FortiProxy
fbegit (Staff)
Article Id 422491
Description This article describes WCCP and provides a sample WCCP configuration using L2 redirect mode between a FortiGate acting as the WCCP router and a FortiProxy acting as the cache engine (WCCP client), with both devices in the same broadcast domain.
Scope FortiProxy and FortiGate.
Solution

There are two ways that WCCP can redirect traffic to the Content Engine:

  • GRE Tunneling: A GRE tunnel is created between the router and the proxy, and GRE encapsulates the packets.
  • Layer 2 rewrite: The router performs MAC forwarding while the content engine and router are operating on the same broadcast domain.

In this sample, L2 rewrite mode is used. See Technical Tip: WCCP in GRE Mode between FortiProxy and FortiGate for the GRE tunneling method and more information about WCCP.

Topology:

[Topology diagram (image not included): topology_L2.jpg]

FortiGate:

Configure the interfaces and enable WCCP on the interface used to reach FortiProxy:

config system interface
    edit "port1"
        set ip 203.0.113.2 255.255.255.0
    next
    edit "port2"
        set ip 192.168.35.1 255.255.255.0
    next
    edit "port4"
        set ip 192.168.1.5 255.255.255.0
        set wccp enable   <-----
    next
end

Configure WCCP:

config system wccp
    edit "100"
        set router-id 192.168.1.5
        set server-list 192.168.1.1 255.255.255.255
        set forward-method L2   <-----
        set return-method L2    <-----
    next
end


Create the policies. In this example, two policies are needed because FortiProxy is connected in one-armed mode (a single interface, port4, carries both the redirected traffic and FortiProxy's own internet access). WCCP must be enabled on the policy that matches the client traffic so that it is redirected to the content engine:

config firewall policy
    edit 2
        set name "WCCP"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "HTTP" "HTTPS"
        set wccp enable   <---
    next
    edit 4
        set name "FPX_Internet_Access"
        set srcintf "port4"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end


FortiProxy:

Configure the interface facing FortiGate and enable WCCP on it:

config system interface
    edit "port9"
        set ip 192.168.1.1 255.255.255.0
        set wccp enable   <-----
    next
end

Enable the WCCP cache-engine role:

config system settings
    set wccp-cache-engine enable
end

Configure WCCP on FortiProxy, pointing at the FortiGate router-id and selecting the L2 method:

config system wccp
    edit "100"
        set cache-id 192.168.1.1
        set router-list "192.168.1.5"
        set cache-engine-method L2   <-----
    next
end

Create the policy that accepts the redirected traffic on port9 and applies the security profiles:

config firewall policy
    edit 7
        set name "WCCP L2"
        set srcintf "port9"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
        set dnsfilter-profile "default"
    next
end


Configure the central NAT (SNAT) policy on FortiProxy for the traffic entering and leaving port9:

config firewall central-snat-map
    edit 1
        set srcintf "port9"
        set dstintf "port9"
        set src-addr "all"
        set dst-addr "all"
    next
end

After configuring the FortiGate and FortiProxy, FortiGate redirects the client's HTTP and HTTPS traffic by rewriting the L2 header (destination MAC address) of the original packet, leaving the IP packet itself unchanged. This can be verified by capturing the traffic or by checking the traffic logs on FortiGate and FortiProxy.

Packet capture from FortiProxy:

[Packet capture screenshot (image not included): capture_L2.jpg]

[Traffic log screenshot (image not included): logs_L2.jpg]
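The following Python script is an added example that is not part of the original article or of any Fortinet code. It builds a constructed client SYN frame and shows what the two redirect methods listed earlier do to it: L2 rewrite changes only the Ethernet header, while GRE mode (simplified here to a plain 4-byte GRE header, not WCCP's exact GRE framing) wraps the original IP packet in a new one addressed to the cache engine. The classify() check is the test a practitioner would apply to frames from a capture on the FortiProxy side to confirm that L2 redirect is really in use. The router-id and cache-id match the article's configuration; the MAC addresses, the client and the web server are constructed values.

```python
import struct

# Addresses: router-id and cache-id come from the article's configuration;
# the MAC addresses, the client and the web server are constructed for this example.
CLIENT_MAC = bytes.fromhex("020000000001")
ROUTER_MAC = bytes.fromhex("020000000002")   # assumed MAC of FortiGate port4
CACHE_MAC = bytes.fromhex("020000000003")    # assumed MAC of FortiProxy port9
ROUTER_IP = "192.168.1.5"    # FortiGate router-id (from the article)
CACHE_IP = "192.168.1.1"     # FortiProxy cache-id (from the article)
CLIENT_IP = "192.168.35.10"  # constructed client behind FortiGate port2
SERVER_IP = "203.0.113.50"   # constructed web server on the internet

ETH_P_IP = 0x0800
IPPROTO_TCP = 6
IPPROTO_GRE = 47


def ip4(addr):
    """Dotted-quad string to 4 network-order bytes."""
    return bytes(int(octet) for octet in addr.split("."))


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; not needed for this check)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ip4(src), ip4(dst))


def tcp_syn(sport, dport):
    """Minimal 20-byte TCP SYN header."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)


def ethernet(dst_mac, src_mac, payload):
    return dst_mac + src_mac + struct.pack("!H", ETH_P_IP) + payload


def client_frame(dport=80):
    """The client's original SYN toward the web server, as it arrives at the router."""
    return ethernet(ROUTER_MAC, CLIENT_MAC,
                    ipv4_header(CLIENT_IP, SERVER_IP, IPPROTO_TCP, 20)
                    + tcp_syn(40000, dport))


def l2_redirect(frame):
    """L2 rewrite: the router replaces only the Ethernet header; the IP packet is untouched."""
    return ethernet(CACHE_MAC, ROUTER_MAC, frame[14:])


def gre_redirect(frame):
    """GRE mode (simplified to a plain 4-byte GRE header): the original IP packet is
    wrapped in a new IP packet from the router to the cache engine."""
    inner = frame[14:]
    gre = struct.pack("!HH", 0, ETH_P_IP)
    outer = ipv4_header(ROUTER_IP, CACHE_IP, IPPROTO_GRE, len(gre) + len(inner))
    return ethernet(CACHE_MAC, ROUTER_MAC, outer + gre + inner)


def classify(frame):
    """Return 'l2', 'gre' or 'none' describing how a frame was redirected to the cache engine."""
    dst_mac = frame[:6]
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return "none"
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    dst_ip = ".".join(str(b) for b in ip[16:20])
    if proto == IPPROTO_GRE and dst_ip == CACHE_IP:
        gre_proto = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
        if gre_proto == ETH_P_IP:
            return "gre"
    if dst_mac == CACHE_MAC and proto == IPPROTO_TCP and dst_ip != CACHE_IP:
        dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
        if dport in (80, 443):   # the services matched by the FortiGate WCCP policy
            return "l2"
    return "none"


def only_l2_changed(original, redirected):
    """True when the redirected frame differs from the original only in its Ethernet header."""
    return (original[14:] == redirected[14:]
            and redirected[:6] == CACHE_MAC
            and original[:6] != redirected[:6])


if __name__ == "__main__":
    frame = client_frame()
    for label, f in (("original", frame), ("L2", l2_redirect(frame)), ("GRE", gre_redirect(frame))):
        print(f"{label}: {len(f)} bytes, classified as {classify(f)}")
```

The L2 check relies on the one property that distinguishes this mode in a capture on the cache engine: the destination MAC is the FortiProxy interface while the destination IP is still the original web server. If a capture on port9 instead shows GRE (IP protocol 47) to the cache-id, the FortiGate is not using the L2 forward method configured above.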