WAN Optimization. Module Objectives By the end of this module participants will be able to: Describe the factors that can impact the performance of applications.


1 WAN Optimization

2 Module Objectives
By the end of this module participants will be able to:
- Describe the factors that can impact the performance of applications deployed in a WAN environment
- Describe the FortiGate WAN optimization techniques
- Define peers participating in a WAN optimization session
- Configure WAN optimization rules
- Configure web caching

3 WAN Optimization
Some of the factors driving the need for WAN optimization include:
- Centralization of mission-critical resources at the Data Center
- Application access through web-based portals
- Server consolidation
- Software-as-a-service
- Internet for WAN

4 WAN-Deployed Application Performance
- Accessing applications across the WAN introduces a bottleneck into the system
- WANs become congested, slow, and error-prone
  - Increasing application response times for remote office users
- Performance of applications deployed in a WAN environment can be negatively affected by:
  - Bandwidth
  - Latency
  - Congestion
  - Packet Loss

5 WAN Optimization and Web Cache
The FortiGate unit includes WAN optimization and web caching features:
- Reduce transfer times across the WAN
- Accelerate web applications or web servers by reducing bandwidth usage, server load, and perceived latency
- Reduce WAN bottleneck enabling more data to be sent
- Provide a more efficient usage of available WAN bandwidth
Traffic passing between clients and servers is intercepted by the FortiGate unit and WAN optimization techniques can be applied
IPSec and WAN optimization can be combined effectively to provide accelerated throughput over secure connections
WAN optimization can also be expanded to remote PCs running FortiClient

7 FortiGate WAN Optimization Techniques
Protocol Optimization (HTTP/HTTPS, CIFS, FTP, MAPI, TCP)
- Protocol optimization improves performance by reducing the amount of traffic required by communication protocols
- Uses various techniques to reduce the amount of background transactions that occur over the WAN

9 FortiGate WAN Optimization Techniques
Byte Caching
[Figure labels: byte cache dictionary, token]
- Each chunk of data is labeled with a token which is stored in the byte cache dictionary on both ends of the connection
- When the FortiGate unit spots a data sequence already in the dictionary, it sends the corresponding token instead
- The remote FortiGate unit looks up the token in the dictionary and restores the data chunk to its original form
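The byte caching exchange described on this slide, as an added Python sketch that is not part of the original presentation and not FortiGate code. The fixed 64-byte chunks, the 8-byte tokens taken from a truncated SHA-256, and the `Peer` class are assumptions made for illustration; the sample data is constructed.

```python
import hashlib

CHUNK = 64   # assumed fixed chunk size in bytes (not from the slides)
TOKEN = 8    # assumed token length: truncated SHA-256 of the chunk

class Peer:
    """One end of the tunnel with its own byte cache dictionary."""
    def __init__(self):
        self.dictionary = {}          # token -> chunk

    def encode(self, data):
        """Sending side: emit a token for known chunks, token+chunk otherwise."""
        msgs = []
        for i in range(0, len(data), CHUNK):
            chunk = data[i:i + CHUNK]
            token = hashlib.sha256(chunk).digest()[:TOKEN]
            if token in self.dictionary:
                msgs.append(("tok", token, b""))
            else:
                self.dictionary[token] = chunk
                msgs.append(("raw", token, chunk))
        return msgs

    def decode(self, msgs):
        """Receiving side: learn new chunks, restore tokens from the dictionary."""
        out = bytearray()
        for kind, token, chunk in msgs:
            if kind == "raw":
                self.dictionary[token] = chunk
            elif token not in self.dictionary:
                raise KeyError("unknown token: dictionaries out of sync")
            out += self.dictionary[token]
        return bytes(out)

def wire_bytes(msgs):
    """Bytes that cross the WAN for a list of messages."""
    return sum(len(token) + len(chunk) for _, token, chunk in msgs)

# Constructed sample: 1024 bytes made of 16 distinct 64-byte chunks.
SAMPLE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))

def copy_twice():
    """Send SAMPLE twice and return (first_wire, second_wire, restored_ok)."""
    client, server = Peer(), Peer()
    first = client.encode(SAMPLE)
    ok1 = server.decode(first) == SAMPLE
    second = client.encode(SAMPLE)
    ok2 = server.decode(second) == SAMPLE
    return wire_bytes(first), wire_bytes(second), ok1 and ok2
```

The first copy costs more than the raw data because every chunk travels with its token; the second copy sends tokens only. A receiver whose dictionary lacks a token cannot restore the data, which is why `decode` fails closed instead of guessing.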

10 FortiGate WAN Optimization Techniques
Web Caching
[Figure labels: web cache, web server; pages page.html, welcome.html, readthis.html]

11 FortiGate WAN Optimization Techniques
Web Caching
- Web caching stores web-based objects for later retrieval
- Objects are cached on the hard disk of the FortiGate unit
- The FortiGate unit caching the objects does not need to contact the web server, except to check for changes
- Improves performance in that fewer requests and responses pass over the WAN

12 Transparent Proxy
[Figure labels]
- Transparent proxy disabled: Source IP address of client -> Source IP address of FortiGate unit interface
- Transparent proxy enabled: Source IP address of client

13 Transparent Proxy
- Servers receiving packets after WAN optimization see different source addresses depending on whether the transparent proxy is enabled
- If enabled, WAN optimization keeps the original source address of the packets
- If not enabled, source address of the packet is changed to the address of the FortiGate unit interfaces
  - Routing is easier because client addresses are not involved

14 Supported FortiGate Devices
FortiGate WAN optimization and web caching is currently supported on the following devices:
- FortiGate 51B
- FortiWiFi 81C
- FortiGate 111C
- FortiGate 310B with ASM-S08
- FortiGate 311B
- FortiGate 620B with ASM-S08
- FortiGate 3016B with ASM-S08
- FortiGate 3600A with ASM-S08
- FortiGate 3810A with ASM-S08
- FortiGate 5001A-SW with ASM-S08

16 WAN Optimization Rules
[Figure labels: firewall policy, WAN optimization rules, UTM, identity-based policies]
- WAN optimization uses rules to determine which traffic is to be optimized
- Traffic must be accepted by the firewall policy before any WAN optimization operations are performed
- If the firewall policy includes threat management profiles, the packet is not processed by WAN optimization
- WAN optimization is compatible with identity-based policies

17 WAN Optimization Rule Ordering

18
- WAN optimization and web caching rules are applied from top to bottom
  - Ordering is important
- Rules are matched on source address, destination address and destination port
  - First matching rule is applied
- Make rules as specific as possible
  - Avoids matching sessions which do not require optimization and may fail if optimization is applied
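The first-match behaviour above, as an added Python sketch that is not part of the original presentation and not FortiGate code. It evaluates rules top to bottom on source address, destination address and destination port, and flags rules that an earlier, broader rule fully covers. The `Rule` fields, the rule sets and the use of port 445 for CIFS are constructed for illustration; the subnets come from the sample configuration later in the deck.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    rule_id: int
    src: str        # source address range (CIDR)
    dst: str        # destination address range (CIDR)
    ports: range    # destination ports
    label: str      # what the rule would apply

def _net(cidr):
    return ipaddress.ip_network(cidr)

def first_match(rules, src_ip, dst_ip, dport):
    """Top-to-bottom evaluation: the first matching rule wins."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in _net(r.src) and d in _net(r.dst) and dport in r.ports:
            return r
    return None

def covers(a, b):
    """True if rule a matches every session that rule b matches."""
    return (_net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and a.ports.start <= b.ports.start and b.ports.stop <= a.ports.stop)

def shadowed(rules):
    """(shadowed_id, by_id) for each rule fully covered by one earlier rule."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later.rule_id, earlier.rule_id))
                break
    return found

# Constructed rule sets; port 445 for CIFS is an assumption, not from the slides.
BROAD = Rule(1, "0.0.0.0/0", "0.0.0.0/0", range(1, 65536), "generic TCP")
CIFS = Rule(2, "10.0.7.0/24", "10.0.8.0/24", range(445, 446), "CIFS + byte cache")
BROAD_FIRST = [BROAD, CIFS]       # the specific rule can never be reached
SPECIFIC_FIRST = [CIFS, BROAD]    # specific rule on top, broad rule as fallback
```

With `BROAD_FIRST`, a CIFS session from 10.0.7.1 to 10.0.8.1 is handled by rule 1 and `shadowed` reports rule 2 as unreachable; with `SPECIFIC_FIRST` the same session hits rule 2.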

19 WAN Optimization Rule Parameters

21 WAN Optimization Modes
[Figure labels: Active-Passive Mode: client FortiGate unit (active rules), server FortiGate unit (passive rules). Peer-to-Peer Mode: Peer A: 172.16.3.1, Peer B: 192.168.3.1]
- In Active-Passive Mode, the ends of the WAN optimization tunnel operate in a kind of client/server configuration
  - Sessions originating on the client FortiGate unit use active rules and those terminating on the server FortiGate unit use passive rules
  - Active rules determine WAN optimization techniques
  - Passive rules operate as determined by the active rule
- In Peer-to-Peer Mode both ends of the tunnel have peer lists
  - Includes the name and IP address of other FortiGate units with which they can form WAN optimization tunnels

22 Active-Passive Rules
Active (Client) configuration; Passive (Server) configuration

23 Peer-to-Peer Rules Initiator Configuration Responder Configuration

24 Peer-to-Peer Rules

Configuring FortiGate1:

    config wanopt settings
        set host-id "FortiGate1"
    end
    config wanopt peer
        edit "FortiGate2"
            set ip 192.168.202.1
        next
    end

Configuring FortiGate2:

    config wanopt settings
        set host-id "FortiGate2"
    end
    config wanopt peer
        edit "FortiGate1"
            set ip 192.168.201.1
        next
    end

25 Authentication Groups Accept Any Peer Authentication Method

26 Authentication Groups Accept Defined Peers Authentication Method

27 Authentication Groups Specify Peer Authentication Method

28 Authentication Groups
Specify Peer Authentication Method
- Authentication groups can be added to support authentication and secure tunneling between WAN optimized peers
- Select the authentication method used between the two peers:
  - Digital certificate
  - Pre-shared key
- Select which peers are to be accepted:
  - Accept Any Peer
  - Accept Defined Peers
  - Specify Peer

29 WAN Optimization with SSL
- Traffic needs to be unencrypted to apply optimization techniques
- SSL handshake proceeds between the originating client and the server-side FortiGate unit
- The server-side FortiGate unit consults the configured SSL server list
- The server-side FortiGate unit passes the SSL session key and negotiated cipher to the client-side FortiGate unit through a secure tunnel or IPSec VPN
- The server-side FortiGate unit may use an HTTPS connection with server ‘full-mode’ or HTTP connection ‘half-mode’ with port forwarding (SSL offloading)

30 FortiGate-to-FortiGate Sample Configuration
[Figure labels, shared by slides 30 to 34: PC 8 10.0.8.1; PC 7 10.0.7.1; FGT8 192.168.208.1; FGT7 192.168.207.1; IPSec VPN]
Define peers

31 FortiGate-to-FortiGate Sample Configuration
Active Configuration

32 FortiGate-to-FortiGate Sample Configuration
Passive Configuration

33 FortiGate-to-FortiGate Sample Configuration
1st copy: No optimization

34 FortiGate-to-FortiGate Sample Configuration
2nd copy: Optimized
Optimize CIFS from 10.0.7.* to 10.0.8.* using protocol optimization and byte caching

35 FortiClient-to-FortiGate Sample Configuration
[Figure labels, shared by slides 35 to 37: Client, DHCP assigned IP address; Server 172.16.100.26; FGT, public IP address; IPSec VPN]
No optimization: IPSec VPN between client and gateway without WAN optimization

36 FortiClient-to-FortiGate Sample Configuration
FortiClient: Enable WAN Optimization

    config wanopt settings
        set host-id "lab"
    end
    config wanopt auth-group
        edit "auth-fc"
            set cert "Fortinet_Factory"
        next
    end
    config wanopt rule
        edit 1
            set dst-ip 172.16.100.0-172.16.100.255
            set port 80
            set auto-detect passive
            set webcache enable
        next
    end

37 FortiClient-to-FortiGate Sample Configuration
FortiClient: Enable WAN Optimization
Optimized: HTTP optimization and byte cache

38 Storage
Data storage must be defined for web caching and byte caching:
- Internal hard drive
- AMC slot

39 Web Cache Settings

40 Web Cache Exempt List

41 Define the pattern for URLs that will be exempt from web caching

42 Web Cache Communication Protocol Support
- Web Cache Communication Protocol (WCCP) is a content-routing protocol that provides a mechanism to redirect traffic flows in real-time
- WCCP v2 support can be configured on the FortiGate unit to optimize web traffic
- Transparently redirects selected types of traffic to a group of cache servers
  - If copy cached, cache server returns page
  - If copy not cached, cache server retrieves page and forwards to FortiGate unit

43 Web Cache Communication Protocol Support
[Figure labels: Intranet, Internet, Web Cache Server]

44 WCCP Configuration
Configure the Service Group

    config system wccp
        edit "0"
            set router-id 192.168.11.55
            set server-list 172.16.78.8 255.255.255.255
            set authentication enable
            set forward-method GRE
            set return-method GRE
            set password fortinet
    end

45 WCCP Configuration
Configure WCCP on the FortiGate interface

    config system interface
        edit port2
            set wccp enable
    end

46 WCCP Configuration
Enable WCCP on the firewall policy

    config firewall policy
        edit 1
            set srcintf "port1"
            set dstintf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "HTTP"
            set wccp enable
            set nat enable
    end

47 WCCP Messages
[Figure labels: Intranet, Internet, Web Cache Server; messages "Here I am" and "I see you"]

48 WCCP Debugging

Real Time Debug:

    diag debug en
    diag debug application wccp

Application Debug:

    diag test application wccpd

49 Monitoring WAN Optimization

50 Labs
- Lab - WAN Optimization
  - Configuring WAN optimization rules and policies
  - Testing WAN optimization
- Lab - Web Cache
  - Defining a new rule for web caching
