Support Forum
nitesh_saxena

fortinet and cisco wsa

Hi,

 

Has anyone tried integrating WCCP from Fortinet to WSA?

 

We are trying to integrate Fortinet WCCP to WSA but it's not happening. The WCCP service is not sending traffic to the WSA, so I wanted to know if anyone has tried and had a successful transparent proxy running with this scenario.

 

Please help..

 

Thanks

Prab

Yes, I have tested this on FortiOS versions 5.6.11 and 6.2.3. I tested with an FGT-60E; the WSA was running AsyncOS 11.7 and 11.8.

 

The setup which worked for me is shown in the image below.

 

Traffic flow:

User/Client -> [internal6]FGT[DMZ] -> WSA -> [DMZ]FGT[WAN] -> Internet -> [WAN]FGT[DMZ] -> WSA -> [DMZ]FGT[internal6] -> User/Client

 

It is worth mentioning that this only worked for me when the WSA used the FGT (WCCP_Router) as the gateway to reach the internet!

E.g.: if the WSA uses 10.10.10.1 as WCCP_Router, then the WSA must be configured to use 10.10.10.1 as its default gateway too.

 

I used service IDs 0 and 70 on the WSA as well as on the FGT: 0 for HTTP and 70 for HTTPS.

The forward-method was GRE, the return-method was GRE, and the assignment-method was HASH. No authentication was configured.

Cheers,

Prab :)

chad_lumbee

Prab,

Were you able to retain the source IP of the client with your design? It appears that the FortiGate performs a NAT of the traffic prior to utilizing the WCCP function, thus losing the source IP of the client and thus prior to hitting the firewall rules for client-side IPs.

Prab

chad_lumbee wrote:

Prab,

Were you able to retain the source IP of the client with your design? It appears that the FortiGate performs a NAT of the traffic prior to utilizing the WCCP function, thus losing the source IP of the client and thus prior to hitting the firewall rules for client-side IPs.

Hi Chad,

 

Yes, I was able to retain the client's source IP address. You need to disable the NAT on the firewall policy that is redirecting the traffic using WCCP.

Update: The above-mentioned setup is still working with FortiOS 6.4.4, and the Cisco WSA is running AsyncOS version 14.0.

 

Cheers,

Prab :)
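
The settings described in this thread, written out as a FortiOS CLI sketch. This is an added example, not configuration posted by any participant. Assumptions: the WSA address 10.10.10.2, the interface names "dmz" and "wan1", the policy IDs, and the protocol/ports lines for service 70 are illustrative and do not come from the thread.

```fortios
# Added example. Only 10.10.10.1, service IDs 0/70, GRE/GRE/HASH,
# no authentication and "NAT disabled on the WCCP policy" come from the thread.
config system wccp
    edit "0"
        set router-id 10.10.10.1
        set server-list 10.10.10.2 255.255.255.255
        set forward-method GRE
        set return-method GRE
        set assignment-method HASH
        set authentication disable
    next
    edit "70"
        set router-id 10.10.10.1
        set server-list 10.10.10.2 255.255.255.255
        set forward-method GRE
        set return-method GRE
        set assignment-method HASH
        set authentication disable
        # Assumed: TCP/443 definition for the dynamic HTTPS service.
        set protocol 6
        set ports 443
    next
end
config system interface
    # Interface facing the WSA (assumed name).
    edit "dmz"
        set wccp enable
    next
end
config firewall policy
    # Client web traffic: redirected via WCCP, NAT off so the WSA
    # and its access policies see the real client source IP.
    edit 1
        set srcintf "internal6"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set wccp enable
        set nat disable
    next
end
```

The WSA's own outbound traffic arrives on the DMZ interface and needs a separate DMZ-to-WAN policy, where NAT can stay enabled; on the WSA side the default gateway is 10.10.10.1, matching the WCCP router address.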
