Fortinet black logo

Administration Guide

Secure tunneling configuration example

Note

Please ensure that the Prerequisites are met before proceeding with the configuration example.

See Secure tunneling for conceptual information.

This example configuration includes a client-side FortiGate unit called Client-Fgt with a WAN IP address of 172.30.120.1. This unit is in front of a network with IP address 172.20.120.0. The server-side FortiGate unit is called Server-Fgt and has a WAN IP address of 192.168.20.1. This unit is in front of a web server network with IP address 192.168.10.0.

General configuration steps

This section breaks down the configuration for this example into smaller procedures:

  1. Configure the client-side FortiGate unit:

    • Add peers.

    • Add an authentication group.

    • Add an active WAN optimization firewall policy.

  2. Configure the server-side FortiGate unit:

    • Add peers.

    • Add the same authentication group.

    • Add a passive WAN optimization firewall policy.

    • Add a WAN optimization proxy policy.

Configuring WAN optimization with secure tunneling from the GUI

Use the following steps to configure the example configuration from the GUI.

To configure the client-side FortiGate unit:
  1. Go to WAN Opt. & Cache > Peers and change the Host ID of the client-side FortiGate unit:

    1. Click Change. The Host ID pane opens.

    2. Enter a new Host ID:

      Host ID Client-Fgt
    3. Click OK.

  2. Create the server-side FortiGate unit peer:

    1. Select Create New. The New WAN Optimization Peer opens.

    2. Configure the following settings:

      Peer Host ID Server-Fgt
      IP address 192.168.20.1
    3. Click OK.

  3. Go to WAN Opt. & Cache > Authentication Groups to add the authentication group to be used for secure tunneling:

    1. Click Create New and configure the following settings:

      Name Auth-Secure-Tunnel
      Authentication Method Pre-shared key

      Pre-shared key

      ********

      Accept peer(s)

      Defined Peers Only

    2. Click OK.

  4. Go to WAN Opt. & Cache > Profiles to add a WAN optimization profile that enables secure tunneling and includes the authentication group:

    1. Click Create New.

    2. Enter a Name:

      Name Secure-wan-opt-pro
    3. Enable Authentication group:

      Authentication group Auth-Secure-Tunnel
    4. In the Protocol Options section, edit HTTP:

      1. Set Status to Enable.

      2. Click Apply.

      3. Set SSL Secure Tunneling to Enable.

      4. Click Apply.

    5. Click OK.

  5. Go to Policy & Objects > Firewall Policy to add an active WAN optimization firewall policy:

    1. Click Create New.

    2. Enter a Name and configure the following settings:

      Incoming Interface port2
      Outgoing Interface port3
      Source all
      Destination all
      Schedule always
      Service

      HTTP

      Action ACCEPT
    3. Set Inspection Mode to Proxy-based.

    4. Enable WAN Optimization and configure the following settings:

      WAN Optimization Active
      Profile Secure-wan-opt-pro
    5. Click OK.

To configure the server-side FortiGate unit:
  1. Go to WAN Opt. & Cache > Peers and change the Host ID of the server-side FortiGate unit:

    1. Click Change. The Host ID pane opens.

    2. Enter a new Host ID:

      Host ID Server-Fgt
    3. Click OK.

  2. Create the client-side FortiGate unit peer:

    1. Select Create New. The New WAN Optimization Peer opens.

    2. Configure the following settings:

      Peer Host ID Client-Fgt
      IP address 172.30.120.1
    3. Click OK.

  3. Go to WAN Opt. & Cache > Authentication Groups to add the authentication group to be used for secure tunneling:

    1. Click Create New and configure the following settings:

      Name Auth-Secure-Tunnel
      Authentication Method Pre-shared key

      Pre-shared key

      ********

      Accept peer(s)

      Defined Peers Only

    2. Click OK.

  4. Go to Policy & Objects > Firewall Policy to add an passive WAN optimization firewall policy:

    1. Click Create New.

    2. Enter a Name and configure the following settings:

      Incoming Interface port4
      Outgoing Interface port5
      Source all
      Destination all
      Schedule always
      Service

      ALL

      Action ACCEPT
    3. Set Inspection Mode to Proxy-based.

    4. Enable WAN Optimization and configure the following settings:

      WAN Optimization Passive
      Passive Option Default
    5. Click OK.

  5. Add a WAN optimization proxy policy from the CLI:

    config firewall proxy-policy
        edit 0
            set proxy wanopt
            set dstintf port5
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
        next
    end

Configuring WAN optimization with secure tunneling from the CLI

Use the following steps to configure the example configuration from the CLI.

