Web-based manager settings used in this example:

Firewall address (Web_Server_Net)
    Subnet / IP Range    192.168.10.*
    Interface            Any

Security policy
    Source Interface/Zone       port1
    Source Address              Client_Net
    Destination Interface/Zone  port2
    Destination Address         Web_Server_Net
    Schedule                    always
    Service                     HTTP
    Action                      ACCEPT

Web Cache Only WAN optimization rule
    Mode          Web Cache Only
    Source        172.20.120.*
    Destination   192.168.10.*
    Port          80

Usually you would set the port to 80 to cache normal HTTP traffic. But you can change the Port to a different number (for example 8080) or to a port number range so that the FortiGate unit provides web caching for HTTP traffic using other ports.

    Transparent Mode  Select Transparent Mode
    Enable SSL        Do not select Enable SSL.

Use the following steps to configure the example WAN optimization configuration from the FortiGate unit CLI.

To add the firewall addresses and security policy

1 Add the firewall address for the client network:
    config firewall address
        edit Client_Net
            set type iprange
            set start-ip 172.20.120.0
            set end-ip 172.20.120.255
        end
2 Add the firewall address for the web server network:
    config firewall address
        edit Web_Server_Net
            set type iprange
            set start-ip 192.168.10.0
            set end-ip 192.168.10.255
        end
3 Add a security policy that accepts traffic to be web cached:
    config firewall policy
        edit 2
            set srcintf port1
            set dstintf port2
            set srcaddr Client_Net
            set dstaddr Web_Server_Net
            set action accept
            set service HTTP
            set schedule always
        end
To add a Web Cache Only WAN optimization rule

1 Add the following Web Cache Only rule:

    config wanopt rule
        edit 2
            set mode webcache-only
            set src-ip 172.20.120.0-172.20.120.255
            set dst-ip 192.168.10.0-192.168.10.255
            set port 80
            set peer Peer_Fgt_2
        end
Accept default settings for transparent (enable), status (enable), ssl (disable), unknown-http-version (tunnel), and tunnel-non-http (disable).
2 If required, use the move command to move the rule to a different position in the list.
The order of the rules in the list significantly affects how the rules are applied. For more information, see “How list order affects rule matching” on page 46 and “Moving a rule to a different position in the rule list” on page 47.
In this example, SSL offloading is disabled. For an example of a reverse proxy Web Cache Only configuration that also includes SSL offloading, see “Example: SSL offloading for a WAN optimization tunnel” on page 124.
Testing and troubleshooting the configuration
To test the configuration, attempt to start a web browsing session between the client network and the web server network. For example, from a PC on the client network, browse to the IP address of a web server on the web server network, such as http://192.168.10.100. Even though this address is not on the user network, you should be able to connect to this web server over the WAN optimization tunnel.
If you can connect, check WAN optimization monitoring in WAN Opt. & Cache > Monitor > Monitor. If WAN optimization has been forwarding the traffic, the WAN optimization monitor should show the HTTP protocol that has been optimized and the reduction rate in WAN bandwidth usage.
If you cannot connect, try the following to diagnose the problem:
• Review your configuration and make sure all details, such as address ranges, peer names and IP addresses, are correct.
• Confirm that the security policy on the client-side FortiGate unit is accepting traffic for the 192.168.10.0 network and that this security policy does not include UTM options. You can do this by checking the FortiGate session table from the dashboard. Look for sessions that use the policy ID of this policy.
• Check routing on the FortiGate units and on the user and web server networks to make sure packets can be forwarded as required. The FortiGate units must be able to communicate with each other, routing on the user network must allow packets destined for the web server network to be received by the client-side FortiGate unit, and packets from the server-side FortiGate unit must be able to reach the web servers, and so on.
You can use the following get and diagnose commands to display information about how WAN optimization is operating.
Enter the following command on the client-side FortiGate unit to display WAN optimization tunnel protocol statistics. The http tunnel and tcp tunnel parts of the command output below show that WAN optimization has been processing HTTP packets. If the http tunnel bytes_in and bytes_out fields are both zero, WAN optimization is not accepting HTTP packets.
    get test wad 11
    wad tunnel protocol stats:
    http tunnel
        bytes_in=1749865 bytes_out=25926
    ftp tunnel
        bytes_in=0 bytes_out=0
    cifs tunnel
        bytes_in=0 bytes_out=0
    mapi tunnel
        bytes_in=0 bytes_out=0
    tcp tunnel
        bytes_in=0 bytes_out=0
    maintenance tunnel
        bytes_in=0 bytes_out=0
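As an added example (not part of the Fortinet document), the following Python parses the get test wad 11 output above and applies the rule the text states: zero HTTP bytes in and out means WAN optimization is not accepting HTTP packets. The sample output is the one shown on this page; the regular expression also copes with copied output where the counters run onto the same line as the next tunnel name, and the diagnosis wording is the example's own.

```python
"""Parse 'get test wad 11' tunnel protocol statistics from a FortiGate and
report which tunnels carried traffic. Added example, not Fortinet code."""
import re

# Constructed sample: the command output shown on this page, verbatim.
SAMPLE_WAD_STATS = """\
wad tunnel protocol stats:
http tunnel
    bytes_in=1749865 bytes_out=25926
ftp tunnel
    bytes_in=0 bytes_out=0
cifs tunnel
    bytes_in=0 bytes_out=0
mapi tunnel
    bytes_in=0 bytes_out=0
tcp tunnel
    bytes_in=0 bytes_out=0
maintenance tunnel
    bytes_in=0 bytes_out=0
"""

# "<proto> tunnel" followed by its two counters, whether they sit on the
# next line or were run together on one line when the output was copied.
_STAT_RE = re.compile(r"(\w+) tunnel\s+bytes_in=(\d+)\s+bytes_out=(\d+)")


def parse_wad_tunnel_stats(output):
    """Return {protocol: (bytes_in, bytes_out)} for every tunnel listed."""
    return {proto: (int(b_in), int(b_out))
            for proto, b_in, b_out in _STAT_RE.findall(output)}


def active_tunnels(stats):
    """Protocols whose tunnel has moved any bytes in either direction."""
    return sorted(p for p, (b_in, b_out) in stats.items() if b_in or b_out)


def diagnose_http(stats):
    """Rule from the troubleshooting text: HTTP bytes_in and bytes_out
    both zero means WAN optimization is not accepting HTTP packets."""
    b_in, b_out = stats.get("http", (0, 0))
    if b_in == 0 and b_out == 0:
        return "HTTP not accepted: recheck the security policy and rule ranges/port"
    return f"HTTP optimized: {b_in} bytes in, {b_out} bytes out"


if __name__ == "__main__":
    stats = parse_wad_tunnel_stats(SAMPLE_WAD_STATS)
    print(active_tunnels(stats))  # ['http']
    print(diagnose_http(stats))
```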
You can use the following command to display information about the WAN optimization web cache daemon. The command only displays information if the web cache daemon is running; the statistics shown include the number of open connections and other indications of activity:
    diagnose wacs stats
    Disk 0 /Internal-2B6375792136C707/wa_cs