Fortinet white logo
Fortinet white logo

Administration Guide

WAN optimization

WAN optimization

FortiProxy WAN optimization consists of a number of techniques that you can apply to improve the efficiency of communication across your WAN. These techniques include protocol optimization, byte caching, web caching, SSL offloading, and secure tunneling. Protocol optimization can improve the efficiency of traffic that uses the CIFS, FTP, HTTP, or MAPI protocol, as well as general TCP traffic. Byte caching caches files and other data on FortiProxy units to reduce the amount of data transmitted across the WAN. Web caching stores web pages o FortiProxy units to reduce latency and delays between the WAN and web servers. SSL offloading offloads SSL decryption and encryption from web servers onto FortiProxy SSL acceleration hardware. Secure tunneling secures traffic as it crosses the WAN.

You can apply different combinations of these WAN optimization techniques to a single traffic stream depending on the traffic type. For example, you can apply byte caching and secure tunneling to any TCP traffic. For HTTP and HTTPS traffic, you can also apply protocol optimization and web caching.

You can configure a FortiProxy unit to be an explicit web proxy server for both IPv4 and IPv6 traffic and an explicit FTP proxy server. Users on your internal network can browse the Internet through the explicit web proxy server or connect to FTP servers through the explicit FTP proxy server. You can also configure these proxies to protect access to web or FTP servers behind the FortiProxy unit using a reverse proxy configuration.

Web caching can be applied to any HTTP or HTTPS traffic, this includes normal traffic accepted by a security policy, explicit web proxy traffic, and WAN optimization traffic.

You can also configure a FortiProxy unit to operate as a Web Cache Communication Protocol (WCCP) client or server. WCCP provides the ability to offload web caching to one or more redundant web caching servers.

FortiProxy units can also apply security profiles to traffic as part of a WAN optimization, explicit web proxy, explicit FTP proxy, web cache and WCCP configuration. Security policies that include any of these options can also include settings to apply all forms of security profiles supported by your FortiProxy unit.

To check how much memory has been allocated for the WAN-optimization daemon (WAD), use the diagnose wad memory track [<mem-id>] command.

WAN optimization supports TLS 1.3.

WAN optimization transparent mode

WAN optimization is transparent to users. This means that with WAN optimization in place, clients connect to servers in the same way as they would without WAN optimization. However, servers receiving packets after WAN optimization “see” different source addresses depending on whether or not transparent mode is selected for WAN optimization. If transparent mode is selected, WAN optimization keeps the original source address of the packets, so servers appear to receive traffic directly from clients. Routing on the server network should be configured to route traffic with client source IP addresses from the server-side FortiProxy unit to the server and back to the server-side FortiProxy unit.

note icon

Some protocols, for example CIFS, may not function as expected if transparent mode is not selected. In most cases, for CIFS WAN optimization you should select transparent mode and make sure the server network can route traffic as described to support transparent mode.

If transparent mode is not selected, the source address of the packets received by servers is changed to the address of the server-side FortiProxy unit interface that sends the packets to the servers. So servers appear to receive packets from the server-side FortiProxy unit. Routing on the server network is simpler in this case because client addresses are not involved. All traffic appears to come from the server-side FortiProxy unit and not from individual clients.

note icon

Do not confuse WAN optimization transparent mode with FortiProxy transparent mode. WAN optimization transparent mode is similar to source NAT. FortiProxy transparent mode is a system setting that controls how the FortiProxy unit processes traffic. See Transparent and NAT/route modes.

WAN optimization topologies

The WAN optimization topologies are described in the following sections:

Basic WAN optimization topology

The basic FortiProxy WAN optimization topology consists of two FortiProxy units operating as WAN optimization peers intercepting and optimizing traffic crossing the WAN between the private networks.

Security device and WAN optimization topology

FortiProxy units can be deployed as security devices that protect private networks connected to the WAN and also perform WAN optimization. In this configuration, the FortiProxy units are configured as typical security devices for the private networks and are also configured for WAN optimization. The WAN optimization configuration intercepts traffic to be optimized as it passes through the FortiProxy unit and uses a WAN optimization tunnel with another FortiProxy unit to optimize the traffic that crosses the WAN.

You can also deploy WAN optimization on single-purpose FortiProxy units that only perform WAN optimization. In the out of path WAN optimization topology shown below, FortiProxy units are located on the WAN outside of the private networks. You can also install the WAN optimization FortiProxy units behind the security devices on the private networks.

The WAN optimization configuration is the same for FortiProxy units deployed as security devices and for single-purpose WAN optimization FortiProxy units. The only differences would result from the different network topologies.

