FortiCache 4.0.1 Administration Guide

WCCP

WCCP can be used to provide web caching with load balancing and fault tolerance. In a WCCP configuration, a WCCP server receives HTTP requests from users’ web browsers and redirects the requests to one or more WCCP clients. The clients either return cached content, or request new content from the destination web servers, cache it and return it to the server. The server then returns the content to the original requestor. If a WCCP configuration includes multiple WCCP clients, the WCCP server load balances traffic among the clients, can detect when a client fails, and fails over sessions to the clients that are still operating. WCCP is described by the Web Cache Communication Protocol internet draft.

FortiCache units can operate as WCCP clients and support WCCPv2. FortiCache units use UDP port 2048 for WCCP communication, with user traffic encapsulated in GRE-mode or L2-mode.

This section describes:

  • WCCP service groups, numbers, IDs, and well known services
  • WCCP configuration overview
  • Caching HTTP sessions
  • WCCP packet flow
  • Configuring forward and return methods and adding authentication
  • WCCP messages
  • Troubleshooting WCCP

WCCP service groups, numbers, IDs, and well known services

A FortiCache unit configured as a WCCP client can include multiple client configurations. Each of these configurations is called a WCCP service group. A service group consists of one or more FortiGate units configured as WCCP servers (or routers) and one or more FortiCache WCCP clients working together to cache a specific type of traffic. The service group configuration includes information about the type of traffic to be cached, the addresses of the WCCP clients and servers, and other information about the service.

A service group is identified with a numeric WCCP service ID (or service number) in the range 0 to 255. All of the servers and clients in the same WCCP service group must have service group configurations with the same WCCP service ID.

The value of the service ID provides some information about the type of traffic to be cached by the service group. Service IDs in the range 0 to 50 are reserved for well known services. A well known service is any service that is defined by the WCCP standard as being well known. Since the service is well known, just the service ID is required to identify the traffic to be cached.

Even though the well known service ID range is 0 to 50, at this time only one well known service has been defined. Its service ID is 0, which is used for caching HTTP (web) traffic.

To configure WCCP to cache HTTP sessions you can add a service group to the FortiGate WCCP router and FortiCache WCCP clients with a service ID of 0. No other information about the type of traffic to cache needs to be added to the service group.

Since service IDs 1 to 50 are reserved for well known services and since these services are not defined yet, you should not add service groups with IDs in the range 1 to 50.

FortiCache does allow you to add service groups with IDs between 1 and 50; however, since no well known services have been assigned to these IDs, such service groups will not cache any sessions. Service groups with IDs 51 to 255 allow you to set the port numbers and protocol number of the traffic to be cached, so you can use them to cache different kinds of traffic based on port and protocol number. Service groups 1 to 50 do not allow you to set port or protocol numbers, so they cannot be used to cache any traffic.

To cache traffic other than HTTP traffic you must add service groups with IDs in the range 51 to 255. These service group configurations must include the port numbers and protocol number of the traffic to be cached. It is the port and protocol number configuration in the service group that determines what traffic will be cached by WCCP.

WCCP configuration overview

To configure WCCP you must create a service group that includes FortiGate units configured as WCCP servers and FortiCache units configured as WCCP clients. WCCP servers intercept sessions to be cached (for example, sessions from users browsing the web from a private network). To intercept sessions to be cached, the WCCP server must include a firewall policy that accepts sessions to be cached and WCCP must be enabled in this firewall policy.

The server must have an interface configured for WCCP communication with WCCP clients. That interface sends and receives encapsulated GRE or L2 traffic to and from WCCP clients. The server must also include a WCCP service group that includes a service ID and the addresses of the WCCP clients, as well as other WCCP configuration options.

To use a FortiCache unit as a WCCP client, you must configure an interface on the unit for WCCP communication. The client sends and receives encapsulated GRE traffic to and from the WCCP server using this interface.

The client must also include a WCCP service group with a service ID that matches a service ID on the server. The client service group also includes the IP address of the servers in the service group, and specifies the port numbers and protocol number of the sessions that will be cached on the FortiCache unit.

When the client receives sessions from the server on its WCCP interface, it either returns cached content over the WCCP interface or connects to the destination web servers using the appropriate interface, based on the client routing configuration. Content received from web servers is then cached by the client and returned to the WCCP server over the WCCP link. The server then returns the received content to the initial requesting user’s web browser.

Finally, you may also need to configure routing on the FortiGate server unit and FortiCache client units, and additional firewall policies may have to be added to the server to accept sessions not cached by WCCP.

Caching HTTP sessions

In this configuration, a FortiGate unit is operating as an Internet firewall for a private network and is also configured as a WCCP server. The port39 interface of the FortiGate unit is connected to the Internet, and the port38 interface is connected to the internal network.

All HTTP traffic on port 80 that is received at the port38 interface of the FortiGate unit is accepted by a port38 to port39 firewall policy with WCCP enabled. All other traffic received at the port38 interface is allowed to connect to the Internet by adding a general port38 to port39 firewall policy below the HTTP on port 80 firewall policy.

A WCCP service group is added to the FortiGate unit with a service ID of 0 for caching HTTP traffic on port 80. The port1 interface of the FortiGate unit is configured for WCCP communication.

A FortiCache unit connects to the internet through the FortiGate unit. To allow for this, a port1 to port39 firewall policy is added to the FortiGate unit.

FortiGate WCCP server and FortiCache WCCP client configuration

Note that the WCCP server and client can operate in L2-mode. The WCCP client firewall policy must specify which ingress interface is receiving the L2-forwarded traffic. This is different from GRE-mode which uses the w.root interface.

To enable L2-mode on the FortiCache (WCCP client):

config system wccp
    edit <Service-ID>
        set cache-engine-method L2
    next
end

To enable L2-mode on the FortiGate (WCCP server):

config system wccp
    edit <Service-ID>
        set forward-method L2
        set return-method L2
    next
end

Configure a WCCP server

Use the following steps to configure the FortiGate unit as the WCCP server for the example network. The example steps only describe the WCCP-related configuration.

To configure the FortiGate unit as a WCCP server:

  1. Add a port38 to port39 firewall policy that accepts HTTP traffic on port 80 and is configured for WCCP:

config firewall policy
    edit 0
        set srcintf port38
        set dstintf port39
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service HTTP
        set wccp enable
        set nat enable
    next
end

  2. Add another port38 to port39 firewall policy to allow all other traffic to connect to the Internet:

config firewall policy
    edit 0
        set srcintf port38
        set dstintf port39
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set nat enable
    next
end

  3. Move this policy below the WCCP policy in the port38 to port39 policy list.
  4. Enable WCCP on the port1 interface:

config system interface
    edit port1
        set vdom "root"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set wccp enable
    next
end

  5. Add a WCCP service group with service ID 0:

config system wccp
    edit 0
        set router-id 192.168.1.1
        set server-list 192.168.1.0 255.255.255.0
    next
end

  6. Add a firewall policy to allow the WCCP clients to connect to the internet:

config firewall policy
    edit 3
        set srcintf port1
        set dstintf port39
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set nat enable
    next
end

Configure a WCCP client

Use the following steps to configure the FortiCache unit as the WCCP client for the example network. The example steps only describe the WCCP-related configuration.

To configure the FortiCache unit as a WCCP client:

  1. Configure the FortiCache unit to operate as a WCCP client:

config system settings
    set wccp-cache-engine enable
end

You cannot enter the wccp-cache-engine enable command if you have already added a WCCP service group. When you enter this command an interface named w.root is added to the FortiCache configuration. All traffic redirected from a WCCP router is considered to be received at this interface of the FortiCache unit operating as a WCCP client. A default route to this interface with the lowest priority is added.

  2. Enable WCCP on the aggregate interface aggr1:

config system interface
    edit aggr1
        set ip 192.168.1.2 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set type aggregate
        set explicit-web-proxy enable
        set member port1 port4
        set wccp enable
    next
end

  3. Add a WCCP service group with service ID 0:

config system wccp
    edit 0
        set cache-id 192.168.1.2
        set router-list 192.168.1.1
    next
end

  4. Add a w.root to aggr1 firewall policy that accepts HTTP traffic on port 80 and is configured for WCCP:

config firewall policy
    edit 1
        set srcintf w.root
        set dstintf aggr1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service HTTP
        set nat enable
        set webcache enable
        set transparent disable
    next
end

Note that if the FortiCache is operating in L2-mode, the firewall policy must specify the ingress interface where L2-forwarded traffic is being received, as shown below:

config firewall policy
    edit 1
        set srcintf <port x>
        set dstintf <port y>
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service HTTP
        set nat enable
        set webcache enable
        set transparent disable
    next
end

Verify the WCCP status

After setting up the FortiGate and FortiCache units as WCCP server and clients, verify that they are configured correctly.

Verify the WCCP status on the server

Enter the following CLI commands:

diagnose test application wccp 1
vdoms=1 pkts=0

diagnose test application wccp 2
vdom-root: work mode:router working NAT first_phy_id=39
interface list:
  intf=port1, gid=5 phy_id=5
  intf=port35, gid=39 phy_id=39
service list:
  service: 0, router_id=192.168.1.1, group=0.0.0.0, auth(no) access access:192.168.1.0/255.255.255.0) forward=1, return=1, assign=1.
  erouter_id=192.168.1.1

diagnose test application wccp 3
service-0 in vdom-root: num=1, usable=1
cache server ID:
len=44, addr=192.168.1.2, weight=0, status=0
rcv_id=23560, usable=1, fm=1, nq=0, dev=5(k5), to=192.168.1.1
ch_no=0, num_router=1: 192.168.1.1

diagnose test application wccp 4
service-0 in vdom-root: total_servers=1, usable_servers=1, assign_m=1, rtun_m=1, wcid_len=48, rcv_id=23560, ch_no=2
ID=0, type=0, pri=0, pro=0 f=00000000 Port:
num-routers=1: 192.168.1.1

diagnose test application wccp 5
service-0 in vdom-root: installed key: ip=192.168.1.2, change-number=2
cache_list: 1
0. 192.168.1.2
primary assignment: key=192.168.1.2 change-number=2 num_routers=1
router element[0]: router_id=192.168.1.1, receive_id=4, ch_no=2
cache-server-num=1, format=not standard:
192.168.1.2 buckets:


Verify the WCCP status on the FortiCache

diagnose test application wccp 2
vdom-root: work mode:cache working NAT first_phy_id=8
interface list:
  intf=aggr1, gid=8 phy_id=8
service list:
  service: 0, cache_id=192.168.1.2, group=0.0.0.0, auth(no) forward=1, return=1, assign=1.
  router list: 192.168.1.1
  port list:
  ecache_id=192.168.1.2

diagnose test application wccp 6
service-0 in vdom-root erouter_list: 1 routers in total
0. 192.168.1.1 receive_id:23573 change_number:2
cache servers seen by this router:
0. 192.168.1.2 weight:0 (*Designated Web Cache)
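When several service groups or cache engines are involved, it helps to check the diagnose test application wccp 3 output mechanically rather than by eye. The following Python is an added example, not a Fortinet tool: it parses that output and flags service groups with no usable cache engine or with an expected cache ID (from the server-list) that has not registered. The two sample outputs are constructed to match the format shown above.

```python
"""Check 'diagnose test application wccp 3' output for usable cache engines.

Added example, not Fortinet code. The samples below are constructed to match
the shape of the output shown in the FortiCache guide.
"""
import re

HEALTHY = """\
service-0 in vdom-root: num=1, usable=1
cache server ID:
len=44, addr=192.168.1.2, weight=0, status=0
rcv_id=23560, usable=1, fm=1, nq=0, dev=5(k5), to=192.168.1.1
ch_no=0, num_router=1: 192.168.1.1
"""
BROKEN = "service-0 in vdom-root: num=0, usable=0\n"  # e.g. password mismatch

SERVICE_RE = re.compile(r"^service-(\d+) in vdom-(\S+?): num=(\d+), usable=(\d+)")
CACHE_RE = re.compile(r"addr=([\d.]+), weight=(\d+), status=(\d+)")


def parse_wccp_status(text):
    """Return one dict per service group: id, vdom, num, usable and its cache engines."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            sid, vdom, num, usable = m.groups()
            services.append({"id": int(sid), "vdom": vdom, "num": int(num),
                             "usable": int(usable), "caches": []})
            continue
        m = CACHE_RE.search(line)
        if m and services:  # cache server lines belong to the last service seen
            addr, weight, status = m.groups()
            services[-1]["caches"].append({"addr": addr, "weight": int(weight),
                                           "status": int(status)})
    return services


def wccp_problems(services, expected):
    """Compare each service group against the cache IDs you expect to see
    (the cache-id values covered by the router's server-list) and list findings."""
    findings = []
    for s in services:
        seen = {c["addr"] for c in s["caches"]}
        if s["usable"] == 0:
            findings.append("service %d: no usable cache engine; check service ID, "
                            "router-list/server-list and password" % s["id"])
        for addr in sorted(set(expected) - seen):
            findings.append("service %d: expected cache %s not registered" % (s["id"], addr))
        if s["usable"] < s["num"]:
            findings.append("service %d: %d of %d registered caches unusable"
                            % (s["id"], s["num"] - s["usable"], s["num"]))
    return findings
```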

WCCP packet flow

The following packet flow sequence assumes you have configured a FortiGate unit to be a WCCP server and one or more FortiCache units to be WCCP clients.

  1. A user’s web browser sends a request for web content.
  2. The FortiGate unit configured as a WCCP server includes a firewall policy that intercepts the request and forwards it to a FortiCache WCCP client.
  3. The firewall policy can apply UTM features to traffic accepted by the policy.
  4. The FortiCache WCCP client receives the WCCP session.
  5. The client either returns requested content to the WCCP server if it is already cached, or connects to the destination web server, receives and caches the content, and then returns it to the WCCP server.
  6. The WCCP server returns the requested content to the user’s web browser.
  7. The WCCP router returns the request to the client web browser.

The client web browser is not aware that all this is taking place and does not have to be configured to use a web proxy.

Configuring forward and return methods and adding authentication

The WCCP forwarding method determines how intercepted traffic is transmitted from the WCCP router to the WCCP cache engine. FortiCache units use GRE forwarding.

GRE forwarding encapsulates the intercepted packet in an IP GRE header with a source IP address of the WCCP router and a destination IP address of the target WCCP cache engine. The result is a tunnel that allows the WCCP router to be multiple hops away from the WCCP cache server.

By default the WCCP communication between the router and cache servers is unencrypted. If you are concerned about attackers sniffing the information in the WCCP stream you can use the following command to enable hash-based authentication of the WCCP traffic. Note that authentication lets the router and cache engines reject WCCP messages that were not produced with the shared password; it does not encrypt the messages. You must enable authentication on the router and the cache engines and all must have the same password.

config system wccp
    edit 1
        set authentication enable
        set password <password>
    next
end

WCCP messages

When the WCCP service is active on a web cache server it periodically sends a WCCP HERE I AM broadcast or unicast message to the FortiGate unit operating as a WCCP router. This message contains the following information:

  • Web cache identity (the IP address of the web cache server).
  • Service info (the service group to join).

If the information received in the previous message matches what is expected, the FortiGate unit replies with a WCCP I SEE YOU message that contains the following details:

  • Router identity (the FortiGate unit’s IP address).
  • Sent to IP (the web cache IP addresses to which the packets are addressed).

When both ends receive these two messages the connection is established, the service group is formed and the designated web cache is elected.

Troubleshooting WCCP

Two types of debug commands are available for debugging or troubleshooting a WCCP connection between a FortiGate unit operating as a WCCP router and its FortiCache WCCP cache engines.

Real time debugging

The following commands can capture live WCCP messages:

diag debug en
diag debug application wccpd <debug level>

Application debugging

The following commands display information about WCCP operations:

get test wccpd <integer>
diag test application wccpd <integer>

Where <integer> is a value between 1 and 5:

  1. Display WCCP stats
  2. Display WCCP config
  3. Display WCCP cache servers
  4. Display WCCP services
  5. Display WCCP assignment

Enter the following command to view debugging output: diag test application wccpd 3

Sample output from a successful WCCP connection:

service-0 in vdom-root: num=1, usable=1
cache server ID:
len=44, addr=172.16.78.8, weight=4135, status=0
rcv_id=6547, usable=1, fm=1, nq=0, dev=3(k3), to=192.168.11.55
ch_no=0, num_router=1: 192.168.11.55

Sample output from the same command from an unsuccessful WCCP connection (because of a service group password mismatch):

service-0 in vdom-root: num=0, usable=0

diag debug application wccpd -1

Sample output:

wccp_on_recv()-98: vdom-root recv: num=160, dev=3(3), 172.16.78.8->192.168.11.55
wccp2_receive_pkt()-1124: len=160, type=10, ver=0200, length=152
wccp2_receive_pkt()-1150: found component:t=0, len=20
wccp2_receive_pkt()-1150: found component:t=1, len=24
wccp2_receive_pkt()-1150: found component:t=3, len=44
wccp2_receive_pkt()-1150: found component:t=5, len=20
wccp2_receive_pkt()-1150: found component:t=8, len=24
wccp2_check_security_info()-326: MD5 check failed
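The wccpd debug output above lists a HERE I AM message (type=10) as an 8-byte header followed by components (t=0 security info with len=20, t=1 service info with len=24, and so on), which is what the WCCP messages section describes from the protocol side. The following Python is an added example, not Fortinet code: it builds a constructed WCCPv2 HERE_I_AM message and parses the header and component list, so a capture of UDP port 2048 traffic can be checked for whether MD5 authentication is in use. The component field layouts and name constants are my reading of the WCCPv2 draft, and the 16-byte hash is a zero placeholder rather than a real digest.

```python
"""Decode a WCCPv2 message into its components (added example, not from the guide).

Layout per the WCCPv2 draft: header type(4) version(2) length(2), length covering
the components only; each component is type(2) length(2) data, length covering the
data only. Field layouts are my reading of the draft; no MD5 digest is computed.
"""
import struct

MSG_TYPES = {10: "HERE_I_AM", 11: "I_SEE_YOU", 12: "REDIRECT_ASSIGN", 13: "REMOVAL_QUERY"}
SECURITY_INFO, SERVICE_INFO, WC_ID_INFO, WC_VIEW_INFO, CAPABILITY_INFO = 0, 1, 3, 5, 8
SECURITY_NONE, SECURITY_MD5 = 0, 1


def build_message(msg_type, components):
    """Serialise (ctype, data) pairs behind a WCCPv2 header (version 0x0200)."""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in components)
    return struct.pack("!IHH", msg_type, 0x0200, len(body)) + body


def parse_message(raw):
    """Return (msg_type, version, [(ctype, data), ...]); reject inconsistent lengths."""
    if len(raw) < 8:
        raise ValueError("short WCCP header")
    msg_type, version, length = struct.unpack("!IHH", raw[:8])
    if length != len(raw) - 8:
        raise ValueError("header length %d != payload %d" % (length, len(raw) - 8))
    comps, off = [], 8
    while off < len(raw):
        if off + 4 > len(raw):
            raise ValueError("truncated component header")
        ctype, clen = struct.unpack("!HH", raw[off:off + 4])
        data = raw[off + 4:off + 4 + clen]
        if len(data) != clen:
            raise ValueError("truncated component type %d" % ctype)
        comps.append((ctype, data))
        off += 4 + clen
    return msg_type, version, comps


def service_info(comps):
    """SERVICE_INFO: type(1) id(1) priority(1) protocol(1) flags(4) ports(8 x 2)."""
    data = dict(comps)[SERVICE_INFO]
    stype, sid, prio, proto, _flags = struct.unpack("!BBBBI", data[:8])
    ports = [p for p in struct.unpack("!8H", data[8:24]) if p]
    return {"dynamic": stype == 1, "id": sid, "priority": prio, "protocol": proto, "ports": ports}


def security_option(comps):
    """SECURITY_INFO starts with a 4-byte option: 0 = none, 1 = MD5 plus a 16-byte hash."""
    return struct.unpack("!I", dict(comps)[SECURITY_INFO][:4])[0]


def build_here_i_am(service_id, protocol=0, ports=(), md5=False):
    """Constructed HERE_I_AM with SECURITY_INFO and SERVICE_INFO; the MD5 hash is a
    zero placeholder, not a digest of any password. IDs above 50 are dynamic services."""
    sec = struct.pack("!I", SECURITY_MD5) + b"\x00" * 16 if md5 else struct.pack("!I", SECURITY_NONE)
    port_list = list(ports) + [0] * (8 - len(ports))
    svc = struct.pack("!BBBBI", 1 if service_id > 50 else 0, service_id, 0, protocol, 0)
    return build_message(10, [(SECURITY_INFO, sec), (SERVICE_INFO, svc + struct.pack("!8H", *port_list))])
```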

