FortiCache
FortiCache allows a FortiGate with insufficient memory/disk space to run a cache service.
scheehan_FTNT
Article Id 195203

Purpose

This article describes the steps to set up and configure FortiCache and FortiGate with web caching enabled using WCCP.


Scope

Web caching for HTTP and HTTPS content over WCCP between FortiGate and FortiCache.


Diagram
[Image: network diagram]

Expectations, Requirements

HTTPS content requires SSL Deep Inspection on the FortiCache in order to inspect encrypted content. With SSL Deep Inspection enabled, the browser prompts with an invalid certificate alert. Install/import the self-signed certificate into the browser to avoid this alert.


Configuration

Sample FortiGate configuration

config system interface
    edit "WAN"
        set ip 192.168.146.73 255.255.255.0
        set alias "connect to ISP Router"
    next
    edit "LAN"
        set ip 10.137.0.73 255.255.254.0
        set alias "connect to LAN"
    next
    edit "port3"
        set ip 10.128.0.73 255.255.254.0
        set alias "connect to Forticache"
        set wccp enable
    next
end

config system wccp
    edit "91"
        set router-id 10.128.0.73
        set server-list 10.128.0.0 255.255.254.0
    next
end

config firewall policy
    edit 1
        set srcintf "LAN"
        set dstintf "WAN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
        set wccp enable
        set nat enable
    next
    edit 2
        set srcintf "LAN"
        set dstintf "WAN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end

Sample FortiCache configuration

config system interface
    edit "port1"
        set ip 192.168.146.175 255.255.255.0
        set alias "Connect to ISP Router"
    next
    edit "port4"
        set ip 10.128.0.175 255.255.254.0
        set wccp enable
        set alias "Connect to FortiGate"
    next
end

config system wccp
    edit "91"
        set cache-id 10.128.0.175
        set router-list "10.128.0.73"
        set ports 80 443
        set assignment-bucket-format wccp-v2
    next
end

config firewall policy
    edit 1
        set srcintf "w.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set webcache enable
        set webcache-https any
        set profile-protocol-options "default"
        set deep-inspection-options "default"
        set nat enable
    next
end
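
The two samples only redirect traffic when the WCCP settings on both devices agree. The check below is an added example, not part of the original article or of any Fortinet tool: it parses the config system wccp blocks (copied inline from the samples above) and verifies that the service ID exists on both sides, that the FortiGate router-id appears in the FortiCache router-list, and that the cache-id falls inside the FortiGate server-list. The function names are hypothetical, and it assumes each service entry carries the settings shown in the samples.

```python
import ipaddress
import re
# Constructed input: the WCCP sections of the two sample configurations on this page.
FORTIGATE = """config system wccp
    edit "91"
        set router-id 10.128.0.73
        set server-list 10.128.0.0 255.255.254.0
    next
end"""
FORTICACHE = """config system wccp
    edit "91"
        set cache-id 10.128.0.175
        set router-list "10.128.0.73"
        set ports 80 443
    next
end"""

def parse_wccp(text):
    """Return {service_id: {setting: [values]}} from a 'config system wccp' block."""
    services, current, inside = {}, None, False
    for line in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if tok[:1] == ["config"]:
            inside = tok[1:] == ["system", "wccp"]
        elif inside and tok[:1] == ["edit"]:
            current = services.setdefault(tok[1], {})
        elif inside and tok[:1] == ["set"] and current is not None:
            current[tok[1]] = tok[2:]
    return services

def check_pair(router_text, cache_text):
    """Compare router-side and cache-side WCCP settings; return a list of findings."""
    router, cache = parse_wccp(router_text), parse_wccp(cache_text)
    findings = []
    for sid, c in cache.items():
        r = router.get(sid)
        if r is None:
            findings.append(f"service {sid}: defined on cache but not on router")
            continue
        rid = r["router-id"][0]
        if rid not in c["router-list"]:
            findings.append(f"service {sid}: router-id {rid} missing from cache router-list")
        # server-list is "<address> <netmask>": the range of caches the router accepts
        allowed = ipaddress.ip_network("/".join(r["server-list"][:2]), strict=False)
        if ipaddress.ip_address(c["cache-id"][0]) not in allowed:
            findings.append(f"service {sid}: cache-id {c['cache-id'][0]} outside server-list {allowed}")
    return findings

if __name__ == "__main__":
    print(check_pair(FORTIGATE, FORTICACHE) or "WCCP settings are consistent")
```

An empty list means the pair is consistent; each finding names the service ID and the setting that disagrees.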


Verification
# diag wad web list 10min

Troubleshooting

Troubleshooting commands

get sys perf stat
diag test app wad 1
diag wad web list 10min
diag test app wad 50

 

WCCP service group info

The WCCP routers and web caches form service groups in order to handle the redirection of traffic whose characteristics are part of the service group definition.

| Service Group | Type | Description |
|---|---|---|
| Service 90-97 | user configurable | User-defined WCCP services that support up to eight ports for each WCCP service. When you configure these user-defined services, you must specify whether to redirect the traffic to the HTTP caching application, to the HTTPS application, or to the streaming application on the content engine. |

 

Related Articles

Technical Note: How to integrate FortiCache with FortiGate using WCCP
