Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.4.1 Administration Guide
    7.4.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Manual (peer-to-peer) WAN optimization configuration example

    Manual (peer-to-peer) WAN optimization configuration example

    Note

    Please ensure that the Prerequisites are met before proceeding with the configuration example.

    See Manual (peer to peer) configurations for conceptual information.

    This example configuration includes a client-side FortiGate unit called Client-Fgt with a WAN IP address of 172.20.34.12. This unit is in front of a network with IP address 172.20.120.0. The server-side FortiGate unit is called Server-Fgt with a WAN IP address of 192.168.30.12. This unit is in front of a web server network with IP address 192.168.10.0.

    This example customizes the default WAN optimization profile on the client-side FortiGate unit and adds it to the WAN optimization firewall policy. You can also create a new WAN optimization profile.

    General configuration steps

    This section breaks down the configuration for this example into smaller procedures:

    1. Configure the client-side FortiGate unit:

      • Add peers.

      • Configure the default WAN optimization profile to optimize HTTP traffic.

      • Add a manual WAN optimization firewall policy.

    2. Configure the server-side FortiGate unit:

      • Add peers.

      • Add a WAN optimization proxy policy.

    Configuring manual WAN optimization from the GUI

    Use the following steps to configure the example configuration from the GUI:

    To configure the client-side FortiGate unit:

    1. Go to WAN Opt. & Cache > Peers and change the Host ID of the client-side FortiGate unit:

      1. Click Change. The Host ID pane opens.

      2. Enter a new Host ID:

        Host ID Client-Fgt

      3. Click OK.

    2. Create the server-side FortiGate unit peer:

      1. Select Create New. The New WAN Optimization Peer opens.

      2. Configure the following settings:

        Peer Host ID Server-Fgt
        IP address 192.168.30.12

      3. Click OK.

    3. Go to WAN Opt. & Cache > Profiles and edit the default profile:

      1. Select the default profile and click Edit.

      2. Under Protocol Options, edit HTTP.

      3. Set Status to Enable and click Apply.

      4. Click OK.

    4. Go to Policy & Objects > Firewall Policy to add a manual WAN optimization firewall policy to the client-side FortiGate unit that accepts traffic to be optimized:

      1. Click Create New.

      2. Enter a Name and configure the following settings:

        Incoming Interface port2
        Outgoing Interface port3
        Source all
        Destination all
        Schedule always
        Service ALL
        Action ACCEPT

      3. Set Inspection Mode to Proxy-based.

      4. Enable WAN Optimization and configure the following settings:

        WAN Optimization Manual
        Profiles default
        Peers Server-Fgt

      5. Click OK to save the policy.

    To configure the server-side FortiGate unit:

    1. Go to WAN Opt. & Cache > Peers and change the Host ID of the server-side FortiGate unit:

      1. Click Change. The Host ID pane opens.

      2. Enter a new Host ID:

        Host ID Server-Fgt

      3. Click OK.

    2. Create the client-side FortiGate unit peer:

      1. Select Create New. The New WAN Optimization Peer opens.

      2. Configure the following settings:

        Peer Host ID Client-Fgt
        IP address 172.20.34.12

      3. Click OK.

    3. Enter the following CLI command to add a WAN optimization proxy policy to accept WAN optimization tunnel connections:

      config firewall proxy-policy
    edit 0
        set proxy wanopt
        set dstintf port5
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
end

    Configuring basic WAN optimization from the CLI

    Use the following steps to configure the example configuration from the CLI.

    To configure the client-side FortiGate unit:

    1. Change the Host ID of the client-side FortiGate:

      config wanopt settings
    set host-id Client-Fgt
end

    2. Add the Host ID of the server-side FortiGate:

      config wanopt peer
    edit Server-Fgt
        set ip 192.168.30.12
    next
end

    3. Edit the default WAN optimization profile and enable HTTP WAN optimization:

      config wanopt profile
    edit default
        config http
            set status enable
        end
    next
end

    4. Add a WAN optimization firewall policy to accept the traffic to be optimized:

      config firewall policy
    edit 0
        set srcintf port2
        set dstintf port3
        set srcaddr all
        set dstaddr all
        set action accept
        set service ALL
        set schedule always
        set inspection-mode proxy
        set wanopt enable
        set wanopt-profile default
        set wanopt-detection off
        set wanopt-peer Server-Fgt
    next
end

    When you set the detection mode to off, the policy becomes a manual mode WAN optimization firewall, which is reflected on the GUI.

    To configure the server-side FortiGate unit:

    1. Change the Host ID of the server-side FortiGate:

      config wanopt settings
    set host-id Server-Fgt
end

    2. Add the Host ID of the client-side FortiGate:

      config wanopt peer
    edit Client-Fgt
        set ip 172.20.34.12
    next
end

    3. Add a WAN optimization proxy policy:

      config firewall proxy-policy
    edit 0
        set proxy wanopt
        set dstintf port5
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
end
    Previous
    Next

    Manual (peer-to-peer) WAN optimization configuration example

    Manual (peer-to-peer) WAN optimization configuration example

    Note

    Please ensure that the Prerequisites are met before proceeding with the configuration example.

