WAN optimization with Fortigate

Posted on June 20, 2012

2



Actually this feature is a feature that I have never seen in Cisco ASA or in Checkpoint Firewall. And after reading the original documentation for that I have realised that it knows much more than I have ever expected! :-)
The post contains useful notes from the original doc and my summary for the FCNSP certification. Hopefully this is enough to pass it…

WAN optimization Feature List

  1. Protocol optimization – can improve the efficiency of traffic that uses the CIFS, FTP, HTTP or MAPI protocol, as well as general TCP traffic.
  2.  Byte caching – caches files and other data on FortiGate units to reduce the amount of data transmitted across the WAN
  3.  Web caching – stores web pages on FortiGate units to reduce latency and delays between the WAN and web servers
  4.  SSL offloading – offloads SSL decryption and encryption from web servers onto FortiGate SSL acceleration hardware
  5. Secure tunnelling – Secure tunnelling secures traffic as it crosses the WAN
  6. Explicit web proxy server – Users on your internal network can browse the Internet through the explicit web proxy server
  7. Explicit FTP proxy server – Users on your internal network can connect to FTP servers through the explicit FTP proxy server
  8. Reverse proxy – You can also configure these proxies to protect access to web or FTP servers behind the FortiGate unit using a reverse proxy configuration
  9. WCCP (client or server) – WCCP provides the ability to offload web caching to one or more redundant web caching servers

Requirements:
– Both WAN optimization and web caching require that the FortiGate unit include a hard disk! WAN Optimization storage device required!
– Firewall Policy used for WAN Optimization cannot contain any UTM feature.
– If the firewall policy includes any UTM features, communication sessions accepted by the policy are processed by the UTM engine and not by WAN optimization!
Disable UTM or create 2 VDOMs (one with UTM policy and one with WAN Opt)

1. Protocol optimization:

Supported protocols:
– CIFS
– FTP
– HTTP
– MAPI
– TCP

TCP protocol optimization – uses techniques such as TCP SACK support, TCP window scaling and window size adjustment, and TCP connection pooling to remove TCP bottlenecks.

2. Byte caching

How it works:

A) breaks large units of application data into small chunks of data
A) labels each chunk of data with a hash of the chunk
B) stores those chunks and their hashes in a database
C) Over the WAN tunnel sends the hashes
D) The FortiGate unit at the other end of the tunnel receives the hashes and compares them with the hashes in its local byte caching database
– If any hashes match, that data does not have to be transmitted over the WAN optimization tunnel.
– In case of no match found, the data is transferred over the tunnel and added to that byte caching database.
E) Then the unit of application data (the file being downloaded) is reassembled and sent to its destination.

The stored byte caches are not application specific.

WAN optimization and HA

– In a cluster, the primary unit stores only web cache and byte cache databases.
– Rebuilding the byte caches can happen relatively quickly because the new primary unit gets byte cache data from the other FortiGate units that it is participating with in WAN optimization tunnels

WAN Optimization logging

– By default disabled
– Configuration:

config wanopt settings
 set log-traffic {cifs | ftp | http | mapi | tcp}
end

WAN Optimization tunnel port is tcp 7810

WAN Optimization tunnelsharing

It is a kind of feature like protocol spoofing mentioned on wikipedia..Link
Tunnel sharing also uses bandwidth more efficiently by reducing the chances that small packets will be sent down the tunnel.
Processing small packets reduces network throughput, so reducing the number of small packets improves performance.
A shared tunnel can combine all the data from the sessions being processed by the tunnel and send the data together.

Configuration

myfirewall # config wanopt rule
myfirewall (rule) #     edit 1
myfirewall (1) # set auto-detect off
myfirewall (1) # set tunnel-sharing
express-shared    wan traffic over a shared tunnel for timely interaction
private           wan traffic over a private tunnel
shared            wan traffic over a shared tunnel

WAN Optimization modes

A) peer-to-peer – only require the creation of a WAN optimization rule in the client side FortiGate unit
B) active-passive – require an active rule on the client side FortiGate unit and a passive rule on the server-side FortiGate unit

WCCP

Operation modes:
WCCP router – redirects HTTP traffic to WCCP cache engines (web caches)
WCCP client – you can add firewall policies to a FortiGate unit to filter WCCP sessions. WCCP client communicates with WCCP cache engines. Theses engines setups connection with WCCP routers with broadcast automatically

A FortiGate unit in NAT/Route or transparent mode can operate as a WCCP router. To operate as a WCCP client a FortiGate unit must be in NAT/Route mode.
WCCP communication between routers and clients uses UDP port 2048. This communication can be a GRE tunnel or just use layer 2 forwarding.
WCCP traffic can be inspected with UTM as well.

WAN Optimization example with active-passive mode

1) Storage Check

Should be done on both peers.

