This is a feature I have never seen in the Cisco ASA or in the Check Point firewall, and after reading the original documentation for it I realised that it can do much more than I ever expected! :-)
The post contains useful notes from the original doc and my summary for the FCNSP certification. Hopefully this is enough to pass it…
WAN optimization Feature List
- Protocol optimization – can improve the efficiency of traffic that uses the CIFS, FTP, HTTP or MAPI protocol, as well as general TCP traffic.
- Byte caching – caches files and other data on FortiGate units to reduce the amount of data transmitted across the WAN
- Web caching – stores web pages on FortiGate units to reduce latency and delays between the WAN and web servers
- SSL offloading – offloads SSL decryption and encryption from web servers onto FortiGate SSL acceleration hardware
- Secure tunnelling – secures WAN optimization traffic as it crosses the WAN
- Explicit web proxy server – Users on your internal network can browse the Internet through the explicit web proxy server
- Explicit FTP proxy server – Users on your internal network can connect to FTP servers through the explicit FTP proxy server
- Reverse proxy – You can also configure these proxies to protect access to web or FTP servers behind the FortiGate unit using a reverse proxy configuration
- WCCP (client or server) – WCCP provides the ability to offload web caching to one or more redundant web caching servers
Requirements:
– Both WAN optimization and web caching require that the FortiGate unit has a hard disk: a WAN optimization storage device is mandatory!
– A firewall policy used for WAN optimization cannot contain any UTM feature.
– If the firewall policy includes any UTM feature, sessions accepted by that policy are processed by the UTM engine and not by WAN optimization!
Disable UTM on that policy, or create two VDOMs (one with the UTM policy and one with WAN optimization).
1. Protocol optimization:
Supported protocols:
– CIFS
– FTP
– HTTP
– MAPI
– TCP
TCP protocol optimization – uses techniques such as TCP SACK support, TCP window scaling and window size adjustment, and TCP connection pooling to remove TCP bottlenecks.
2. Byte caching
How it works:
A) breaks large units of application data into small chunks of data
B) labels each chunk of data with a hash of the chunk
C) stores those chunks and their hashes in a database
D) sends the hashes over the WAN tunnel
E) The FortiGate unit at the other end of the tunnel receives the hashes and compares them with the hashes in its local byte caching database
– If any hashes match, that data does not have to be transmitted over the WAN optimization tunnel.
– If no match is found, the data is transferred over the tunnel and added to that byte caching database.
F) Then the unit of application data (the file being downloaded) is reassembled and sent to its destination.
The stored byte caches are not application specific.
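The chunk/hash/compare cycle described above, as an added Python example that is not FortiGate code: the chunk size, the SHA-256 chunk hash and the function-call "tunnel" are assumptions made for the illustration. It models both tunnel endpoints, counts how many bytes would cross the WAN, and shows why the second download of the same file is cheap: only the hashes are sent. The receiver also verifies that every chunk it is handed hashes to the label it was advertised under, so a corrupted chunk cannot be stored under a wrong key.

```python
# Added example (not FortiGate code): a simplified model of byte caching.
# Assumptions: fixed-size chunks and SHA-256 chunk hashes; real products use
# their own chunking and hashing, and the "tunnel" here is a function call.
import hashlib

CHUNK_SIZE = 4096  # assumed chunk size


def split_chunks(data: bytes, size: int = CHUNK_SIZE) -> list:
    """Step A: break the application data into small chunks."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def chunk_hash(chunk: bytes) -> str:
    """Step B: label a chunk with its hash (hex string, 64 bytes on the wire here)."""
    return hashlib.sha256(chunk).hexdigest()


class BytePeer:
    """One tunnel endpoint holding a byte cache keyed by chunk hash (step C)."""

    def __init__(self):
        self.cache = {}

    def learn(self, chunks):
        for c in chunks:
            self.cache[chunk_hash(c)] = c

    def missing(self, hashes):
        """Hashes absent from the local database, deduplicated, in first-seen order."""
        return list(dict.fromkeys(h for h in hashes if h not in self.cache))

    def store(self, h, chunk):
        # Integrity check: a received chunk must hash to the label it was
        # advertised under, otherwise a bad chunk would poison the cache.
        if chunk_hash(chunk) != h:
            raise ValueError("chunk does not match advertised hash")
        self.cache[h] = chunk

    def reassemble(self, hashes):
        """Step F: rebuild the original data from the cached chunks."""
        return b"".join(self.cache[h] for h in hashes)


def transfer(sender: BytePeer, receiver: BytePeer, data: bytes):
    """Push data through the simulated tunnel; returns (reassembled data, bytes on the WAN)."""
    chunks = split_chunks(data)
    hashes = [chunk_hash(c) for c in chunks]
    sender.learn(chunks)
    wan_bytes = sum(len(h) for h in hashes)      # step D: only the hashes cross the tunnel
    for h in receiver.missing(hashes):           # step E: the peer compares with its database
        chunk = sender.cache[h]                  # no match: the chunk itself is sent ...
        receiver.store(h, chunk)                 # ... and added to the receiver's cache
        wan_bytes += len(chunk)
    return receiver.reassemble(hashes), wan_bytes


def demo():
    """Constructed sample: ten distinct 4 KiB chunks downloaded twice, then once more with one new chunk."""
    client, server = BytePeer(), BytePeer()
    file1 = b"".join(bytes([i]) * CHUNK_SIZE for i in range(10))
    out1, first = transfer(client, server, file1)
    out2, second = transfer(client, server, file1)
    file2 = file1 + b"\xff" * CHUNK_SIZE
    out3, third = transfer(client, server, file2)
    assert out1 == file1 and out2 == file1 and out3 == file2
    return first, second, third


if __name__ == "__main__":
    print(demo())  # first download sends every chunk; repeats send mostly hashes
```

The three numbers returned by demo() are the bytes that would cross the WAN for the first download, the identical second download, and a third download of the same file with one extra chunk; the second and third are a small fraction of the first because the caches on both sides are not application specific and survive between sessions.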
WAN optimization and HA
– In a cluster, the web cache and byte cache databases are stored only on the primary unit.
– Rebuilding the byte caches can happen relatively quickly because the new primary unit gets byte cache data from the other FortiGate units that it is participating with in WAN optimization tunnels
WAN Optimization logging
– Disabled by default
– Configuration:
config wanopt settings
    set log-traffic {cifs | ftp | http | mapi | tcp}
end
WAN Optimization tunnel port is tcp 7810
WAN Optimization tunnel sharing
It is a feature similar to the protocol spoofing described on Wikipedia.
Tunnel sharing also uses bandwidth more efficiently by reducing the chances that small packets will be sent down the tunnel.
Processing small packets reduces network throughput, so reducing the number of small packets improves performance.
A shared tunnel can combine all the data from the sessions being processed by the tunnel and send the data together.
Configuration
myfirewall # config wanopt rule
myfirewall (rule) # edit 1
myfirewall (1) # set auto-detect off
myfirewall (1) # set tunnel-sharing
express-shared    wan traffic over a shared tunnel for timely interaction
private           wan traffic over a private tunnel
shared            wan traffic over a shared tunnel
WAN Optimization modes
A) peer-to-peer – only require the creation of a WAN optimization rule in the client side FortiGate unit
B) active-passive – require an active rule on the client side FortiGate unit and a passive rule on the server-side FortiGate unit
WCCP
Operation modes:
WCCP router – redirects HTTP traffic to WCCP cache engines (web caches)
WCCP client – you can add firewall policies to a FortiGate unit to filter WCCP sessions. The WCCP client communicates with WCCP cache engines; these engines set up their connections with WCCP routers automatically via broadcast.
A FortiGate unit in NAT/Route or transparent mode can operate as a WCCP router. To operate as a WCCP client a FortiGate unit must be in NAT/Route mode.
WCCP communication between routers and clients uses UDP port 2048. This communication can be a GRE tunnel or just use layer 2 forwarding.
WCCP traffic can be inspected with UTM as well.
WAN Optimization example with active-passive mode
1) Storage Check
Should be done on both peers.
A) List the disks available:
myfirewall # execute disk list
Device I1 29.9 GB ref: 256 SUPER TALENT (IDE)
partition 1 29.9 GB ref: 257 label: 5B649B953CE61667
myfirewall # show system storage
config system storage
    edit "Internal"
        set media-type "ide"
        set partition "5B649B953CE61667"
    next
end
B) Check the storage used for WAN Optimization
myfirewall # sh wanopt storage
config wanopt storage
    edit "Internal"
        set size 18066
    next
end
2) WAN Opt Client
WAN Opt Server is the myfirewall FortiGate -> passive
WAN Opt Client is the myfirewall2 FortiGate -> active
The server-side WAN optimizer should be on the side where the servers are.
myfirewall (root) # show wanopt
auth-group    wan optimization authentication groups
peer          wan optimization peer configuration
rule          wan optimization rule configuration
settings      wan optimization settings
ssl-server    SSL server configuration
webcache      web cache global settings
myfirewall (root) # show wanopt auth-group
config wanopt auth-group
    edit "WAN_Opt_Group"
        set auth-method psk
        set psk ENC GWY1OLAWiBId/HVvsLjzkEjlcBFsi7LS6+x846OPCfPfZIULzGtZIczstJ9n2uCCR/Wrf8cVw7tFLn09wKYwmC9r8RzxmB/wpFPQeTsAWnhoCOov
    next
end
myfirewall (root) # show wanopt peer
myfirewall (root) # show wanopt rule
config wanopt rule
    edit 1
        set src-ip 2.2.2.0-2.2.2.255
        set dst-ip 3.3.3.0-3.3.3.255
        set port 445
        set auto-detect active
        set proto cifs
        set auth-group "WAN_Opt_Group"
    next
end
myfirewall (root) #
myfirewall (root) # show wanopt settings
config wanopt settings
    set host-id "WAN_Opt_myfirewall"
end
3) WAN Opt Server
myfirewall2 # show wanopt auth-group
config wanopt auth-group
    edit "WAN_Opt_Group"
        set auth-method psk
        set psk ENC M354af5ico0bej+fqvS3HzKxl2tcG81jxs7nTccDEmFAA6UeB+tU9WM5EOZDXHVDvdqsO6DEOP40/sh6fq3Gx4t9hMGCl6z82CA7sBxDUzz6V+Aj
    next
end
myfirewall2 # show wanopt peer
myfirewall2 # show wanopt rule
config wanopt rule
    edit 1
        set src-ip 2.2.2.0-2.2.2.255
        set dst-ip 3.3.3.0-3.3.3.255
        set port 445
        set auto-detect passive
    next
end
myfirewall2 # show wanopt settings
myfirewall2 #
4) Test
Block the SAMBA service (TCP 139) in the firewall policy:
myfirewall (root) # show firewall policy 8
config firewall policy
    edit 8
        set srcintf "port3"
        set dstintf "VPN"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "SAMBA"
        set logtraffic enable
    next
end
myfirewall (root) # show firewall policy 4
config firewall policy
    edit 4
        set srcintf "port3"
        set dstintf "VPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set logtraffic enable
    next
end
After downloading a file from a share it is cached. The second download through the share is much faster.
myfirewall (root) # diag wad sess list
Session: clt-side auto-detected 2.2.2.10:1944->3.3.3.10:445
  id=8984 vd=0 fw-policy=4 wanopt-rule-id=1 state=3 app=cifs sub_type=0 dd_method=0
  SSL disabled
  LAN-side: to-client TCP Port: state=2 r_blocks=0 w_blocks=0 read_blocked=0 bytes_in=103946 bytes_out=67668447 shutdown=0x0
  WAN-side: to-server Tunnel Port: state=2 session_id=12 remote_sid=12 tunnel id=12 SSL-secured=no peer=default-id auth-grp=WAN_Opt_Group buf_blocked=0 buf_block_threshold=2097152 bytes_unconfirm_rcv=925 bytes_unconfirm_snd=32698
Sessions total=1
myfirewall (root) #
Web Caching only
Webcache settings:
myfirewall (root) # show wanopt rule
config wanopt rule
    edit 1
        set src-ip 2.2.2.0-2.2.2.255
        set dst-ip 3.3.3.0-3.3.3.255
        set port 445
        set auto-detect active
        set proto cifs
        set auth-group "WAN_Opt_Group"
    next
    edit 2
        set mode webcache-only
        set src-ip 2.2.2.0-2.2.2.255
        set port 80
        set unknown-http-version best-effort
    next
end
Test:
Before the test, check that the firewall policy has no UTM feature enabled!
myfirewall (root) # diag wacs stat
Disk 0 /var/storage/HDD1-34260E5B37A8B470/wa_cs
Current number of open connections: 2
Number of terminated connections: 0
Number of requests -- Adds: 113 (0 repetitive keys), Lookups: 152, Conflict incidents: 0
Percentage of missed lookups: 98.68
Communication is blocked for 0 client(s)
wa_cs disk space: 17008 MB
Disk usage: 8030 KB (0%)
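The "no UTM on the WAN optimization policy" requirement from the requirements list, which the web-cache test above asks you to re-check, is easy to verify by hand on two policies and easy to miss on two hundred. The following is an added Python example, not FortiOS code or output: it parses the `show firewall policy` text format shown on this page and flags every policy that has `utm-status enable` or a UTM profile attached, since sessions matching such a policy go to the UTM engine instead of WAN optimization. The list of profile keys follows FortiOS 5.x policy options and is an assumption to adjust for the firmware in use; policies 9 and 10 in the sample are made up for the illustration.

```python
# Added example (not FortiOS code): parse "show firewall policy" output and flag
# policies carrying UTM settings, whose sessions would bypass WAN optimization.
# The key names follow FortiOS 5.x policy options; adjust them for your firmware.
import re

UTM_PROFILE_KEYS = (
    "av-profile", "webfilter-profile", "spamfilter-profile", "dlp-sensor",
    "ips-sensor", "application-list", "profile-protocol-options",
)


def parse_policies(text: str) -> dict:
    """Turn config text (config / edit N / set k v / next / end) into {id: {key: value}}."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"edit (\d+)", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            policies[current][key] = value.strip().strip('"')
    return policies


def utm_policies(text: str) -> dict:
    """Return {policy id: [offending keys]} for policies with UTM enabled or a UTM profile attached."""
    flagged = {}
    for pid, settings in parse_policies(text).items():
        hits = [k for k, v in settings.items()
                if (k == "utm-status" and v == "enable") or k in UTM_PROFILE_KEYS]
        if hits:
            flagged[pid] = hits
    return flagged


# Constructed sample: policy 4 as shown on this page, plus a made-up policy 9
# with UTM profiles and a made-up policy 10 where utm-status is explicitly disabled.
SAMPLE = """\
myfirewall (root) # show firewall policy
config firewall policy
    edit 4
        set srcintf "port3"
        set dstintf "VPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set logtraffic enable
    next
    edit 9
        set srcintf "port3"
        set dstintf "VPN"
        set action accept
        set utm-status enable
        set av-profile "default"
    next
    edit 10
        set action accept
        set utm-status disable
    next
end
"""

if __name__ == "__main__":
    for pid, keys in utm_policies(SAMPLE).items():
        print(f"policy {pid}: UTM settings {keys} will keep its sessions out of WAN optimization")
```

Feed it the output of `show firewall policy` from the VDOM that holds the WAN optimization policies; an empty result means no policy in that VDOM will divert sessions to the UTM engine, which is the state the examples above rely on.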
Alex
September 30, 2014
Hi everybody,
Are there any figures, which can help me to compare FortiGate WAN optimization with Riverbed’s one?
I’m choosing the solution for WAN optimization for a big bank right now.
Best regards
itsecworks
October 1, 2014
If you only look for WAN Optimization, then Riverbed. In FortiGate it is a feature in what is mainly a firewall product.