FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
fbegit
Staff
Article Id 422439
Description

This article describes Web Cache Communication Protocol (WCCP) and a sample of WCCP configuration using GRE Mode between FortiGate as a WCCP Router and FortiProxy as a cache-engine (WCCP Client) that are not running in the same network.

Scope

FortiProxy and FortiGate.
Solution

The Web Cache Communication Protocol (WCCP) is a Cisco-developed content-routing technology that intercepts IP packets and redirects those packets to a different destination, generally a content engine that is local to the web client.

With WCCP, a network device (FortiGate) can transparently redirect traffic to a content engine (FortiProxy/FortiGate) for filtering, caching, and proxying, which is useful for clients that are not configured to use a proxy.

WCCP can redirect the traffic to the content engine in two modes:

  • GRE Tunneling: A GRE tunnel is established between the router and the proxy, and packets are encapsulated with GRE.
  • Layer 2 Redirect: The router and content engine are running in the same LAN, and the router performs MAC forwarding.

In this example, GRE mode is used.

Topology:

[Figure: topology.jpg]


FortiGate:

Configure interfaces and enable WCCP on the interface used to create the WCCP tunnel to FortiProxy:

config system interface
    edit "port1"
        set ip 203.0.113.2 255.255.255.0
    next
    edit "port2"
        set ip 192.168.35.1 255.255.255.0
    next
    edit "port3"
        set ip 192.168.101.254 255.255.255.0
        set wccp enable   <-----
    next
end


Configure WCCP:

config system wccp
    edit "100"
        set router-id 192.168.101.254
        set server-list 192.168.102.1 255.255.255.255
    next
end

Enable WCCP on the firewall policy:

config firewall policy
    edit 2
        set name "WCCP"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "HTTP" "HTTPS"
        set wccp enable   <-----
    next
end


FortiProxy:

Configure interfaces and enable WCCP on the interface facing the FortiGate:

config system interface
    edit "port5"
        set ip 203.0.113.5 255.255.255.0
    next
    edit "port8"
        set ip 192.168.102.1 255.255.255.0
        set wccp enable   <-----
    next
end


Enable the cache-engine role:

config system settings
    set wccp-cache-engine enable
    set wccp-local-route disable
end


Notes:

  • By enabling wccp-cache-engine, a WCCP interface is created automatically, named using the VDOM name ([VDOMNAME]).
  • wccp-local-route is disabled by default. This option controls the return-traffic behavior: by default, FortiProxy returns traffic through the WCCP interface. If wccp-local-route is enabled, FortiProxy honors the routing table and uses the relevant interface for return traffic without encapsulating it in the GRE tunnel.

Configure WCCP:

config system wccp
    edit "100"
        set cache-id 192.168.102.1
        set router-list "192.168.101.254"
    next
end


Configure the firewall policy from the WCCP interface:

config firewall policy
    edit 1
        set srcintf "w.WCCP"
        set dstintf "port5"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable     <-----
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "g-default"
        set dnsfilter-profile "default"
    next
end


Note: In the policy, utm-status should be enabled; otherwise, FortiProxy would not use the tunnel interface for return traffic.


Configure the central SNAT policy on FortiProxy:

config firewall central-snat-map
    edit 1
        set srcintf "w.WCCP"
        set dstintf "port5"
        set src-addr "all"
        set dst-addr "all"
    next
end


After configuring the FortiGate and FortiProxy, the FortiGate will redirect the HTTP and HTTPS traffic from the client using the WCCP tunnel. This can be verified by capturing the traffic or checking traffic logs on FortiGate and FortiProxy.
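Before capturing on the devices, the two configurations above can be cross-checked offline, since a mismatched service ID, router-id/router-list or cache-id/server-list, or a missing wccp enable on the interface owning those addresses, causes the redirect to fail silently. The following Python is an added example, not part of this article or of Fortinet's tooling; it assumes the CLI text is pasted as shown here (the samples are constructed from the article's values), and the ';' separators are only a shorthand for newlines:

```python
import re
import shlex

# Constructed samples abbreviated from this article; ';' separates statements only
# for brevity here (the real CLI puts one statement per line; both forms parse).
FGT_CFG = ('config system interface; edit "port3"; set ip 192.168.101.254 255.255.255.0; '
           'set wccp enable; next; end; config system wccp; edit "100"; '
           'set router-id 192.168.101.254; set server-list 192.168.102.1 255.255.255.255; next; end')
FPX_CFG = ('config system interface; edit "port8"; set ip 192.168.102.1 255.255.255.0; '
           'set wccp enable; next; end; config system wccp; edit "100"; '
           'set cache-id 192.168.102.1; set router-list "192.168.101.254"; next; end')


def parse_fortios(text):
    """Parse FortiOS-style CLI (config/edit/set/next/end) into nested dicts."""
    stack, cur = [], {}
    for stmt in re.split(r"[;\n]", text):
        toks = shlex.split(stmt.split("<---")[0])  # drop the article's "<-----" markers
        if not toks:
            continue
        kw, args = toks[0], toks[1:]
        if kw in ("config", "edit"):  # descend into a table or one of its entries
            stack.append(cur)
            cur = cur.setdefault(" ".join(args), {})
        elif kw == "set":  # attribute -> list of unquoted values
            cur[args[0]] = args[1:]
        elif kw in ("next", "end"):  # climb back out
            cur = stack.pop()
    return cur  # balanced input leaves us back at the root


def check_wccp_pair(fgt_text, fpx_text):
    """Cross-check FortiGate (router) vs FortiProxy (cache engine); [] means consistent."""
    fgt, fpx = parse_fortios(fgt_text), parse_fortios(fpx_text)
    out = []
    for sid, svc in fgt.get("system wccp", {}).items():
        peer = fpx.get("system wccp", {}).get(sid)
        if peer is None:  # service IDs must match on both ends
            out.append(f"service {sid}: present on FortiGate, missing on FortiProxy")
            continue
        rid, cid = svc.get("router-id", [""])[0], peer.get("cache-id", [""])[0]
        if rid not in peer.get("router-list", []):
            out.append(f"service {sid}: router-id {rid} not in FortiProxy router-list")
        if cid != svc.get("server-list", [""])[0]:
            out.append(f"service {sid}: cache-id {cid} not in FortiGate server-list")
        # the interface owning each ID must carry 'set wccp enable' (the arrowed lines)
        for side, cfg, addr in (("FortiGate", fgt, rid), ("FortiProxy", fpx, cid)):
            if not any(i.get("ip", [""])[0] == addr and i.get("wccp") == ["enable"]
                       for i in cfg.get("system interface", {}).values()):
                out.append(f"{side}: interface owning {addr} lacks 'set wccp enable'")
    return out
```

Run check_wccp_pair(FGT_CFG, FPX_CFG) on the article's values and it returns an empty list; change the FortiProxy service ID or disable wccp on port8 and the corresponding finding is reported.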

 

[Figure: capture.jpg]

[Figure: logs.jpg]


To verify WCCP status, the following command can be used on both FortiGate and FortiProxy, with one of the test levels listed below:

diagnose test application wccpd [Test level]

  1. Dump wccp stats
  2. Dump wccp config
  3. Dump wccp2 cache servers
  4. Dump wccp2 services
  5. Dump wccp2 assignment
  6. Dump wccp2_cache status


Related article:

Technical Tip: WCCP in L2-Rewrite Mode between FortiGate and FortiProxy
