Handbook

6.0.0

Caching HTTP sessions on port 80

In this example configuration (shown below), a FortiGate unit with host name WCCP_srv is operating as an Internet firewall for a private network and is also configured as a WCCP server. The port1 interface of WCCP_srv is connected to the Internet and the port2 interface is connected to the internal network.

All HTTP traffic on port 80 that is received at the port2 interface of WCCP_srv is accepted by a port2 to port1 security policy with WCCP enabled. All other traffic received at the port2 interface is allowed to connect to the Internet by adding a general port2 to port1 security policy below the HTTP on port 80 security policy.

A WCCP service group is added to WCCP_srv with a service ID of 0 for caching HTTP traffic on port 80. The port5 interface of WCCP_srv is configured for WCCP communication.

A second FortiGate unit with host name WCCP_client is operating as a WCCP client. The port1 interface of WCCP_client is connected to port5 of WCCP_srv and is configured for WCCP communication.

WCCP_client is configured to cache HTTP traffic because it also has a WCCP service group with a service ID of 0.

WCCP_client connects to the Internet through WCCP_srv. To allow this, a port5 to port1 security policy is added to WCCP_srv.

FortiGate WCCP server and client configuration

Configuring the WCCP server (WCCP_srv)

Use the following steps to configure WCCP_srv as the WCCP server for the example network. The example steps only describe the WCCP-related configuration.

To configure WCCP_srv as a WCCP server
  1. Add a port2 to port1 security policy that accepts HTTP traffic on port 80 and is configured for WCCP:

    config firewall policy
        edit 0
            set srcintf port2
            set dstintf port1
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service HTTP
            set wccp enable
            set nat enable
    end

  2. Add another port2 to port1 security policy to allow all other traffic to connect to the Internet.

    config firewall policy
        edit 0
            set srcintf port2
            set dstintf port1
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
            set nat enable
    end

  3. Move this policy below the WCCP policy in the port2 to port1 policy list.
  4. Enable WCCP on the port5 interface.

    config system interface
        edit port5
            set wccp enable
    end

  5. Add a WCCP service group with service ID 0.

    config system wccp
        edit 0
            set router-id 10.51.101.100
            set server-list 10.51.101.0 255.255.255.0
    end

  6. Add a firewall address and security policy to allow WCCP_client to connect to the Internet.

    config firewall address
        edit WCCP_client_addr
            set subnet 10.51.101.10
    end

    config firewall policy
        edit 0
            set srcintf port5
            set dstintf port1
            set srcaddr WCCP_client_addr
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
            set nat enable
    end

Configuring the WCCP client (WCCP_client)

Use the following steps to configure WCCP_client as the WCCP client for the example network. The example steps only describe the WCCP-related configuration.

To configure WCCP_client as a WCCP client
  1. Configure WCCP_client to operate as a WCCP client.

    config system settings
        set wccp-cache-engine enable
    end

    Note: You cannot enter the wccp-cache-engine enable command if you have already added a WCCP service group. When you enter this command an interface named w.<vdom_name> is added to the FortiGate configuration (for example w.root). All traffic redirected from a WCCP router is considered to be received at this interface of the FortiGate unit operating as a WCCP client. A default route to this interface with lowest priority is added.
  2. Enable WCCP on the port1 interface.

    config system interface
        edit port1
            set wccp enable
    end

  3. Add a WCCP service group with service ID 0.

    config system wccp
        edit 0
            set cache-id 10.51.101.10
            set router-list 10.51.101.100
    end
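The two procedures above leave three things that are easy to get wrong and that the CLI does not check for you: the WCCP HTTP policy must stay above the catch-all policy in the port2 to port1 list (step 3 of the server procedure), the port5 to port1 policy should stay scoped to the cache engine's address object, and the router-id/server-list on WCCP_srv must agree with the router-list/cache-id on WCCP_client. The following script is an added example, not Fortinet code or part of this handbook: it contains a small hypothetical parser for FortiOS-style config/edit/set/next/end text and runs those three checks over constructed copies of the configurations from the procedures (with the interface keyword spelled srcintf, as the FortiOS CLI expects, and without the action/schedule lines, which the checks do not use).

```python
import ipaddress
import shlex

# Constructed samples transcribed from the procedures above (not a live dump).
WCCP_SRV_CONFIG = """
config firewall policy
    edit 0
        set srcintf port2
        set dstintf port1
        set srcaddr all
        set service HTTP
        set wccp enable
    next
    edit 0
        set srcintf port2
        set dstintf port1
        set srcaddr all
        set service ALL
    next
    edit 0
        set srcintf port5
        set dstintf port1
        set srcaddr WCCP_client_addr
        set service ALL
    next
end
config system wccp
    edit 0
        set router-id 10.51.101.100
        set server-list 10.51.101.0 255.255.255.0
    next
end
"""

WCCP_CLIENT_CONFIG = """
config system settings
    set wccp-cache-engine enable
end
config system wccp
    edit 0
        set cache-id 10.51.101.10
        set router-list 10.51.101.100
    next
end
"""


def parse_fortios(text):
    """Hypothetical minimal parser (not a FortiOS tool). Returns
    {table_name: [entry, ...]}; each entry maps a set keyword to its values.
    'edit 0' receives the next free id, as the CLI does for policies."""
    tables, table, entry = {}, None, None
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            table = tables.setdefault(" ".join(args), [])
            entry = None
        elif cmd == "edit":
            entry = {"id": str(len(table) + 1) if args[0] == "0" else args[0]}
            table.append(entry)
        elif cmd == "set":
            if entry is None:                    # table-level setting, no edit
                entry = {"id": None}
                table.append(entry)
            entry[args[0]] = args[1:]
        elif cmd in ("next", "end"):             # 'end' also closes the table
            entry, table = None, (None if cmd == "end" else table)
    return tables


def policies(tables, srcintf, dstintf):
    """Policies for one interface pair, in top-down evaluation order."""
    return [p for p in tables.get("firewall policy", [])
            if p.get("srcintf") == [srcintf] and p.get("dstintf") == [dstintf]]


def check_policy_order(tables, srcintf="port2", dstintf="port1"):
    """True when every WCCP-enabled policy sits above the first catch-all
    (service ALL) policy; otherwise the catch-all matches port 80 traffic
    first and nothing is redirected to the cache."""
    pols = policies(tables, srcintf, dstintf)
    wccp = [i for i, p in enumerate(pols) if p.get("wccp") == ["enable"]]
    catch_all = [i for i, p in enumerate(pols) if p.get("service") == ["ALL"]]
    return bool(wccp) and (not catch_all or max(wccp) < min(catch_all))


def check_client_policy_scoped(tables, srcintf="port5", dstintf="port1"):
    """The cache engine's outbound policy should name its address object,
    not srcaddr all."""
    pols = policies(tables, srcintf, dstintf)
    return bool(pols) and all(p.get("srcaddr") != ["all"] for p in pols)


def check_peering(server, client):
    """The client must list the server's router-id, and its cache-id must
    fall inside the server's server-list subnet."""
    srv, cli = server["system wccp"][0], client["system wccp"][0]
    net, mask = srv["server-list"]
    subnet = ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return (srv["router-id"][0] in cli["router-list"]
            and ipaddress.ip_address(cli["cache-id"][0]) in subnet)


if __name__ == "__main__":
    srv, cli = parse_fortios(WCCP_SRV_CONFIG), parse_fortios(WCCP_CLIENT_CONFIG)
    print("WCCP policy above catch-all:", check_policy_order(srv))
    print("cache-engine policy scoped: ", check_client_policy_scoped(srv))
    print("service groups agree:       ", check_peering(srv, cli))
```

Reversing the policy list in memory reproduces the mistake that step 3 exists to correct (catch-all entered first and left above the WCCP policy), and check_policy_order then returns False; the same script can be pointed at a `show firewall policy` dump from a real unit, subject to the parser's simplifications noted above.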
