Description
This article describes the steps to configure FortiCache and FortiGate to enable web-caching using WCCP. It includes the network diagram, configuration for both the FortiCache and the FortiGate, and an illustration of the command output to verify caching.
Solution
The following network diagram illustrates this example network:
Configuration CLI (only relevant parts) - FortiGate
config system interface
    edit "port13"
        set vdom "FIREWALL"
        set ip 10.20.19.10 255.255.255.248
        # http and telnet carry management traffic in cleartext; https and ssh are the encrypted equivalents
        set allowaccess ping https ssh snmp http telnet
        set vlanforward enable
        set type physical
        set alias "INSIDE"
        set snmp-index 15
    next
    edit "VLAN 313"
        set vdom "FIREWALL"
        set ip 10.20.20.57 255.255.255.252
        set allowaccess ping https ssh
        set vlanforward enable
        set snmp-index 45
        # Enable WCCP
        set wccp enable
        set interface "port14"
        set vlanid 313
    next
    edit "315"
        set vdom "FIREWALL"
        set ip 10.20.20.21 255.255.255.240
        set allowaccess ping
        set vlanforward enable
        set snmp-index 35
        set interface "port14"
        set vlanid 315
    next
end
config firewall policy
    # Firewall policy to intercept HTTP and forward to FortiCache
    edit 21
        set srcintf "port13"
        set dstintf "315"
        set srcaddr "Test_PC"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP"
        set logtraffic all
        set webcache enable
        set wccp enable
        set global-label "Inside-Outside"
    next
    # Firewall policy to forward all other traffic to internet
    edit 5
        set srcintf "port13"
        set dstintf "315"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
# Add WCCP client & server settings
config system wccp
    edit "0"
        set router-id 10.20.20.57
        set server-list 10.20.20.56 255.255.255.252
    next
end
Configuration CLI (only relevant parts) - FortiCache
config system interface
    edit "port1"
        set ip 10.20.20.58 255.255.255.252
        set allowaccess ping https ssh telnet
        set type physical
        # Enable WCCP
        set wccp enable
        set snmp-index 1
        set macaddr 84:8f:69:e1:8b:09
    next
end
config system settings
    # Enable WCCP cache engine
    set wccp-cache-engine enable
end
# Firewall policy to forward traffic to internet
config firewall policy
    edit 1
        set srcintf "w.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        # Enable webcache & NAT
        set webcache enable
        set nat enable
    next
end
config log disk setting
    set status enable
end
config router static
    edit 1
        set device "port1"
        set gateway 10.20.20.57
    next
end
config system wccp
    edit "0"
        set cache-id 10.20.20.58
        set router-list "10.20.20.57"
        set assignment-bucket-format wccp-v2
    next
end
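In the two configurations above, the FortiGate router-id and the FortiCache cache-id are each the address of a WCCP-enabled interface, the cache-id falls inside the FortiGate server-list, and the FortiCache router-list names the router-id. The following Python script is an added example, not part of the original article or of any Fortinet tool; it checks those four relationships on a constructed excerpt of the two configurations, and the function names parse, wccp_ips and check are this example's own.

```python
import ipaddress, re
# Constructed input: WCCP-relevant lines taken from the two configurations on this page.
FORTIGATE = '''config system interface
edit "VLAN 313"
set ip 10.20.20.57 255.255.255.252
set wccp enable
end
config system wccp
edit "0"
set router-id 10.20.20.57
set server-list 10.20.20.56 255.255.255.252
end'''
FORTICACHE = '''config system interface
edit "port1"
set ip 10.20.20.58 255.255.255.252
set wccp enable
end
config system wccp
edit "0"
set cache-id 10.20.20.58
set router-list "10.20.20.57"
end'''

def parse(text):
    """Turn FortiOS-style CLI text into {section: {entry: {key: [values]}}}."""
    cfg, section, entry = {}, None, None
    for line in text.splitlines():
        verb, *args = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)] or [""]
        if verb == "config":
            section = cfg.setdefault(" ".join(args), {})
        elif verb == "edit":
            entry = section.setdefault(args[0], {})
        elif verb == "set":
            entry[args[0]] = args[1:]
    return cfg

def wccp_ips(cfg):  # addresses of interfaces that carry 'set wccp enable'
    return {i["ip"][0] for i in cfg["system interface"].values() if i.get("wccp") == ["enable"]}

def check(fgt, fch, service="0"):
    """List mismatches between the FortiGate (router) and FortiCache (cache) WCCP settings."""
    r, c = fgt["system wccp"][service], fch["system wccp"][service]
    net = ipaddress.ip_network("/".join(r["server-list"]))
    return [msg for ok, msg in (
        (r["router-id"][0] in wccp_ips(fgt), "router-id is not a WCCP-enabled FortiGate interface address"),
        (c["cache-id"][0] in wccp_ips(fch), "cache-id is not a WCCP-enabled FortiCache interface address"),
        (ipaddress.ip_address(c["cache-id"][0]) in net, "cache-id is outside the FortiGate server-list"),
        (r["router-id"][0] in c["router-list"], "FortiCache router-list does not include the router-id"),
    ) if not ok]
```

An empty list from check(parse(FORTIGATE), parse(FORTICACHE)) means the two sides agree; each returned string names one mismatch to correct before looking at cache statistics.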
FortiCache Results
What is really being cached
# diag wad web list 10min
Total = number of HTTP Objects requested
Cachable = number of cachable objects requested (i.e. not dynamic or exempted content)
Hits = number of cachable objects found in the cache object store and served from cache
Bypass = number of objects bypassing the cache (dynamic, exempted, or if the cache is in a bypass state due to overload)
Video Total = number of video objects (note 1 YouTube video may consist of multiple objects)
Video hits = number of video objects served from cache
LAN and WAN can be confusing but:
In = Towards the cache
Out = Away from cache
LAN (in) = Request from client
LAN (out) = Response from destination or cache
WAN (in) = Response from destination
WAN (out) = Request from FCH (on behalf of client)
Troubleshooting commands
get sys perf stat
diag sys top -n 5
diag test app wad 1
diag test app wad 803
diag test app wad 50
diag test app wad 32
diag debug crashlog read