Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
kaslasma
New Contributor

Web Cache

Has anyone been successful at implementing basic web caching? I'm looking to implement with 4.2.1 or 4.2.2. Also, of any of the successful web caching deployments, has anyone tried to cache BITS for Windows updates, or whatever protocol Fortinet uses for the FortiClient updates? I know that a manager is capable of serving updates to the clients, but can a FG cache them as well? Thanks,
veechee
New Contributor

What kind of web cache do you want? Are you trying to do transparent web caching from WAN to LAN? I'd like to investigate this as well. I wonder if there is any way to web cache/WAN optimize RPC over HTTPS hosted/SaaS MS Exchange traffic? Has anyone considered something like this? From what I was reading, the web cache for HTTPS needs to have the certificate imported, which likely makes this impossible as the host is not likely to share this.
kaslasma
New Contributor

Veechee, I wanted to do basic web caching. I have a large user count (250) behind a small internet connection (T1). I desperately needed a solution for all my Windows update issues and I absolutely hate WSUS. I know that WAN Opt is a new feature for Fortinet. I've been a long time Fortinet user and understand all of their development / QA issues. This is a brief write up to help show others my result and generate some positive news to the Fortinet forums.

I am running 4.2.2 on a 111C. I used the Web Caching document Fortinet provides on their docs site. My cache settings are default firmware load. http://docs.fortinet.com/fgt/handbook/fortigate_wanopt_cache_proxy-40-mr2.pdf

Just like their guide says, I have a firewall policy allowing traffic to the internet. I then created a WAN Opt & Cache rule. I selected Web Cache Only, entered my internal subnet 10.1.1.* as the source (read the guide's IP format as it doesn't follow standard Fortinet allowance of CIDR notation), destination 0.0.0.0, port 80, and that's it! One of the simplest "advanced" tasks I've deployed with my FG unit.

I have attached a simple screen shot of the gains the past hour. This is a handful of computers downloading updates. This was taken while new updates were still being downloaded. I am continuing to see the reduction rate decrease. Again, this is a very basic configuration with computers downloading Windows Updates, not multiple users randomly browsing. The gains from updates alone are worth it for us! This will definitely help encourage more web caching deployments.

With regard to the HTTPS traffic, I would assume this is referencing the same certificate setup used for Deep Inspection (SSL Interception) which would make it more than accomplishable. I hope this helps others out! Thanks,
veechee
New Contributor

Thanks for the positive report. Do you think multiple rules could be created to allow caching of only Windows Updates and updates from other vendors (I get a lot of traffic generated by Symantec LiveUpdate)? I have enough WAN speed that I don't want to start caching everything users do. If I did, I think the web cache would just fill up with YouTube videos and Facebook pictures. j/k
Frosty
Contributor

Sorry to dredge up an old thread, but I am trying to get this working with my 200B and not having any luck. I am on the latest firmware: v4.0,build0291,100824 (MR2 Patch 2). Wondering if someone here who actually has this working would be prepared to interact with me a bit via email, to compare settings? I thought it might be easiest if I screen capped mine for someone to take a look at, but probably don't want to post them all here for security reasons.

veechee
New Contributor

Hi Stephen, I'm still eager to do this too. I tried what kaslasma did for a very short while, but I found that it made latency higher, which I did not like. That's why I'd like to isolate it to tasks that are bandwidth heavy and where latency does not matter. However, I can't identify all the IPs that Windows Update, Symantec, etc. use to update from because they use multiple servers. Also, more and more services are using SSL to do this which also won't work easily, as far as I understand. Please post any results you've managed to get with this feature. I will soon do CIFS optimizing between offices, but I'm not yet ready to try it.
ede_pfau
SuperUser

Stephen, do you have an FSM module for your FG200B to store the cached data on? It doesn't come with internal storage. Still, some WAN optimization is available but not web proxying.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Frosty

Yes, I have the 64GB SSD module (FSM) installed in my 200B. Last week I opened a support ticket with Fortinet and after a couple of back and forward exchanges they made this response:

"After further checking in the lab here, it looks like you can't achieve "transparent web cache for all outbound traffic from our internal network segments" by using transparent web caching. This is because the WAN optimization is used when data is transmitted across the WAN, i.e. between the WAN and web servers. For doing transparent web cache for all outbound traffic, I think you can only achieve with web proxy."

Now I'm not sure I understand what that means! I had been assuming that I could simply activate transparent web caching without needing to have explicit proxy settings and/or proxy settings in the user's browser ... am I missing something here?
veechee
New Contributor

Stephen, Fortinet's response fits with my own testing. I have not been able to reproduce what 'kaslasma' shows above for Web Caching. If I set a destination of 0.0.0.0 I can leave it for 3 or 4 days and only have reduced my web traffic by 2 KB. I've been working on rules today to use WAN Optimization for HTTP, FTP and CIFS over an IPSec link between two FortiGates and I am having better success. However, the documentation for WAN Optimization is not easy to follow and it's therefore been a lot of trial and error.
kaslasma
New Contributor

My optimization worked for about 12 hours, then randomly stopped. I have had a support ticket open since I made my post. I have restored config files, reproduced my steps and I too no longer see any optimization benefits. Working with support, they even placed me on a special build that is supposed to use the new WAN opt engine from 4.3, and no luck. I know that my configuration was very basic. No WAN opt, just transparent web-cache. I have learned a lot in regard to the debugging for WAN opt but have not had any success. I know my ticket has been escalated to an L2 engineer, but it has been a few weeks since I have heard from him. If they are ever able to figure out what the deal is I'll let you guys know. My best guess is another bug issue in their code :(.