To configure the client-side FortiGate unit:
  1. Change the Host ID of the client-side FortiGate:

    config wanopt settings
        set host-id Client-Fgt
    end
  2. Add the Host ID of the server-side FortiGate:

    config wanopt peer
        edit Server-Fgt
            set ip 192.168.20.1
        next
    end
  3. Add a new authentication group to be used for secure tunneling:

    config wanopt auth-group
        edit Auth-Secure-Tunnel
            set auth-method psk
            set peer-accept defined
            set psk ********
        next
    end
  4. Add a WAN optimization profile that enabled secure tunneling and includes the authentication group, enables HTTP protocol optimization, and enables secure tunneling for HTTP traffic:

    config wanopt profile
        edit Secure-wan-opt-pro
            set auth-group Auth-Secure-Tunnel
            config http
                set status enable
                set secure-tunnel enable
            end
        next
    end
  5. Add an active WAN optimization firewall policy that enables secure tunneling:

    config firewall policy
        edit 0
            set srcintf port2
            set dstintf port3
            set srcaddr all
            set dstaddr all
            set action accept
            set service HTTP
            set schedule always
            set inspection-mode proxy
            set wanopt enable
            set wanopt-detection active
            set wanopt-profile Secure-wan-opt-pro
        next
    end
    
To configure the server-side FortiGate unit:
  1. Change the Host ID of the server-side FortiGate:

    config wanopt settings
        set host-id Server-Fgt
    end
    
  2. Add the Host ID of the client-side FortiGate:

    config wanopt peer
        edit Client-Fgt
            set ip 172.30.120.1
        next
    end
  3. Add an authentication group to be used for secure tunneling:

    config wanopt auth-group
        edit Auth-Secure-Tunnel
            set auth-method psk
            set peer-accept defined
            set psk ********
        next
    end
  4. Add a passive WAN optimization firewall policy:

    config firewall policy
        edit 0
            set srcintf port4
            set dstintf port5
            set srcaddr all
            set dstaddr all
            set action accept
            set service ALL
            set schedule always
            set inspection-mode proxy
            set wanopt enable
            set wanopt-detection passive
            set wanopt-passive-opt default
        next
    end
  5. Add a WAN optimization proxy policy:

    config firewall proxy-policy
        edit 0
            set proxy wanopt
            set dstintf port5
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
        next
    end
    
Note

Please ensure that the Prerequisites are met before proceeding with the configuration example.

See Secure tunneling for conceptual information.

This example configuration includes a client-side FortiGate unit called Client-Fgt with a WAN IP address of 172.30.120.1. This unit is in front of a network with IP address 172.20.120.0. The server-side FortiGate unit is called Server-Fgt and has a WAN IP address of 192.168.20.1. This unit is in front of a web server network with IP address 192.168.10.0.

General configuration steps

This section breaks down the configuration for this example into smaller procedures:

  1. Configure the client-side FortiGate unit:

    • Add peers.

    • Add an authentication group.

    • Add an active WAN optimization firewall policy.

  2. Configure the server-side FortiGate unit:

    • Add peers.

    • Add the same authentication group.

    • Add a passive WAN optimization firewall policy.

    • Add a WAN optimization proxy policy.

Configuring WAN optimization with secure tunneling from the GUI

Use the following steps to configure the example configuration from the GUI.

To configure the client-side FortiGate unit:
  1. Go to WAN Opt. & Cache > Peers and change the Host ID of the client-side FortiGate unit:

    1. Click Change. The Host ID pane opens.

    2. Enter a new Host ID:

      Host ID Client-Fgt
    3. Click OK.

  2. Create the server-side FortiGate unit peer:

    1. Select Create New. The New WAN Optimization Peer opens.

    2. Configure the following settings:

      Peer Host ID Server-Fgt
      IP address 192.168.20.1
    3. Click OK.

  3. Go to WAN Opt. & Cache > Authentication Groups to add the authentication group to be used for secure tunneling:

    1. Click Create New and configure the following settings:

      Name Auth-Secure-Tunnel
      Authentication Method Pre-shared key

      Pre-shared key

      ********

      Accept peer(s)

      Defined Peers Only

    2. Click OK.

  4. Go to WAN Opt. & Cache > Profiles to add a WAN optimization profile that enables secure tunneling and includes the authentication group:

    1. Click Create New.

    2. Enter a Name:

      Name Secure-wan-opt-pro
    3. Enable Authentication group:

      Authentication group Auth-Secure-Tunnel
    4. In the Protocol Options section, edit HTTP:

      1. Set Status to Enable.

      2. Click Apply.

      3. Set SSL Secure Tunneling to Enable.

      4. Click Apply.

    5. Click OK.

  5. Go to Policy & Objects > Firewall Policy to add an active WAN optimization firewall policy:

    1. Click Create New.

    2. Enter a Name and configure the following settings:

      Incoming Interface port2
      Outgoing Interface port3
      Source all
      Destination all
      Schedule always
      Service

      HTTP

      Action ACCEPT
    3. Set Inspection Mode to Proxy-based.

