Example: Caching HTTP sessions
In this example configuration, a FortiProxy unit is operating as an Internet firewall for a private network. The port39 interface of the FortiProxy unit is connected to the Internet, and the port38 interface is connected to the internal network.
All HTTP traffic on port80 that is received at the port38 interface of the FortiProxy unit is accepted by a port39-to-port38 firewall policy with WCCP enabled. All other traffic received at the port2 interface is allowed to connect to the Internet by adding a general port38-to-port39 firewall policy below the HTTP-on-port-80 firewall policy.
A WCCP service group is added to the FortiProxy unit with a service ID of 0 for caching HTTP traffic on port80. The port1 interface of the FortiProxy unit is configured for WCCP communication.
A FortiProxy unit connects to the Internet through the FortiProxy unit. To allow for this, a port1-to-port39 firewall policy is added to the FortiProxy unit.
NOTE: The WCCP client can operate in L2 mode. The WCCP client firewall policy must specify which ingress interface is receiving the L2-forwarded traffic. This is different from GRE-mode, which uses the w.root interface.
Configure the WCCP client
You can configure the WCCP client in the GUI or CLI.
To configure the FortiProxy unit as a WCCP client using the GUI:
- Go to Network > Interfaces.
- Select an interface and then click Edit. If there are no interfaces in the list, select Create New.
- Move the slider for Enable WCCP Protocol to enable WCCP on this interface, and then click OK to save your changes.
- Go to Web Cache > WCCP Settings and select Create New.
- Configure the following settings:
Server ID | Enter the WCCP service group identifier. Enter 90 for the example network.
Cache ID | Enter the IP address that is known by all web cache routers. Enter 10.51.101.10 for the example network.
Router List | Enter the IP addresses of potential cache servers. Enter 10.51.101.100 for the example network.
Authentication | Enable or disable MD5 authentication. Select Disable for the example network.
Cache Engine Method | Select the method for forwarding traffic to the routers and for returning traffic to the cache engine, either GRE or L2. Select GRE or L2 for the example network.
Assignment Method | Select the preferred assignment method for the hash key, either HASH or MASK. Select HASH or MASK for the example network.
- Click OK to create the WCCP client.
To configure the FortiProxy unit as a WCCP client using the CLI:
Use the following steps to configure the FortiProxy unit as the WCCP client for the example network. The example steps only describe the WCCP-related configuration.
- Enable the L2 mode:
config system wccp
edit <Service-ID>
set cache-engine-method L2
next
end
- Configure the FortiProxy unit to operate as a WCCP client:
config system settings
set wccp-cache-engine enable
end
You cannot enter the
- Enable WCCP on the aggregate interface aggr1:
config system interface
edit aggr1
set ip 192.168.1.2 255.255.255.0
set allowaccess ping https ssh snmp http telnet
set type aggregate
set explicit-web-proxy enable
set member port1 port4
set wccp enable
end
- Add a WCCP service group with service ID 0. The cache ID is the address of the aggr1 interface (192.168.1.2) and the router list holds the router address (192.168.1.1), which matches the verification output later in this example:
config system wccp
edit 0
set router-list 192.168.1.1
set cache-id 192.168.1.2
end
- Add a port-w.root-to-aggr1 firewall policy that accepts HTTP traffic on port80 and is configured for WCCP:
config firewall policy
edit 1
set srcintf w.root
set dstintf aggr1
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service HTTP
set webcache enable
end
config firewall central-snat-map
edit 1
set masquerade enable
set srcintf w.root
set dstintf aggr1
set orig-addr "all"
set dst-addr "all"
next
end
NOTE: If the FortiProxy is operating in L2 mode, the firewall policy must specify the ingress interface where L2-forwarded traffic is being received:
config firewall policy
edit 1
set srcintf <port x>
set dstintf <port y>
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service HTTP
set webcache enable
end
config firewall central-snat-map
edit 1
set masquerade enable
set srcintf <port x>
set dstintf <port y>
set orig-addr "all"
set dst-addr "all"
next
end
Verify the WCCP status
After setting up the FortiProxy unit as the WCCP client, use the following diagnose commands to confirm that it is configured correctly. The output below is for the example network.
diagnose test application wccp 2
root: work mode:cache working NAT first_phy_id=8
interface list:
intf=aggr1, gid=8 phy_id=8
service list:
service: 0, cache_id=192.168.1.2, group=0.0.0.0, auth(no)
forward=1, return=1, assign=1.
router list:
192.168.1.1
port list:
ecache_id=192.168.1.2
diagnose test application wccp 6
service-0 in root
erouter_list: 1 routers in total
0. 192.168.1.1
receive_id:23573 change_number:2
cache servers seen by this router:
0. 192.168.1.2 weight:0 (*Designated Web Cache)
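To turn the manual check above into a repeatable health check, the following script (an added example, not part of the FortiProxy documentation) parses output in the format shown for diagnose test application wccp 2 and wccp 6 and compares it with the intended service ID, cache ID and router list. The sample output is constructed to match the example network, and the function names and the assumption that the output layout is stable across releases are mine.

```python
import re

# Constructed sample output, modelled on the "wccp 2" and "wccp 6" output shown above.
WCCP2 = """root: work mode:cache working NAT first_phy_id=8
service list:
service: 0, cache_id=192.168.1.2, group=0.0.0.0, auth(no)
router list:
192.168.1.1
"""
WCCP6 = """service-0 in root
erouter_list: 1 routers in total
0. 192.168.1.1
receive_id:23573 change_number:2
cache servers seen by this router:
0. 192.168.1.2 weight:0 (*Designated Web Cache)
"""
IP = r"\d+\.\d+\.\d+\.\d+"

def parse_wccp2(text):
    """Return ({service_id: cache_id}, [router IPs]) from 'wccp 2' output."""
    services = {int(s): c for s, c in re.findall(r"service:\s*(\d+),\s*cache_id=(" + IP + ")", text)}
    routers = re.findall("^(" + IP + ")$", text, re.MULTILINE)  # bare IPs only occur under "router list:"
    return services, routers

def parse_wccp6(text):
    """Return {router_ip: {cache_ip: is_designated}} from 'wccp 6' output."""
    seen, router = {}, None
    for line in text.splitlines():
        m = re.match(r"\d+\.\s+(" + IP + r")(?:\s+weight:\d+(.*))?$", line.strip())
        if m and m.group(2) is None:      # "N. <ip>" without a weight is a router entry
            router = m.group(1)
            seen[router] = {}
        elif m and router:                # cache entries follow the router they belong to
            seen[router][m.group(1)] = "Designated" in m.group(2)
    return seen

def check_wccp(wccp2_text, wccp6_text, service_id, cache_id, routers):
    """Compare diagnose output with the intended configuration; returns a list of problems."""
    services, seen_routers = parse_wccp2(wccp2_text)
    seen_caches = parse_wccp6(wccp6_text)
    problems = []
    if services.get(service_id) != cache_id:
        problems.append(f"service {service_id}: cache_id is {services.get(service_id)}, expected {cache_id}")
    for r in routers:
        if r not in seen_routers:
            problems.append(f"router {r} missing from router list")
        elif not seen_caches.get(r, {}).get(cache_id):
            problems.append(f"router {r} does not report {cache_id} as the designated web cache")
    return problems
```

An empty list from check_wccp means the service is registered with the expected cache ID and every expected router both appears in the router list and reports this unit as its designated web cache.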