
Configuring basic active-passive WAN optimization - CLI

Use the following steps to configure the example WAN optimization configuration from the client-side and server-side FortiGate unit CLI.

To configure the client-side FortiGate unit

1. Add the Local Host ID to the client-side FortiGate configuration:

config wanopt settings
    set host-id Client-Fgt
end

2. Add the server-side Local Host ID to the client-side peer list:

config wanopt peer
    edit Server-Fgt
        set ip 192.168.20.1
    end

3. Add a WAN optimization profile to optimize CIFS, HTTP, and FTP traffic.

config wanopt profile

4. Add a firewall address for the client network.

config firewall address

5. Add a firewall address for the web server network.

config firewall address

6. Add an active WAN optimization security policy that applies virus scanning:

config firewall policy
    edit 0
        set srcintf port1
        set dstintf port2
        set srcaddr Client-Net
        set dstaddr Web-Server-Net
        set action accept
        set service HTTP FTP SMB
        set schedule always
        set wanopt enable
        set wanopt-detection active
        set wanopt-profile Custom-wan-opt-pro
        set utm-status enable
        set av-profile default
    end
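Steps 3 to 5 above show only the opening config prompt for the WAN optimization profile and the two address objects. The following complete client-side configuration is an added worked example; it is not taken from the handbook. The body of the Custom-wan-opt-pro profile (HTTP, CIFS and FTP with byte caching on their default ports, transparent mode) and the interface associations of the address objects (client network on port1, web server network reached through port2, matching the srcintf and dstintf of the policy) are assumptions; adjust them to your topology.

```fortios
# Client-side FortiGate: complete active-side configuration.
# Added example, not handbook text. Profile settings and the
# associated-interface values are assumed.
config wanopt settings
    set host-id Client-Fgt
end

config wanopt peer
    edit Server-Fgt
        set ip 192.168.20.1
    next
end

# Profile body is assumed: optimize HTTP, CIFS and FTP with byte caching.
config wanopt profile
    edit Custom-wan-opt-pro
        set transparent enable
        config http
            set status enable
            set byte-caching enable
            set port 80
        end
        config cifs
            set status enable
            set byte-caching enable
            set port 445
        end
        config ftp
            set status enable
            set byte-caching enable
            set port 21
        end
    next
end

# Same address ranges as the server side; interface bindings assumed.
config firewall address
    edit Client-Net
        set type iprange
        set startip 172.20.120.100
        set endip 172.20.120.200
        set associated-interface port1
    next
    edit Web-Server-Net
        set type ipmask
        set subnet 192.168.10.0 255.255.255.0
        set associated-interface port2
    next
end

# Active WAN optimization policy with antivirus scanning.
config firewall policy
    edit 0
        set srcintf port1
        set dstintf port2
        set srcaddr Client-Net
        set dstaddr Web-Server-Net
        set action accept
        set service HTTP FTP SMB
        set schedule always
        set wanopt enable
        set wanopt-detection active
        set wanopt-profile Custom-wan-opt-pro
        set utm-status enable
        set av-profile default
    next
end
```

Binding the address objects to an interface means the policy will not match the same IP ranges arriving on another interface, which is the intended behaviour here; if your client network sits behind a different port, change the associated-interface values rather than removing them.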

To configure the server-side FortiGate unit

1. Add the Local Host ID to the server-side FortiGate configuration:

config wanopt settings
    set host-id Server-Fgt
end

2. Add the client-side Local Host ID to the server-side peer list:

config wanopt peer
    edit Client-Fgt
        set ip 172.20.120.1
    end

3. Add a firewall address for the client network.

config firewall address
    edit Client-Net
        set type iprange
        set startip 172.20.120.100
        set endip 172.20.120.200
        set associated-interface port1
    end

4. Add a firewall address for the web server network.

config firewall address
    edit Web-Server-Net
        set type ipmask
        set subnet 192.168.10.0 255.255.255.0
        set associated-interface port2
    end

Fortinet Technologies Inc. Page 64 FortiOS™ Handbook - WAN Optimization, Web Cache, Explicit

5. Add a WAN optimization tunnel policy.

config firewall policy

6. Add a passive WAN optimization policy that applies application control.

config firewall policy
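Steps 5 and 6 above show only the opening config prompt for the tunnel policy and the passive policy. The following is an added worked example of the two server-side policies; it is not handbook text. It assumes the FortiOS 5.0 convention of a virtual wanopt interface for server-side tunnel policies, that port1 faces the WAN (consistent with Client-Net being bound to port1 in step 3) and port2 faces the web servers, and that the WAN optimization tunnel uses TCP port 7810. The Client-Fgt-Peer address object and the WANOPT-TUNNEL custom service are additions of this example, used to limit the tunnel policy to the configured peer instead of accepting any source.

```fortios
# Server-side FortiGate: tunnel policy and passive policy.
# Added example, not handbook text. Interface roles, the wanopt
# virtual interface and TCP port 7810 for the tunnel are assumed.

# Restrict the tunnel policy to the client-side peer (added hardening,
# not required by the handbook). 172.20.120.1 is the peer IP from step 2.
config firewall address
    edit Client-Fgt-Peer
        set type ipmask
        set subnet 172.20.120.1 255.255.255.255
        set associated-interface port1
    next
end

config firewall service custom
    edit WANOPT-TUNNEL
        set tcp-portrange 7810
    next
end

config firewall policy
    # 5. WAN optimization tunnel policy: lets the peer's tunnel
    #    connections into the wanopt virtual interface.
    edit 0
        set srcintf port1
        set dstintf wanopt
        set srcaddr Client-Fgt-Peer
        set dstaddr all
        set action accept
        set schedule always
        set service WANOPT-TUNNEL
    next
    # 6. Passive WAN optimization policy: de-optimized traffic leaving
    #    the tunnel toward the web servers, with application control.
    edit 0
        set srcintf wanopt
        set dstintf port2
        set srcaddr Client-Net
        set dstaddr Web-Server-Net
        set action accept
        set schedule always
        set service HTTP FTP SMB
        set wanopt enable
        set wanopt-detection passive
        set wanopt-passive-opt default
        set utm-status enable
        set application-list default
    next
end
```

If the client-side FortiGate's WAN address is not fixed, widen Client-Fgt-Peer accordingly, but keep the service restricted so the tunnel policy cannot be used to reach the server network with arbitrary protocols.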

Testing and troubleshooting the configuration

To test the configuration, start a web browsing session from the client network to the web server network: from a PC on the client network, browse to the IP address of a web server on the web server network, for example http://192.168.10.100. Even though this address is not on the client network, you should be able to connect to the web server over the WAN optimization tunnel.

If you can connect, check WAN optimization monitoring (go to WAN Opt. & Cache > Monitor > Monitor). If WAN optimization has been forwarding the traffic, the monitor should show the protocol that has been optimized (in this case HTTP) and the reduction in WAN bandwidth usage.

If you can’t connect you can try the following to diagnose the problem:

• Review your configuration and make sure all details such as address ranges, peer names, and IP addresses are correct.

• Confirm that the security policy on the client-side FortiGate unit is accepting traffic for the 192.168.10.0 network and that this security policy does not include security profiles. You can check this in the FortiGate session table on the dashboard: look for sessions that use the policy ID of this policy.

• Check routing on the FortiGate units and on the client and web server networks to make sure packets can be forwarded as required. The FortiGate units must be able to communicate with each other, routing on the client network must deliver packets destined for the web server network to the client-side FortiGate unit, and packets from the server-side FortiGate unit must be able to reach the web servers.
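The checks in the list above can be run from the CLI. The following command sequence is an added example, not handbook text; it assumes the active WAN optimization policy on the client-side FortiGate received policy ID 1 (check the real ID with show firewall policy) and that the server-side peer is 192.168.20.1 as configured above.

```fortios
# Client-side FortiGate troubleshooting sequence (added example).
# Policy ID 1 is assumed; substitute the ID of your active policy.

# Reachability and routing toward the server-side peer.
execute ping 192.168.20.1
get router info routing-table all

# Are client sessions matching the WAN optimization policy?
# Filter the session table by policy ID, list, then clear the filter.
diagnose sys session filter clear
diagnose sys session filter policy 1
diagnose sys session list
diagnose sys session filter clear

# Peer state and live tunnels.
get test wad 26
diagnose wad tunnel list
```

If the session list is empty, the traffic is matching an earlier policy or not reaching the unit at all; if sessions appear but get test wad 26 shows zero active tunnels, the peer configuration or the path between the two FortiGate units is the problem.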

You can use the following get and diagnose commands to display information about how WAN optimization is operating.

Enter the following command to display WAN optimization tunnel protocol statistics. The http tunnel and tcp tunnel parts of the command output below show that WAN optimization has been processing HTTP and TCP packets.

get test wad 11
wad tunnel protocol stats:
    http tunnel
        bytes_in=1751767 bytes_out=325468
    ftp tunnel
        bytes_in=0 bytes_out=0
    cifs tunnel
        bytes_in=0 bytes_out=0
    mapi tunnel
        bytes_in=0 bytes_out=0
    tcp tunnel
        bytes_in=3182253 bytes_out=200702
    maintenance tunnel
        bytes_in=11800 bytes_out=15052

Enter the following command to display the current WAN optimization peers. You can use this command to make sure all peers are configured correctly. The command output for the client-side FortiGate unit shows one peer with IP address 192.168.20.1, peer name Web-servers, and 10 active tunnels. Note that this sample output does not use the Server-Fgt peer name configured above; with the configuration in this example the peer would be listed as Server-Fgt.

get test wad 26
peer name=Web-servers ip=192.168.20.1 vd=0 version=1 tunnels(active/connecting/failover)=10/0/0 sessions=0 n_retries=0 version_valid=true


Enter the following command to list all of the running WAN optimization tunnels and display information about each one. The command output shows 3 tunnels, all created by peer-to-peer WAN optimization rules (auto-detect set to on). Note that SSL-secured-tunnel=no for each of them: these tunnels carry the optimized traffic across the WAN without encryption, which is what the secure tunneling example below adds.

diagnose wad tunnel list
Tunnel: id=139 type=auto
    vd=0 shared=no uses=0 state=1
    peer name= id=0 ip=unknown
    SSL-secured-tunnel=no auth-grp=test
    bytes_in=744 bytes_out=76
Tunnel: id=141 type=auto
    vd=0 shared=no uses=0 state=1
    peer name= id=0 ip=unknown
    SSL-secured-tunnel=no auth-grp=test
    bytes_in=727 bytes_out=76
Tunnel: id=142 type=auto
    vd=0 shared=no uses=0 state=1
    peer name= id=0 ip=unknown
    SSL-secured-tunnel=no auth-grp=test
    bytes_in=727 bytes_out=76
Tunnels total=3 manual=0 auto=3

Example: Adding secure tunneling to an active-passive WAN