Out-of-path WAN optimization topology

In an out-of-path topology, one or both of the FortiProxy units configured for WAN optimization are not directly in the main data path. Instead, the out-of-path FortiProxy unit is connected to a device on the data path, and the device is configured to redirect sessions to be optimized to the out-of-path FortiProxy unit.

The following out-of-path FortiProxy units are configured for WAN optimization and connected directly to FortiProxy units in the data path. The FortiProxy units in the data path use a method such as policy routing to redirect traffic to be optimized to the out-of-path FortiProxy units. The out-of-path FortiProxy units establish a WAN optimization tunnel between each other and optimize the redirected traffic.

Out-of-path WAN optimization

One of the benefits of out-of-path WAN optimization is that out-of-path FortiProxy units only perform WAN optimization and do not have to process other traffic. An in-path FortiProxy unit configured for WAN optimization also has to process other non-optimized traffic on the data path.

The out-of-path FortiProxy units can operate in NAT/Route or transparent mode.

Other out-of-path topologies are also possible. For example, you can install the out-of-path FortiProxy units on the private networks instead of on the WAN. Also, the out-of-path FortiProxy units can have one connection to the network instead of two. In a one-arm configuration such as this, security policies and routing have to be configured to send the WAN optimization tunnel out the same interface as the one that received the traffic.

Topology for multiple networks

As shown in the following figure, you can create multiple WAN optimization configurations between many private networks. Whenever WAN optimization occurs, it is always between two FortiProxy units, but you can configure any FortiProxy unit to perform WAN optimization with any of the other FortiProxy units that are part of your WAN.

WAN optimization among multiple networks

You can also configure WAN optimization between FortiProxy units with different roles on the WAN. FortiProxy units configured as security devices and for WAN optimization can perform WAN optimization as if they are single-purpose FortiProxy units just configured for WAN optimization.

WAN optimization with web caching

You can add web caching to a WAN optimization topology when users on a private network communicate with web servers located across the WAN on another private network.

WAN optimization with web-caching topology

The topology above is the same as that shown in Basic WAN optimization topology with the addition of web caching to the FortiProxy unit in front of the private network that includes the web servers. You can also add web caching to the FortiProxy unit that is protecting the private network. In a similar way, you can add web caching to any WAN optimization topology.

WAN optimization

WAN optimization

FortiProxy WAN optimization consists of a number of techniques that you can apply to improve the efficiency of communication across your WAN. These techniques include protocol optimization, byte caching, web caching, SSL offloading, and secure tunneling. Protocol optimization can improve the efficiency of traffic that uses the CIFS, FTP, HTTP, or MAPI protocol, as well as general TCP traffic. Byte caching caches files and other data on FortiProxy units to reduce the amount of data transmitted across the WAN. Web caching stores web pages o FortiProxy units to reduce latency and delays between the WAN and web servers. SSL offloading offloads SSL decryption and encryption from web servers onto FortiProxy SSL acceleration hardware. Secure tunneling secures traffic as it crosses the WAN.

You can apply different combinations of these WAN optimization techniques to a single traffic stream depending on the traffic type. For example, you can apply byte caching and secure tunneling to any TCP traffic. For HTTP and HTTPS traffic, you can also apply protocol optimization and web caching.

You can configure a FortiProxy unit to be an explicit web proxy server for both IPv4 and IPv6 traffic and an explicit FTP proxy server. Users on your internal network can browse the Internet through the explicit web proxy server or connect to FTP servers through the explicit FTP proxy server. You can also configure these proxies to protect access to web or FTP servers behind the FortiProxy unit using a reverse proxy configuration.

Web caching can be applied to any HTTP or HTTPS traffic, this includes normal traffic accepted by a security policy, explicit web proxy traffic, and WAN optimization traffic.

You can also configure a FortiProxy unit to operate as a Web Cache Communication Protocol (WCCP) client or server. WCCP provides the ability to offload web caching to one or more redundant web caching servers.

FortiProxy units can also apply security profiles to traffic as part of a WAN optimization, explicit web proxy, explicit FTP proxy, web cache and WCCP configuration. Security policies that include any of these options can also include settings to apply all forms of security profiles supported by your FortiProxy unit.

To check how much memory has been allocated for the WAN-optimization daemon (WAD), use the diagnose wad memory track [<mem-id>] command.

WAN optimization supports TLS 1.3.

