Description

The article explains the best practices of WAN Optimization.

Scope

FortiGate.

Solution

1. WAN Optimization features require significant memory resources and generate a high amount of I/O on disk. Before enabling WAN Optimization, ensure that the memory usage is not too high.
2. If possible, avoid other disk-intensive features such as heavy traffic logging on the same disk as the one configured for WAN Optimization needs.
3. In general, it is preferable to enable the Transparent Mode checkbox and ensure that routing between the two endpoints is acceptable.
4. Some protocols may not work well without enabling Transparent Mode.
5. Make sure that both sides' Profile names, Peer-id, and Authentication profiles have the same Name.
   
6. In the case of a Wan-OPT tunnel failover required, the loop-back interface can be used on both sides.

Other best practices for utilizing the WAN Optimization feature follow.

Sharing the WAN Opt. tunnel for traffic of the same nature.
WAN optimization tunnel sharing is recommended for similar types of WAN optimization traffic (such as CIFS traffic from different servers).
However, tunnel sharing for different types of traffic is not recommended. For example, aggressive and non-aggressive protocols should not share the same tunnel.

Ordering WAN Opt. rules appropriately:

1. Precise, port-specific WAN Optimization rules should be at the top of the list.
2. Generic rules, such as overall TCP, should be at the bottom of the list.
3. Avoiding mixing protocols in a WAN Opt. tunnel.
4. Different protocols may be more or less talkative or interactive.
5. Web caching for HTTPS traffic is not supported if WAN optimization or FTP proxy is enabled: i.e., if srcintf is ftp-proxy or wanopt.
6. Mixing protocols in a tunnel may result in a delay for some of them. It is recommended to define protocol-specific wan-optimization rules and restrict the ports to the necessary ones only for performance reasons.
   

Ensure that the WAN Optimization rules cover TCP ports 139 and 445 (on the same or two different rules). Also, ensure that Transparent Mode is selected.

Setting correct configuration options for MAPI WAN Opt:
For MAPI WAN Optimization, only specify a rule with TCP port 135 (unless the MAPI control port is configured differently).
Derived data sessions using other random ports will be handled by the CIFS wan-optimization daemon even with only the control port configured.

Testing WAN Opt. in a lab:

1. Ensure that WAN emulators are used to simulate the WAN. If no WAN emulator is used, it is expected to have better results without WAN Optimization than with WAN Optimization.
2. To test the difference between cold transfers (first-time transfers) and warm transfers, it is recommended to generate a random file of the cold transfer to ensure that the test is the first time that the file has been seen.
3. Regarding network address translation (NAT).
   
   

Selecting the NAT feature in a security policy does not have any influence on WAN Optimization traffic.
The following scenario for the IPsec connection has been tested and verified: 
Client → FGT1 → FGT2 → Internal Network.

On FW2, WAN optimization has been enabled specifically for TCP traffic. Additionally, the internal destination network has been configured in the IPsec Phase 2 selectors. In the corresponding firewall policy that handles this traffic, TCP optimization is applied. As a result, when the client attempts to telnet to the internal network defined in the Phase 2 selector, the FW2 interface responds to the SYN packets directly instead of waiting for a response from the actual internal server.

High Availability.
There is no benefit to using active-active mode, so for pure WAN Optimization needs, use active-passive mode.

Authentication with specific peers.
WAN optimization authentication with specific peers, accepting any peer is not recommended, as this can be less secure.