Fortigate and WCCP

Web Cache Communication Protocol – WCCP
Fortigate is compatible with WCCP protocol version 2 and can be configured on the Fortinet Firewall to optimize web traffic.


WCCP architecture

1. Routers (responsible for redirecting to the WCCP Server)

2. Web Cache – cluster of server

3. Service Groups – this is used to identify sensitive traffic and encapsulates methods between endpoints in the config.


WCCP  can be configured from CLI only. The following steps needs to be performed:

1. Configure the service group

2. Enable WCCP on the Fortigate interface

3. Enable WCCP on the firewall policy


You can configure a FortiGate unit to operate as a WCCP router or client.
• A FortiGate unit operating as a WCCP router can intercept HTTP and HTTPS sessions and forward them to a web
caching engine that caches web pages and returns cached content to the web browser.

• A FortiGate unit operating as a WCCP client can accept and forward WCCP sessions and use firewall policies to
apply NAT, UTM, and other FortiGate security features to them. A FortiGate unit operates as a WCCP client only in
NAT/Route mode (and not in Transparent mode)


Configuring WCCP on Fortinet:

Enter the following command to configure a FortiGate unit to operate as a WCCP client:
config system settings
set wccp-cache-engine enable

To configure WCCP in client mode use the following commands:

config system wccp
edit <service-id>
set cache-id <cache_engine_ip4>
set group-address <multicast_ipv4>
set router-list <server_ipv4mask>
set authentication {disable | enable}
set service-type {auto | dynamic | standard}
set assignment-weight <weight_int>
set assignment-bucket-format {cisco-implementation | wccp-v2}
set password <password_str>


Configure WCCP in server mode:

config system wccp
edit <service-id>
set router-id <interface_ipv4>
set group-address <multicast_ipv4>
set server-list <router1_ipv4> [<router2_ipv4> ... <router4_ipv4>]
set authentication {disable | enable}
set forward-method {GRE | L2 | any}
set return-method {GRE | L2 | any}
set assignment-method {HASH | MASK | any}
set password <password_str>

Below is a description of all of the Variables


Valid ID range is from 0 to 255. 0 for HTTP.

Default is 1



 <pre> router-id <interface_ipv4> </pre> 

An IP address known to all cache engines. This IP address identifies a
FortiGate interface IP address to the cache engines. If all cache
engines connect to the same FortiGate interface, then
<interface_ipv4> can be, and the FortiGate unit uses the
IP address of that interface as the router-id.
If the cache engines can connect to different FortiGate interfaces, you
must set router-id to a single IP address, and this IP address must
be added to the configuration of the cache engines that connect to that

Default is



cache-id <cache_engine_ip4>

The IP address of the cache engine if its IP address is not the same as
the IP address of a FortiGate interface. If the IP address of the cache
engine is the same as the IP address of the FortiGate interface on
which you have enabled WCCP, the cache-id should be



group-address <multicast_ipv4>

The IP multicast address used by the cache routers. means
the FortiGate unit ignores multicast WCCP traffic. Otherwise, groupaddress
must be from to



server-list <router1_ipv4>[<router2_ipv4> ...<router4_ipv4>]

The IP address and net mask of up to four WCCP routers.
Default is:


router-list <server_ipv4mask>

IP addresses of one or more WCCP routers that can communicate with
a FortiGate unit operating as a WCCP cache engine. Separate multiple
addresses with a space.



service-type {auto | dynamic | standard}

Set the WCCP service type used by the cache server.

Default: auto



forward-method {GRE| L2 | any}

Specifies how the FortiGate unit forwards traffic to cache servers. If
forward-method is any the cache server determines the forward
Default: GRE



return-method {GRE| L2 | any}

Specifies how a cache server declines a redirected packet and returns
it to the FortiGate unit. If return-method is any the cache server
determines the return method.
Default: GRE



assignment-method {HASH | MASK | any}

Specifies which assignment method the FortiGate unit prefers. If
assignment-method is any the cache server determines the
assignment method.
Default: HASH



assignment-weight <weight_int>

Set the assignment weight for the WCCP cache engine. The range is 0
to 255.
Default: 0



assignment-bucketformat {ciscoimplementation | wccp-v2}

Set the assignment bucket format for the WCCP cache engine.

Default: ciscoimplementation



password <password_str>

The authentication password. Maximum length is 8 characters. No default.

2 Responses to “ “Fortigate and WCCP”

  1. Hello, i feel that i noticed you visited my website so i got here to go back
    the prefer?.I’m trying to find things to improve my website!I guess its good enough to make use of a few of your ideas!!

  2. Benjamin says:

    I’m trying to set this up for days now (Fortigate 100D as Server and Websense v5000 v2 as Client), but when I test the GRE Tunnel, I always reveice this:

    # diagnose test application wccpd 2

    vdom-root: work mode:router working NAT first_phy_id=16
    interface list:
    intf=port15, gid=21 phy_id=21
    service list:
    service: 1, router_id=, group=, auth(no)
    access access: forward=1
    return=1, assign=3.


    # diagnose test application wccpd 3
    service-1 in vdom-root: num=1, usable=0
    cache server ID:
    len=44, addr=, weight=0, status=0
    rcv_id=7, usable=0, fm=0, nq=0, dev=21(k21), to=
    ch_no=0, num_router=0:

    Do you see a problem here? Might be that:
    work mode:router working NAT first_phy_id=16
    differs from interface list:
    intf=port15, gid=21 phy_id=21

Leave a Reply

Your email address will not be published. Required fields are marked *