kaslasma
New Contributor

Web Cache

Has anyone been successful at implementing basic web caching? I'm looking to implement with 4.2.1 or 4.2.2. Also, of any of the successful web caching deployments, has anyone tried to cache BITS for Windows updates? Or whatever protocol Fortinet uses for the FortiClient updates? I know that a manager is capable of serving updates to the clients, but can a FG cache them as well? Thanks,
Frosty
Contributor

OK, so it's not just me then! I recall that the very first few minutes when I turned on the caching it seemed to work, but after about 20-30 minutes it eventually stopped producing any useful stats. So I assumed that I'd misconfigured things and that is what set me off on trying dozens of different configuration ideas, none of which worked. My expectation is this: I turn on web caching from source 192.168.0.0/16 (my LAN) to destination 0.0.0.0 (everything) just for port 80 ... and then the Fortigate magically caches all traffic which comes back into the device in response to outgoing port 80 requests. What do I think it may be doing? Maybe it's caching the port 80 requests (the outgoing HTTP requests) and isn't caching the responses? I don't know. It seems like such a simple concept to me ... I really don't want to have to fiddle with proxies, group policies and .PAC files on clients ... the whole idea of web caching appealed to me because I thought it would enable me to get rid of all that stuff!
kaslasma
New Contributor

I agree with the simple concept. As you can imagine I was ecstatic to see the results I was getting; now it often appears to have more WAN traffic than LAN traffic for negative caching :-X The other products I've used, it has been that simple, if not easier! I even skimmed through the 4.2.3 release notes hoping to find something mentioning a bug confirmation or resolution, but no luck. You would think with the release of the 60Cs, and other models supporting SSDs, we would see more progress. Maybe other people have better luck with WAN Opt instead of caching? I haven't tried that yet...
Frosty
Contributor

kaslasma, any chance you could post a screenshot of your web cache rule ... the one which initially worked and produced the obviously good caching results in the screen cap earlier in the thread? I would just like to see what it looked like after entering it, particularly: the format of the source and destination addressing, and the format of the port (e.g. 80) ... mine always formats itself as 80-80.
veechee
New Contributor

I've got web caching set up between a head office FGT-60C and a remote office FWF-60C. The head office unit has a 32 GB Class 10 SD card. The remote office has the 4 GB SD card. I observe no restrictions based on not having the larger card installed in that unit. Both units are connected by IPSec link using static IPs. Following the documentation, I enabled 'tunnel-sharing' to shared for CIFS rules and to private for HTTP and FTP rules. I am not using SSL or Secure Tunnels on any protocols, but I did use the firmware certificate for authenticating the rules, which worked. I later turned that off and the rules still worked. All my observations have been done via SSL VPN on both endpoints, and using a Terminal Server inside the head office network (I'm on holidays, which is where I found the time to work on this!).
- I have HTTP and FTP traffic successfully caching.
- I had to exclude caching the FGT/FWF management interface itself because when I had the whole IP range set to cache, I could not access the interface. I got a proxy error message. The Fortinet documentation does not mention this!
- CIFS caching I cannot make work. If I enable the rules for CIFS, it breaks my file shares. At first it looks like they work, and I got some reductions reported in the Monitor, but then they break. From then on, on every connection attempt to a share I see it go up by 60-80 bytes, which I assume is some attempt at authenticating, but it fails in Windows. I've tried to cache using both all ports and isolating to 139 and 445, and the results are the same. I guess I need to open a ticket with Fortinet about this.
- Caching over SSL VPN works when pulling resources across the IPSec link. This is a nice feature.
ejhardin
Contributor

FYI, the WAN opt cache rules will not cache if a firewall rule has any of the UTM options enabled. You can use VDOMs to config your device like the example in the manual: WAN opt device (root VDOM) and the security device (second VDOM).
Frosty
Contributor

Thanks ejhardin! That's the key, and that's exactly the response I got back from Fortinet support when I logged a ticket about it. Sorry for my delay in responding, but I've been away on leave for a month and only just got back on deck today. I will be arranging to get our Fortigate consultant experts in some time in the next few weeks and we'll have a go at setting up VDOMs to do the caching functions. Will post again once done to report on how it went.
Frosty
Contributor

Okay, very pleased to report that we had our Fortigate expert consultant out on site today and he has successfully implemented VDOMs for us (one for our main firewall, one for a transparent proxy) and we now have transparent web caching working really well. I'm really pleased with the final outcome. So the key seems to me (a) you must be routing traffic from one Fortigate firewall to another (we get around this by using VDOMs); and (b) no UTM on the transparent proxy! He also solved my LDAP setup problems for me ... we can now authenticate people against Security Groups instead of just OUs for SSL VPN access.
ede_pfau
SuperUser

Stephen, would you please update your LDAP post if you find the time? Thanks.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Frosty
Contributor

Done that now ... cheers!
Frosty
Contributor

A word of warning: we had been running 4.0 MR2 Patch Level 2 and were advised to update to Patch Level 3 to fix a minor glitch in SSL VPN web access. Unfortunately it seems that Patch Level 3 wrecks something performance-wise ... since the upgrade we've been getting sites not loading (at all), sites partially loading, SSL certificate errors, and so on. We've now downgraded back to v4.0 MR2 Patch Level 2 and the performance issues have gone away...