Use the following steps to configure the example WAN optimization configuration from the client-side and server-side FortiGate unit CLI.
To configure peers on the client-side FortiGate unit and add a security policy
1 Add the Local Host ID to the client-side FortiGate configuration:
config wanopt settings
    set host-id User_net
end
2 Add the server-side Local Host ID to the client-side peer list:
config wanopt peer
    edit Web_servers
        set ip 192.168.20.1
end
3 Add a security policy to the client-side FortiGate unit to accept the traffic to be optimized:
To add the active rules to the client-side FortiGate unit
1 Add the following active rule to optimize CIFS traffic for IP addresses 172.20.120.100 to 172.20.120.200:
Accept default settings for transparent (enable), status (enable), mode (full), byte-caching (enable), ssl (disable), secure-tunnel (disable), auth-group (null), unknown-http-version (tunnel), and tunnel-non-http (disable).
2 Add the following active rule to optimize HTTP traffic for IP addresses 172.20.120.100 to 172.20.120.150:
Accept default settings for transparent (enable), proto (http), status (enable), mode (full), byte-caching (enable), ssl (disable), secure-tunnel (disable), auth-group (null), unknown-http-version (tunnel), and tunnel-non-http (disable).
3 Add the following active rule to optimize FTP traffic from IP addresses 172.20.120.151 to 172.20.120.200:
Accept default settings for transparent (enable), status (enable), mode (full), byte-caching (enable), ssl (disable), secure-tunnel (disable), auth-group (null), unknown-http-version (tunnel), and tunnel-non-http (disable).
4 If required, use the move command to change the order of the rules in the list so that the HTTP and FTP rules are above the CIFS rule in the list. You may need to do this if you have other WAN optimization rules in the list.
For more information, see “How list order affects rule matching” on page 46 and “Moving a rule to a different position in the rule list” on page 47.
To configure the server-side FortiGate unit
1 Add the Local Host ID to the server-side FortiGate configuration:
config wanopt settings
    set host-id Web_servers
end
2 Add the client-side Local Host ID to the server-side peer list:
config wanopt peer
    edit User_net
        set ip 172.20.120.1
end
3 Add the following passive rule to the server-side FortiGate unit:
config wanopt rule
end
Accept default settings for status (enable) and mode (full).
4 If required, use the move command to move the rule to a different position in the list so that the tunnel request from the client-side FortiGate unit matches with this rule.
For more information, see “Moving a rule to a different position in the rule list” on page 47.
Testing and troubleshooting the configuration
To test the configuration, attempt to start a web browsing session between the user network and the web server network. For example, from a PC on the user network, browse to the IP address of a web server on the web server network, for example http://192.168.10.100. Even though this address is not on the user network, you should be able to connect to this web server over the WAN optimization tunnel.
If you can connect, check WAN optimization monitoring (go to WAN Opt. & Cache > Monitor > Monitor). If WAN optimization has been forwarding the traffic, the WAN optimization monitor should show the protocol that has been optimized (in this case HTTP) and the reduction rate in WAN bandwidth usage.
If you can’t connect, you can try the following to diagnose the problem:
• Review your configuration and make sure all details such as address ranges, peer names, and IP addresses are correct.
• Confirm that the security policy on the client-side FortiGate unit is accepting traffic for the 192.168.10.0 network and that this security policy does not include UTM options. You can do this by checking the FortiGate session table from the dashboard. Look for sessions that use the policy ID of this policy.
• Check routing on the FortiGate units and on the user and web server networks to make sure packets can be forwarded as required. The FortiGate units must be able to communicate with each other, routing on the user network must allow packets destined for the web server network to be received by the client-side FortiGate unit, and packets from the server-side FortiGate unit must be able to reach the web servers.
You can use the following get and diagnose commands to display information about how WAN optimization is operating.
Enter the following command to display WAN optimization tunnel protocol statistics. The http tunnel and tcp tunnel parts of the command output below show that WAN optimization has been processing HTTP and TCP packets.
get test wad 11
wad tunnel protocol stats:
http tunnel
bytes_in=1751767 bytes_out=325468
ftp tunnel
bytes_in=0 bytes_out=0
cifs tunnel
bytes_in=0 bytes_out=0
mapi tunnel
bytes_in=0 bytes_out=0
tcp tunnel
bytes_in=3182253 bytes_out=200702
maintenance tunnel
bytes_in=11800 bytes_out=15052
Enter the following command to display the current WAN optimization peers. You can use this command to make sure all peers are configured correctly. The command output for the client-side FortiGate unit shows one peer with IP address 192.168.20.1, peer name Web_servers, and 10 active tunnels.
get test wad 26
peer name=Web_servers ip=192.168.20.1 vd=0 version=1 tunnels(active/connecting/failover)=10/0/0
sessions=0 n_retries=0 version_valid=true
Enter the following command to list all of the running WAN optimization tunnels and display information about each one. The command output shows 3 tunnels, all created by peer-to-peer WAN optimization rules (auto-detect set to on).
diagnose wad tunnel list
Tunnel: id=139 type=auto
vd=0 shared=no uses=0 state=1 peer name= id=0 ip=unknown
SSL-secured-tunnel=no auth-grp=test bytes_in=744 bytes_out=76
Tunnel: id=141 type=auto
vd=0 shared=no uses=0 state=1 peer name= id=0 ip=unknown
SSL-secured-tunnel=no auth-grp=test bytes_in=727 bytes_out=76
Tunnel: id=142 type=auto
vd=0 shared=no uses=0 state=1 peer name= id=0 ip=unknown
SSL-secured-tunnel=no auth-grp=test bytes_in=727 bytes_out=76
Tunnels total=3 manual=0 auto=3
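The troubleshooting steps above read the get test wad 11 and diagnose wad tunnel list output by eye. As an added example (not part of the original guide), the following Python parses both listings so the checks can be scripted: which protocols WAN optimization has actually processed, and which tunnels are still running without SSL. The sample output strings are constructed, modelled on the listings shown above.

```python
import re
# Constructed sample outputs, modelled on the listings shown on this page.
WAD11 = """wad tunnel protocol stats:
http tunnel
bytes_in=1751767 bytes_out=325468
cifs tunnel
bytes_in=0 bytes_out=0
tcp tunnel
bytes_in=3182253 bytes_out=200702
"""
TUNNELS = """Tunnel: id=139 type=auto
vd=0 shared=no uses=0 state=1 peer name= id=0 ip=unknown
SSL-secured-tunnel=no auth-grp=test bytes_in=744 bytes_out=76
Tunnel: id=141 type=auto
vd=0 shared=no uses=0 state=1 peer name= id=0 ip=unknown
SSL-secured-tunnel=yes auth-grp=test bytes_in=727 bytes_out=76
Tunnels total=2 manual=0 auto=2
"""
KV = re.compile(r"([\w-]+)=(\S*)")  # key=value pairs as printed by the wad commands

def parse_protocol_stats(text):
    """'get test wad 11' -> {proto: (bytes_in, bytes_out)}: an 'X tunnel' header, then a bytes line."""
    stats, proto = {}, None
    for line in text.splitlines():
        head = re.match(r"(\w+) tunnel$", line.strip())
        if head:
            proto = head.group(1)
        elif proto and "bytes_in=" in line:
            kv = dict(KV.findall(line))
            stats[proto] = (int(kv["bytes_in"]), int(kv["bytes_out"]))
    return stats

def active_protocols(stats):
    """Protocols with non-zero counters, i.e. the ones WAN optimization has actually processed."""
    return sorted(p for p, (i, o) in stats.items() if i or o)

def parse_tunnels(text):
    """'diagnose wad tunnel list' -> one dict per tunnel; first-seen keys win, so 'id=0' on the peer line does not clobber the tunnel id."""
    tunnels = []
    for line in text.splitlines():
        if line.startswith("Tunnels total"):
            break
        if line.startswith("Tunnel:"):
            tunnels.append({})
        if tunnels:
            for k, v in KV.findall(line):
                tunnels[-1].setdefault(k, v)
    return tunnels

def unsecured_tunnels(tunnels):
    """Ids of tunnels running with SSL-secured-tunnel=no; the next example on the page turns secure tunneling on."""
    return [int(t["id"]) for t in tunnels if t.get("SSL-secured-tunnel") == "no"]
```

Paste real command output into the two strings to run the same checks against your own units.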