Fortigate is capable of Traffic Optimization, isn't that cool?

The following are the things that can affect Network and Application Performance:

1. Bandwidth

2. Latency

3. Throughput

4. Congestion

5. Packet Loss


The Fortinet Firewall is capable of dealing with all of them by using WAN Optimization techniques:

1. Protocol Optimization

2. Byte Caching

3. Web Caching

4. Transparent proxy


1. Protocol Optimization

It’s an application technique that improves the performance of HTTP, CIFS, FTP, MAPI and TCP protocol traffic.

I guess you know all of them except CIFS. This is the Common Internet File System protocol – it provides file access, record locking, change notification etc.

2. Byte Caching

The Fortigate Firewall can break large units of application data into small chunks, label each chunk with a hash, and store the chunks and hashes in a dictionary file. It assigns a token to each chunk and then sends the dictionary to the other Fortigates.

If a chunk and its hash are recognized, it sends the token (the dictionary must be the same on both sides).
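To make the byte-caching idea concrete, here is an added illustrative simulation (not FortiOS code and not Fortinet's actual implementation): each end keeps a dictionary of chunks keyed by hash, new chunks cross the WAN as dictionary entries, repeated chunks cross as tokens only, and a token the receiver cannot find is rejected because the two dictionaries are out of sync. The chunk size, token size and sample payload are constructed assumptions.

```python
import hashlib

CHUNK_SIZE = 8    # constructed: tiny chunks so the example stays readable
TOKEN_BYTES = 4   # constructed: assumed size of one token on the wire

class BytePeer:
    """One end of the tunnel: chunks keyed by hash, one token per chunk (both sides keep one)."""
    def __init__(self):
        self.token_by_hash = {}   # sha256(chunk) -> token
        self.chunk_by_token = {}  # token -> chunk bytes

    def encode(self, data: bytes) -> list:
        """Sender: unknown chunks leave as ('C', token, chunk), known chunks as ('T', token)."""
        stream = []
        for i in range(0, len(data), CHUNK_SIZE):
            chunk = data[i:i + CHUNK_SIZE]
            h = hashlib.sha256(chunk).hexdigest()
            if h not in self.token_by_hash:          # new chunk: add to dictionary, send it
                self.token_by_hash[h] = len(self.token_by_hash)
                self.chunk_by_token[self.token_by_hash[h]] = chunk
                stream.append(("C", self.token_by_hash[h], chunk))
            else:                                     # known chunk: send only the token
                stream.append(("T", self.token_by_hash[h]))
        return stream

    def decode(self, stream: list) -> bytes:
        """Receiver: learn dictionary entries, expand tokens; an unknown token is an error."""
        out = bytearray()
        for entry in stream:
            if entry[0] == "C":
                _, token, chunk = entry
                self.token_by_hash[hashlib.sha256(chunk).hexdigest()] = token
                self.chunk_by_token[token] = chunk
                out += chunk
            elif entry[1] in self.chunk_by_token:
                out += self.chunk_by_token[entry[1]]
            else:   # dictionaries differ on the two sides: fail instead of guessing
                raise KeyError(f"unknown token {entry[1]}: peer dictionaries out of sync")
        return bytes(out)

def wire_size(stream: list) -> int:
    """Bytes that cross the WAN: a token per entry plus the chunk for dictionary entries."""
    return sum(TOKEN_BYTES + (len(e[2]) if e[0] == "C" else 0) for e in stream)

def demo() -> tuple:
    """Send a constructed 64-byte payload twice; return (payload, first, second) wire sizes."""
    sender, receiver = BytePeer(), BytePeer()
    payload = b"0123456789abcdef" * 4           # constructed sample data
    first, second = sender.encode(payload), sender.encode(payload)
    assert receiver.decode(first) == receiver.decode(second) == payload
    return len(payload), wire_size(first), wire_size(second)
```

The first transfer already shrinks because the payload repeats two chunks; the second transfer is tokens only.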


3. Web Caching

This technique is also known as HTTP proxying. It stores HTML pages, images and more on the local HDD.

There are 3 modes of Web caching:

a. Non-transparent forward proxy caching

b. Transparent forward proxy caching – if you use this, please keep in mind that the Fortigate must be placed near the network gateways.

c. Transparent reverse proxy caching – this is a method to reduce the load on a busy web server by using a web cache server between the server and the Internet.


4. Transparent proxy

The users are not aware of the Fortigate. The clients communicate with the server the same way as without WAN optimization; WAN optimization is also compatible with Identity-Based firewall policies.

Keep in mind that all the firewall policies are applied before the WAN optimization policies/rules. So if you block the traffic, it will not get optimized, of course 🙂


There are 2 types of WAN optimization rules:

1. Active-Passive Mode

2. Peer-to-peer Mode


1. Active Passive Mode

The Fortigate Firewalls on both ends of the WAN optimization tunnel operate in a kind of client/server configuration. Sessions are originated on the client (active) Fortigate and terminated on the passive Fortigate firewall.

The remote peer uses auto-detection through a TCP option as the discovery mechanism to locate any peers on the path to the server.

2. Peer-to-Peer Mode

In this mode, both peers have peer lists that include the names and IP addresses of the Fortigate devices. Both Fortinet firewalls should have matching rules.



General HINTS about Fortigate Firewall WAN Optimization

1. Keep in mind that Peer-to-Peer WAN optimization tunnels use port 7810. So if you have another firewall in front, do not forget to OPEN that port.

2. Only one protocol can be selected in a WAN optimization rule. So you have one rule for each protocol. Example: Rule 1 for HTTP traffic.

3. Firewall traffic shaping (Quality of Service) is compatible only with client/server (active-passive) transparent mode. For the rest of the modes, the optimization techniques are ignored.

4. If the firewall policy includes a threat management profile, the packet is processed by the profile and not by WAN optimization. To apply WAN optimization to traffic that is accepted by a firewall policy containing a threat management profile, multiple firewall units or multiple Fortigate VDOMs must be used; to do this you must apply the threat management profile in the first FG unit or VDOM and apply WAN optimization in the second Fortigate unit or VDOM.

5. SSL traffic can also be optimized by using the Web Caching technique. The Fortinet firewall caches HTTPS web pages.

6. Fortigate is also capable of WCCP – Web Cache Communication Protocol. You can check this article about Fortigate WCCP.


If you have any questions please let me know.