Fortinet white logo
Fortinet white logo

Administration Guide

Example: Caching HTTP sessions

Example: Caching HTTP sessions

In this example configuration, a FortiProxy unit is operating as an Internet firewall for a private network. The port39 interface of the FortiProxy unit is connected to the Internet, and the port38 interface is connected to the internal network.

All HTTP traffic on port80 that is received at the port38 interface of the FortiProxy unit is accepted by a port39-to-port38 firewall policy with WCCP enabled. All other traffic received at the port2 interface is allowed to connect to the Internet by adding a general port38-to-port39 firewall policy below the HTTP-on-port-80 firewall policy.

A WCCP service group is added to the FortiProxy unit with a service ID of 0 for caching HTTP traffic on port80. The port1 interface of the FortiProxy unit is configured for WCCP communication.

A FortiProxy unit connects to the Internet through the FortiProxy unit. To allow for this, a port1-to-port39 firewall policy is added to the FortiProxy unit.

NOTE: The WCCP client can operate in L2 mode. The WCCP client firewall policy must specify which ingress interface is receiving the L2-forwarded traffic. This is different from GRE-mode, which uses the w.root interface.

Configure the WCCP client

You can configure the WCCP client in the GUI or CLI.

To configure the FortiProxy unit as a WCCP client using the GUI:
  1. Go to Network > Interfaces.
  2. Select an interface and then click Edit. If there are no interfaces in the list, select Create New.
  3. Move the slider for Enable WCCP Protocol to enable WCCP on this interface and Click OK to save your changes.
  4. Go to Web Cache > WCCP Settings and select Create New.
  5. Configure the following settings:
  6. Server ID

    Enter the WCCP service group identifier.

    Enter 90 for the example network.

    Cache ID

    Enter the IP address that is known by all web cache routers.

    Enter 10.51.101.10 for the example network.

    Router List

    Enter the IP addresses of potential cache servers.

    Enter 10.51.101.100 for the example network.

    Authentication

    Enable or disable MD5 authentication.

    Select Disable for the example network.

    Cache Engine Method

    Select the method for forwarding traffic to the routers and for returning traffic to the cache engine, either GRE or L2.

    Select GRE or L2 for the example network.

    Assignment Method

    Select the preferred assignment method for the hash key, either HASH or MASK.

    Select HASH or MASK for the example network.

  7. Click OK to create the WCCP client.
To configure the FortiProxy unit as a WCCP client using the CLI:

Use the following steps to configure the FortiProxy unit as the WCCP client for the example network. The example steps only describe the WCCP-related configuration.

  1. Enable the L2 mode:
  2. config system wccp

    edit <Service-ID>

    set cache-engine-method L2

    next

    end

  3. Configure the FortiProxy unit to operate as a WCCP client:
  4. config system settings

    set wccp-cache-engine enable

    end

    You cannot enter the wccp-cache-engine enable command if you have already added a WCCP service group. When you enter this command, an interface named w.root is added to the FortiProxy configuration. All traffic redirected from a WCCP router is considered to be received at this interface of the FortiProxy unit operating as a WCCP client. A default route to this interface with lowest priority is added.

  5. Enable WCCP on the aggregate interface aggr1:
  6. config system interface

    edit aggr1

    set ip 192.168.1.2 255.255.255.0

    set allowaccess ping https ssh snmp http telnet

    set type aggregate

    set explicit-web-proxy enable

    set member port1 port4

    set wccp enable

    end

  7. Add a WCCP service group with service ID 0:
  8. config system wccp

    edit 0

    set router-list 192.168.1.2

    set cache-id 192.168.1.1

    end

  9. Add a port-w.root-to-aggr1 firewall policy that accepts HTTP traffic on port80 and is configured for WCCP:
  10. config firewall policy

    edit 1

    set srcintf w.root

    set dstintf aggr1

    set srcaddr all

    set dstaddr all

    set action accept

    set schedule always

    set service HTTP

    set webcache enable

    end

config firewall central-snat-map

edit 1

set masquerade enable

set srcintf w.root

set dstintf aggr1

set orig-addr "all"

set dst-addr "all"

next

end

NOTE: If the FortiProxy is operating in L2 mode, the firewall policy must specify the ingress interface where L2-forwarded traffic is being received:

config firewall policy

edit 1

set srcintf <port x>

set dstintf <port y>

set srcaddr all

set dstaddr all

set action accept

set schedule always

set service HTTP

set webcache enable

end

config firewall central-snat-map

edit 1

set masquerade enable

set srcintf <port x>

set dstintf <port y>

set orig-addr "all"

set dst-addr "all"

next

end

Verify the WCCP status

After setting up the FortiProxy unit as the WCCP client, you should verify to confirm that it is configured correctly.

diagnose test application wccp 2

root: work mode:cache working NAT first_phy_id=8

interface list:

intf=aggr1, gid=8 phy_id=8

service list:

service: 0, cache_id=192.168.1.2, group=0.0.0.0, auth(no)

forward=1, return=1, assign=1.

router list:

192.168.1.1

port list:

ecache_id=192.168.1.2

diagnose test application wccp 6

service-0 in root

erouter_list: 1 routers in total

0. 192.168.1.1

receive_id:23573 change_number:2

cache servers seen by this router:

0. 192.168.1.2 weight:0 (*Designated Web Cache)

Example: Caching HTTP sessions

Example: Caching HTTP sessions

In this example configuration, a FortiProxy unit is operating as an Internet firewall for a private network. The port39 interface of the FortiProxy unit is connected to the Internet, and the port38 interface is connected to the internal network.