A) List the disks available:

myfirewall # execute disk list 
Device I1          29.9 GB      ref: 256        SUPER TALENT (IDE)
  partition 1      29.9 GB      ref: 257        label: 5B649B953CE61667

myfirewall # show system storage
config system storage
    edit "Internal"
        set media-type "ide"
        set partition "5B649B953CE61667"
    next
end

B) Check the storage used for WAN Optimization

myfirewall # sh wanopt storage
config wanopt storage
    edit "Internal"
        set size 18066
    next
end

2) WAN Opt Client

WAN Opt Server is the myfirewall Fortigate -> passive
WAN Opt Client is the myfirewall2 Fortigate -> active

The serverside WAN Optimizer should be on the side where the servers are.

myfirewall (root) # show wanopt
auth-group    wan optimization authentication groups
peer          wan optimization peer configuration
rule          wan optimization rule configuration
settings      wan optimization settings
ssl-server    SSL server configuration
webcache      web cache global settings

myfirewall (root) # show wanopt auth-group
config wanopt auth-group
    edit "WAN_Opt_Group"
        set auth-method psk
        set psk ENC GWY1OLAWiBId/HVvsLjzkEjlcBFsi7LS6+x846OPCfPfZIULzGtZIczstJ9n2uCCR/Wrf8cVw7tFLn09wKYwmC9r8RzxmB/wpFPQeTsAWnhoCOov
    next
end

myfirewall (root) # show wanopt peer

myfirewall (root) # show wanopt rule
config wanopt rule
    edit 1
        set src-ip 2.2.2.0-2.2.2.255
        set dst-ip 3.3.3.0-3.3.3.255
        set port 445
        set auto-detect active
        set proto cifs
        set auth-group "WAN_Opt_Group"
    next
end

myfirewall (root) #
myfirewall (root) # show wanopt settings
config wanopt settings
    set host-id "WAN_Opt_myfirewall"
end

3) WAN Opt Server

myfirewall2 # show wanopt auth-group
config wanopt auth-group
    edit "WAN_Opt_Group"
        set auth-method psk
        set psk ENC M354af5ico0bej+fqvS3HzKxl2tcG81jxs7nTccDEmFAA6UeB+tU9WM5EOZDXHVDvdqsO6DEOP40/sh6fq3Gx4t9hMGCl6z82CA7sBxDUzz6V+Aj
    next
end

myfirewall2 # show wanopt peer 
myfirewall2 # show wanopt rule
config wanopt rule
    edit 1
        set src-ip 2.2.2.0-2.2.2.255
        set dst-ip 3.3.3.0-3.3.3.255
        set port 445
        set auto-detect passive
    next
end

myfirewall2 # show wanopt settings
myfirewall2 #

4) Test

block port for SAMBA in the firewall policy (tcp139)

myfirewall (root) # show firewall policy 8
config firewall policy
    edit 8
        set srcintf "port3"
        set dstintf "VPN"
            set srcaddr "all"
            set dstaddr "all"
        set schedule "always"
            set service "SAMBA"
        set logtraffic enable
    next
end

myfirewall (root) # show firewall policy 4
config firewall policy
    edit 4
        set srcintf "port3"
        set dstintf "VPN"
            set srcaddr "all"
            set dstaddr "all"
        set action accept
        set schedule "always"
            set service "ANY"
        set logtraffic enable
    next
end

After downloading a file from a share it is cached. The second download through a share is much more faster.

myfirewall (root) # diag wad sess list

Session: clt-side auto-detected 2.2.2.10:1944->3.3.3.10:445
    id=8984 vd=0 fw-policy=4 wanopt-rule-id=1
    state=3 app=cifs sub_type=0 dd_method=0
    SSL disabled
    LAN-side: to-client
        TCP Port:
            state=2 r_blocks=0 w_blocks=0 read_blocked=0
            bytes_in=103946 bytes_out=67668447 shutdown=0x0
    WAN-side: to-server
        Tunnel Port:
            state=2 session_id=12 remote_sid=12
            tunnel id=12 SSL-secured=no peer=default-id auth-grp=WAN_Opt_Group
            buf_blocked=0 buf_block_threshold=2097152
            bytes_unconfirm_rcv=925 bytes_unconfirm_snd=32698

Sessions total=1

myfirewall (root) #

Web Caching only

Webcache settings:

myfirewall (root) # show wanopt rule
config wanopt rule
    edit 1
        set src-ip 2.2.2.0-2.2.2.255
        set dst-ip 3.3.3.0-3.3.3.255
        set port 445
        set auto-detect active
        set proto cifs
        set auth-group "WAN_Opt_Group"
    next
    edit 2
        set mode webcache-only
        set src-ip 2.2.2.0-2.2.2.255
        set port 80
        set unknown-http-version best-effort
    next
end

Test:

Before test check if the firewall policy has no UTM enabled!

myfirewall (root) # diag wacs stat
Disk 0 /var/storage/HDD1-34260E5B37A8B470/wa_cs
        Current number of open connections: 2
        Number of terminated connections: 0
        Number of requests -- Adds: 113 (0 repetitive keys), Lookups: 152, Conflict incidents: 0
        Percentage of missed lookups: 98.68
        Communication is blocked for 0 client(s)
        wa_cs disk space: 17008 MB
        Disk usage: 8030 KB (0%)
Advertisements