Configuring WAN optimization with secure tunneling - web‑based manager
Use the following steps to set up the example WAN optimization configuration from the web‑based manager of the client-side and server-side FortiGate units. (CLI steps follow.)
To configure the client-side FortiGate unit
1. Go to WAN Opt. & Cache > WAN Opt. Peer > Peer and enter a Local Host ID for the client-side FortiGate unit:
2. Select Apply to save your setting.
3. Select Create New and add a Peer Host ID and the IP Address for the server-side FortiGate unit:
Peer Host ID | Server-Fgt |
IP Address | 192.168.20.1 |
4. Select OK.
5. Go to WAN Opt. & Cache > WAN Opt. Peer > Authentication Group and select Create New to add the authentication group to be used for secure tunneling:
Name | Auth-Secure-Tunnel |
Authentication Method | Pre-shared key |
Password | 2345678 |
Peer Acceptance | Accept Any Peer |
6. Select OK.
7. Go to WAN Opt. & Cache > WAN Opt. Profile > Profile and select Create New to add a WAN optimization profile that enables secure tunneling and includes the authentication group:
Name | Secure-wan-op-pro |
Transparent Mode | Select |
Authentication Group | Auth-Secure-Tunnel |
8. Select the HTTP protocol, select Secure Tunneling and Byte Caching and set the Port to 80.
9. Select OK.
10. Go to Firewall Objects > Address > Address and select Create New to add a firewall address for the client network.
Category | Address |
Name | Client-Net |
Type | Subnet |
Subnet / IP Range | 172.20.120.0/24 |
Interface | port1 |
11. Select Create New to add a firewall address for the web server network.
Category | Address |
Address Name | Web-Server-Net |
Type | Subnet |
Subnet / IP Range | 192.168.10.0/24 |
Interface | port2 |
12. Go to Policy > Policy > Policy and select Create New to add an active WAN optimization security policy:
Policy Type | Firewall |
Policy Subtype | Address |
Incoming Interface | port1 |
Source Address | Client-Net |
Outgoing Interface | port2 |
Destination Address | Web-Server-Net |
Schedule | always |
Service | HTTP |
Action | ACCEPT |
13. Turn on Antivirus and select the default antivirus profile.
14. Select Enable WAN Optimization and configure the following settings:
Enable WAN Optimization | active |
Profile | Secure-wan-op-pro |
15. Select OK.
To configure the server-side FortiGate unit
1. Go to WAN Opt. & Cache > WAN Opt. Peer > Peer and enter a Local Host ID for the server-side FortiGate unit:
2. Select Apply to save your setting.
3. Select Create New and add a Peer Host ID and the IP Address for the client-side FortiGate unit:
Peer Host ID | Client-Fgt |
IP Address | 172.30.120.1 |
4. Select OK.
5. Go to WAN Opt. & Cache > WAN Opt. Peer > Authentication Group and select Create New to add an authentication group to be used for secure tunneling:
Name | Auth-Secure-Tunnel |
Authentication Method | Pre-shared key |
Password | 2345678 |
Peer Acceptance | Accept Any Peer |
6. Select OK.
7. Go to Firewall Objects > Address > Address and select Create New to add a firewall address for the client network.
Category | Address |
Name | Client-Net |
Type | Subnet |
Subnet / IP Range | 172.20.120.0/24 |
Interface | port1 |
8. Select Create New to add a firewall address for the web server network.
Category | Address |
Address Name | Web-Server-Net |
Type | Subnet |
Subnet / IP Range | 192.168.10.0/24 |
Interface | port2 |
9. Go to Policy > Policy > Policy and select Create New to add a WAN optimization tunnel policy.
Policy Type | Firewall |
Policy Subtype | Address |
Incoming Interface | wanopt |
Source Address | all |
Outgoing Interface | port1 |
Destination Address | all |
Schedule | always |
Service | ALL |
Action | ACCEPT |
10. Select OK.
11. Select Create New to add a passive WAN optimization policy that applies application control.
Policy Type | Firewall |
Policy Subtype | Address |
Incoming Interface | port2 |
Source Address | Client-Net |
Outgoing Interface | port1 |
Destination Address | Web-Server-Net |
Schedule | always |
Service | ALL |
Action | ACCEPT |
12. Turn on Application Control and select the default application control sensor.
13. Select Enable WAN Optimization and configure the following settings:
Enable WAN Optimization | passive |
Passive Option | default |
14. Select OK.
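The procedure enters the same authentication group name and pre-shared key on both units and references object names across steps. The following added example, which is not part of the original page or Fortinet tooling, cross-checks those values before they are typed in. The dictionary keys and the MIN_PSK_LEN threshold are assumptions made for illustration, as is the premise that names must match exactly, including case.

```python
MIN_PSK_LEN = 16  # assumed local policy value, not a FortiOS limit

def audit(client, server):
    """Cross-check both units' settings; return a list of finding strings."""
    findings = []
    for side, cfg in (("client", client), ("server", server)):
        group = cfg["auth_group"]
        ref = cfg.get("profile_auth_group")  # only the client side has a profile
        if ref is not None and ref != group["name"]:  # exact, case-sensitive
            findings.append(f"{side}: profile auth group {ref!r} != {group['name']!r}")
        pol = cfg.get("policy_profile")
        if pol is not None and pol != cfg.get("profile_name"):
            findings.append(f"{side}: policy profile {pol!r} != {cfg.get('profile_name')!r}")
        psk = group["psk"]
        # Report the weakness without echoing the key itself.
        if len(psk) < MIN_PSK_LEN or psk.isdigit():
            findings.append(f"{side}: pre-shared key is short or digits only")
        if group["peer_acceptance"] == "Accept Any Peer":
            findings.append(f"{side}: Peer Acceptance is not limited to defined peers")
    if client["auth_group"]["name"] != server["auth_group"]["name"]:
        findings.append("auth group name differs between units")
    if client["auth_group"]["psk"] != server["auth_group"]["psk"]:
        findings.append("pre-shared key differs between units")
    return findings

def make_group():
    # Values from the Authentication Group step of this procedure.
    return {"name": "Auth-Secure-Tunnel", "psk": "2345678",
            "peer_acceptance": "Accept Any Peer"}

# Constructed sample input. The client profile reference differs from the
# group name in case only, a slip that is easy to make when retyping names.
CLIENT = {"auth_group": make_group(), "profile_name": "Secure-wan-op-pro",
          "profile_auth_group": "Auth-Secure-tunnel",
          "policy_profile": "Secure-wan-op-pro"}
SERVER = {"auth_group": make_group()}

if __name__ == "__main__":
    for finding in audit(CLIENT, SERVER):
        print(finding)
```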