FortiGate
mmasakayan, Staff
Article Id 285096
Description

This article describes a WCCP setup in which the FortiGate acts as the WCCP Server (the router) and the FortiProxy acts as the WCCP Client (the cache engine).

  • The FortiGate WCCP Server intercepts all HTTP and HTTPS requests from the client PC and redirects them to the FortiProxy WCCP Client.
  • The FortiProxy WCCP Client receives the redirected request, fetches the content from the Internet through the WCCP Server's firewall policy, and returns the response through the WCCP Server to the client PC.

A GRE tunnel carries the redirected traffic between the Server and the Client.

Scope

FortiGate and FortiProxy.
Solution

Network Setup: Client PC <====> FGT_WCCPServer <====> FPX_WCCPClient.

Figure: WCCPServerFGT_FPXClient.JPG (topology diagram).

FGT_WCCPServer.

  1. Enable WCCP on the FortiGate interface connected to the FortiProxy.

config system interface
    edit "port2"  <--
        set vdom "root"
        set ip 192.168.3.1 255.255.255.0
        set allowaccess ping https
        set type physical
        set alias "WCCP_Router_Server"
        set device-identification enable
        set snmp-index 2
        set wccp enable
    next
end

 

  2. Disable wccp-cache-engine so that the FortiGate acts as the WCCP Server.

config system settings
    set wccp-cache-engine disable  <--
end

 

  3. Configure WCCP. Authentication is disabled in this lab. On a shared segment, set authentication enable with a password on both the FortiGate and the FortiProxy, and narrow server-list to the FortiProxy address where possible, so that only the intended cache engine can register for service 100 and receive the redirected HTTP/HTTPS traffic.

config system wccp
    edit "100"
        set router-id 192.168.3.1  <--- FortiGate port2 interface IP.
        set group-address 0.0.0.0
        set server-list 192.168.3.0 255.255.255.0  <--- Cache engines are accepted from this range.
        set server-type forward
        set authentication disable
        set forward-method GRE    <--- The forwarding method used is GRE.
        set return-method GRE
        set assignment-method HASH
    next
end

 

  4. Configure the firewall policies. Policy 45 has wccp enabled and redirects the HTTP/HTTPS requests it matches to the WCCP Client. Policy 40 exists so that the FortiProxy's own Internet-bound traffic matches a policy without wccp enabled; keep it above policy 45 in the policy sequence, because policies are evaluated top-down and policy 45 matches any source.

config firewall policy
    edit 45  <--
        set name "Port2_to_Internet"  <--- This policy catches HTTP/HTTPS requests and forwards them to the WCCP Client.
        set uuid a6e9a23c-2535-51ee-1d46-6462cf70f39e
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set wccp enable
    next
end

config firewall policy
    edit 40  <--
        set name "WCCPClient_To_Internet"   <--- Internet access for the FortiProxy.
        set uuid 096d89ce-1fe0-51ee-83e9-b0f046acb0dc
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set srcaddr "FPX_WCCP_Client"  <--- FortiProxy IP: 192.168.3.2.
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

config firewall policy
    edit 41
        set name "WCCP_PING_DNS"  <--- For regular ping and DNS resolution.
        set uuid e0180cbe-1fe1-51ee-6388-b09170344e89
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "DNS" "PING"
        set logtraffic all
        set nat enable
    next
end

 

  5. Configure the GRE tunnel towards the FortiProxy. local-gw and remote-gw are the port2 addresses of the FortiGate and the FortiProxy; the GRE checksum, key and sequence number options are all disabled.

config system gre-tunnel
    edit "1"
        set interface "port2"
        set ip-version 4
        set remote-gw 192.168.3.2
        set local-gw 192.168.3.1
        set use-sdwan disable
        set sequence-number-transmission disable
        set sequence-number-reception disable
        set checksum-transmission disable
        set checksum-reception disable
        set key-outbound 0
        set key-inbound 0
        set dscp-copying disable
        set diffservcode 000000
        set keepalive-interval 0
    next
end

 

FPX_WCCPClient.

 

  1. Enable WCCP on the interface that receives the redirected HTTP/HTTPS requests.

config system interface
    edit "port2"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https
        set type physical
        set alias "WCCP_Interface_Client"
        set snmp-index 2
        set dns-server-override disable
        set mtu-override enable
        set wccp enable
    next
end

 

  2. Enable wccp-cache-engine and wccp-local-route so that the FortiProxy acts as the WCCP Client (cache engine).

config system settings
    set wccp-cache-engine enable
    set wccp-local-route enable
end

 

  3. Configure WCCP. cache-id is the FortiProxy port2 address, router-list points at the FortiGate, and the service covers destination ports 80 and 443 with a destination-IP hash.

config system wccp
    edit "100"
        set cache-id 192.168.3.2  <--- FortiProxy port2 interface IP.
        set group-address 0.0.0.0
        set router-list "192.168.3.1"  <--- FortiGate port2 interface IP.
        set ports-defined destination
        set ports 80 443
        set authentication disable
        set cache-engine-method GRE
        set service-type auto
        set primary-hash dst-ip
        set priority 0
        set protocol 0
        set assignment-weight 0
        set assignment-bucket-format cisco-implementation
        set assignment-method HASH
    next
end

 

  4. Create the GRE tunnel back to the FortiGate.

config system gre-tunnel
    edit "toFGT_GRE"
        set interface ''
        set remote-gw 192.168.3.1
        set local-gw 192.168.3.2
        set sequence-number-transmission disable
        set sequence-number-reception disable
        set checksum-transmission disable
        set checksum-reception disable
        set key-outbound 0
        set key-inbound 0
        set keepalive-interval 0
    next
end

 

  5. Create a firewall policy that uses the GRE tunnel: the source interface is the GRE tunnel toFGT_GRE and the destination interface is the WCCP interface port2. webcache-https together with the custom-deep-inspection SSL/SSH profile makes the FortiProxy decrypt and re-sign the redirected HTTPS sessions, so the client PC must trust the CA certificate the FortiProxy re-signs with; otherwise browsers will show certificate errors.

config firewall policy
    edit 4
        set uuid 43e4be84-29f8-51ee-ff28-c53ea6a2a487
        set srcintf "toFGT_GRE"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set log-http-transaction enable
        set webcache enable
        set webcache-https enable
        set ssl-ssh-profile "custom-deep-inspection"
    next
end

 

  6. Configure central SNAT so that traffic arriving from the GRE tunnel leaves port2 with the FortiProxy's own address (masquerade). The source interface is the GRE tunnel and the destination interface is the WCCP interface port2. This is the traffic that then matches policy 40 (WCCPClient_To_Internet) on the FortiGate.

config firewall central-snat-map
    edit 1
        set status enable
        set action masquerade
        set ipv6 disable
        set srcintf "toFGT_GRE"
        set dstintf "port2"
        set src-addr "all"
        set dst-addr "all"
    next
end

 

To debug WCCP on the FortiGate (WCCP Server):

FGVM04TM23000978 # diagnose test application wccpd 1
vdoms=1
pkts=0

FGVM04TM23000978 # diagnose test application wccpd 2
vdom-root: work mode:router working NAT first_phy_id=6
  interface list:
    intf=port7, gid=10 phy_id=10
    intf=port2, gid=6 phy_id=6
  service list:
    service: 100, router_id=192.168.3.1, group=0.0.0.0, auth(no)
      access 192.168.3.0/255.255.255.0
      server_type=1 forward=1 return=1 assign=1
      erouter_id=192.168.3.1

FGVM04TM23000978 # diagnose test application wccpd 3
service-100 in vdom-root: num=1, usable=1
cache server ID:
len=44, addr=192.168.3.2, weight=0, status=0
rcv_id=2596, usable=1, fm=1, nq=0, dev=6(k6), to=192.168.3.1
ch_no=0, num_router=1:
        192.168.3.1

FGVM04TM23000978 # diagnose test application wccpd 4
service-100 in vdom-root:
total_servers=1, type=1, usable_servers=1, assign_m=1, rtun_m=1, wcid_len=48, rcv_id=2602, ch_no=2
ID=100, type=1, pri=0, pro=0 f=00000012
Port: 80 443 num-routers=1:
  192.168.3.1

FGVM04TM23000978 # diagnose test application wccpd 5
service-100 in vdom-root: installed

key: ip=192.168.3.2, change-number=2
cache_list: 1
0. 192.168.3.2
primary assignment:
key=192.168.3.2 change-number=2
num_routers=1
router element[0]: router_id=192.168.3.1, receive_id=4, ch_no=2
cache-server-num=1, format=not standard:
  192.168.3.2
buckets:
  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00

What to check in this output: wccpd 2 must show work mode:router, and auth(no) reflects set authentication disable. wccpd 3 must list 192.168.3.2 as a cache server with usable=1. wccpd 4 shows the negotiated service: ID=100, ports 80 and 443, and service flags f=00000012, which is the WCCPv2 destination-IP hash flag (0x02) plus the ports-defined flag (0x10), matching primary-hash dst-ip and ports-defined destination on the FortiProxy. wccpd 5 must report the service as installed; with a single cache engine every hash bucket is assigned to cache index 0, which is 192.168.3.2.

To debug WCCP on the FortiProxy (WCCP Client):

FPXVM2TM23000684 # diagnose test application wccpd 1
2023-07-19 17:47:20 vdoms=1
2023-07-19 17:47:20 pkts=0

FPXVM2TM23000684 # diagnose test application wccpd 2
2023-07-19 17:47:22
vdom-root: work mode:cache working NAT first_phy_id=6
2023-07-19 17:47:22   interface list:
2023-07-19 17:47:22     intf=port2, gid=6 phy_id=6
2023-07-19 17:47:22   service list:
2023-07-19 17:47:22     service: 100, cache_id=192.168.3.2, group=0.0.0.0, auth(no)
      forward=1, return=1, cache_engine=1 assign=1.
2023-07-19 17:47:22     router list:
2023-07-19 17:47:22        192.168.3.1
2023-07-19 17:47:22     port list: 80 443
2023-07-19 17:47:22     ecache_id=192.168.3.2

FPXVM2TM23000684 # diagnose test application wccpd 6
2023-07-19 17:47:26
service-100 in vdom-root
2023-07-19 17:47:26 erouter_list: 1 routers in total
2023-07-19 17:47:26     0. 192.168.3.1
2023-07-19 17:47:26     receive_id:2609 change_number:2
2023-07-19 17:47:26     cache servers seen by this router:
2023-07-19 17:47:26             0. 192.168.3.2 weight:0 (*Designated Web Cache)

On the FortiProxy, wccpd 2 must show work mode:cache with the FortiGate (192.168.3.1) in the router list and ports 80 and 443 in the port list, and wccpd 6 must list 192.168.3.1 in erouter_list with 192.168.3.2 marked as the Designated Web Cache. auth(no) on both sides confirms that the registration is unauthenticated.

 

 

To check the GRE tunnel status on FGT_Server:

FGVM04TM23000978 # diagnose netlink interface list name 1

if=1 family=00 type=778 index=27 mtu=1476 link=0 master=0
ref=12 state=start present fw_flags=0 flags=up p2p run noarp multicast
Qdisc=noqueue local=192.168.3.1 remote=192.168.3.2
stat: rxp=0 txp=1 rxb=0 txb=100 rxe=0 txe=1 rxd=0 txd=0 mc=0 collision=0 @ time=1689760231
re: rxl=0 rxo=0 rxc=0 rxf=0 rxfi=0 rxm=0
te: txa=0 txc=1 txfi=0 txh=0 txw=0
misc rxc=0 txc=0
input_type=0 state=3 arp_entry=0 refcnt=12

To check the GRE tunnel status on FPX_Client:

FPXVM2TM23000684 # diagnose netlink interface list name toFGT_GRE

if=toFGT_GRE family=00 type=778 index=36 mtu=1476 link=6 master=0
flags=p2p noarp
Qdisc=noop local=192.168.3.2 remote=192.168.3.1
stat: rxp=0 txp=0 rxb=0 txb=0 rxe=0 txe=0 rxd=0 txd=0 mc=0 collision=0 @ time=1689760280
re: rxl=0 rxo=0 rxc=0 rxf=0 rxfi=0 rxm=0
te: txa=0 txc=0 txfi=0 txh=0 txw=0
misc rxc=0 txc=0

Check that local and remote match the addresses configured on each side, and note the tunnel MTU of 1476 (1500 minus the 20-byte IP and 4-byte GRE headers), which applies to the redirected client packets. The rxp/txp and rxb/txb counters count packets and bytes carried over the tunnel and should increase once client requests are redirected; the outputs above show no received packets yet on either side.

 

 

To sniff GRE tunnel traffic on FGT_Server (the same command works on the FortiProxy):

FGVM04TM23000978 # diagnose sniffer packet port2 "proto 47" 4 0 1
Using Original Sniffing Mode
interfaces=[port2]
filters=[proto 47]
9.549253 port2 -- 192.168.3.1 -> 192.168.3.2: gre: length 243 proto-883e
14.199940 port2 -- 192.168.3.1 -> 192.168.3.2: gre: length 60 proto-883e
15.070056 port2 -- 192.168.3.1 -> 192.168.3.2: gre: length 60 proto-883e
15.070121 port2 -- 192.168.3.1 -> 192.168.3.2: gre: length 60 proto-883e
15.079040 port2 -- 192.168.3.1 -> 192.168.3.2: gre: length 60 proto-883e
15.940404 port2 -- 192.168.3.1 -> 192.168.3.2: gre: length 60 proto-883e

proto-883e is the GRE protocol type 0x883E that WCCP uses for redirected traffic: each packet is a client packet that the router (192.168.3.1) has encapsulated in GRE and forwarded to the cache engine (192.168.3.2). Seeing these packets on port2 confirms that policy 45 is redirecting, independently of whether the FortiProxy then serves the request.
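To see what travels inside those proto-883e packets, the following added example (not FortiOS or FortiProxy code) builds a constructed WCCP redirect packet the way the WCCPv2 draft describes it and decodes it: an outer IPv4 packet from the router to the cache, a GRE header with protocol type 0x883E, a 4-byte WCCP redirect header carrying the service ID and hash bucket, and the original client packet. The 192.168.3.x addresses are the article's; the client and server addresses, the TCP SYN, and the redirect-header bit layout (T bit, service ID, alternative and primary bucket, taken from the WCCPv2 draft) are assumptions not shown on this page. check_redirect flags packets whose peers, service ID or destination port do not match the service 100 definition above.

```python
"""Decode a WCCP GRE redirect packet as the WCCP router sends it to the cache engine.

Added example, not FortiOS/FortiProxy code. Layout follows RFC 2784 GRE and the
WCCPv2 draft (draft-wilson-wrec-wccp-v2): outer IPv4 | GRE (proto 0x883E) |
4-byte WCCP redirect header | original client IPv4 packet. The sample packet is
constructed here; 192.168.3.1/192.168.3.2 are from the article, the client and
server addresses and the redirect-header bit layout are assumptions.
"""
import socket
import struct

GRE_PROTO_WCCP = 0x883E          # shown as proto-883e by the FortiGate sniffer
IPPROTO_GRE, IPPROTO_TCP = 47, 6
SERVICE_ID, SERVICE_PORTS = 100, {80, 443}   # from "config system wccp" above


def ipv4_checksum(hdr):
    """RFC 791 header checksum; returns 0 when run over a header whose checksum is valid."""
    if len(hdr) % 2:
        hdr += b"\0"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_redirect(router, cache, client, server, dport, service_id=SERVICE_ID, bucket=0):
    """Constructed sample: a client TCP SYN wrapped the way the WCCP router redirects it."""
    tcp = struct.pack("!HHIIHHHH", 40000, dport, 1, 0, 0x5002, 65535, 0, 0)  # SYN, checksum left 0
    inner = ipv4_header(client, server, IPPROTO_TCP, len(tcp)) + tcp
    # Redirect header (assumed draft layout): T bit = dynamic service, A bit = alt bucket used,
    # then service id, alternative bucket, primary bucket.
    redirect = struct.pack("!BBBB", 0x80, service_id, 0, bucket)
    gre = struct.pack("!HH", 0, GRE_PROTO_WCCP) + redirect + inner   # no C/K/S options, as configured
    return ipv4_header(router, cache, IPPROTO_GRE, len(gre)) + gre


def parse_wccp_gre(packet):
    """Return the redirect header and inner 5-tuple, or raise ValueError if this is not WCCP over GRE."""
    if packet[0] >> 4 != 4 or packet[9] != IPPROTO_GRE:
        raise ValueError("not an IPv4 GRE packet")
    ihl = (packet[0] & 0x0F) * 4
    info = {"outer_src": socket.inet_ntoa(packet[12:16]), "outer_dst": socket.inet_ntoa(packet[16:20])}
    gre = packet[ihl:]
    flags, proto = struct.unpack("!HH", gre[:4])
    if proto != GRE_PROTO_WCCP:
        raise ValueError("GRE protocol %#06x is not WCCP" % proto)
    off = 4
    for bit in (0x8000, 0x2000, 0x1000):        # C, K, S flags: each adds a 4-byte optional field
        if flags & bit:
            off += 4
    ta, info["service_id"], info["alt_bucket"], info["primary_bucket"] = struct.unpack("!BBBB", gre[off:off + 4])
    info["dynamic_service"] = bool(ta & 0x80)
    inner = gre[off + 4:]
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ipv4_checksum(inner[:inner_ihl]) != 0:
        raise ValueError("inner packet is not IPv4 or has a bad header checksum")
    info.update(inner_src=socket.inet_ntoa(inner[12:16]), inner_dst=socket.inet_ntoa(inner[16:20]),
                inner_proto=inner[9])
    if inner[9] in (6, 17):                     # TCP/UDP: ports are the first four bytes
        info["sport"], info["dport"] = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return info


def check_redirect(info, router="192.168.3.1", cache="192.168.3.2"):
    """Findings a practitioner wants: wrong GRE peers, wrong service, or a port outside the service."""
    findings = []
    if (info["outer_src"], info["outer_dst"]) != (router, cache):
        findings.append("unexpected GRE peers %s -> %s" % (info["outer_src"], info["outer_dst"]))
    if info["service_id"] != SERVICE_ID or not info["dynamic_service"]:
        findings.append("service id %d is not dynamic service %d" % (info["service_id"], SERVICE_ID))
    if info.get("dport") not in SERVICE_PORTS:
        findings.append("destination port %s is outside the service ports" % info.get("dport"))
    return findings


if __name__ == "__main__":
    sample = build_redirect("192.168.3.1", "192.168.3.2", "10.0.0.5", "203.0.113.10", 443)
    decoded = parse_wccp_gre(sample)
    print(decoded, check_redirect(decoded))
```

To use it on real traffic, feed parse_wccp_gre the IP bytes of a GRE frame captured with the sniffer command above at a verbosity level that prints packet bytes; a non-empty check_redirect result points at traffic that should not have been redirected, for example a port that policy 45 matched but the FortiProxy service does not cover.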

 

 

WCCP uses UDP port 2048 for the control exchange between the cache engine and the router: the FortiProxy sends HERE_I_AM and the FortiGate answers with I_SEE_YOU, which is the in/out pair of datagrams seen below, repeated roughly every 10 seconds.

FGVM04TM23000978 # diagnose sniffer packet any 'port 2048' 4 0 1
Using Original Sniffing Mode
interfaces=[any]
filters=[port 2048]
9.960888 port2 in 192.168.3.2.2048 -> 192.168.3.1.2048: udp 144
9.963887 port2 out 192.168.3.1.2048 -> 192.168.3.2.2048: udp 168
20.370212 port2 in 192.168.3.2.2048 -> 192.168.3.1.2048: udp 144
20.429219 port2 out 192.168.3.1.2048 -> 192.168.3.2.2048: udp 168
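The registration that those UDP 2048 datagrams carry can be modelled. The following added example (not FortiOS or FortiProxy code) builds the HERE_I_AM a cache engine sends for the service 100 defined above (dynamic service, ports 80 and 443, service flags 0x12, i.e. the f=00000012 from the wccpd 4 output, which decodes to destination-IP hash with ports defined) and parses it back, following the WCCPv2 draft layout of an 8-byte header followed by TLV components. Only the Security Info, Service Info and Web-Cache Identity components are included, so the message is shorter than the 144-byte datagrams above; the zeroed identity revision, flags and bucket mask are assumptions, and the MD5 digest computation is not implemented. audit shows why set authentication disable matters: an unauthenticated HERE_I_AM from any host inside the server-list range 192.168.3.0/24 is accepted as a cache-engine registration.

```python
"""Build and parse a WCCPv2 HERE_I_AM registration as exchanged on UDP 2048.

Added example, not FortiOS/FortiProxy code. Message layout follows the WCCPv2
draft (draft-wilson-wrec-wccp-v2): 8-byte header, then TLV components. Only the
Security Info, Service Info and Web-Cache Identity components are modelled; the
zeroed identity revision/flags/bucket mask are assumptions. Service values
(id 100, ports 80/443, flags 0x12) are those shown by wccpd 4 on the FortiGate.
"""
import socket
import struct

WCCP2_HERE_I_AM, WCCP2_I_SEE_YOU = 10, 11
WCCP2_VERSION = 0x0200
SECURITY_INFO, SERVICE_INFO, WC_ID_INFO = 0, 1, 3
NO_SECURITY, MD5_SECURITY = 0, 1
SERVICE_STANDARD, SERVICE_DYNAMIC = 0, 1

# Service flags. f=00000012 in the wccpd 4 output is DST_IP_HASH | PORTS_DEFINED,
# i.e. "set primary-hash dst-ip" and "set ports-defined destination" on the FortiProxy.
SERVICE_FLAGS = {
    0x0001: "SRC_IP_HASH", 0x0002: "DST_IP_HASH",
    0x0004: "SRC_PORT_HASH", 0x0008: "DST_PORT_HASH",
    0x0010: "PORTS_DEFINED", 0x0020: "PORTS_SOURCE",
    0x0040: "SRC_IP_ALT_HASH", 0x0080: "DST_IP_ALT_HASH",
    0x0100: "SRC_PORT_ALT_HASH", 0x0200: "DST_PORT_ALT_HASH",
}


def decode_flags(flags):
    return [name for bit, name in sorted(SERVICE_FLAGS.items()) if flags & bit]


def component(ctype, data):
    """One TLV component: 2-byte type, 2-byte length, data."""
    return struct.pack("!HH", ctype, len(data)) + data


def security_info(option=NO_SECURITY, digest=b""):
    # With MD5 security a 16-byte digest follows the option; computing it (MD5 over the
    # message plus the shared password) is out of scope here, the caller supplies it.
    if option == MD5_SECURITY and len(digest) != 16:
        raise ValueError("MD5 security needs a 16-byte digest")
    return component(SECURITY_INFO, struct.pack("!I", option) + (digest if option == MD5_SECURITY else b""))


def service_info(service_id, flags, ports, service_type=SERVICE_DYNAMIC, priority=0, protocol=0):
    if len(ports) > 8:
        raise ValueError("a WCCPv2 service carries at most 8 ports")
    ports = list(ports) + [0] * (8 - len(ports))
    return component(SERVICE_INFO,
                     struct.pack("!BBBBI8H", service_type, service_id, priority, protocol, flags, *ports))


def web_cache_identity(ip, weight=0, status=0):
    # 44-byte identity element: address, hash revision, flags, 256-bit bucket mask, weight,
    # status (len=44 in the wccpd 3 output above). Revision, flags and mask zeroed: assumption.
    data = socket.inet_aton(ip) + struct.pack("!HH", 0, 0) + bytes(32) + struct.pack("!HH", weight, status)
    return component(WC_ID_INFO, data)


def build_here_i_am(cache_ip, service_id, flags, ports, security=NO_SECURITY, digest=b""):
    body = security_info(security, digest) + service_info(service_id, flags, ports) + web_cache_identity(cache_ip)
    return struct.pack("!IHH", WCCP2_HERE_I_AM, WCCP2_VERSION, len(body)) + body


def parse_wccp(msg):
    """Parse the header and the known components; unknown component types are skipped by length."""
    mtype, version, length = struct.unpack("!IHH", msg[:8])
    if version != WCCP2_VERSION or length != len(msg) - 8:
        raise ValueError("bad WCCPv2 header")
    out = {"type": mtype}
    off = 8
    while off < len(msg):
        ctype, clen = struct.unpack("!HH", msg[off:off + 4])
        data = msg[off + 4:off + 4 + clen]
        if len(data) != clen:
            raise ValueError("truncated component")
        if ctype == SECURITY_INFO:
            out["security"] = struct.unpack("!I", data[:4])[0]
        elif ctype == SERVICE_INFO:
            stype, sid, pri, proto, flags, *ports = struct.unpack("!BBBBI8H", data)
            out["service"] = {"dynamic": stype == SERVICE_DYNAMIC, "id": sid, "priority": pri,
                              "protocol": proto, "flags": decode_flags(flags), "ports": [p for p in ports if p]}
        elif ctype == WC_ID_INFO:
            out["cache_ip"] = socket.inet_ntoa(data[:4])
            out["weight"], out["status"] = struct.unpack("!HH", data[40:44])
        off += 4 + clen
    return out


def audit(parsed, allowed_caches=("192.168.3.2",)):
    """Findings on a registration: unauthenticated message, or a cache outside the expected set."""
    findings = []
    if parsed.get("security", NO_SECURITY) == NO_SECURITY:
        findings.append("no MD5 authentication: any host on the segment can register as a cache engine")
    if parsed.get("cache_ip") not in allowed_caches:
        findings.append("cache %s is not an expected cache engine" % parsed.get("cache_ip"))
    return findings


if __name__ == "__main__":
    msg = build_here_i_am("192.168.3.2", 100, 0x12, [80, 443])
    print(len(msg), parse_wccp(msg), audit(parse_wccp(msg)))
```

The audit function is the check to run against a capture of UDP 2048 from a sniffer with packet bytes enabled: a security option of 0 in the HERE_I_AM is exactly what set authentication disable produces, and together with a server-list of 192.168.3.0/24 it means any host in that subnet could register and have the HTTP/HTTPS traffic of policy 45 redirected to it.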