WAN optimization transparent mode

WAN optimization is transparent to users. This means that with WAN optimization in place, clients connect to servers in the same way as they would without WAN optimization. However, servers receiving packets after WAN optimization “see” different source addresses depending on whether or not transparent mode is selected for WAN optimization. If transparent mode is selected, WAN optimization keeps the original source address of the packets, so servers appear to receive traffic directly from clients. Routing on the server network should be configured to route traffic with client source IP addresses from the server-side FortiProxy unit to the server and back to the server-side FortiProxy unit.

note icon

Some protocols, for example CIFS, may not function as expected if transparent mode is not selected. In most cases, for CIFS WAN optimization you should select transparent mode and make sure the server network can route traffic as described to support transparent mode.

If transparent mode is not selected, the source address of the packets received by servers is changed to the address of the server-side FortiProxy unit interface that sends the packets to the servers. So servers appear to receive packets from the server-side FortiProxy unit. Routing on the server network is simpler in this case because client addresses are not involved. All traffic appears to come from the server-side FortiProxy unit and not from individual clients.

note icon

Do not confuse WAN optimization transparent mode with FortiProxy transparent mode. WAN optimization transparent mode is similar to source NAT. FortiProxy transparent mode is a system setting that controls how the FortiProxy unit processes traffic. See Transparent and NAT/route modes.

WAN optimization topologies

The WAN optimization topologies are described in the following sections:

Basic WAN optimization topology

The basic FortiProxy WAN optimization topology consists of two FortiProxy units operating as WAN optimization peers intercepting and optimizing traffic crossing the WAN between the private networks.

Security device and WAN optimization topology

FortiProxy units can be deployed as security devices that protect private networks connected to the WAN and also perform WAN optimization. In this configuration, the FortiProxy units are configured as typical security devices for the private networks and are also configured for WAN optimization. The WAN optimization configuration intercepts traffic to be optimized as it passes through the FortiProxy unit and uses a WAN optimization tunnel with another FortiProxy unit to optimize the traffic that crosses the WAN.

You can also deploy WAN optimization on single-purpose FortiProxy units that only perform WAN optimization. In the out of path WAN optimization topology shown below, FortiProxy units are located on the WAN outside of the private networks. You can also install the WAN optimization FortiProxy units behind the security devices on the private networks.

The WAN optimization configuration is the same for FortiProxy units deployed as security devices and for single-purpose WAN optimization FortiProxy units. The only differences would result from the different network topologies.

Out-of-path WAN optimization topology

In an out-of-path topology, one or both of the FortiProxy units configured for WAN optimization are not directly in the main data path. Instead, the out-of-path FortiProxy unit is connected to a device on the data path, and the device is configured to redirect sessions to be optimized to the out-of-path FortiProxy unit.

The following out-of-path FortiProxy units are configured for WAN optimization and connected directly to FortiProxy units in the data path. The FortiProxy units in the data path use a method such as policy routing to redirect traffic to be optimized to the out-of-path FortiProxy units. The out-of-path FortiProxy units establish a WAN optimization tunnel between each other and optimize the redirected traffic.

Out-of-path WAN optimization

One of the benefits of out-of-path WAN optimization is that out-of-path FortiProxy units only perform WAN optimization and do not have to process other traffic. An in-path FortiProxy unit configured for WAN optimization also has to process other non-optimized traffic on the data path.

The out-of-path FortiProxy units can operate in NAT/Route or transparent mode.

Other out-of-path topologies are also possible. For example, you can install the out-of-path FortiProxy units on the private networks instead of on the WAN. Also, the out-of-path FortiProxy units can have one connection to the network instead of two. In a one-arm configuration such as this, security policies and routing have to be configured to send the WAN optimization tunnel out the same interface as the one that received the traffic.

Topology for multiple networks

As shown in the following figure, you can create multiple WAN optimization configurations between many private networks. Whenever WAN optimization occurs, it is always between two FortiProxy units, but you can configure any FortiProxy unit to perform WAN optimization with any of the other FortiProxy units that are part of your WAN.

WAN optimization among multiple networks

You can also configure WAN optimization between FortiProxy units with different roles on the WAN. FortiProxy units configured as security devices and for WAN optimization can perform WAN optimization as if they are single-purpose FortiProxy units just configured for WAN optimization.

WAN optimization with web caching

You can add web caching to a WAN optimization topology when users on a private network communicate with web servers located across the WAN on another private network.

WAN optimization with web-caching topology

The topology above is the same as that shown in Basic WAN optimization topology with the addition of web caching to the FortiProxy unit in front of the private network that includes the web servers. You can also add web caching to the FortiProxy unit that is protecting the private network. In a similar way, you can add web caching to any WAN optimization topology.