiving packets after WAN optimization see different source addresses depending on whether or not you select Transparent Mode. See Transparent mode for more information.

Authentication group Select this option and select an authentication group so that the client and server-side FortiGate units must authenticate with each other before starting the WAN optimization tunnel. See Peers and authentication groups for more information.
Protocol Select CIFS, FTP, HTTP, MAPI or TCP to apply protocol optimization for the selected protocols. See Protocol optimization for more information.
SSL Offloading

Select to apply SSL offloading for HTTPS traffic. You can use SSL offloading to offload SSL encryption and decryption from one or more HTTP servers to the FortiGate unit. If you enable this option, you must also use one of the following option to achieve SSL offloading:

  • Enable ssl profile with ssl deep-inspection in the WAN optimization firewall policy on the client-side and use the CLI command config firewall ssl-server to add an SSL server on the server-side for each HTTP server that you want to offload SSL encryption and decryption for.

  • Enable ssl profile with ssl deep-inspection in the WAN optimization firewall policy on client-side and WAN optimization proxy policy on server-side to accept SSL encrypted traffic.

SSL Secure Tunneling

The WAN optimization tunnel is encrypted using SSL encryption. You must also add an authentication group to the profile. See Secure tunneling for more information.

Byte Caching

Select to apply WAN optimization byte caching to the sessions accepted by this rule. See Byte caching for more information.

Overview

Overview

The following topics provide an overview on WAN optimization:

Client/server architecture

Traffic across a WAN typically consists of clients on a client network communicating across a WAN with a remote server network. The clients do this by starting communication sessions from the client network across a WAN to the server network. When you have FortiGates on each end, you can optimize these sessions by adding a WAN optimization profile.

To use WAN optimization, the FortiGate units can operate in either NAT or transparent mode. The client-side and server-side FortiGate units do not have to be operating in the same mode. The client-side FortiGate unit is located between the client network and the WAN. The server-side FortiGate unit is located between the server network and the WAN.

Note

WAN optimization profiles are only added to the client-side. The server-side FortiGate unit employs the WAN optimization settings set in the WAN optimization profile on the client-side FortiGate unit.

Profiles

Use WAN optimization profiles to apply WAN optimization techniques to traffic to be optimized. In a WAN optimization profile you can select the protocols to be optimized and for HTTP protocol. You can also enable SSL offloading (if supported), secure tunneling, byte caching, transparent mode, and optionally select an authentication group. You can edit the default WAN optimization profile or create new ones. See Configuration examples for sample configuration.

Transparent mode

Servers receiving packets after WAN optimization see different source addresses depending on whether or not you select Transparent Mode. See Transparent mode for more information.

Authentication group Select this option and select an authentication group so that the client and server-side FortiGate units must authenticate with each other before starting the WAN optimization tunnel. See Peers and authentication groups for more information.
Protocol Select CIFS, FTP, HTTP, MAPI or TCP to apply protocol optimization for the selected protocols. See Protocol optimization for more information.
SSL Offloading

Select to apply SSL offloading for HTTPS traffic. You can use SSL offloading to offload SSL encryption and decryption from one or more HTTP servers to the FortiGate unit. If you enable this option, you must also use one of the following option to achieve SSL offloading:

  • Enable ssl profile with ssl deep-inspection in the WAN optimization firewall policy on the client-side and use the CLI command config firewall ssl-server to add an SSL server on the server-side for each HTTP server that you want to offload SSL encryption and decryption for.

  • Enable ssl profile with ssl deep-inspection in the WAN optimization firewall policy on client-side and WAN optimization proxy policy on server-side to accept SSL encrypted traffic.

SSL Secure Tunneling

The WAN optimization tunnel is encrypted using SSL encryption. You must also add an authentication group to the profile. See Secure tunneling for more information.

Byte Caching

Select to apply WAN optimization byte caching to the sessions accepted by this rule. See Byte caching for more information.