Authentication Groups; Wan Optimization Rules And Firewall Policies - Fortinet Gate 60D Administration Manual

Version 4.0
WAN optimization and web caching

FortiGate Version 4.0 Administration Guide
01-400-89802-20090424
http://docs.fortinet.com/
Every peer must have a host ID that is unique among the peers that optimize traffic with each other. To set a unit's own host ID from the web-based manager, go to WAN Opt. & Cache > Peer, enter a host ID in the Local Host ID field and select Apply. The host ID can be up to 25 characters long and can include spaces.
Every peer must also know the host ID and IP address of each other peer with which it can start a WAN optimization tunnel. To add them from the web-based manager, go to WAN Opt. & Cache > Peer, select Create New, enter the other peer's host ID in the Peer Host ID field and its IP address in the IP Address field, and select OK. The IP address is the source IP address of the tunnel requests that peer sends, which is normally the address of the peer's WAN-facing interface, that is, the interface from which its tunnel requests leave. A peer whose WAN address changes no longer matches its entry; see the authentication group option below.
Some WAN optimization rules require you to specify a peer and others do not. Even when a rule does not name a peer, the local host ID and the peer entries described above are still needed for WAN optimization to work, unless you use an authentication group that accepts any peer, as described next.
Authentication groups

Adding peer entries is not strictly required. Instead, you can configure an authentication group that accepts any peer. For this to work, both peers must have an authentication group with the same name, and both must use the same certificate or the same pre-shared key; a peer whose group name or key differs is rejected. This configuration is useful if you have many peers or if peer IP addresses change. For example, you could have many travelling users running FortiClient and participating in WAN optimization from PCs whose IP addresses change as the users move between customer sites. It is also useful for FortiGate units that get their external IP addresses by DHCP or PPPoE. The trade-off is that any host holding the group name and key can set up a tunnel, so treat the pre-shared key as a credential: make it long and random, and change it if a peer is lost or decommissioned. For more information, see "Configuring authentication groups" on page 635.
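The acceptance rules above (a defined peer must match both its host ID and its source IP; an authentication group that accepts any peer only needs the same group name and the same pre-shared key on both sides) can be worked through in code. The following is an added example written for this page, not code from the FortiGate guide or from FortiOS: the request format, the HMAC-based proof of the pre-shared key and the peer_accept values are this example's own simplification of the behaviour the text describes, and all host IDs, keys and addresses are constructed (addresses are from the RFC 5737 documentation ranges).

```python
"""Model of how a WAN optimization peer decides whether to accept a tunnel
request, following the rules in the text: a peer is identified by its host ID
(at most 25 characters, spaces allowed) and the source IP of its tunnel
requests, and an authentication group either requires a defined peer or
accepts any peer that presents the same group name and the same pre-shared
key.  The request format and the HMAC proof of the key are this example's own
simplification, not the FortiOS protocol."""

import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_HOST_ID_LEN = 25  # limit stated in the text


@dataclass
class AuthGroup:
    name: str
    psk: bytes
    peer_accept: str = "defined"  # "defined": listed peers only; "any": same group name and key suffices


@dataclass
class FortiGate:
    local_host_id: str
    peers: dict = field(default_factory=dict)        # peer host ID -> expected source IP
    auth_groups: dict = field(default_factory=dict)  # group name -> AuthGroup

    def __post_init__(self):
        if not 0 < len(self.local_host_id) <= MAX_HOST_ID_LEN:
            raise ValueError("host ID must be 1 to %d characters" % MAX_HOST_ID_LEN)

    def add_peer(self, host_id, ip):
        self.peers[host_id] = ip

    def add_auth_group(self, name, psk, peer_accept="defined"):
        self.auth_groups[name] = AuthGroup(name, psk, peer_accept)

    def tunnel_request(self, group_name, nonce):
        """Build a request proving possession of the group key without sending the key."""
        psk = self.auth_groups[group_name].psk
        proof = hmac.new(psk, nonce + self.local_host_id.encode(), hashlib.sha256).digest()
        return {"host_id": self.local_host_id, "group": group_name, "proof": proof}

    def accept_tunnel_request(self, request, src_ip, nonce):
        """Return (accepted, reason) for a request that arrived from src_ip."""
        group = self.auth_groups.get(request["group"])
        if group is None:
            return False, "no authentication group named %r here" % request["group"]
        expected = hmac.new(group.psk, nonce + request["host_id"].encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, request["proof"]):
            return False, "pre-shared key mismatch for group %r" % group.name
        if group.peer_accept == "defined":
            expected_ip = self.peers.get(request["host_id"])
            if expected_ip is None:
                return False, "unknown peer host ID %r" % request["host_id"]
            if expected_ip != src_ip:
                return False, "peer %r is defined with IP %s but the request came from %s" % (
                    request["host_id"], expected_ip, src_ip)
        return True, "accepted"


def demo():
    """Run the scenarios from the text and return {name: (accepted, reason)}."""
    hq = FortiGate("HQ Gate")  # a host ID containing a space is allowed
    hq.add_auth_group("branch-psk", b"constructed-branch-key-8f2Kq")
    hq.add_auth_group("roaming", b"constructed-roaming-key-Zp41", peer_accept="any")
    hq.add_peer("Branch 1", "203.0.113.10")  # defined peer: host ID and WAN address both known

    branch = FortiGate("Branch 1")
    branch.add_auth_group("branch-psk", b"constructed-branch-key-8f2Kq")
    branch.add_peer("HQ Gate", "198.51.100.1")

    branch2 = FortiGate("Branch 2")  # right group and key, but HQ has no peer entry for it
    branch2.add_auth_group("branch-psk", b"constructed-branch-key-8f2Kq")

    laptop = FortiGate("Laptop 7")  # FortiClient-style roaming peer whose address keeps changing
    laptop.add_auth_group("roaming", b"constructed-roaming-key-Zp41", peer_accept="any")
    laptop_wrong_key = FortiGate("Laptop 8")
    laptop_wrong_key.add_auth_group("roaming", b"not-the-same-key", peer_accept="any")
    laptop_wrong_name = FortiGate("Laptop 9")
    laptop_wrong_name.add_auth_group("roaming-users", b"constructed-roaming-key-Zp41", peer_accept="any")

    nonce = os.urandom(16)  # challenge issued by the accepting side in this model
    req = lambda unit, group: unit.tunnel_request(group, nonce)
    return {
        "defined_peer_ok": hq.accept_tunnel_request(req(branch, "branch-psk"), "203.0.113.10", nonce),
        "defined_peer_new_ip": hq.accept_tunnel_request(req(branch, "branch-psk"), "203.0.113.77", nonce),
        "defined_peer_unknown": hq.accept_tunnel_request(req(branch2, "branch-psk"), "203.0.113.50", nonce),
        "any_peer_ok": hq.accept_tunnel_request(req(laptop, "roaming"), "192.0.2.33", nonce),
        "any_peer_wrong_key": hq.accept_tunnel_request(req(laptop_wrong_key, "roaming"), "192.0.2.34", nonce),
        "any_peer_wrong_name": hq.accept_tunnel_request(req(laptop_wrong_name, "roaming-users"), "192.0.2.35", nonce),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-22s %s  %s" % (name, "ACCEPT" if ok else "REJECT", why))
```

The "defined_peer_new_ip" case is the one that motivates the any-peer configuration: the branch unit is still the same box with the same key, but after a DHCP or PPPoE renewal its requests no longer match the IP in the peer entry. The any-peer cases show the cost of that convenience, which is that the only things standing between an arbitrary host and a tunnel are the group name and the key.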
WAN optimization rules and firewall policies

To configure WAN optimization you add WAN optimization rules. As with firewall policies, when a FortiGate unit receives the first packet of a connection it examines the packet's source address, destination address and service (by destination port number) and looks for a matching WAN optimization rule, which decides how the traffic is optimized over the WAN. Rules are checked in list order and the first match is used; see "How list order affects rule matching" on page 606.
The FortiGate unit applies firewall policies to communication sessions before WAN
optimization rules. A WAN optimization rule can be applied to a packet only after the
packet is accepted by a firewall policy.
If the firewall policy includes a protection profile, sessions accepted by that policy are processed by the protection profile and not by WAN optimization. To apply both a protection profile and WAN optimization to the same traffic, use two FortiGate units or two VDOMs: apply the protection profile in the first unit or VDOM and WAN optimization in the second, so that the traffic is inspected before it enters the WAN optimization tunnel. Because the two are mutually exclusive on a single policy, decide where inspection happens before you enable WAN optimization; on the unit that only optimizes, that traffic passes without protection-profile inspection.
WAN optimization does not apply the source and destination NAT settings of firewall policies. Selecting NAT or adding virtual IPs to a policy has no effect on WAN optimized traffic, which keeps its original addresses. WAN optimization is also not compatible with firewall load balancing. Traffic accepted by such policies that is not WAN optimized (for example, because it matches no WAN optimization rule) is NATed or load balanced as usual.
WAN optimization is compatible with identity-based firewall policies. If a session is allowed after the user authenticates, and the identity-based policy that allows it does not include a protection profile, the session can be processed by a matching WAN optimization rule.
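The order of operations described in this section (firewall policy first; only accepted sessions reach the rule list; a protection profile or a pending user authentication keeps a session out of WAN optimization; NAT and VIP settings do not change what the rule list sees; first matching rule in list order wins) can be traced through in a small model. The following is an added example written for this page, not FortiOS code or code from the guide: the field names, the CIDR-and-port matching and the disposition strings are this example's own simplification, and the policies, rules and sessions are constructed (addresses from RFC 1918 and the RFC 5737 documentation ranges).

```python
"""Model of how a new session is dispositioned, following the text: the
firewall policy list is consulted first; only sessions a policy accepts reach
the WAN optimization rule list; a policy with a protection profile keeps its
sessions out of WAN optimization; an identity-based policy passes sessions
only after authentication; the policy's NAT/VIP settings do not change what
the rules see; and the first matching rule in list order wins.  Field names
and matching logic are this example's own simplification, not FortiOS code."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    dport: int


@dataclass
class FirewallPolicy:
    src: str                 # CIDR
    dst: str                 # CIDR
    ports: Tuple[int, int]   # inclusive destination port range (the "service")
    action: str = "accept"
    nat: bool = False        # source NAT / VIP on the policy; ignored for WAN optimized traffic
    protection_profile: Optional[str] = None
    identity_based: bool = False


@dataclass
class WanOptRule:
    src: str
    dst: str
    ports: Tuple[int, int]
    label: str


def matches(src, dst, ports, s):
    """Source, destination and destination port match, as the text describes."""
    return (ip_address(s.src) in ip_network(src)
            and ip_address(s.dst) in ip_network(dst)
            and ports[0] <= s.dport <= ports[1])


def first_match(items, s):
    """First entry in list order that matches; (index, item) or (None, None)."""
    for i, item in enumerate(items, start=1):
        if matches(item.src, item.dst, item.ports, s):
            return i, item
    return None, None


def decide(policies, rules, s, authenticated=False):
    """Return (disposition, matching policy index or None, matching rule index or None)."""
    pidx, policy = first_match(policies, s)
    if policy is None or policy.action != "accept":
        return "denied", pidx, None
    if policy.identity_based and not authenticated:
        return "held until the user authenticates", pidx, None
    if policy.protection_profile:
        return ("accepted, protection profile %r applied, not WAN optimized"
                % policy.protection_profile), pidx, None
    # Rule matching sees the session's original addresses: WAN optimization does
    # not apply the policy's NAT or VIP settings, so nothing is rewritten here.
    ridx, rule = first_match(rules, s)
    if rule is None:
        how = "source NAT" if policy.nat else "no translation"
        return "accepted, no WAN optimization rule, forwarded with %s" % how, pidx, None
    return "accepted, WAN optimized by rule %d (%s)" % (ridx, rule.label), pidx, ridx


# Constructed configuration for the demo.
LAN, WAN, ANY = "10.1.0.0/16", "203.0.113.0/24", "0.0.0.0/0"
POLICIES = [
    FirewallPolicy(LAN, WAN, (445, 445), protection_profile="scan-cifs"),  # 1: AV on file shares
    FirewallPolicy(LAN, WAN, (80, 80), nat=True),                           # 2: web, with NAT
    FirewallPolicy(LAN, WAN, (443, 443), identity_based=True),              # 3: requires user login
    FirewallPolicy(LAN, ANY, (1, 65535)),                                   # 4: everything else out
    FirewallPolicy(ANY, ANY, (1, 65535), action="deny"),                    # 5: implicit deny
]
RULES = [
    WanOptRule(LAN, WAN, (80, 80), "http"),
    WanOptRule(LAN, WAN, (1, 65535), "tcp catch-all"),  # would also match :80, but rule 1 is first
]


def demo():
    """Disposition of a few constructed sessions; returns {name: decide(...) result}."""
    cifs = Session("10.1.1.5", "203.0.113.20", 445)
    web = Session("10.1.1.5", "203.0.113.20", 80)
    https = Session("10.1.1.5", "203.0.113.20", 443)
    smtp_other = Session("10.1.1.5", "198.51.100.5", 25)  # accepted, but outside the rules' WAN range
    outsider = Session("192.0.2.9", "203.0.113.20", 80)
    return {
        "cifs": decide(POLICIES, RULES, cifs),
        "web": decide(POLICIES, RULES, web),
        "https_before_login": decide(POLICIES, RULES, https),
        "https_after_login": decide(POLICIES, RULES, https, authenticated=True),
        "smtp_other": decide(POLICIES, RULES, smtp_other),
        "outsider": decide(POLICIES, RULES, outsider),
    }


if __name__ == "__main__":
    for name, (what, p, r) in demo().items():
        print("%-19s policy=%s rule=%s  %s" % (name, p, r, what))
```

The "cifs" case is the one to watch when auditing a configuration: the session is accepted and inspected, but it never reaches the rule list, so a rule written for port 445 silently does nothing while that policy carries a protection profile. The "web" case shows that the policy's NAT setting is irrelevant to the rule match, and "https_after_login" shows that an identity-based policy without a protection profile hands the session to the rules like any other.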
Overview of FortiGate WAN optimization 603