    4. Enable WAN Optimization and configure the following settings:

      WAN Optimization Active
      Profile Secure-wan-opt-pro
    5. Click OK.

To configure the server-side FortiGate unit:
  1. Go to WAN Opt. & Cache > Peers and change the Host ID of the server-side FortiGate unit:

    1. Click Change. The Host ID pane opens.

    2. Enter a new Host ID:

      Host ID Server-Fgt
    3. Click OK.

  2. Create the client-side FortiGate unit peer:

    1. Select Create New. The New WAN Optimization Peer opens.

    2. Configure the following settings:

      Peer Host ID Client-Fgt
      IP address 172.30.120.1
    3. Click OK.

  3. Go to WAN Opt. & Cache > Authentication Groups to add the authentication group to be used for secure tunneling:

    1. Click Create New and configure the following settings:

      Name Auth-Secure-Tunnel
      Authentication Method Pre-shared key

      Pre-shared key

      ********

      Accept peer(s)

      Defined Peers Only

    2. Click OK.

  4. Go to Policy & Objects > Firewall Policy to add an passive WAN optimization firewall policy:

    1. Click Create New.

    2. Enter a Name and configure the following settings:

      Incoming Interface port4
      Outgoing Interface port5
      Source all
      Destination all
      Schedule always
      Service

      ALL

      Action ACCEPT
    3. Set Inspection Mode to Proxy-based.

    4. Enable WAN Optimization and configure the following settings:

      WAN Optimization Passive
      Passive Option Default
    5. Click OK.

  5. Add a WAN optimization proxy policy from the CLI:

    config firewall proxy-policy
        edit 0
            set proxy wanopt
            set dstintf port5
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
        next
    end

Configuring WAN optimization with secure tunneling from the CLI

Use the following steps to configure the example configuration from the CLI.

To configure the client-side FortiGate unit:
  1. Change the Host ID of the client-side FortiGate:

    config wanopt settings
        set host-id Client-Fgt
    end
  2. Add the Host ID of the server-side FortiGate:

    config wanopt peer
        edit Server-Fgt
            set ip 192.168.20.1
        next
    end
  3. Add a new authentication group to be used for secure tunneling:

    config wanopt auth-group
        edit Auth-Secure-Tunnel
            set auth-method psk
            set peer-accept defined
            set psk ********
        next
    end
  4. Add a WAN optimization profile that enabled secure tunneling and includes the authentication group, enables HTTP protocol optimization, and enables secure tunneling for HTTP traffic:

    config wanopt profile
        edit Secure-wan-opt-pro
            set auth-group Auth-Secure-Tunnel
            config http
                set status enable
                set secure-tunnel enable
            end
        next
    end
  5. Add an active WAN optimization firewall policy that enables secure tunneling:

    config firewall policy
        edit 0
            set srcintf port2
            set dstintf port3
            set srcaddr all
            set dstaddr all
            set action accept
            set service HTTP
            set schedule always
            set inspection-mode proxy
            set wanopt enable
            set wanopt-detection active
            set wanopt-profile Secure-wan-opt-pro
        next
    end
    
To configure the server-side FortiGate unit:
  1. Change the Host ID of the server-side FortiGate:

    config wanopt settings
        set host-id Server-Fgt
    end
    
  2. Add the Host ID of the client-side FortiGate:

    config wanopt peer
        edit Client-Fgt
            set ip 172.30.120.1
        next
    end
  3. Add an authentication group to be used for secure tunneling:

    config wanopt auth-group
        edit Auth-Secure-Tunnel
            set auth-method psk
            set peer-accept defined
            set psk ********
        next
    end
  4. Add a passive WAN optimization firewall policy:

    config firewall policy
        edit 0
            set srcintf port4
            set dstintf port5
            set srcaddr all
            set dstaddr all
            set action accept
            set service ALL
            set schedule always
            set inspection-mode proxy
            set wanopt enable
            set wanopt-detection passive
            set wanopt-passive-opt default
        next
    end
  5. Add a WAN optimization proxy policy:

    config firewall proxy-policy
        edit 0
            set proxy wanopt
            set dstintf port5
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
        next
    end