This article describes, with an example, how to set up WCCP on the FortiGate to intercept and redirect HTTP traffic (TCP port 80) to a Linux squid transparent proxy.

GRE encapsulation is used to tunnel intercepted traffic to the squid. This article covers the Linux and squid configuration. Key concepts
of the architecture are discussed. Verification and troubleshooting information is provided.
 
All FortiGates or VDOMs in NAT mode.

Note:

- We intentionally use a router between the FortiGate and the squid even though it is not a requirement. This is a key differentiator between the 2 WCCP encapsulation methods "GRE" and "L2 Forwarding": unlike "L2 Forwarding", the GRE method allows crossing routers between the FortiGate and the caches.
- The connection with the cache uses a dedicated interface in this example, as this is the most common practice.




- uranium-mvm08 requests HTTP traffic on the Internet using TCP port 80 (the browser is not configured to use a proxy)
- FGT3600 intercepts the traffic with a WCCP policy and redirects it to the uranium-mvm03 squid transparent proxy through a GRE tunnel
- uranium-mvm03 squid gets the content from the Internet via FortiGate port1 if it is not already in the cache
- uranium-mvm03 squid returns the content towards the FortiGate for uranium-mvm08 using the GRE tunnel
- FGT3600 receives the content from GRE and hands it back to uranium-mvm08 using the WCCP policy
WCCP stands for "Web Cache Coordinator Protocol". The idea is to redirect user traffic to a cache transparently (that is: no explicit web proxy configured on the client web browser).

- Client traffic going through the FortiGate is intercepted and redirected to a web proxy.
- The web proxy gets the content if required and services the client by sending the content back to the FortiGate.
- The FortiGate retransmits the content from the web proxy to the client.

- WCCP is defined as an RFC draft
- It has built-in load-balancing and fault tolerance
- The WCCP protocol uses UDP port 2048 to communicate between the FortiGate and the caches
- WCCP has 2 types of services: the well-known service (id=0 for http) and dynamic services (id 51 to 255)
- WCCP allows 2 types of tunneling mechanisms (GRE and L2 Forwarding)
FortiGate configuration (only the relevant configuration is shown):

Interface toward the proxy (block garbled in the extraction; only the WCCP line is recoverable):

set wccp enable (#1)

Firewall policy intercepting the client HTTP traffic (block garbled in the extraction; only the WCCP line is recoverable):

set wccp enable (#2)

config system wccp
    edit "0" (#3)
        set router-id 10.120.0.225 (#4)
        set server-list 10.102.0.83 255.255.255.255 (#5)
        set authentication enable (#6)
        set password ENC /pSXIHLNBkcXgQD5XOAhnq0dfgOcHsFwIAp3yDVWa6zWMZTM+y1dolT5yxO3GZgKAQsOluZ21HNzi+qxxOJ0hUfrwDhEJwFFbuVzAXEP9XtZPdBh (#7)
    next
end

Keys of the configuration:

- #1: the interface toward the proxy must have 'set wccp enable' to designate on which interface the GRE tunnel should be starting
- #2: the policy intercepting the traffic must be marked 'set wccp enable'
- #3: in WCCP, '0' refers to the standard service (tcp port 80), so edit "0" is required in this case
- #4: router-id used in WCCP (generally the interface ip address towards the cache)
- #5: defines the authorized cache IP addresses (it could also be 10.102.0.0 255.255.255.0 in this example)
- #6: use a shared WCCP secret between the FortiGate and the cache for authentication (this is optional)
- #7: the shared secret key if authentication is enabled (#6). We use 'fortinet' in this example.
Linux and squid configuration (only the relevant configuration is shown):

In the first place we focus on the networking settings for the Linux server, then we highlight the relevant parts of the squid configuration.

The command lines themselves are garbled in the extraction; only the step comments survive:

# ip addresses and default route :

# GRE Tunnel :

# Route to send the content back to the GRE tunnel

# Setup the redirection of traffic from the GRE tunnel to squid port 3128


/etc/squid/squid.conf

The directive lines are garbled in the extraction; only the comments survive:

# setup transparent squid on port 3128

# Allow clients to request contents

# FortiGate interface of wccp

# wccp version 2 configuration for standard service HTTP on tcp port 80 (service 0) with authentication password 'fortinet'

# tunneling method GRE for forward traffic

# tunneling method GRE for return traffic

# Assignment method (default), only relevant if multiple caches used

# wccp weight (default), only relevant if multiple caches used

# which interface to use for WCCP (0.0.0.0 determines the interface from routing)
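The Linux networking steps and the squid.conf directives above, as an added example that is not the article's own command lines (those did not survive extraction). It uses the article's addresses (router-id 10.120.0.225, cache 10.102.0.83, port 3128, service 0, password 'fortinet'); the tunnel name wccp0 and the use of 192.168.182.225 (the FortiGate SNAT address that reaches the cache in the 'diag debug flow' output later on this page) as the client source are assumptions, and the wccp2_* directive names are squid's option names, not values quoted from the page.

```shell
#!/bin/sh
# Added example (not the article's own commands): the Linux side of the WCCP/GRE
# setup above. Article values: FortiGate router-id 10.120.0.225, cache
# 10.102.0.83, squid port 3128, WCCP service 0, password 'fortinet'.
# Assumed: tunnel name wccp0, and 192.168.182.225 (the FortiGate SNAT address
# shown reaching the cache in the 'diag debug flow' output) as the client source.
set -eu

FGT_ROUTER_ID=10.120.0.225
CACHE_IP=10.102.0.83
SQUID_PORT=3128
TUN=wccp0                         # assumed tunnel interface name
CLIENT_SRC=192.168.182.225/32     # assumed: client source as seen by squid

run() {  # echo each command unless WCCP_APPLY=1, so it can be reviewed without root
    if [ "${WCCP_APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# GRE tunnel: the FortiGate encapsulates from its router-id to the cache, so
# local/remote must match those addresses. Replies to the client must be routed
# back into the tunnel rather than via the default route.
gre_tunnel_cmds() {
    run ip tunnel add "$TUN" mode gre remote "$FGT_ROUTER_ID" local "$CACHE_IP"
    run ip link set "$TUN" up
    run ip route add "$CLIENT_SRC" dev "$TUN"
}

# Redirect decapsulated port-80 traffic arriving on the tunnel to squid.
# Matching -i "$TUN" keeps squid's own upstream fetches out of the redirect.
redirect_cmds() {
    run iptables -t nat -A PREROUTING -i "$TUN" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"
}

# squid.conf fragment matching the FortiGate 'config system wccp' block:
# service 0, shared secret, GRE both ways ('intercept' is the squid 3.1+
# keyword for a transparent port; older releases used 'transparent').
squid_wccp_conf() {
    cat <<EOF
http_port $SQUID_PORT intercept
acl wccp_clients src $CLIENT_SRC
http_access allow wccp_clients
wccp2_router $FGT_ROUTER_ID
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=fortinet
EOF
}

gre_tunnel_cmds; redirect_cmds; squid_wccp_conf
```

Run it as root with WCCP_APPLY=1 to apply the tunnel, route and redirect; without it the commands are only printed for review.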

Statistics (CLI command garbled in the extraction; recoverable output only):

1 vdom using wccp

WCCP configuration (CLI command garbled in the extraction; recoverable output only):

intf=port1
service: 0, router_id=10.120.0.225 auth(fortinet)
access:10.102.0.83/255.255.255.255 forward=1 return=1, assign=1.
erouter_id=10.120.0.225

wccp configuration showing the wccp interface, the service id and router-id, authentication active with password 'fortinet', cache ip in GRE forward method

Servers (CLI command garbled in the extraction; recoverable output only):

service-0 in vdom-root: num=1, usable=1
addr=10.102.0.83 usable=1

Server (caches) available and usable

Services (CLI command garbled in the extraction; recoverable output only):

total_servers=1, usable_servers=1
ID=0

Active services details (id=0 for http on port tcp 80) with the servers that can handle the service

Assignment (CLI command and its output garbled in the extraction)

Assignment: defines a cache id (here only 0, as we have only 1 cache) for each WCCP bucket. This is only relevant if multiple caches are used. This assignment is determined by the proxies and sent to the FortiGate via the WCCP protocol.

You can identify from the session list (in CLI only, using 'diag sys session list') a firewall session which is intercepted by wccp and determine which cache is used as target. It also confirms that the WCCP peering between the FortiGate and the cache is active.

Session entry (garbled in the extraction except for its wccp line):

wccp: server=10.102.0.83, rid=10.120.0.225, dev=2, pri=180, alt=0 GRE-F L2-R std
Cache 10.102.0.83 is used to deliver the content via WCCP through FortiGate interface 10.120.0.225, using GRE encapsulation.
Note: L2-R is irrelevant in this output.

Note: In this example, if the WCCP peering goes down (for instance if the cache is not reachable), user traffic is sent directly to the Internet with no interception. If the preferred behaviour is to not deliver traffic to the user when the cache is not reachable, a simple trick is to disable NAT on policy 3: without NAT, and with WCCP active, traffic can only be served to the client through the cache.

Activity of the proxy is traceable from the squid logs
(squid access.log excerpt garbled in the extraction)

Output example of 'diag debug flow' showing in this example how client traffic is processed by the FortiGate

id=20085 trace_id=100222 func=resolve_ip_tuple_fast line=3196 msg="vd-root received a packet(proto=6, 10.100.0.88:1658->84.45.68.23:80) from internal."
id=20085 trace_id=100222 func=resolve_ip_tuple line=3308 msg="allocate a new session-00001c3b"
id=20085 trace_id=100222 func=vf_ip4_route_input line=1607 msg="find a route: gw-192.168.183.254 via external"
id=20085 trace_id=100222 func=get_new_addr line=1481 msg="find SNAT: IP-192.168.182.225, port-34558"
id=20085 trace_id=100222 func=fw_forward_handler line=366 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=100222 func=__ip_session_run_tuple line=1663 msg="SNAT 10.100.0.88->192.168.182.225:34558"
id=20085 trace_id=100222 func=wccp_output line=222 msg="gre_forward"
id=20085 trace_id=100222 func=wccp_output line=264 msg="send packet via dev-port1"
id=20085 trace_id=100223 func=resolve_ip_tuple_fast line=3196 msg="vd-root received a packet(proto=47, 10.102.0.83:0->10.120.0.225:0) from port1."
id=20085 trace_id=100223 func=wccp_gre_decap line=380 msg="feed to dev=external"
id=20085 trace_id=100223 func=__ip_session_run_tuple line=1677 msg="DNAT 192.168.182.225:34558->10.100.0.88:1658"
id=20085 trace_id=100223 func=vf_ip4_route_input line=1607 msg="find a route: gw-10.100.0.88 via internal"
id=20085 trace_id=100224 func=resolve_ip_tuple_fast line=3196 msg="vd-root received a packet(proto=6, 10.100.0.88:1658->84.45.68.23:80) from internal."
id=20085 trace_id=100224 func=resolve_ip_tuple_fast line=3224 msg="Find an existing session, id-00001c3b, original direction"
id=20085 trace_id=100224 func=__ip_session_run_tuple line=1663 msg="SNAT 10.100.0.88->192.168.182.225:34558"
id=20085 trace_id=100224 func=wccp_output line=222 msg="gre_forward"
id=20085 trace_id=100224 func=wccp_output line=264 msg="send packet via dev-port1"
id=20085 trace_id=100225 func=resolve_ip_tuple_fast line=3196 msg="vd-root received a packet(proto=6, 10.100.0.88:1658->84.45.68.23:80) from internal."
id=20085 trace_id=100225 func=resolve_ip_tuple_fast line=3224 msg="Find an existing session, id-00001c3b, original direction"
id=20085 trace_id=100225 func=__ip_session_run_tuple line=1663 msg="SNAT 10.100.0.88->192.168.182.225:34558"
id=20085 trace_id=100225 func=wccp_output line=222 msg="gre_forward"
id=20085 trace_id=100225 func=wccp_output line=264 msg="send packet via dev-port1"
id=20085 trace_id=100226 func=resolve_ip_tuple_fast line=3196 msg="vd-root received a packet(proto=47, 10.102.0.83:0->10.120.0.225:0) from port1."
id=20085 trace_id=100226 func=wccp_gre_decap line=380 msg="feed to dev=external"