Configuring FortiWeb to receive traffic via WCCP
You can configure FortiWeb as a Web Cache Communication Protocol (WCCP) client. This configuration allows a FortiGate configured as a WCCP server to redirect HTTP and HTTPS traffic to FortiWeb for inspection.
If your WCCP configuration includes multiple WCCP clients, the WCCP server can balance the traffic load among the clients. In addition, it detects when a client fails and redirects sessions to clients that are still available.
WCCP was originally designed to provide web caching with load balancing and fault tolerance and is described by the Web Cache Communication Protocol Internet draft (http://tools.ietf.org/id/draft-wilson-wrec-wccp-v2-01.txt).
This feature requires the operation mode to be WCCP. For details, see Setting the operation mode.
For details about connecting and configuring your network devices for WCCP mode, see Topology for WCCP mode.
For detailed information on configuring FortiGate and other Fortinet devices to act as a WCCP service group, see the FortiGate WCCP topic in the FortiOS Handbook:
http://docs.fortinet.com/fortigate
Configuring the FortiWeb WCCP client settings
To configure FortiWeb as a WCCP client
- Ensure the operation mode is WCCP. For details, see Setting the operation mode.
- Configure the network interface that communicates with the FortiGate (the WCCP server) to use the WCCP Protocol. For details, see Configuring the network settings.
- Go to System > Config > WCCP Client.
- Click Create New.
- Configure these settings:

Setting | Description
Service ID | Specifies the service ID of the WCCP service group that this WCCP client belongs to. For HTTP traffic, the service ID is 0. For other types of traffic (for example, HTTPS), the valid range is 51 to 255. (Do not use 1 to 50, which are reserved by the WCCP standard.)
Cache ID | Specifies the IP address of the FortiWeb interface that communicates with the WCCP server. Ensure that the WCCP protocol is enabled for the specified network interface. See Configuring the network settings.
Group Address | Specifies the IP addresses of the clients for multicast WCCP configurations. The multicast address allows you to configure a WCCP service group with more than 8 WCCP clients. The valid range of multicast addresses is 224.0.0.0 to 239.255.255.255.
Router List | Specifies the IP addresses of the WCCP servers in the WCCP service group. You can specify up to 8 servers. Click + (plus sign) to add additional addresses. To configure more than 8 WCCP servers, use Group Address instead.
Port | Specifies the port numbers of the sessions that this client inspects. The valid range is 0 to 65535. Enter 0 to specify all ports.
Authentication | Specifies whether WCCP messages between the WCCP server and client are authenticated using the MD5 cryptographic hash function and the shared Password.
Password | Specifies the password used by the WCCP server and clients. All servers and clients in the group use the same password. The maximum password length is 8 characters. Available only when Authentication is enabled.
Service Priority | Specifies the priority that this service group has. If more than one service group is available to scan the traffic specified by Port and Service Protocol, the WCCP server transmits all the traffic to the service group with the highest Service Priority value.
Service Protocol | Specifies the protocol of the network traffic the WCCP service group transmits. For TCP sessions the protocol is 6.
Cache Engine Method | Specifies how the WCCP server redirects traffic to FortiWeb:
  - GRE—The WCCP server encapsulates redirected packets within a generic routing encapsulation (GRE) header. The packets also have a WCCP redirect header.
  - L2—The WCCP server overwrites the original MAC header of the IP packets and replaces it with the MAC header for the WCCP client.
Primary Hash | Specifies the hashing scheme that the WCCP server uses in combination with the Weight value to direct traffic when the WCCP service group has more than one WCCP client. The hashing scheme can be the source IP address, destination IP address, source port, or destination port, or a combination of these values.
Weight | Specifies a value that the WCCP server uses in combination with the Primary Hash value to direct traffic when the WCCP service group has more than one WCCP client. The valid range is 0 to 255.
Bucket Format | Specifies the hash table bucket format for the WCCP cache engine.

Although you can set different values for settings such as Service Priority and Primary Hash for each WCCP client in a service group, the settings in the WCCP client with the lowest Cache ID value have priority. For example, if a WCCP service group has two WCCP clients with cache IDs 172.22.80.99 and 172.22.80.100, the group uses the WCCP client settings for 172.22.80.99.

- Click OK.
- Optionally, use the following CLI command to route traffic back to the client instead of the WCCP server. You cannot enable this feature using the web UI.

config system wccp
edit <service-id>
set return-to-sender enable
next
end

- Create a WCCP server pool. See Creating a server pool.
- Create a server policy in which the Deployment Mode is WCCP Servers and the selected server pool is the WCCP pool you created earlier.
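The limits in the settings table above (service ID ranges, the multicast range, the 8-server Router List limit, the 8-character password, the Weight range) and the "lowest Cache ID wins" rule are easy to get wrong when several appliances are configured by hand. The following Python is an added example written for this page, not FortiWeb code: it models the WCCP Client form as a plain dataclass (the field names are this example's own, not FortiWeb CLI or API identifiers) and checks a proposed configuration against those documented limits before it is entered.

```python
import ipaddress
from dataclasses import dataclass, field


# Assumed data model mirroring the System > Config > WCCP Client form.
# Field names are this example's own; they are not FortiWeb identifiers.
@dataclass
class WccpClientSettings:
    service_id: int
    cache_id: str                                      # FortiWeb interface IP used for WCCP
    router_list: list = field(default_factory=list)    # unicast WCCP servers, at most 8
    group_address: str = ""                            # multicast alternative to router_list
    port: int = 0                                      # 0 = all ports
    service_protocol: int = 6                          # 6 = TCP
    authentication: bool = False
    password: str = ""
    weight: int = 0


MULTICAST_LOW = ipaddress.IPv4Address("224.0.0.0")
MULTICAST_HIGH = ipaddress.IPv4Address("239.255.255.255")


def _ipv4(value):
    """Return an IPv4Address, or None if the string is not a valid IPv4 address."""
    try:
        return ipaddress.IPv4Address(value)
    except ValueError:
        return None


def validate_wccp_client(cfg):
    """Return a list of problems; an empty list means every setting is within the documented limits."""
    problems = []
    if cfg.service_id != 0 and not 51 <= cfg.service_id <= 255:
        problems.append(f"Service ID {cfg.service_id}: use 0 for HTTP or 51-255 (1-50 are reserved)")
    if _ipv4(cfg.cache_id) is None:
        problems.append(f"Cache ID {cfg.cache_id!r} is not an IPv4 address")
    if not 0 <= cfg.port <= 65535:
        problems.append(f"Port {cfg.port} is outside 0-65535")
    if cfg.group_address:
        group = _ipv4(cfg.group_address)
        if group is None or not MULTICAST_LOW <= group <= MULTICAST_HIGH:
            problems.append(f"Group Address {cfg.group_address} is outside 224.0.0.0-239.255.255.255")
        if cfg.router_list:
            problems.append("set either Group Address or Router List, not both")
    elif not cfg.router_list:
        problems.append("no WCCP server: set Router List or Group Address")
    if len(cfg.router_list) > 8:
        problems.append(f"Router List has {len(cfg.router_list)} entries; the limit is 8 (use Group Address)")
    bad_servers = [r for r in cfg.router_list if _ipv4(r) is None]
    if bad_servers:
        problems.append(f"Router List entries are not IPv4 addresses: {bad_servers}")
    if cfg.authentication and not 1 <= len(cfg.password) <= 8:
        problems.append("Password must be 1-8 characters when Authentication is enabled")
    if not 0 <= cfg.weight <= 255:
        problems.append(f"Weight {cfg.weight} is outside 0-255")
    return problems


def group_problems(clients):
    """Cross-client checks: every client in a service group must agree on Service ID and password."""
    problems = []
    if len({c.service_id for c in clients}) > 1:
        problems.append("clients disagree on Service ID")
    if len({(c.authentication, c.password) for c in clients}) > 1:
        problems.append("clients disagree on Authentication/Password")
    return problems


def effective_client(clients):
    """The client whose settings the service group uses: the one with the lowest Cache ID.

    Comparing as IPv4Address objects matters: as plain strings "172.22.80.100"
    sorts before "172.22.80.99", which would pick the wrong appliance.
    """
    return min(clients, key=lambda c: ipaddress.IPv4Address(c.cache_id))


if __name__ == "__main__":
    a = WccpClientSettings(52, "172.22.80.99", router_list=["172.22.80.1"])
    b = WccpClientSettings(52, "172.22.80.100", router_list=["172.22.80.1"])
    for c in (a, b):
        print(c.cache_id, validate_wccp_client(c) or "ok")
    print("group settings taken from", effective_client([b, a]).cache_id)
```

Run it before committing a change across an HA pair: the per-client checks catch out-of-range values, and `group_problems` catches the case where two cluster members were edited separately and no longer share a password.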
Viewing WCCP protocol information
You can use a FortiGate CLI command to display WCCP information. For example:
diagnose debug enable
diagnose debug application wccp 2
In this example, the debug level is 2.
Example output:
--------------------WCCP Service ID 52-------------------------
WCCP_server_list: 1 WCCP server in total
0. 172.22.80.1 receive_id:13290 change_number:7
WCCP client seen by this WCCP Server:
0. 172.22.80.99 weight:0 (*Designated WCCP Client)
1. 172.22.80.100 weight:0
WCCP service options:
priority: 0
protocol: 6
port: 80, 443
primary-hash: src-ip, dst-ip
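Reading this output by eye is fine once; polling it from a monitoring job is how you notice that a FortiWeb has silently dropped out of the service group (the WCCP server then sends everything to the remaining client, so traffic keeps flowing and nothing alerts). The following Python is an added example, not Fortinet code: it parses the fields shown above from a constructed sample laid out like that output and reports clients that are expected but absent, a designated client that is not the lowest Cache ID, and ports missing from the service options. The patterns key on the distinctive tokens (`receive_id:`, `weight:`) rather than on line breaks, so they also work when a terminal has run the output onto one line.

```python
import ipaddress
import re

# Constructed sample in the layout of the FortiGate
# "diagnose debug application wccp 2" output shown on this page.
SAMPLE_OUTPUT = """\
--------------------WCCP Service ID 52-------------------------
WCCP_server_list: 1 WCCP server in total
  0. 172.22.80.1 receive_id:13290 change_number:7
WCCP client seen by this WCCP Server:
  0. 172.22.80.99 weight:0 (*Designated WCCP Client)
  1. 172.22.80.100 weight:0
WCCP service options:
  priority: 0
  protocol: 6
  port: 80, 443
  primary-hash: src-ip, dst-ip
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_wccp_debug(text):
    """Extract the service ID, WCCP servers, WCCP clients and service options."""
    header = re.search(r"WCCP Service ID (\d+)", text)
    if not header:
        raise ValueError("no 'WCCP Service ID' header in output")

    servers = [
        {"ip": ip, "receive_id": int(rid), "change_number": int(chg)}
        for ip, rid, chg in re.findall(
            rf"({IPV4})\s+receive_id:(\d+)\s+change_number:(\d+)", text)
    ]
    clients = [
        {"ip": ip, "weight": int(w), "designated": bool(flag)}
        for ip, w, flag in re.findall(
            rf"({IPV4})\s+weight:(\d+)(\s*\(\*Designated WCCP Client\))?", text)
    ]

    def number(name):
        m = re.search(rf"{name}:\s*(\d+)", text)
        return int(m.group(1)) if m else None

    ports = re.search(r"port:\s*(\d+(?:,\s*\d+)*)", text)
    hashes = re.search(r"primary-hash:\s*([a-z-]+(?:,\s*[a-z-]+)*)", text)
    return {
        "service_id": int(header.group(1)),
        "servers": servers,
        "clients": clients,
        "priority": number("priority"),
        "protocol": number("protocol"),
        "ports": [int(p) for p in ports.group(1).split(",")] if ports else [],
        "primary_hash": [h.strip() for h in hashes.group(1).split(",")] if hashes else [],
    }


def check_service_group(parsed, expected_clients, expected_ports=(80, 443)):
    """Return a list of findings; an empty list means the service group looks healthy."""
    findings = []
    seen = {c["ip"] for c in parsed["clients"]}
    for ip in expected_clients:
        if ip not in seen:
            findings.append(f"client {ip} is not registered with the WCCP server")
    if parsed["clients"]:
        # The note above: the client with the lowest Cache ID is the one whose settings apply.
        lowest = min(seen, key=ipaddress.IPv4Address)
        designated = [c["ip"] for c in parsed["clients"] if c["designated"]]
        if designated != [lowest]:
            findings.append(f"designated client is {designated}, expected lowest Cache ID {lowest}")
    missing_ports = sorted(set(expected_ports) - set(parsed["ports"]))
    if missing_ports:
        findings.append(f"ports {missing_ports} are not in the service group")
    if not parsed["servers"]:
        findings.append("no WCCP server listed")
    return findings


if __name__ == "__main__":
    parsed = parse_wccp_debug(SAMPLE_OUTPUT)
    print(parsed)
    print(check_service_group(parsed, ["172.22.80.99", "172.22.80.100"]) or "healthy")
```

The expected client list is the thing to keep in a monitoring job: the output alone looks normal with one client registered, and only the comparison against what should be there reveals that the second appliance has fallen out of the group.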
Example: Using WCCP with FortiOS 5.2.x
This configuration uses a one-arm topology and WCCP to route HTTP and HTTPS traffic to a FortiWeb for scanning before forwarding permitted traffic to the back-end servers.
The following command sets the IP address and enables WCCP for port3 on the firewall running FortiOS 5.2.x:
config system interface
edit "port3"
set ip 172.22.80.1 255.255.255.0
set wccp enable
next
end
On the firewall, the following command specifies a WCCP service group using a service group ID (52), the firewall interface that supports WCCP (172.22.80.1), and the interface the FortiWeb uses for WCCP communication (172.22.80.100).
config system wccp
edit "52"
set router-id 172.22.80.1
set server-list 172.22.80.100 255.255.255.0
next
end
The following firewall policies specify the traffic that FortiGate routes to the FortiWeb for scanning:
- A port1 to port2 policy that accepts HTTP and HTTPS traffic and for which WCCP is enabled.
- A port1 to port2 policy that accepts HTTP and HTTPS traffic and for which WCCP is not enabled. This policy maintains traffic flow when the WCCP client is not available (for example, if FortiWeb is rebooting).
- A port3 to port2 policy that accepts scanned HTTP and HTTPS traffic from the FortiWeb.
config firewall policy
edit 1
set srcintf "Port1"
set dstintf "Port2"
set srcaddr "all"
set dstaddr "192.168.1.4" "192.168.1.5"
set action accept
set schedule "always"
set service "HTTP" "HTTPS"
set wccp enable
next
edit 2
set srcintf "Port1"
set dstintf "Port2"
set srcaddr "all"
set dstaddr "192.168.1.4" "192.168.1.5"
set action accept
set schedule "always"
set service "HTTP" "HTTPS"
next
edit 3
set srcintf "Port3"
set dstintf "Port2"
set srcaddr "all"
set dstaddr "192.168.1.4" "192.168.1.5"
set action accept
set schedule "always"
set service "HTTP" "HTTPS"
next
end
WCCP is enabled for the interface that connects FortiWeb to the firewall.
The WCCP client configuration on FortiWeb adds it to the WCCP service group 52 and specifies the interface used for WCCP client functionality (172.22.80.100) and the WCCP server (172.22.80.1).
The destination servers are members of a WCCP server pool. This pool is selected in the WCCP Servers server policy that FortiWeb applies to the traffic it receives from the firewall via WCCP.
Example: Using WCCP with FortiOS 5.4
You can use the commands and settings described in Example: Using WCCP with FortiOS 5.2.x to create that same configuration with a firewall running FortiOS 5.4.
However, FortiOS 5.4 also allows you to configure WCCP communication with FortiWeb using its External Security Devices settings. This example creates the same environment as Example: Using WCCP with FortiOS 5.2.x.
FortiGate configuration:
- WCCP is enabled for port3 on the firewall running FortiOS 5.4 (172.22.80.1).
- In System > External Security Devices, HTTP Service is enabled. For FortiWeb IPs, the FortiWeb acting as a WCCP client is specified.
- The service ID is 51. This is the only service ID that the firewall can use for WCCP clients configured using the web UI.
- In the Security Profiles > Web Application Firewall settings, for Inspection Device, select External.
- In the Policy & Objects > IPv4 Policy settings, configure a policy for which Web Application Firewall is enabled.
- Configure a second policy for which Web Application Firewall is not enabled, to maintain traffic flow when the WCCP client is not available.
- Configure a third policy that accepts scanned HTTP and HTTPS traffic from the FortiWeb.
FortiWeb configuration:
Configuration is the same as Example: Using WCCP with FortiOS 5.2.x, except the service ID value is 51. This is the only service ID value you can use when you configure WCCP communication using the FortiOS 5.4 External Security Devices settings.
Example: Using WCCP with multiple FortiWeb appliances
You can use WCCP to create a high availability cluster in which both appliances are active (active-active). You synchronize the cluster members using FortiWeb's configuration synchronization feature so that each cluster member is ready to act as backup if the other appliance is not available. The WCCP server provides load balancing between the HA pair and redirects all traffic to one cluster member if the other member is unavailable.
To create this configuration, you first configure FortiWeb A and use the configuration synchronization feature to "push" the configuration to FortiWeb B. (See Replicating the configuration without FortiWeb HA (external HA).) You then complete the configuration for FortiWeb B. The Config-Synchronization feature does not synchronize the following configuration when the operating mode is WCCP:
- System > Network > Interface
- System > Network > Static Route
- System > Network > Policy Route
- System > Config > WCCP Client
- Administrator accounts
- Access profiles
- HA settings
For detailed configuration settings for each FortiWeb, see Example: Using WCCP with FortiOS 5.2.x.
You can link the FortiGate and FortiWeb appliances in this topology without using a switch. Instead, you can link the FortiWeb appliances to FortiGate directly and use the following commands to create a switch on the firewall:
config system interface
edit "port3"
set vdom "root"
set vlanforward enable
set type physical
set alias "FWB-A"
next
edit "port4"
set vdom "root"
set vlanforward enable
set type physical
set alias "FWB-B"
next
edit "WCCP_Server"
set vdom "root"
set ip 172.22.80.1 255.255.255.0
set allowaccess ping
set type switch
set wccp enable
next
end
Example: Using WCCP with a Cisco router
You can use FortiWeb's WCCP feature to integrate it with third-party devices that support the WCCP protocol.
In this example, a router running Cisco IOS routes HTTP and HTTPS traffic destined for the back-end servers to a FortiWeb for scanning.
You create the WCCP server configuration using a series of Cisco IOS commands.
Because the WCCP configuration is standardized, FortiWeb can work interchangeably with different WCCP servers as long as they have the same WCCP configuration. Thus, the FortiWeb WCCP client configuration is mostly the same as the one described in Example: Using WCCP with FortiOS 5.2.x.
Cisco IOS command examples
Specify WCCP version 2:
Router# config terminal
Router(config)# ip wccp version 2
Add the FortiWeb to the list of WCCP clients:
Router(config)# ip access-list extended wccp_client
Router(config-ext-nacl)# permit ip host 172.22.80.100 any
Router(config-ext-nacl)# exit
Configure a WCCP access list that routes HTTP and HTTPS requests for the subnet used by the back-end servers to FortiWeb:
Router(config)# ip access-list extended wccp_acl
Router(config-ext-nacl)# permit tcp any 192.168.1.0 0.0.0.255 eq www 443
Router(config-ext-nacl)# exit
Configure a service group that registers the router to the FortiWeb:
Router(config)# ip wccp source-interface GigabitEthernet3
Router(config)# ip wccp 52 redirect-list wccp_acl group-list wccp_client password 0 fortinet
Alternatively, you can register the router to a multicast address:
Router(config)# ip wccp source-interface GigabitEthernet3
Router(config)# ip wccp 52 group-address 239.0.0.0 redirect-list wccp_acl password 0 123456
Enable packet redirection on the inbound interface using WCCP:
Router(config)# interface GigabitEthernet1
Router(config-if)# ip wccp 52 redirect in
Enable packet redirection on the outbound interface using WCCP:
Router(config)# interface GigabitEthernet2
Router(config-if)# ip wccp 52 redirect out
If the service group uses a multicast address, register the router to the multicast address you specified earlier (239.0.0.0):
Router(config)# ip multicast-routing distributed
Router(config)# interface GigabitEthernet3
Router(config-if)# ip wccp 52 group-listen
Router(config-if)# ip pim sparse-dense-mode
When the configuration is complete, check WCCP status:
Router# show ip wccp <service_id> detail
Router# debug ip wccp events
Router# debug ip wccp packets
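The two access lists in this Cisco configuration decide what actually reaches FortiWeb: `wccp_acl` (the redirect-list) selects the flows the router diverts for inspection, and `wccp_client` (the group-list) restricts which source addresses the router accepts as WCCP clients. Both are worth checking against concrete flows before relying on them, because a wildcard mask or port keyword that is slightly off leaves part of the server subnet uninspected. The following Python is an added example written for this page, not Cisco or Fortinet code: a simplified matcher for the IOS extended-ACL syntax used above (`any`, `host`, address plus contiguous wildcard mask, `eq` with one or more ports, and the implicit deny at the end). The flow addresses in the usage are constructed.

```python
import ipaddress

# Port keywords as IOS prints them in ACLs; only the names this example needs.
NAMED_PORTS = {"www": 80, "https": 443}


def _port(token):
    return NAMED_PORTS[token] if token in NAMED_PORTS else int(token)


def _parse_address(tokens, i):
    """Read 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # A Cisco wildcard mask is the bitwise inverse of a netmask (0.0.0.255 -> /24).
    # Only contiguous wildcards are handled here; IOS also accepts discontiguous ones.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens[i + 1])) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def parse_ace(line):
    """Parse one 'permit|deny PROTO SRC DST [eq PORT...]' access-control entry."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = _parse_address(tokens, 2)
    dst, i = _parse_address(tokens, i)
    dports = set()
    if i < len(tokens) and tokens[i] == "eq":
        dports = {_port(t) for t in tokens[i + 1:]}
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dports": dports}


def acl_matches(acl, proto, src, dst, dport=None):
    """First-match evaluation with the implicit deny that ends every IOS ACL."""
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if ipaddress.IPv4Address(src) not in ace["src"]:
            continue
        if ipaddress.IPv4Address(dst) not in ace["dst"]:
            continue
        if ace["dports"] and dport not in ace["dports"]:
            continue
        return ace["action"] == "permit"
    return False


# The two access lists from the router configuration above.
WCCP_ACL = [parse_ace("permit tcp any 192.168.1.0 0.0.0.255 eq www 443")]
WCCP_CLIENT = [parse_ace("permit ip host 172.22.80.100 any")]


def is_redirected(proto, src, dst, dport):
    """Would the redirect-list divert this flow to FortiWeb?"""
    return acl_matches(WCCP_ACL, proto, src, dst, dport)


def is_registered_client(ip):
    """Would the group-list accept WCCP registration messages from this source?"""
    return acl_matches(WCCP_CLIENT, "udp", ip, "172.22.80.1")


if __name__ == "__main__":
    for flow in [("tcp", "10.1.1.10", "192.168.1.4", 80),
                 ("tcp", "10.1.1.10", "192.168.1.4", 22),
                 ("tcp", "10.1.1.10", "192.168.2.4", 443)]:
        print(flow, "redirected" if is_redirected(*flow) else "not redirected")
    print("172.22.80.99 may register:", is_registered_client("172.22.80.99"))
```

A flow to the server subnet on a port other than 80 or 443, or to a host outside 192.168.1.0/24, is not redirected and bypasses FortiWeb entirely; if that is not what you intend, the redirect-list is where to fix it, not the FortiWeb policy.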
FortiWeb WCCP configuration
The System > Config > WCCP Client configuration for this example is different from the one described in Example: Using WCCP with FortiOS 5.2.x in the following two ways:
- If the service group uses a multicast address, you specify a value for Group Address instead of for Router List.
- You enable Authentication and specify a password.
Otherwise, the network interface, WCCP client, server pool, and policy configuration is the same as in Example: Using WCCP with FortiOS 5.2.x.