Example caching HTTP sessions on port 80 and HTTPS sessions on port 443 using WCCP
This example configuration is the same as thatdescribed in Example caching HTTP sessions on port 80 using WCCP on page 2948 except that WCCP now also cached HTTPS traffic on port 443. To cache HTTP and HTTPS traffic the WCCP service group must have a service ID in the range 51 to 255 and you must specify port 80 and 443 and protocol 6 in the service group configuration of the WCCP client.
Also the security policy on the WCCP_srv that accepts sessions from the internal network to be cached must accept HTTP and HTTPS sessions.
Configuring the WCCP server (WCCP_srv)
Use the following steps to configure WCCP_srv as the WCCP server for the example network. The example steps only describe the WCCP-related configuration.
To configure WCCP_srv as a WCCP server
1. Add a port2 to port1 security policy that accepts HTTP traffic on port 80 and HTTPS traffic on port 443 and is configured for WCCP:
config firewall policy edit 0
set srtintf port2 set dstintf port1 set srcaddr all set dstaddr all set action accept
set schedule always
set service HTTP HTTPS
set wccp enable set nat enable
end
2. Add another port2 to port1 security policy to allow all other traffic to connect to the Internet.
config firewall policy edit 0
set srtintf port2 set dstintf port1 set srcaddr all set dstaddr all set action accept
set schedule always set service ANY
set nat enable end
3. Move this policy below the WCCP policy in the port2 to port1 policy list.
4. Enable WCCP on the port5 interface.
config system interface edit port5
set wccp enable end
5. Add a WCCP service group with service ID 90 (can be any number between 51 and 255).
config system wccp edit 90
set router-id 10.51.101.100
set server-list 10.51.101.0 255.255.255.0 end
6. Add a firewall address and security policy to allow the WCCP_client to connect to the internet.
config firewall address edit WCCP_client_addr
set subnet 10.51.101.10 end
config firewall policy edit 0
set srtintf port5 set dstintf port1
set srcaddr WCCP_client_addr set dstaddr all
set action accept set schedule always set service ANY
set nat enable end
Configuring the WCCP client (WCCP_client)
Use the following steps to configure WCCP_client as the WCCP client for the example network. The example steps only describe the WCCP-related configuration.
To configure WCCP_client as a WCCP client
1. Configure WCCP_client to operate as a WCCP client.
config system settings
set wccp-cache-engine enable end
You cannot enter the wccp-cache-engine enable command if you have already added a WCCP service group. When you enter this command an interface named w.<vdom_name> is added to the FortiGate configuration (for example w.root). All traffic redirected from a WCCP router is considered to be received at this interface of the FortiGate unit operating as a WCCP client. A default route to this interface with lowest priority is added.
2. Enable WCCP on the port1 interface.
config system interface edit port1
set wccp enable
end
3. Add a WCCP service group with service ID 90. This service group also specifies to cache sessions on ports 80 and
443 (for HTTP and HTTPS) and protocol number 6.
config system wccp edit 90
set cache-id 10.51.101.10
set router-list 10.51.101.100 ports 80 443
set protocol 6 end
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!