veechee
New Contributor

Share your WAN Optimization experiences here

So I finally took the time to try WAN Optimization between two FortiGates. Both are 60Cs with 32 GB Class 10 SD cards installed, and 29 GB provisioned for WAN Optimization storage space. There are Windows servers at each site with SMB file shares. I did a rule set on each site to cache traffic requested by client PCs to the servers on each side. I made two rules: one for port 445, which I think was enough, but just in case I also made one for 49152-65535, which is the random port range Server 2008/Vista+ use in conjunction with port 445.

The results were fairly immediate and somewhat impressive. Downloading a 30 MB file will take 10 mins the first time, and only ~1 minute the second time - peaking at 2 MB/s file transfer versus maybe 40 KB/s for a non-cached file. However, I do notice increased latency versus before, so I'm reluctant to roll out optimization to the server to server traffic (the servers seem to use 445 for a lot of communication) and to traffic outside of CIFS/SMB.

I do think this has great potential but the Fortinet docs and knowledge base are lacking on examples for site-to-site traffic optimization (e.g., generic TCP optimization mentioned in the "Inside FortiOS" sheet but totally absent in any examples). If people are interested in my rule sets that I got to work I'd be happy to share them, and conversely I'd love to hear from others that have deployed WAN Optimization and where it is benefiting them.
romanr
Valued Contributor

Hi, As Outlook uses local caching of the Exchange mailboxes by default in versions 2007 and 2010, MAPI support is somehow a legacy thing... without local caching of the clients you should get some good results with MAPI! br, Roman
Maik
New Contributor II

Roman, are the "good results with MAPI" only a guess or did you actually test and see it by yourself?
romanr
Valued Contributor

Maik, I had some good results with MAPI in lab testing only... But as the new Outlook versions do cache the mailboxes very well (which also can get activated in 2003), the MAPI caching will in real life only be really helpful for public folders or so... if they get used... We had some very bad experiences though with CIFS when used with DFS in a 2008R2 network... sometimes the traffic between the FGTs maxed out without traffic from the clients... So we did not implement it in a real production environment... br, Roman
Maik
New Contributor II

Then it looks like I need to update my WanOpt know-how. It's currently based on support ticket information which became outdated with your test: "[...] MAPI protocol is currently supported for the purposes of identifying traffic. This is why you can observe that protocol is recognized, but is not actually optimized. [...] Current implementation only support general TCP acceleration for MAPI traffic, which may reduce latency for MAPI traffic through WAN. Other possible optimization such as byte-caching, compression, pre-fetching are not implemented." The MR3 release notes did not indicate a feature update in that direction, so I did not test again. Back to lab.
mbrowndcm
New Contributor III

Thanks guys for your responses. This information greatly deters me from implementing WAN optimization for CIFS. Thanks, Matt
" …you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - [link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond Chen[/link]
Carl_Wallmark
Valued Contributor

I just came across this article, maybe this is causing the delays: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD31764&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=19880856&stateId=0 0 19882354

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

mbrowndcm
New Contributor III

Signing is not packet encryption. Would be interesting to test anyway.
kinderu28
New Contributor

Hey guys, I've changed my topology a little bit, but encountered a problem. Now I have a computer between the 2 FG (which is also my server side). The idea that I had was: I've configured an IPsec tunnel between the 2 FG so that all traffic from the internal intf to the wan intf passes through the IPsec tunnel. My question is if I can apply WAN optimization over the IPsec tunnel. I am asking this because I don't seem to get the WAN opt tunnels up. I've used active-passive architecture with transparent mode enabled. My topology is smth like this:

client - fg1 --wan1-- server --wan1-- fg2
................................. |_____internal_|

So the server is between the FGs and also has a connection to the fg2 (in order for the traffic to arrive somewhere). Like I said, can I apply WAN opt over the IPsec tunnel? If so (and hope so), I must be missing something obvious. Thanks a lot
veechee
New Contributor

I don't totally understand your topology, but yes you can apply WAN Optimization over the IPSec links. Disregard the parts in the guide about using encrypted WAN Optimized tunnels and just set un-encrypted ones between local IPs on either side of the IPSec tunnel.
mbrowndcm
New Contributor III

Take a long look at this: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD32430&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=20290805&stateId=0%200%2020292067 You can remove a large portion of the configs and get what you want.