Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.4.5 Administration Guide
    7.4.5
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Active-passive WAN optimization configuration example

    Active-passive WAN optimization configuration example

    Note

    Please ensure that the Prerequisites are met before proceeding with the configuration example.

    See Active-passive configurations for conceptual information.

    This example configuration includes a client-side FortiGate unit called Client-Fgt with a WAN IP address of 172.30.120.1. This unit is in front of a network with IP address 172.20.120.0. The server-side FortiGate unit is called Server-Fgt and has a WAN IP address of 192.168.20.1. This unit is in front of a web server network with IP address 192.168.10.0.

    General configuration steps

    This section breaks down the configuration for this example into smaller procedures:

    1. Configure the client-side FortiGate unit:

      • Add peers.

      • Add a WAN optimization profile to optimize CIFS, FTP, and HTTP traffic.

      • Add an active WAN optimization firewall policy.

    2. Configure the server-side FortiGate unit:

      • Add peers.

      • Add a passive WAN optimization firewall policy.

      • Add a WAN optimization proxy policy.

    Configuring active-passive WAN optimization from the GUI

    Use the following steps to configure the example configuration from the GUI.

    To configure the client-side FortiGate unit:

    1. Go to WAN Opt. & Cache > Peers and change the Host ID of the client-side FortiGate unit:

      1. Click Change. The Host ID pane opens.

      2. Enter a new Host ID:

        Host ID Client-Fgt

      3. Click OK.

    2. Create the server-side FortiGate unit peer:

      1. Select Create New. The New WAN Optimization Peer opens.

      2. Configure the following settings:

        Peer Host ID Server-Fgt
        IP address 192.168.20.1

      3. Click OK.

    3. Go to WAN Opt & Cache > Profiles to add a WAN optimization profile to optimize CIFS, HTTP, and FTP traffic:

      1. Select Create New.

      2. Enter the profile name:

        Name Custom-wan-opt-pro

      3. In the Protocol Options section:

        1. Edit CIFS.

        2. Set Status to Enable.

        3. Click Apply.

        4. Repeat these steps to edit and enable FTP and HTTP.

      4. Click OK.

    4. Go to Policy & Objects > Firewall Policy to add an active WAN optimization firewall policy:

      1. Click Create New.

      2. Enter a Name and configure the following settings:

        Incoming Interface port2
        Outgoing Interface port3
        Source all
        Destination all
        Schedule always
        Service

        HTTP

        FTP

        SMB
        Action ACCEPT

      3. Set Inspection Mode to Proxy-based.

      4. Enable WAN optimization and configure the following settings:

        WAN Optimization Active
        Profile Custom-wan-opt-pro

      5. Click OK.

    To configure the server-side FortiGate unit:

    1. Go to WAN Opt. & Cache > Peers and change the Host ID of the server-side FortiGate unit:

      1. Click Change. The Host ID pane opens.

      2. Enter a new Host ID:

        Host ID Server-Fgt

      3. Click OK.

    2. Create the client-side FortiGate unit peer:

      1. Select Create New. The New WAN Optimization Peer opens.

      2. Configure the following settings:

        Peer Host ID Client-Fgt
        IP address 172.30.120.1

      3. Click OK.

    3. Go to Policy & Objects > Firewall Policy to add a passive WAN optimization firewall policy:

      1. Click Create New.

      2. Enter a Name and configure the following settings:

        Incoming Interface port4
        Outgoing Interface port5
        Source all
        Destination all
        Schedule always
        Service

        ALL
        Action ACCEPT

      3. Set Inspection Mode to Proxy-based.

      4. Enable WAN Optimization and configure the following settings:

        WAN Optimization Passive
        Passive Option Default

      5. Click OK.

    4. Add a WAN optimization proxy policy from the CLI:

      config firewall proxy-policy
    edit 0
        set proxy wanopt
        set dstintf port5
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
end

    Configuring basic active-passive WAN optimization from the CLI

    Use the following steps to configure the example configuration from the CLI.

    To configure the client-side FortiGate unit:

    1. Change the Host ID of the client-side FortiGate:

      config wanopt settings
    set host-id Client-Fgt
end

    2. Add the Host ID of the server-side FortiGate:

      config wanopt peer
    edit Server-Fgt
        set ip 192.168.20.1
    next
end

    3. Add a WAN optimization profile to optimize CIFS, HTTP, and FTP traffic:

      config wanopt profile
    edit Custom-wan-opt-pro
        config cifs
            set status enable
        end
        config http
            set status enable
        end
        config ftp
            set status enable
        end
    next
end

    4. Add an active WAN optimization firewall policy:

      config firewall policy
    edit 0
        set srcintf port2
        set dstintf port3
        set srcaddr all
        set dstaddr all
        set action accept
        set service HTTP FTP SMB
        set schedule always
        set inspection-mode proxy
        set wanopt enable
        set wanopt-detection active
        set wanopt-profile Custom-wan-opt-pro
    next
end
    To configure the server-side FortiGate unit:

    1. Change the Host ID of the server-side FortiGate:

      config wanopt settings
    set host-id Server-Fgt
end

    2. Add the Host ID of the client-side FortiGate:

      config wanopt peer
    edit Client-Fgt
        set ip 172.30.120.1
    next
end

    3. Add a passive WAN optimization firewall policy:

      config firewall policy
    edit 0
        set srcintf port4
        set dstintf port5
        set srcaddr all
        set dstaddr all
        set action accept
        set service ALL
        set schedule always
        set inspection-mode proxy
        set wanopt enable
        set wanopt-detection passive
        set wanopt-passive-opt default
    next
end

    4. Add a WAN optimization proxy policy:

      config firewall proxy-policy
    edit 0
        set proxy wanopt
        set dstintf port5
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
end
    Previous
    Next

    Active-passive WAN optimization configuration example

    Active-passive WAN optimization configuration example

    Note

    Please ensure that the Prerequisites are met before proceeding with the configuration example.

