CLI Reference

system wccp

Use this command to configure various settings for Web Cache Communication Protocol (WCCP). Before you can do this, however, you must first configure the FortiGate as either a WCCP router or client:

  • FortiGate as WCCP router: Intercepts HTTP and HTTPS sessions and forwards them to a web caching engine, caches web pages, and returns cached content to the web browser.
  • FortiGate as WCCP client: Accepts and forwards WCCP sessions and uses firewall policies to apply NAT, UTM, and more security features. Note that FortiGates may only operate as clients while in NAT mode (not in Transparent mode).

To assign either role to the FortiGate, use the following command:

config system settings
	set wccp-cache-engine {enable | disable}
end

Set this command to disable (the default) for the FortiGate to operate as a WCCP router. Set it to enable for the FortiGate to operate as a WCCP client. When enabled, an interface named w.root is added to the FortiGate (shown under config system interfaces). All WCCP sessions received by the FortiGate, operating as a WCCP client, are considered to be received at this interface, where you can enter firewall policies for WCCP traffic.

Note: All WCCP entries created, whether for router or client, must be numbered within the range of 0-255. The default is set to 1. Use 0 for HTTP.

config system wccp
    edit {service-id}
    # Configure WCCP.
        set service-id {string}   Service ID. size[3]
        set router-id {ipv4 address}   IP address known to all cache engines. If all cache engines connect to the same FortiGate interface, use the default 0.0.0.0.
        set cache-id {ipv4 address}   IP address known to all routers. If the addresses are the same, use the default 0.0.0.0.
        set group-address {multicast ipv4 address}   IP multicast address used by the cache routers. For the FortiGate to ignore multicast WCCP traffic, use the default 0.0.0.0.
        set server-list {string}   IP addresses and netmasks for up to four cache servers.
        set router-list {string}   IP addresses of one or more WCCP routers.
        set ports-defined {source | destination}   Match method.
                source       Source port match.
                destination  Destination port match.
        set server-type {forward | proxy}   Cache server type.
                forward  Forward server.
                proxy    Proxy server.
        set ports {string}   Service ports.
        set authentication {enable | disable}   Enable/disable MD5 authentication.
        set password {password_string}   Password for MD5 authentication. size[128]
        set forward-method {GRE | L2 | any}   Method used to forward traffic to the cache servers.
                GRE  GRE encapsulation.
                L2   L2 rewrite.
                any  GRE or L2.
        set cache-engine-method {GRE | L2}   Method used to forward traffic to the routers or to return to the cache engine.
                GRE  GRE encapsulation.
                L2   L2 rewrite.
        set service-type {auto | standard | dynamic}   WCCP service type used by the cache server for logical interception and redirection of traffic.
                auto      auto
                standard  Standard service.
                dynamic   Dynamic service.
        set primary-hash {src-ip | dst-ip | src-port | dst-port}   Hash method.
                src-ip    Source IP hash.
                dst-ip    Destination IP hash.
                src-port  Source port hash.
                dst-port  Destination port hash.
        set priority {integer}   Service priority. range[0-255]
        set protocol {integer}   Service protocol. range[0-255]
        set assignment-weight {integer}   Assignment of hash weight/ratio for the WCCP cache engine. range[0-255]
        set assignment-bucket-format {wccp-v2 | cisco-implementation}   Assignment bucket format for the WCCP cache engine.
                wccp-v2               WCCP-v2 bucket format.
                cisco-implementation  Cisco bucket format.
        set return-method {GRE | L2 | any}    Method used to decline a redirected packet and return it to the FortiGate.
                GRE  GRE encapsulation.
                L2   L2 rewrite.
                any  GRE or L2.
        set assignment-method {HASH | MASK | any}   Hash key assignment preference.
                HASH  HASH assignment method.
                MASK  MASK assignment method.
                any   HASH or MASK.
    next
end

Additional information

The following section is for those options that require additional explanation.

WCCP router mode

The entries below are available when the FortiGate has been configured as a WCCP router.

router-id <ip-address>

IP address known to all cache engines; it identifies an interface on the FortiGate to the cache engines. If all cache engines connect to the same FortiGate interface, use the default address of 0.0.0.0. However, if the cache engines can connect to different FortiGate interfaces, you must set router-id to a specific IP address, which must then be added to the configuration of the cache engines that connect to that interface.

group-address <multicast-address>

IP multicast address used by the cache routers. The default, 0.0.0.0, means the FortiGate will ignore multicast WCCP traffic. Otherwise, set an address between 224.0.0.0 and 239.255.255.255.

server-list <router-1> [router-2] [router-3] [router-4]

IP address and netmask for up to four cache servers.

authentication {enable | disable}

Enable or disable (the default) MD5 authentication for the WCCP configuration.

password <password>

Note: This entry is only available when authentication is set to enable. Password for MD5 authentication (maximum length of eight characters).

forward-method {GRE | L2 | any}

Defines how the FortiGate forwards traffic to cache servers:

  • GRE: Encapsulates the intercepted packet in an IP GRE header with a source IP address of the WCCP server and a destination IP address of the target WCCP client. This allows the WCCP server to be multiple Layer 3 hops away from the WCCP client.
  • L2: Rewrites the destination MAC address of the intercepted packet to equal the MAC address of the target WCCP client. L2 forwarding requires that the WCCP server is Layer 2 adjacent to the WCCP client.
  • any: Cache server determines the method.

return-method {GRE | L2 | any}

Defines how a cache server declines a redirected packet, and returns it to the FortiGate (see forward-method above for option descriptions).

assignment-method {HASH | MASK | any}

Defines which assignment method the FortiGate prefers:

  • HASH: A hash key based on any combination of the source and destination IP and port of the packet.
  • MASK: A mask value specified with a maximum of 7 bits that, like the hash key, can be configured to cover both the source and destination address space.
  • any: Cache server determines the method.
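The router-mode constraints above can be checked mechanically before a configuration is deployed. The following is an added example, not Fortinet code: `parse_wccp` and `audit` are hypothetical helper names, the sample fragment is constructed, and it assumes each `server-list` entry is written as an address followed by a netmask.

```python
import ipaddress
import shlex

# Constructed sample fragment; addresses and password are placeholders.
SAMPLE = '''
config system wccp
    edit "0"
        set server-list 192.0.2.10 255.255.255.255
        set forward-method any
    next
    edit "300"
        set group-address 244.0.0.1
        set authentication enable
        set password "ninechars"
    next
end
'''

def parse_wccp(text):
    """Return {service_id: {option: [values]}} for the `config system wccp` block."""
    entries, current, inside = {}, None, False
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if tok[:3] == ["config", "system", "wccp"]:
            inside = True
        elif not inside or not tok:
            continue
        elif tok[0] == "edit" and len(tok) > 1:
            current = entries.setdefault(tok[1], {})
        elif tok[0] == "set" and current is not None and len(tok) > 1:
            current[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            inside, current = tok[0] == "next", None
    return entries

def audit(entries):
    """Return (service_id, message) findings for the limits this page documents."""
    out = []
    for sid, opt in entries.items():
        first = lambda key, default: (opt.get(key) or [default])[0]
        if not (sid.isdigit() and int(sid) <= 255):
            out.append((sid, "service ID outside 0-255"))
        if first("authentication", "disable") != "enable":
            out.append((sid, "MD5 authentication disabled (the default)"))
        elif len(first("password", "")) > 8:
            out.append((sid, "password longer than eight characters"))
        group = ipaddress.ip_address(first("group-address", "0.0.0.0"))
        if str(group) != "0.0.0.0" and not group.is_multicast:
            out.append((sid, f"group-address {group} is not a multicast address"))
        if len(opt.get("server-list", [])) > 8:  # address + netmask per server
            out.append((sid, "server-list has more than four cache servers"))
        for key in ("forward-method", "return-method", "assignment-method"):
            if first(key, "") == "any":
                out.append((sid, f"{key} is 'any': the cache server chooses"))
    return out
```

Calling `audit(parse_wccp(SAMPLE))` returns five findings for the constructed fragment: two for entry 0 and three for entry 300.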

WCCP client mode

The entries below are available when the FortiGate has been configured as a WCCP client.

cache-id <ip-address>

IP address of the cache engine if its IP address is not the same as the IP address of a FortiGate interface. If the addresses are the same, use the default address of 0.0.0.0.

group-address <multicast-address>

IP multicast address used by the cache routers. The default, 0.0.0.0, means the FortiGate will ignore multicast WCCP traffic. Otherwise, set an address between 224.0.0.0 and 239.255.255.255.

router-list <addresses>

IP addresses of one or more WCCP routers that can communicate with a FortiGate operating as a WCCP cache engine. Separate multiple addresses with spaces.

authentication {enable | disable}

Enable or disable (the default) MD5 authentication for the WCCP configuration.

cache-engine-method {GRE | L2}

Defines how traffic is forwarded to routers or returned to the cache engine (see forward-method above for option descriptions). The default is set to GRE.

service-type {auto | standard | dynamic}

WCCP service type, or service group, used by the cache server for logical interception and redirection of traffic. The default is set to auto.

  • auto: Transparent redirection of traffic, whereby the target URL is used to request content and requests are automatically redirected to a web caching engine.
  • standard: Intercepts TCP port 80 (HTTP) traffic to the client.
  • dynamic: Use when the router is instructed which protocol or ports to intercept, and how to distribute the traffic.

assignment-weight <weight>

Assignment weight/ratio for the WCCP cache engine. Set a value between 0 and 255. The default is set to 0.

assignment-bucket-format {wccp-v2 | cisco-implementation}

Assignment bucket format for the WCCP cache engine. WCCP version 2 (wccp-v2) allows for support of up to 256 masks. The default is set to cisco-implementation.
