Chapter 23 WAN Optimization, Web Cache, Explicit Proxy, and WCCP : Configuration examples : Example: Adding secure tunneling to an active-passive WAN optimization configuration : Configuring WAN optimization with secure tunneling - CLI
  
Configuring WAN optimization with secure tunneling - CLI
Use the following steps to configure the example WAN optimization configuration from the client-side and server-side FortiGate unit CLI.
To configure the client-side FortiGate unit
1. Add the Local Host ID to the client-side FortiGate configuration:
config wanopt settings
set host-id Client-Fgt
end
2. Add the server-side Local Host ID to the client-side peer list:
config wanopt peer
edit Server-Fgt
set ip 192.168.20.1
end
3. Add a new authentication group to be used for secure tunneling. The short numeric PSK shown here is for illustration only; in production use a long, randomly generated pre-shared key, and configure the identical group name and key on the server-side unit:
config wanopt auth-group
edit Auth-Secure-Tunnel
set auth-method psk
set psk 2345678
end
Leave peer-accept at its default value.
4. Add a WAN optimization profile that includes the authentication group, enables HTTP protocol optimization, and enables secure tunneling and byte caching for HTTP traffic:
config wanopt profile
edit Secure-wan-opt-pro
set auth-group Auth-Secure-Tunnel
config http
set status enable
set secure-tunnel enable
set byte-caching enable
set port 80
end
end
5. Add a firewall address for the client network.
config firewall address
edit Client-Net
set type ipmask
set subnet 172.20.120.0 255.255.255.0
set associated-interface port1
end
6. Add a firewall address for the web server network.
config firewall address
edit Web-Server-Net
set type ipmask
set subnet 192.168.10.0 255.255.255.0
set associated-interface port2
end
7. Add an active WAN optimization security policy that includes the WAN optimization profile that enables secure tunneling. The profile name in the policy must match the name the profile was created with exactly. The policy as shown applies no antivirus profile; if the HTTP traffic is also to be virus scanned, add an antivirus profile to this policy:
config firewall policy
edit 0
set srcintf port1
set dstintf port2
set srcaddr Client-Net
set dstaddr Web-Server-Net
set action accept
set service HTTP
set schedule always
set wanopt enable
set wanopt-detection active
set wanopt-profile Secure-wan-opt-pro
end
To configure the server-side FortiGate unit
1. Add the Local Host ID to the server-side FortiGate configuration:
config wanopt settings
set host-id Server-Fgt
end
2. Add the client-side Local Host ID to the server-side peer list:
config wanopt peer
edit Client-Fgt
set ip 172.20.120.1
end
3. Add the same authentication group (same name and same pre-shared key) that the client-side unit uses for secure tunneling:
config wanopt auth-group
edit Auth-Secure-Tunnel
set auth-method psk
set psk 2345678
end
Leave peer-accept at its default value.
4. Add a firewall address for the client network.
config firewall address
edit Client-Net
set type ipmask
set subnet 172.20.120.0 255.255.255.0
set associated-interface port1
end
5. Add a firewall address for the web server network.
config firewall address
edit Web-Server-Net
set type ipmask
set subnet 192.168.10.0 255.255.255.0
set associated-interface port2
end
6. Add a passive WAN optimization policy.
config firewall policy
edit 0
set srcintf port1
set dstintf port2
set srcaddr Client-Net
set dstaddr Web-Server-Net
set action accept
set service ALL
set schedule always
set wanopt enable
set wanopt-detection passive
set wanopt-passive-opt default
end
7. Add an explicit proxy policy that accepts the WAN optimization tunnel from the client-side FortiGate unit:
config firewall explicit-proxy-policy
edit 0
set proxy wanopt
set dstintf port1
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ALL
next
end
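Because the two units are configured separately, most failures in this setup are cross-side mismatches: a peer entry whose name differs from the other unit's host-id, a pre-shared key that differs between the two auth-groups, or an active policy that references the WAN optimization profile under a name other than the one it was created with. The following Python script is an added example, not Fortinet code and not part of the original page. It parses FortiOS-style CLI fragments (config/edit/set/next/end) with a small parser and checks the client-side and server-side configurations against each other. The embedded client and server samples are constructed from the steps above, with a deliberately mis-typed profile name in the client policy and the short example PSK left in place so that both findings are reported; the 16-character PSK minimum is an assumed local policy, not a FortiOS requirement.

```python
"""Lint an active/passive FortiGate WAN optimization pair (added example, not Fortinet code)."""

# Constructed client-side sample; the policy names the profile slightly differently than it was created.
CLIENT_CFG = """\
config wanopt settings
set host-id Client-Fgt
end
config wanopt peer
edit Server-Fgt
set ip 192.168.20.1
end
config wanopt auth-group
edit Auth-Secure-Tunnel
set auth-method psk
set psk 2345678
end
config wanopt profile
edit Secure-wan-op-pro
set auth-group Auth-Secure-Tunnel
config http
set secure-tunnel enable
end
end
config firewall policy
edit 0
set wanopt-detection active
set wanopt-profile Secure-wan-opt-pro
end
"""
# Constructed server-side sample (firewall addresses omitted).
SERVER_CFG = """\
config wanopt settings
set host-id Server-Fgt
end
config wanopt peer
edit Client-Fgt
set ip 172.20.120.1
end
config wanopt auth-group
edit Auth-Secure-Tunnel
set auth-method psk
set psk 2345678
end
config firewall policy
edit 0
set wanopt-detection passive
end
config firewall explicit-proxy-policy
edit 0
set proxy wanopt
end
"""
MIN_PSK_LEN = 16  # assumed local policy; FortiOS itself accepts shorter keys

def parse_fortios(text):
    """Parse FortiOS CLI (config/edit/set/next/end) into {table: {entry: {attr: value}}}; a config
    nested inside an edit is stored as 'parent/sub' under the parent entry, edit-less tables under ''."""
    tables, stack = {}, []  # stack frames: [table, current entry]
    for raw in text.splitlines():
        parts = raw.split(None, 2)
        if not parts:
            continue
        if parts[0] == "config":
            name = " ".join(parts[1:])
            name, entry = (stack[-1][0] + "/" + name, stack[-1][1]) if stack else (name, "")
            stack.append([name, entry])
        elif parts[0] == "edit":
            stack[-1][1] = parts[1]
        elif parts[0] == "set":
            tables.setdefault(stack[-1][0], {}).setdefault(stack[-1][1], {})[parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "next":
            stack[-1][1] = ""
        elif parts[0] == "end":
            stack.pop()
    return tables

def check_pair(client, server):
    problems = []  # problems that would keep the two sides from bringing up the secure tunnel
    for side, cfg, other in (("client", client, server), ("server", server, client)):
        peer_id = other.get("wanopt settings", {}).get("", {}).get("host-id")
        if peer_id not in cfg.get("wanopt peer", {}):
            problems.append(f"{side} has no wanopt peer entry named {peer_id!r}")
    # The auth-group must exist under the same name on both sides with the same, non-trivial PSK.
    for name, grp in client.get("wanopt auth-group", {}).items():
        if server.get("wanopt auth-group", {}).get(name, {}).get("psk") != grp.get("psk"):
            problems.append(f"auth-group {name!r}: PSK missing or different on server")
        if len(grp.get("psk", "")) < MIN_PSK_LEN:
            problems.append(f"auth-group {name!r}: PSK shorter than {MIN_PSK_LEN} characters")
    # The active policy must reference a profile that actually exists on the client.
    for pid, pol in client.get("firewall policy", {}).items():
        prof = pol.get("wanopt-profile")
        if pol.get("wanopt-detection") == "active" and prof not in client.get("wanopt profile", {}):
            problems.append(f"client policy {pid}: wanopt-profile {prof!r} is not defined")
    # The server needs a passive policy and an explicit-proxy policy that accepts the tunnel.
    if not any(p.get("wanopt-detection") == "passive" for p in server.get("firewall policy", {}).values()):
        problems.append("server has no passive WAN optimization policy")
    if not any(p.get("proxy") == "wanopt" for p in server.get("firewall explicit-proxy-policy", {}).values()):
        problems.append("server has no explicit-proxy policy with 'set proxy wanopt'")
    return problems
```

To use it on real units, paste the `show` output of the wanopt and firewall tables from each FortiGate into the two strings; the parser only needs the config/edit/set/next/end structure that `show` emits. With the samples as constructed, `check_pair` reports the short PSK and the undefined profile name; once the profile name is made consistent and a long identical PSK is set on both sides, it returns an empty list.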