Configuring WAN optimization with secure tunneling - web‑based manager
Use the following steps to set up the example WAN optimization configuration from the web‑based manager of the client-side and server-side FortiGate units. (CLI steps follow.)
To configure the client-side FortiGate unit
1. Go to WAN Opt. & Cache > WAN Opt. Peers > Peers and enter a Local Host ID for the client-side FortiGate unit:
2. Select Apply to save your setting.
3. Select Create New and add a Peer Host ID and the IP Address for the server-side FortiGate unit:
Peer Host ID | Server-Fgt |
IP Address | 192.168.20.1 |
4. Select OK.
5. Go to WAN Opt. & Cache > WAN Opt. Peers > Authentication Groups and select Create New to add the authentication group to be used for secure tunneling:
Name | Auth-Secure-Tunnel |
Authentication Method | Pre-shared key |
Password | 2345678 |
Peer Acceptance | Accept Any Peer |
6. Select OK.
7. Go to WAN Opt. & Cache > WAN Opt. Profiles > Profiles and select Create New to add a WAN optimization profile that enables secure tunneling and includes the authentication group:
Name | Secure-wan-op-pro |
Transparent Mode | Select |
Authentication Group | Auth-Secure-Tunnel |
8. Select the HTTP protocol, select Secure Tunneling and Byte Caching and set the Port to 80.
9. Select OK.
10. Go to Policy & Objects > Objects > Addresses and select Create New to add a firewall address for the client network.
Category | Address |
Name | Client-Net |
Type | Subnet |
Subnet / IP Range | 172.20.120.0/24 |
Interface | port1 |
11. Select Create New to add a firewall address for the web server network.
Category | Address |
Address Name | Web-Server-Net |
Type | Subnet |
Subnet / IP Range | 192.168.10.0/24 |
Interface | port2 |
12. Go to Policy & Objects > Policy > IPv4 and select Create New to add an active WAN optimization security policy:
Incoming Interface | port1 |
Source Address | Client-Net |
Outgoing Interface | port2 |
Destination Address | Web-Server-Net |
Schedule | always |
Service | HTTP |
Action | ACCEPT |
13. Turn on WAN Optimization and configure the following settings:
WAN Optimization | active |
Profile | Secure-wan-op-pro |
14. Select OK.
To configure the server-side FortiGate unit
1. Go to WAN Opt. & Cache > WAN Opt. Peers > Peers and enter a Local Host ID for the server-side FortiGate unit:
2. Select Apply to save your setting.
3. Select Create New and add a Peer Host ID and the IP Address for the client-side FortiGate unit:
Peer Host ID | Client-Fgt |
IP Address | 172.30.120.1 |
4. Select OK.
5. Go to WAN Opt. & Cache > WAN Opt. Peers > Authentication Groups and select Create New to add an authentication group to be used for secure tunneling:
Name | Auth-Secure-Tunnel |
Authentication Method | Pre-shared key |
Password | 2345678 |
Peer Acceptance | Accept Any Peer |
6. Select OK.
7. Go to Policy & Objects > Objects > Addresses and select Create New to add a firewall address for the client network.
Category | Address |
Name | Client-Net |
Type | Subnet |
Subnet / IP Range | 172.20.120.0/24 |
Interface | port1 |
8. Select Create New to add a firewall address for the web server network.
Category | Address |
Address Name | Web-Server-Net |
Type | Subnet |
Subnet / IP Range | 192.168.10.0/24 |
Interface | port2 |
9. Select OK.
10. Select Create New to add a passive WAN optimization policy that applies application control.
Incoming Interface | port2 |
Source Address | Client-Net |
Outgoing Interface | port1 |
Destination Address | Web-Server-Net |
Schedule | always |
Service | ALL |
Action | ACCEPT |
11. Turn on WAN Optimization and configure the following settings:
WAN Optimization | passive |
Passive Option | default |
12. Select OK.
13. From the CLI enter the following command to add a WAN optimization tunnel explicit proxy policy.
config firewall explicit-proxy-policy
    edit 0
        set proxy wanopt
        set dstintf port1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
end
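
A pre-deployment check for the two procedures above, as an added example that is not part of the original page or Fortinet's code: it parses the planned CLI scripts for both units and reports when the authentication group used by an HTTP secure-tunneling profile is missing, or carries a different pre-shared key, on the other unit. The CLI key names (config wanopt auth-group, set psk, set secure-tunnel), case-sensitive name matching and the cleartext key in the scripts are assumptions (a configuration backup stores the key encrypted), and both script excerpts are constructed.

```python
# Added example, not Fortinet code; CLIENT/SERVER are constructed CLI scripts.
CLIENT = """config wanopt auth-group
edit "Auth-Secure-Tunnel"
set psk 2345678
end
config wanopt profile
edit "Secure-wan-op-pro"
set auth-group "Auth-Secure-Tunnel"
config http
set secure-tunnel enable
end
end"""
SERVER = """config wanopt auth-group
edit "Auth-Secure-tunnel"
set psk 2345678
end"""

def parse(text):
    """Parse config/edit/set/next/end lines into nested dicts."""
    root = {}
    stack, cur = [], root  # stack of (keyword, parent node)
    for tok in (ln.split() for ln in text.splitlines() if ln.strip()):
        if tok[0] in ("config", "edit"):
            stack.append((tok[0], cur))
            cur = cur.setdefault(" ".join(tok[1:]).strip('"'), {})
        elif tok[0] == "set":
            cur[tok[1]] = " ".join(tok[2:]).strip('"')
        elif tok[0] == "next":
            cur = stack.pop()[1]
        elif tok[0] == "end":  # also closes an edit left open without "next"
            kind = "edit"
            while kind == "edit":
                kind, cur = stack.pop()
    return root

def audit(client_text, server_text):  # one finding per broken tunnel profile
    client, server = parse(client_text), parse(server_text)
    findings = []
    for name, prof in client.get("wanopt profile", {}).items():
        if prof.get("http", {}).get("secure-tunnel") != "enable":
            continue  # only HTTP secure tunneling, as configured on this page
        group = prof.get("auth-group")
        mine = client.get("wanopt auth-group", {}).get(group)
        peer = server.get("wanopt auth-group", {}).get(group)  # case-sensitive
        if mine is None or peer is None:
            findings.append(f"{name}: auth group {group!r} missing on one unit")
        elif mine.get("psk") != peer.get("psk"):
            findings.append(f"{name}: pre-shared key differs for {group!r}")
    return findings
```

Calling audit(CLIENT, SERVER) on the constructed excerpts reports the server-side group name that differs only in the case of one letter.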