FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
athirat
Staff
Staff
Description
In a manual (peer to peer) configuration the WAN optimization tunnel can be set up between one client-side FortiGate and one server-side FortiGate.
The peer ID of the server-side FortiGate is added to the client-side WAN optimization policy.
When the client-side FortiGate initiates a tunnel with the server-side FortiGate , the packets that initiate the tunnel include information that allows the server-side FortiGate to determine that it is a manual tunnel request.
The server-side FortiGate does not require a WAN optimization profile; Add the client peer host ID and IP address to the server-side FortiGate unit peer list and from the CLI an explicit proxy policy to accept WAN optimization tunnel connections.

Solution
Network topology:

- Client side FortiGate has wan IP address 10.109.17.11 and has lan network 10.220.0.0/20
- Server side FortiGate has wan IP address 10.109.17.10 and has lan network 10.230.0.0/20

Configuring the Client side FortiGate:

1) Enable the feature 'WAN OPT. & Cache'.




From CLI:
# config system settings
    set gui-wanopt-cache enable <-----
end
2) Add peers.

Go to WAN Opt. & Cache -> Peers and enter a Local Host ID for the client-side FortiGate.




Select 'Create NEW' and add the server-side FortiGate Peer Host ID and IP Address for the server-side FortiGate:





3) Configure a WAN optimization profile to optimize traffic (In this case, HTTP traffic).




4) Add a manual WAN optimization security policy.

- Create a policy from LAN towards WAN with manual wanopt set:
# config firewall policy
    edit 3
        set name "wan-opt-policy"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "lan"
        set dstaddr "server-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set wanopt enable
        set wanopt-detection off
        set wanopt-profile "default"
        set wanopt-peer "Server-FGT"
    next
end
Configuring the Server side FortiGate:

1) Set a Host ID and Add peer.





# config wanopt settings
    set host-id "Server-FGT"
end

# config wanopt peer
    edit "client-FGT"
        set ip 10.109.17.11
    next
end
2) Add a WAN optimization tunnel explicit proxy policy.
# configure firewall proxy-policy
    edit 0
        set proxy wanopt
        set dstintf port1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
end
Verification:

- Initiate traffic from client network to server network.
- Tunnel would be created between the 2 peers on TCP port 7810.
- Enter the following command to list all of the running WAN optimization tunnels and display information about each one. The command output for the client-side FortiGate shows 10 tunnels all created by peer-to-peer WAN optimization rules (auto-detect set to off).
FG3H1E-3 # diag wad tunnel list

Tunnel: id=11 type=manual
    vd=0 shared=no uses=0 state=2
    peer name=Server-FGT id=3 ip=10.109.17.10
    SSL-secured-tunnel=no auth-grp=
    bytes_in=484 bytes_out=884

Tunnel: id=10 type=manual
    vd=0 shared=no uses=0 state=2
    peer name=Server-FGT id=3 ip=10.109.17.10
    SSL-secured-tunnel=no auth-grp=
    bytes_in=100 bytes_out=164

Tunnel: id=8 type=manual
    vd=0 shared=no uses=0 state=2
    peer name=Server-FGT id=2 ip=10.109.17.10
    SSL-secured-tunnel=no auth-grp=
    bytes_in=68 bytes_out=104

Tunnel: id=9 type=manual
    vd=0 shared=no uses=0 state=2
    peer name=Server-FGT id=3 ip=10.109.17.10
    SSL-secured-tunnel=no auth-grp=
    bytes_in=68 bytes_out=104

Tunnel: id=6 type=manual
    vd=0 shared=no uses=0 state=2
    peer name=Server-FGT id=2 ip=10.109.17.10
    SSL-secured-tunnel=no auth-grp=
    bytes_in=68 bytes_out=104

Tunnel: id=7 type=manual
    vd=0 shared=no uses=0 state=2
    peer name=Server-FGT id=2 ip=10.109.17.10
    SSL-secured-tunnel=no auth-grp=
    bytes_in=68 bytes_out=104

Tunnel: id=2 type=manual
    vd=0 shared=no uses=0 state=2
    peer name=Server-FGT id=1 ip=10.109.17.10
    SSL-secured-tunnel=no auth-grp=
    bytes_in=132 bytes_out=224

Tunnel: id=4 type=manual
    vd=0 shared=no uses=0 state=2
    peer name=Server-FGT id=1 ip=10.109.17.10
    SSL-secured-tunnel=no auth-grp=
    bytes_in=68 bytes_out=104

Tunnel: id=5 type=manual
    vd=0 shared=no uses=0 state=2
    peer name=Server-FGT id=2 ip=10.109.17.10
    SSL-secured-tunnel=no auth-grp=
    bytes_in=68 bytes_out=104

Tunnel: id=1 type=manual
    vd=0 shared=no uses=0 state=2
    peer name=Server-FGT id=1 ip=10.109.17.10
    SSL-secured-tunnel=no auth-grp=
    bytes_in=68 bytes_out=104

Tunnel: id=3 type=manual
    vd=0 shared=no uses=0 state=2
    peer name=Server-FGT id=1 ip=10.109.17.10
    SSL-secured-tunnel=no auth-grp=
    bytes_in=68 bytes_out=104

Tunnels total=11 manual=11 auto=0
Related document.
https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/715540/fortios-wan-optimizati...


Contributors