CacheGuard-OS
User's Guide - Version UF-2.3.5
WAN Optimisation
A CacheGuard appliance uses several technologies to optimise WAN (and LAN) bandwidth usage to improve availability and Quality of Service (QoS). Technologies such as HTTP compression and Web caching help save network bandwidth during Web browsing, while traffic shaping can reserve bandwidth for critical applications. All these features can be activated simultaneously on the same CacheGuard appliance.
Web Caching
Web caching is one of the core and historical features of a CacheGuard appliance. It stores browsed (or served, in reverse mode) Web content on disks before sending it to Web clients. Cached Web content can then be retrieved locally instead of being downloaded again from the Web, significantly saving network bandwidth. You can use the mode cache on command to activate Web caching.
Cached Object Size
For performance reasons, a CacheGuard appliance caches only objects within a defined size range. The cache command can be used to modify the upper and lower cache size limits.
It is important to adjust these limits with care: caching all objects (even very small ones) may decrease performance, as disk I/O can become slower than network I/O. Similarly, caching overly large objects can quickly saturate the cache with content rarely reused.
To configure Web caching to store only objects between 20 KB and 51200 KB, use the following commands:
- cache object 20 51200
- apply
Caching Big Objects
In some cases, it is useful to cache very large objects that are shared by many users, such as operating system updates for PCs or smartphones. To cache large objects (greater than 256 MB—the default upper limit), you must enable the big-object caching feature and define its limits.
Big-object caching reserves a specific area of disk space for large files, preventing them from occupying the entire cache. The size of this area depends on your disk capacity and installation parameters.
To enable caching for objects between 131073 KB (128 MB) and 2097152 KB (2 GB), use:
- cache bigobject on 131073 2097152
- apply
Peer Caches
Two or more CacheGuard appliances can be paired to share their respective Web caches. Use the peer command to configure peering between appliances. A paired CacheGuard appliance is referred to as a peer.
Peers can be configured in parallel or chained modes:
- Parallel mode: The appliance checks its own cache first. If the requested content is not found, it queries its peers before fetching it from the internet.
- Chained mode: The appliance checks its own cache first. If the object is not found, it always queries its chained peers (called next peers) instead of the internet directly. Each remote peer must be configured to accept connections from its previous peers.
If more than one next peer is defined, the appliance distributes requests among them in a load-balanced manner.
HTTP Compression
A CacheGuard appliance can compress Web traffic to reduce its size and save bandwidth. HTTP compression is particularly beneficial for low-bandwidth networks prone to packet loss, such as Wi-Fi or satellite-based links.
When HTTP compression is enabled, the appliance compresses textual content (HTML, JavaScript, XML, etc.) before sending it to clients. Modern browsers automatically decompress this content.
To enable HTTP compression, use the mode compress on command.
Traffic Shaping
A CacheGuard appliance includes a bandwidth manager that allows you to shape and schedule network traffic. The system distinguishes between:
- Traffic exchanged directly with the appliance.
- Traffic routed through the appliance (where the source or destination is external).
Use the mode qos on command to enable traffic shaping, and configure it using the qos command.
Traffic types that can be managed include:
- antivirus: Traffic between the embedded antivirus and external services.
- file: File transfers between the appliance and file servers.
- peer: Traffic between CacheGuard peers.
- rweb: Reverse proxy traffic between the appliance and real Web servers.
- tweb: Transparent Web proxy traffic between the appliance and Web clients.
- web: Forward proxy traffic between the appliance and Web clients.
- vpnipsec: Encrypted IPsec VPN traffic.
- default: Any other traffic not matched by the above categories.

To configure bandwidth limits, first define the total available (incoming and outgoing) bandwidth for each interface in kbps, then assign percentages or absolute values to each traffic type.
For example, to set the total bandwidth of the external interface to 10,000 kbps (10 Mbps) and other interfaces to 1,000,000 kbps (1 Gbps):
- mode qos on
- qos bandwidth external ingress 10000
- qos bandwidth external egress 10000
- qos bandwidth internal ingress 1000000
- qos bandwidth internal egress 1000000
- qos bandwidth auxiliary ingress 1000000
- qos bandwidth auxiliary egress 1000000
- apply
To reserve 40% of external bandwidth for Web browsing and 60% for reverse Web traffic:
- qos shape web external ingress 40%
- qos shape web external egress 40%
- qos shape rweb external ingress 60%
- qos shape rweb external egress 60%
- apply
Bandwidth Borrowing
Traffic shaping can be strict or flexible. In flexible mode, unused reserved bandwidth for one traffic type can be temporarily borrowed by others.
For example, if 60% of external bandwidth (6 Mbps) is allocated to reverse Web traffic but only 4 Mbps is in use, the remaining 2 Mbps can be borrowed by other traffic types.
To enforce strict allocation (no borrowing), disable it as follows:
- qos borrow external ingress off
- qos borrow external egress off
- apply
QoS Fine-Tuning
Traffic shaping can be fine-tuned to prioritise specific networks. For instance, you can reserve 90% of browsing bandwidth for one network and limit another to 10%.
This setting can be defined contextually, such as when using the access web command.
Example:
- qos shape web internal ingress 30%
- qos shape web internal egress 30%
- access web add internal 10.26.0.0 255.255.0.0 90%
- access web add internal 172.18.2.0 255.255.255.0 10%
- apply
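The Traffic Shaping and QoS Fine-Tuning examples above can be checked offline before they are applied. The following is an added example, not CacheGuard code: it parses a list of the commands shown in this section, converts each percentage into kbps and flags interfaces whose reservations exceed 100% or that are shaped without a total bandwidth. The function name plan and the reading of per-network percentages as shares of the web class in each direction are assumptions; absolute (non-percentage) values are reported and skipped.

```python
from collections import defaultdict

# Constructed sample: the qos/access commands from this section as plain text.
SAMPLE = """\
qos bandwidth external ingress 10000
qos bandwidth external egress 10000
qos bandwidth internal ingress 1000000
qos bandwidth internal egress 1000000
qos shape web external ingress 40%
qos shape web external egress 40%
qos shape rweb external ingress 60%
qos shape rweb external egress 60%
qos shape web internal ingress 30%
qos shape web internal egress 30%
access web add internal 10.26.0.0 255.255.0.0 90%
access web add internal 172.18.2.0 255.255.255.0 10%
"""

def plan(text):
    """Return (class kbps, per-network web kbps, warnings) for a command list."""
    total, shape, nets, warnings = {}, defaultdict(dict), defaultdict(list), []
    for line in text.splitlines():
        w = line.split()
        if w[:2] == ["qos", "bandwidth"] and len(w) == 5:
            total[(w[2], w[3])] = int(w[4])          # interface total in kbps
        elif w[:2] == ["qos", "shape"] and len(w) == 6:
            if w[5].endswith("%"):
                shape[(w[3], w[4])][w[2]] = int(w[5][:-1])
            else:                                    # absolute values not modelled here
                warnings.append(f"skipped non-percentage value: {line}")
        elif w[:3] == ["access", "web", "add"] and len(w) == 7 and w[6].endswith("%"):
            nets[w[3]].append((f"{w[4]}/{w[5]}", int(w[6][:-1])))
    kbps, per_net = {}, {}
    for key, classes in shape.items():
        if key not in total:
            warnings.append(f"{key[0]} {key[1]}: shaped but no total bandwidth set")
            continue
        for cls, pct in classes.items():
            kbps[key + (cls,)] = total[key] * pct // 100
        if sum(classes.values()) > 100:
            warnings.append(f"{key[0]} {key[1]}: reservations exceed 100%")
    # Assumption: a per-network percentage is a share of that interface's web class,
    # applied in each direction where the web class is shaped.
    for (iface, direction, cls), rate in list(kbps.items()):
        if cls == "web":
            for net, pct in nets.get(iface, []):
                per_net[(iface, direction, net)] = rate * pct // 100
    return kbps, per_net, warnings
```

Calling plan(SAMPLE) returns the kbps reserved per interface, direction and traffic type, the per-network web rates, and an empty warning list for the configuration shown in this section.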
You can combine Web caching, peering, HTTP compression, and traffic shaping to achieve maximum bandwidth optimisation.