    See Active-passive configurations for conceptual information.

    This example configuration includes a client-side FortiGate unit called Client-Fgt with a WAN IP address of 172.30.120.1. This unit is in front of a network with IP address 172.20.120.0. The server-side FortiGate unit is called Server-Fgt and has a WAN IP address of 192.168.20.1. This unit is in front of a web server network with IP address 192.168.10.0.

    General configuration steps

    This section breaks down the configuration for this example into smaller procedures:

    1. Configure the client-side FortiGate unit:

      • Add peers.

      • Add a WAN optimization profile to optimize CIFS, FTP, and HTTP traffic.

      • Add an active WAN optimization firewall policy.

    2. Configure the server-side FortiGate unit:

      • Add peers.

      • Add a passive WAN optimization firewall policy.

      • Add a WAN optimization proxy policy.

    Configuring active-passive WAN optimization from the GUI

    Use the following steps to configure the example configuration from the GUI.

    To configure the client-side FortiGate unit:

    1. Go to WAN Opt. & Cache > Peers and change the Host ID of the client-side FortiGate unit:

      1. Click Change. The Host ID pane opens.

      2. Enter a new Host ID:

        Host ID Client-Fgt

      3. Click OK.

    2. Create the server-side FortiGate unit peer:

      1. Select Create New. The New WAN Optimization Peer opens.

      2. Configure the following settings:

        Peer Host ID Server-Fgt
        IP address 192.168.20.1

      3. Click OK.

    3. Go to WAN Opt & Cache > Profiles to add a WAN optimization profile to optimize CIFS, HTTP, and FTP traffic:

      1. Select Create New.

      2. Enter the profile name:

        Name Custom-wan-opt-pro

      3. In the Protocol Options section:

        1. Edit CIFS.

        2. Set Status to Enable.

        3. Click Apply.

        4. Repeat these steps to edit and enable FTP and HTTP.

      4. Click OK.

    4. Go to Policy & Objects > Firewall Policy to add an active WAN optimization firewall policy:

      1. Click Create New.

      2. Enter a Name and configure the following settings:

        Incoming Interface port2
        Outgoing Interface port3
        Source all
        Destination all
        Schedule always
        Service

        HTTP

        FTP

        SMB
        Action ACCEPT

      3. Set Inspection Mode to Proxy-based.

      4. Enable WAN optimization and configure the following settings:

        WAN Optimization Active
        Profile Custom-wan-opt-pro

      5. Click OK.

    To configure the server-side FortiGate unit:

    1. Go to WAN Opt. & Cache > Peers and change the Host ID of the server-side FortiGate unit:

      1. Click Change. The Host ID pane opens.

      2. Enter a new Host ID:

        Host ID Server-Fgt

      3. Click OK.

    2. Create the client-side FortiGate unit peer:

      1. Select Create New. The New WAN Optimization Peer opens.

      2. Configure the following settings:

        Peer Host ID Client-Fgt
        IP address 172.30.120.1

      3. Click OK.

    3. Go to Policy & Objects > Firewall Policy to add a passive WAN optimization firewall policy:

      1. Click Create New.

      2. Enter a Name and configure the following settings:

        Incoming Interface port4
        Outgoing Interface port5
        Source all
        Destination all
        Schedule always
        Service

        ALL
        Action ACCEPT

      3. Set Inspection Mode to Proxy-based.

      4. Enable WAN Optimization and configure the following settings:

        WAN Optimization Passive
        Passive Option Default

      5. Click OK.

    4. Add a WAN optimization proxy policy from the CLI:

      config firewall proxy-policy
    edit 0
        set proxy wanopt
        set dstintf port5
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
end

    Configuring basic active-passive WAN optimization from the CLI

    Use the following steps to configure the example configuration from the CLI.

    To configure the client-side FortiGate unit:

    1. Change the Host ID of the client-side FortiGate:

      config wanopt settings
    set host-id Client-Fgt
end

    2. Add the Host ID of the server-side FortiGate:

      config wanopt peer
    edit Server-Fgt
        set ip 192.168.20.1
    next
end

    3. Add a WAN optimization profile to optimize CIFS, HTTP, and FTP traffic:

      config wanopt profile
    edit Custom-wan-opt-pro
        config cifs
            set status enable
        end
        config http
            set status enable
        end
        config ftp
            set status enable
        end
    next
end

    4. Add an active WAN optimization firewall policy:

      config firewall policy
    edit 0
        set srcintf port2
        set dstintf port3
        set srcaddr all
        set dstaddr all
        set action accept
        set service HTTP FTP SMB
        set schedule always
        set inspection-mode proxy
        set wanopt enable
        set wanopt-detection active
        set wanopt-profile Custom-wan-opt-pro
    next
end
    To configure the server-side FortiGate unit:

    1. Change the Host ID of the server-side FortiGate:

      config wanopt settings
    set host-id Server-Fgt
end

    2. Add the Host ID of the client-side FortiGate:

      config wanopt peer
    edit Client-Fgt
        set ip 172.30.120.1
    next
end

    3. Add a passive WAN optimization firewall policy:

      config firewall policy
    edit 0
        set srcintf port4
        set dstintf port5
        set srcaddr all
        set dstaddr all
        set action accept
        set service ALL
        set schedule always
        set inspection-mode proxy
        set wanopt enable
        set wanopt-detection passive
        set wanopt-passive-opt default
    next
end

    4. Add a WAN optimization proxy policy:

      config firewall proxy-policy
    edit 0
        set proxy wanopt
        set dstintf port5
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
end
    Previous
    Next