    See Manual (peer to peer) configurations for conceptual information.

    This example configuration includes a client-side FortiGate unit called Client-Fgt with a WAN IP address of 172.20.34.12. This unit is in front of a network with IP address 172.20.120.0. The server-side FortiGate unit is called Server-Fgt with a WAN IP address of 192.168.30.12. This unit is in front of a web server network with IP address 192.168.10.0.

    This example customizes the default WAN optimization profile on the client-side FortiGate unit and adds it to the WAN optimization firewall policy. You can also create a new WAN optimization profile.

    General configuration steps

    This section breaks down the configuration for this example into smaller procedures:

    1. Configure the client-side FortiGate unit:

      • Add peers.

      • Configure the default WAN optimization profile to optimize HTTP traffic.

      • Add a manual WAN optimization firewall policy.

    2. Configure the server-side FortiGate unit:

      • Add peers.

      • Add a WAN optimization proxy policy.

    Configuring manual WAN optimization from the GUI

    Use the following steps to configure the example configuration from the GUI:

    To configure the client-side FortiGate unit:

    1. Go to WAN Opt. & Cache > Peers and change the Host ID of the client-side FortiGate unit:

      1. Click Change. The Host ID pane opens.

      2. Enter a new Host ID:

        Host ID Client-Fgt

      3. Click OK.

    2. Create the server-side FortiGate unit peer:

      1. Select Create New. The New WAN Optimization Peer opens.

      2. Configure the following settings:

        Peer Host ID Server-Fgt
        IP address 192.168.30.12

      3. Click OK.

    3. Go to WAN Opt. & Cache > Profiles and edit the default profile:

      1. Select the default profile and click Edit.

      2. Under Protocol Options, edit HTTP.

      3. Set Status to Enable and click Apply.

      4. Click OK.

    4. Go to Policy & Objects > Firewall Policy to add a manual WAN optimization firewall policy to the client-side FortiGate unit that accepts traffic to be optimized:

      1. Click Create New.

      2. Enter a Name and configure the following settings:

        Incoming Interface port2
        Outgoing Interface port3
        Source all
        Destination all
        Schedule always
        Service ALL
        Action ACCEPT

      3. Set Inspection Mode to Proxy-based.

      4. Enable WAN Optimization and configure the following settings:

        WAN Optimization Manual
        Profiles default
        Peers Server-Fgt

      5. Click OK to save the policy.

    To configure the server-side FortiGate unit:

    1. Go to WAN Opt. & Cache > Peers and change the Host ID of the server-side FortiGate unit:

      1. Click Change. The Host ID pane opens.

      2. Enter a new Host ID:

        Host ID Server-Fgt

      3. Click OK.

    2. Create the client-side FortiGate unit peer:

      1. Select Create New. The New WAN Optimization Peer opens.

      2. Configure the following settings:

        Peer Host ID Client-Fgt
        IP address 172.20.34.12

      3. Click OK.

    3. Enter the following CLI command to add a WAN optimization proxy policy to accept WAN optimization tunnel connections:

      config firewall proxy-policy
    edit 0
        set proxy wanopt
        set dstintf port5
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
end

    Configuring basic WAN optimization from the CLI

    Use the following steps to configure the example configuration from the CLI.

    To configure the client-side FortiGate unit:

    1. Change the Host ID of the client-side FortiGate:

      config wanopt settings
    set host-id Client-Fgt
end

    2. Add the Host ID of the server-side FortiGate:

      config wanopt peer
    edit Server-Fgt
        set ip 192.168.30.12
    next
end

    3. Edit the default WAN optimization profile and enable HTTP WAN optimization:

      config wanopt profile
    edit default
        config http
            set status enable
        end
    next
end

    4. Add a WAN optimization firewall policy to accept the traffic to be optimized:

      config firewall policy
    edit 0
        set srcintf port2
        set dstintf port3
        set srcaddr all
        set dstaddr all
        set action accept
        set service ALL
        set schedule always
        set inspection-mode proxy
        set wanopt enable
        set wanopt-profile default
        set wanopt-detection off
        set wanopt-peer Server-Fgt
    next
end

    When you set the detection mode to off, the policy becomes a manual mode WAN optimization firewall, which is reflected on the GUI.

    To configure the server-side FortiGate unit:

    1. Change the Host ID of the server-side FortiGate:

      config wanopt settings
    set host-id Server-Fgt
end

    2. Add the Host ID of the client-side FortiGate:

      config wanopt peer
    edit Client-Fgt
        set ip 172.20.34.12
    next
end

    3. Add a WAN optimization proxy policy:

      config firewall proxy-policy
    edit 0
        set proxy wanopt
        set dstintf port5
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
end
    Previous
    Next