WAN Optimization

Module Objectives
By the end of this module participants will be able to:
- Describe the factors that can impact the performance of applications deployed in a WAN environment
- Describe the FortiGate WAN optimization techniques
- Define peers participating in a WAN optimization session
- Configure WAN optimization rules
- Configure web caching

WAN Optimization
Some of the factors driving the need for WAN optimization include:
- Centralization of mission-critical resources at the data center
- Application access through web-based portals
- Server consolidation
- Software-as-a-service
- Internet for WAN

WAN-Deployed Application Performance
- Accessing applications across the WAN introduces a bottleneck into the system
- WANs become congested, slow, and error-prone, increasing application response times for remote office users
- Performance of applications deployed in a WAN environment can be negatively affected by: bandwidth, latency, congestion, packet loss

WAN Optimization and Web Cache
The FortiGate unit includes WAN optimization and web caching features that:
- Reduce transfer times across the WAN
- Accelerate web applications or web servers by reducing bandwidth usage, server load, and perceived latency
- Reduce the WAN bottleneck, enabling more data to be sent
- Provide more efficient usage of available WAN bandwidth
Traffic passing between clients and servers is intercepted by the FortiGate unit, and WAN optimization techniques can be applied to it. IPSec and WAN optimization can be combined to provide accelerated throughput over secure connections. WAN optimization can also be extended to remote PCs running FortiClient.

FortiGate WAN Optimization Techniques: Protocol Optimization
Protocols: HTTP/HTTPS, CIFS, FTP, MAPI, TCP
- Protocol optimization improves performance by reducing the amount of traffic required by communication protocols
- Uses various techniques to reduce the number of background transactions that occur over the WAN

FortiGate WAN Optimization Techniques: Byte Caching
(Diagram: a byte cache dictionary of tokens at each end of the tunnel)
- Each chunk of data is labeled with a token, which is stored in the byte cache dictionary on both ends of the connection
- When the FortiGate unit spots a data sequence already in the dictionary, it sends the corresponding token instead
- The remote FortiGate unit looks up the token in its dictionary and restores the data chunk to its original form

FortiGate WAN Optimization Techniques: Web Caching
(Diagram: a web cache in front of a web server holding page.html, welcome.html and readthis.html)
- Web caching stores web-based objects for later retrieval
- Objects are cached on the hard disk of the FortiGate unit
- The FortiGate unit caching the objects does not need to contact the web server, except to check for changes
- Improves performance because fewer requests and responses pass over the WAN
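The "serve from cache, contact the server only to check for changes" behaviour, as an added Python example that is not part of the original module and not FortiGate's own implementation. The origin server, the ETag validator, the freshness window (max_age) and the page content are all constructed assumptions for the demo; the cache serves fresh copies from its store, revalidates stale ones with a conditional request, and only pulls a full body when the server reports a change.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class Response:
    status: int   # 200 = full object, 304 = unchanged since the cached copy
    etag: str
    body: bytes


class Origin:
    """Constructed stand-in for the web server on the far side of the WAN."""

    def __init__(self):
        self.objects = {}
        self.requests = 0  # how often the WAN had to be crossed to reach the server

    def publish(self, path: str, body: bytes) -> None:
        self.objects[path] = body

    def get(self, path: str, if_none_match: Optional[str] = None) -> Response:
        self.requests += 1
        body = self.objects[path]
        etag = hashlib.sha256(body).hexdigest()[:16]  # validator derived from content
        if if_none_match == etag:
            return Response(304, etag, b"")            # "not modified": no body on the wire
        return Response(200, etag, body)


@dataclass
class Entry:
    response: Response
    fetched_at: float   # time the copy was last known to be current


class WebCache:
    """Caching proxy in the position of the FortiGate unit; `store` stands in for its disk."""

    def __init__(self, origin: Origin, max_age: float = 60.0):
        self.origin = origin
        self.max_age = max_age   # assumed freshness window for this demo
        self.store = {}
        self.wan_bytes = 0       # response bytes that actually crossed the WAN

    def fetch(self, path: str, now: float) -> tuple:
        entry = self.store.get(path)
        if entry is not None and now - entry.fetched_at < self.max_age:
            return entry.response.body, "hit"           # served from disk, server not contacted
        validator = entry.response.etag if entry else None
        response = self.origin.get(path, validator)     # only a check for changes when cached
        self.wan_bytes += len(response.body)
        if response.status == 304:
            entry.fetched_at = now                      # copy still valid, keep serving it
            return entry.response.body, "revalidated"
        self.store[path] = Entry(response, now)
        return response.body, "miss"


def demo() -> tuple:
    """Constructed timeline for one page: fetch, repeat, revalidate, then pick up an update."""
    origin = Origin()
    origin.publish("/page.html", b"<html>welcome</html>")          # 20 bytes
    cache = WebCache(origin, max_age=60.0)
    outcomes = []
    outcomes.append(cache.fetch("/page.html", now=0.0)[1])          # miss: 20 bytes over WAN
    outcomes.append(cache.fetch("/page.html", now=10.0)[1])         # hit: nothing over WAN
    outcomes.append(cache.fetch("/page.html", now=100.0)[1])        # stale: 304, no body bytes
    origin.publish("/page.html", b"<html>welcome v2</html>")       # server content changes
    body, last = cache.fetch("/page.html", now=200.0)               # stale: 200, 23 bytes
    outcomes.append(last)
    return outcomes, cache.wan_bytes, origin.requests, body


if __name__ == "__main__":
    print(demo())
```

Four client requests cost three trips to the server and 43 response bytes over the WAN instead of four trips and 83 bytes, and the client still receives the updated page once the server changes it; the validator check is what keeps the cache from serving a stale object past its freshness window.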

Transparent Proxy
(Diagram: with transparent proxy disabled, the server sees the source IP address of the FortiGate unit interface; with transparent proxy enabled, it sees the source IP address of the client)
- Servers receiving packets after WAN optimization see different source addresses depending on whether the transparent proxy is enabled
- If enabled, WAN optimization keeps the original source address of the packets
- If not enabled, the source address of the packet is changed to the address of the FortiGate unit interface; routing is easier because client addresses are not involved

Supported FortiGate Devices
FortiGate WAN optimization and web caching is currently supported on the following devices:
- FortiGate 51B
- FortiWiFi 81C
- FortiGate 111C
- FortiGate 310B with ASM-S08
- FortiGate 311B
- FortiGate 620B with ASM-S08
- FortiGate 3016B with ASM-S08
- FortiGate 3600A with ASM-S08
- FortiGate 3810A with ASM-S08
- FortiGate 5001A-SW with ASM-S08

WAN Optimization Rules
(Diagram: firewall policy, WAN optimization rules, UTM, identity-based policies)
- WAN optimization uses rules to determine which traffic is to be optimized
- Traffic must be accepted by the firewall policy before any WAN optimization operations are performed
- If the firewall policy includes threat management profiles, the packet is not processed by WAN optimization
- WAN optimization is compatible with identity-based policies

WAN Optimization Rule Ordering
- WAN optimization and web caching rules are applied from top to bottom, so ordering is important
- Rules are matched on source address, destination address and destination port
- The first matching rule is applied
- Make rules as specific as possible: this avoids matching sessions which do not require optimization and may fail if optimization is applied
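Top-to-bottom, first-match evaluation on source address, destination address and destination port, as an added Python example that is not part of the original module and not FortiGate's rule engine. The rule set (names, addresses, ports) is constructed for the demo. Besides evaluating a session it includes a shadowing check, which is the test a practitioner runs to see whether a broad rule placed above a specific one makes the specific one unreachable.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str               # source address (CIDR)
    dst: str               # destination address (CIDR)
    dport: Optional[int]   # destination port; None matches any port
    optimize: bool         # False = pass the session through untouched

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == dport))

    def covers(self, other: "Rule") -> bool:
        """True when every session `other` could match, this rule matches too."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and (self.dport is None or self.dport == other.dport))


def first_match(rules, src_ip, dst_ip, dport) -> Optional[Rule]:
    """Top-to-bottom evaluation: the first rule that matches decides the session."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule
    return None


def shadowed(rules) -> list:
    """(rule, earlier rule) pairs where the earlier rule makes the later one unreachable."""
    found = []
    for index, later in enumerate(rules):
        for earlier in rules[:index]:
            if earlier.covers(later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed rule set; names and addresses are assumptions for the example.
CATCH_ALL = Rule("all-from-branch", "10.0.0.0/8", "0.0.0.0/0", None, optimize=True)
CIFS = Rule("cifs-fileserver", "10.1.0.0/16", "192.168.10.5/32", 445, optimize=True)
VOIP = Rule("voip-no-opt", "10.0.0.0/8", "192.168.20.0/24", 5060, optimize=False)

BROAD_FIRST = [CATCH_ALL, CIFS, VOIP]     # ordering mistake: catch-all on top
SPECIFIC_FIRST = [CIFS, VOIP, CATCH_ALL]  # specific rules first, catch-all last


def decision(rules, src_ip, dst_ip, dport) -> tuple:
    """Name of the rule that wins for this session and whether it optimizes."""
    rule = first_match(rules, src_ip, dst_ip, dport)
    return (rule.name, rule.optimize) if rule else (None, False)


if __name__ == "__main__":
    print(shadowed(BROAD_FIRST))
    print(decision(BROAD_FIRST, "10.1.2.3", "192.168.20.7", 5060))
    print(decision(SPECIFIC_FIRST, "10.1.2.3", "192.168.20.7", 5060))
```

With the catch-all on top, the SIP session that was meant to bypass optimization is optimized anyway and both specific rules are reported as shadowed; moving the catch-all to the bottom makes each rule reachable and the specific decision wins.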

WAN Optimization Rule Parameters

WAN Optimization Modes
(Diagram: Active-Passive Mode with a client FortiGate unit using active rules and a server FortiGate unit using passive rules; Peer-to-Peer Mode with Peer A and Peer B)
- In Active-Passive Mode, the ends of the WAN optimization tunnel operate in a kind of client/server configuration
- Sessions originating on the client FortiGate unit use active rules and those terminating on the server FortiGate unit use passive rules
- Active rules determine the WAN optimization techniques; passive rules operate as determined by the active rule
- In Peer-to-Peer Mode both ends of the tunnel have peer lists, which include the name and IP address of the other FortiGate units with which they can form WAN optimization tunnels

Active-Passive Rules: active (client) configuration and passive (server) configuration

Peer-to-Peer Rules: initiator configuration and responder configuration

Peer-to-Peer Rules
Configuring FortiGate1 (the peer IP address values are not present in the transcript and are left blank here):

    config wanopt settings
        set host-id "FortiGate1"
    end
    config wanopt peer
        edit "FortiGate2"
            set ip
        next
    end

Configuring FortiGate2:

    config wanopt settings
        set host-id "FortiGate2"
    end
    config wanopt peer
        edit "FortiGate1"
            set ip
        next
    end

Authentication Groups
- Authentication groups can be added to support authentication and secure tunneling between WAN optimized peers
- Select the authentication method used between the two peers: digital certificate or pre-shared key
- Select which peers are to be accepted: Accept Any Peer, Accept Defined Peers, or Specify Peer
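How the peer acceptance setting interacts with pre-shared key authentication, as an added Python example that is not part of the original module and not FortiGate's protocol. The challenge-response exchange (a nonce from the responder, an HMAC over host-id and nonce keyed by the PSK from the initiator), the mapping of the three acceptance choices to "any", "defined" and "specific", and the peer names and PSK are all constructed assumptions. It shows that with Accept Any Peer the PSK alone admits a host-id that is not in the peer list, while the other two settings also require the name to be listed.

```python
import hashlib
import hmac
import os


def proof(psk: bytes, host_id: str, nonce: bytes) -> bytes:
    """Initiator's answer to a challenge: HMAC over its host-id and the nonce, keyed by the PSK."""
    return hmac.new(psk, host_id.encode() + b"|" + nonce, hashlib.sha256).digest()


class Responder:
    """Server-side peer applying a PSK authentication group.

    accept is one of "any", "defined" or "specific", mirroring the three peer
    acceptance choices on the slide (assumed mapping for this example).
    """

    def __init__(self, psk: bytes, accept: str, peers=()):
        if accept not in ("any", "defined", "specific"):
            raise ValueError(accept)
        if accept == "specific" and len(peers) != 1:
            raise ValueError("specific mode names exactly one peer")
        self.psk = psk
        self.accept = accept
        self.peers = set(peers)
        self.pending = set()   # challenges issued but not yet answered

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.pending.add(nonce)
        return nonce

    def peer_allowed(self, host_id: str) -> bool:
        if self.accept == "any":
            return True
        return host_id in self.peers   # "defined" and "specific" both check the list

    def verify(self, host_id: str, nonce: bytes, answer: bytes) -> bool:
        """Accept only if the nonce is fresh, the host-id is allowed and the PSK checks out."""
        if nonce not in self.pending:
            return False                       # unknown or already-used challenge (replay)
        self.pending.discard(nonce)
        if not self.peer_allowed(host_id):
            return False
        expected = proof(self.psk, host_id, nonce)
        return hmac.compare_digest(expected, answer)


def handshake(responder: Responder, host_id: str, psk: bytes) -> bool:
    """Full exchange: responder issues a nonce, initiator answers, responder decides."""
    nonce = responder.challenge()
    return responder.verify(host_id, nonce, proof(psk, host_id, nonce))


def demo() -> dict:
    """Constructed peers and PSK showing how the acceptance setting changes who gets in."""
    psk = b"constructed-demo-psk"
    any_peer = Responder(psk, "any")
    defined = Responder(psk, "defined", {"FortiGate1", "FortiGate2"})
    specific = Responder(psk, "specific", {"FortiGate1"})
    return {
        "any/listed": handshake(any_peer, "FortiGate1", psk),
        "any/unlisted": handshake(any_peer, "unlisted-host", psk),   # PSK alone is enough
        "defined/listed": handshake(defined, "FortiGate2", psk),
        "defined/unlisted": handshake(defined, "unlisted-host", psk),
        "defined/wrong-psk": handshake(defined, "FortiGate1", b"wrong-psk"),
        "specific/other-listed-name": handshake(specific, "FortiGate2", psk),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:28} {'accepted' if ok else 'rejected'}")
```

The nonce is consumed on first use, so a captured answer cannot be replayed to open a second tunnel, and the comparison uses hmac.compare_digest rather than == to avoid a timing difference on the answer bytes.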

WAN Optimization with SSL
- Traffic needs to be unencrypted to apply optimization techniques
- The SSL handshake proceeds between the originating client and the server-side FortiGate unit
- The server-side FortiGate unit consults the configured SSL server list
- The server-side FortiGate unit passes the SSL session key and negotiated cipher to the client-side FortiGate unit through a secure tunnel or IPSec VPN
- The server-side FortiGate unit may use an HTTPS connection to the server ("full-mode") or an HTTP connection ("half-mode") with port forwarding (SSL offloading)

FortiGate-to-FortiGate Sample Configuration
(Diagram: PC - FGT - IPSec VPN - FGT - PC)
Steps shown in the slides:
- Define peers
- Active configuration
- Passive configuration
- 1st copy: no optimization
- 2nd copy: optimized, using the rule "Optimize CIFS from * to * using protocol optimization and byte caching"

FortiClient-to-FortiGate Sample Configuration
(Diagram: client with a DHCP-assigned IP address - IPSec VPN - server FGT with a public IP address)
- Without WAN optimization: an IPSec VPN between client and gateway only, no optimization
- Enable WAN optimization in FortiClient and configure the FortiGate unit as follows (the dst-ip value is not present in the transcript and is left blank here):

    config wanopt settings
        set host-id "lab"
    end
    config wanopt auth-group
        edit "auth-fc"
            set cert "Fortinet_Factory"
        next
    end
    config wanopt rule
        edit 1
            set dst-ip
            set port 80
            set auto-detect passive
            set webcache enable
        next
    end

- Result: optimized, with HTTP optimization and byte cache

Storage
- Data storage must be defined for web caching and byte caching
- Internal hard drive or AMC slot

Web Cache Settings

Web Cache Exempt List

Define the pattern for URLs that will be exempt from web caching

Web Cache Communication Protocol Support
- Web Cache Communication Protocol (WCCP) is a content-routing protocol that provides a mechanism to redirect traffic flows in real time
- WCCP v2 support can be configured on the FortiGate unit to optimize web traffic
- Transparently redirects selected types of traffic to a group of cache servers
- If a copy is cached, the cache server returns the page
- If a copy is not cached, the cache server retrieves the page and forwards it to the FortiGate unit

Web Cache Communication Protocol Support (diagram: intranet, FortiGate unit, web cache server, Internet)

WCCP Configuration: configure the service group (the router-id and server-list values are not present in the transcript and are left blank here):

    config system wccp
        edit "0"
            set router-id
            set server-list
            set authentication enable
            set forward-method GRE
            set return-method GRE
            set password fortinet
        next
    end

WCCP Configuration: configure WCCP on the FortiGate interface:

    config system interface
        edit port2
            set wccp enable
        next
    end

WCCP Configuration: enable WCCP on the firewall policy:

    config firewall policy
        edit 1
            set srcintf "port1"
            set dstintf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "HTTP"
            set wccp enable
            set nat enable
        next
    end

WCCP Messages (diagram: the web cache server on the intranet announces "Here I am" and the FortiGate unit replies "I see you")

WCCP Debugging
Real-time debug:

    diag debug en
    diag debug application wccp

Application debug:

    diag test application wccpd

Monitoring WAN Optimization

Labs
- Lab - WAN Optimization: configuring WAN optimization rules and policies; testing WAN optimization
- Lab - Web Cache: defining a new rule for web caching

Student Resources: the list of resources used in this module