All HTTP traffic on port80 that is received at the port38 interface of the FortiProxy unit is accepted by a port39-to-port38 firewall policy with WCCP enabled. All other traffic received at the port2 interface is allowed to connect to the Internet by adding a general port38-to-port39 firewall policy below the HTTP-on-port-80 firewall policy.

A WCCP service group is added to the FortiProxy unit with a service ID of 0 for caching HTTP traffic on port80. The port1 interface of the FortiProxy unit is configured for WCCP communication.

A FortiProxy unit connects to the Internet through the FortiProxy unit. To allow for this, a port1-to-port39 firewall policy is added to the FortiProxy unit.

NOTE: The WCCP client can operate in L2 mode. The WCCP client firewall policy must specify which ingress interface is receiving the L2-forwarded traffic. This is different from GRE-mode, which uses the w.root interface.

Configure the WCCP client

You can configure the WCCP client in the GUI or CLI.

To configure the FortiProxy unit as a WCCP client using the GUI:
  1. Go to Network > Interfaces.
  2. Select an interface and then click Edit. If there are no interfaces in the list, select Create New.
  3. Move the slider for Enable WCCP Protocol to enable WCCP on this interface and Click OK to save your changes.
  4. Go to Web Cache > WCCP Settings and select Create New.
  5. Configure the following settings:
  6. Server ID

    Enter the WCCP service group identifier.

    Enter 90 for the example network.

    Cache ID

    Enter the IP address that is known by all web cache routers.

    Enter 10.51.101.10 for the example network.

    Router List

    Enter the IP addresses of potential cache servers.

    Enter 10.51.101.100 for the example network.

    Authentication

    Enable or disable MD5 authentication.

    Select Disable for the example network.

    Cache Engine Method

    Select the method for forwarding traffic to the routers and for returning traffic to the cache engine, either GRE or L2.

    Select GRE or L2 for the example network.

    Assignment Method

    Select the preferred assignment method for the hash key, either HASH or MASK.

    Select HASH or MASK for the example network.

  7. Click OK to create the WCCP client.
To configure the FortiProxy unit as a WCCP client using the CLI:

Use the following steps to configure the FortiProxy unit as the WCCP client for the example network. The example steps only describe the WCCP-related configuration.

  1. Enable the L2 mode:
  2. config system wccp

    edit <Service-ID>

    set cache-engine-method L2

    next

    end

  3. Configure the FortiProxy unit to operate as a WCCP client:
  4. config system settings

    set wccp-cache-engine enable

    end

    You cannot enter the wccp-cache-engine enable command if you have already added a WCCP service group. When you enter this command, an interface named w.root is added to the FortiProxy configuration. All traffic redirected from a WCCP router is considered to be received at this interface of the FortiProxy unit operating as a WCCP client. A default route to this interface with lowest priority is added.

  5. Enable WCCP on the aggregate interface aggr1:
  6. config system interface

    edit aggr1

    set ip 192.168.1.2 255.255.255.0

    set allowaccess ping https ssh snmp http telnet

    set type aggregate

    set explicit-web-proxy enable

    set member port1 port4

    set wccp enable

    end

  7. Add a WCCP service group with service ID 0:
  8. config system wccp

    edit 0

    set router-list 192.168.1.2

    set cache-id 192.168.1.1

    end

  9. Add a port-w.root-to-aggr1 firewall policy that accepts HTTP traffic on port80 and is configured for WCCP:
  10. config firewall policy

    edit 1

    set srcintf w.root

    set dstintf aggr1

    set srcaddr all

    set dstaddr all

    set action accept

    set schedule always

    set service HTTP

    set webcache enable

    end

config firewall central-snat-map

edit 1

set masquerade enable

set srcintf w.root

set dstintf aggr1

set orig-addr "all"

set dst-addr "all"

next

end

NOTE: If the FortiProxy is operating in L2 mode, the firewall policy must specify the ingress interface where L2-forwarded traffic is being received:

config firewall policy

edit 1

set srcintf <port x>

set dstintf <port y>

set srcaddr all

set dstaddr all

set action accept

set schedule always

set service HTTP

set webcache enable

end

config firewall central-snat-map

edit 1

set masquerade enable

set srcintf <port x>

set dstintf <port y>

set orig-addr "all"

set dst-addr "all"

next

end

Verify the WCCP status

After setting up the FortiProxy unit as the WCCP client, you should verify to confirm that it is configured correctly.

diagnose test application wccp 2

root: work mode:cache working NAT first_phy_id=8

interface list:

intf=aggr1, gid=8 phy_id=8

service list:

service: 0, cache_id=192.168.1.2, group=0.0.0.0, auth(no)

forward=1, return=1, assign=1.

router list:

192.168.1.1

port list:

ecache_id=192.168.1.2

diagnose test application wccp 6

service-0 in root

erouter_list: 1 routers in total

0. 192.168.1.1

receive_id:23573 change_number:2

cache servers seen by this router:

0. 192.168.1.2 weight:0 (*Designated Web Cache)