
CLI Reference

system wccp

Use this command to configure FortiWeb as a Web Cache Communication Protocol (WCCP) client. This configuration allows a FortiGate configured as a WCCP server to redirect HTTP and HTTPS traffic to FortiWeb for inspection.

If your WCCP configuration includes multiple WCCP clients, the WCCP server can balance the traffic load among the clients. In addition, it detects when a client fails and redirects sessions to clients that are still available.

WCCP was originally designed to provide web caching with load balancing and fault tolerance and is described by the Web Cache Communication Protocol Internet draft.

This feature requires the operation mode to be WCCP. For details, see system settings.

For information on connecting and configuring your network devices for WCCP mode, see the FortiWeb Administration Guide:

https://docs.fortinet.com/document/fortiweb

For detailed information on configuring FortiGate and other Fortinet devices to act as a WCCP service group, see the FortiGate WCCP topic in the Handbook:

https://docs.fortinet.com/fortigate/admin-guides

Syntax

config system wccp
  edit service-id <service-id_int>
    set cache-id "<cache-id_ipv4>"
    set router-list "<router-list_ipv4>"
    set group-address "<group-address_ipv4>"
    set authentication {enable | disable}
    set password "<passwd_str>"
    set cache-engine-method {GRE | L2}
    set ports <ports_int>
    set primary-hash {src-ip | dst-ip | src-port | dst-port}
    set priority <priority_int>
    set protocol <protocol_int>
    set assignment-weight <assignment-weight_int>
    set assignment-bucket-format {cisco-implementation | wccp-v2}
    set return-to-sender {enable | disable}
end

Variable Description Default

service-id <service-id_int>

Enter the service ID of the WCCP service group that this WCCP client belongs to.

For HTTP traffic, the service ID is 0.

For other types of traffic (for example, HTTPS), the valid range is 51–256. Do not use 1–50, which are reserved by the WCCP standard.
Default: 51

cache-id "<cache-id_ipv4>"

Enter the IP address of the FortiWeb interface that communicates with the WCCP server.

Ensure that the WCCP protocol is enabled for the specified network interface. For details, see system settings.
No default.

router-list "<router-list_ipv4>"

Enter the IP addresses of the WCCP servers in the WCCP service group.

You can specify up to 8 servers. To configure more than 8 WCCP servers, use group-address instead.
No default.

group-address "<group-address_ipv4>"

Enter the IP addresses of the clients for multicast WCCP configurations.

The multicast address allows you to configure a WCCP service group with more than 8 WCCP clients.

The valid range of multicast addresses is 224.0.0.0–239.256.256.256.
No default.

authentication {enable | disable}

Specify whether communication between the WCCP server and client is encrypted using the MD5 cryptographic hash function.
Default: disable

password "<passwd_str>"

Enter the password used by the WCCP server and clients.

All servers and clients in the group use the same password.

The maximum password length is 8 characters. Available only when authentication is set to enable.
No default.

cache-engine-method {GRE | L2}

Enter how the FortiGate unit transmits traffic to FortiWeb:

  • GRE—The WCCP server encapsulates redirected packets within a generic routing encapsulation (GRE) header. The packets also have a WCCP redirect header.
  • L2—The WCCP server overwrites the original MAC header of the IP packets and replaces it with the MAC header for the WCCP client.
Default: GRE

ports <ports_int>

Enter the port numbers of the sessions that this client inspects. The valid range is 0–65535.

Enter 0 to specify all ports.
Default: 80

primary-hash {src-ip | dst-ip | src-port | dst-port}

Enter the hashing scheme that the WCCP server uses in combination with assignment-weight to direct traffic, when the WCCP service group has more than one WCCP client.

Specify one or more of the following values:

  • src-ip—Source IP address
  • dst-ip—Destination IP address
  • src-port—Source port
  • dst-port—Destination port
Default: src-ip dst-ip

priority <priority_int>

Enter a value that specifies the priority that this service group has.

If more than one service group is available to scan the traffic specified by ports and protocol, the WCCP server transmits all the traffic to the service group with the highest priority value.
Default: 0

protocol <protocol_int>

Enter the protocol of the network traffic the WCCP service group transmits. For TCP sessions, enter 6.

Valid values are 0–256.
Default: 6

assignment-weight <assignment-weight_int>

Enter a value that the WCCP server uses in combination with primary-hash to direct traffic, when the WCCP service group has more than one WCCP client. The valid range is 0–256.
Default: 0

assignment-bucket-format {cisco-implementation | wccp-v2}

Enter the hash table bucket format for the WCCP cache engine.

  • cisco-implementation—Source IP address
  • wccp-v2—Web Cache Communication Protocol version 2
Default: cisco-implementation

return-to-sender {enable | disable}

Specify whether FortiWeb routes traffic back to the client instead of the WCCP server.
Default: disable

Example

This example configures FortiWeb as a WCCP client that belongs to the WCCP service group 52 and specifies the interface used for WCCP client functionality (192.0.2.100) and the WCCP server (192.0.2.1).

config system wccp
  edit service-id 52
    set cache-id "192.0.2.100"
    set router-list "192.0.2.1"
    set ports 80 443
    set primary-hash src-ip dst-ip
end
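An added example, not part of the Fortinet reference: a small Python audit that parses a `config system wccp` block and checks it against the limits stated in the table above (reserved service IDs, the 8-entry router-list limit, the 8-character password limit, the port range), and also reports entries that leave authentication at its default of disable. The function names and the sample text are constructed for illustration, and the parser assumes the plain-text layout shown in the Syntax section.

```python
import re

# Constructed sample: deliberately breaks several limits documented on this page.
SAMPLE = """\
config system wccp
edit service-id 30
set cache-id "192.0.2.100"
set router-list "192.0.2.1"
set authentication enable
set password "wccp-secret-1"
set ports 80 443 70000
end
"""

def parse_wccp(text):
    """Return {service_id: {option: [values]}} for each 'edit service-id' entry."""
    entries, current = {}, None
    for line in text.splitlines():
        tok = re.findall(r'"[^"]*"|\S+', line)  # keep quoted strings as one token
        if tok[:2] == ["edit", "service-id"] and len(tok) == 3:
            current = entries.setdefault(int(tok[2]), {})
        elif tok[:1] == ["set"] and len(tok) >= 2 and current is not None:
            current[tok[1]] = [v for t in tok[2:] for v in t.strip('"').split()]
        elif tok[:1] in (["next"], ["end"]):
            current = None
    return entries

def audit(entries):
    """Check each entry against the ranges and limits stated in this reference."""
    findings = []
    for sid, opt in entries.items():
        flag = lambda msg, sid=sid: findings.append((sid, msg))
        if 1 <= sid <= 50:
            flag("service-id in reserved range 1-50")
        elif sid != 0 and not 51 <= sid <= 256:
            flag("service-id outside 51-256")
        if len(opt.get("router-list", [])) > 8:
            flag("more than 8 router-list entries; use group-address")
        # Unset authentication falls back to the documented default, disable.
        if opt.get("authentication", ["disable"]) != ["enable"]:
            flag("authentication disabled (the default)")
        elif not 1 <= len(" ".join(opt.get("password", []))) <= 8:
            flag("password missing or longer than 8 characters")
        for p in opt.get("ports", ["80"]):  # documented default port is 80
            if not (p.isdigit() and int(p) <= 65535):
                flag(f"port {p} outside 0-65535")
    return findings
```

Run against the example on this page, `audit` reports only that service group 52 leaves authentication at its default.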
