fortinet and cisco wsa

Author
nitesh.saxena
2016/04/24 12:22:41

Hi,

Has anyone tried integrating WCCP from Fortinet to WSA?

We are trying to integrate Fortinet WCCP with WSA, but it's not happening. The WCCP service is not sending traffic to the WSA, so I wanted to know if anyone has tried this and had a successful transparent proxy running in this scenario.

Please help.

Thanks
#1


    Prab
    Re: fortinet and cisco wsa 2020/01/09 02:56:39
    Yes, I have tested this on FortiOS versions 5.6.11 and 6.2.3. I tested with an FGT-60E; the WSA was running AsyncOS 11.7 and 11.8.

    The setup which worked for me is shown in the image below.

    Traffic flow:
    User Client -> [internal6]FGT[DMZ] -> WSA -> [DMZ]FGT[WAN] -> Internet -> [WAN]FGT[DMZ] -> WSA -> [DMZ]FGT[internal6] -> User/client

    It is worth mentioning that this only worked for me when the WSA used the FGT (WCCP_Router) as the gateway to reach the internet!
    For example: if the WSA uses 10.10.10.1 as WCCP_Router, then the WSA must be configured to use 10.10.10.1 as its default gateway too.

    I used the service IDs 0 and 70 on the WSA as well as on the FGT: 0 for HTTP and 70 for HTTPS.
    The forward-method was GRE, the return-method was GRE, and the assignment-method was HASH. No authentication was configured.


    Cheers,
    Prab :)
    post edited by Prab - 2020/01/30 04:20:09

    #2
    chad_lumbee
    Re: fortinet and cisco wsa 2021/05/21 22:07:33
    Prab,
    Were you able to retain the source IP of the client with your design? It appears that the FortiGate performs a NAT of the traffic prior to utilizing the WCCP function, thus losing the source IP of the client, and thus prior to hitting the firewall rules for client-side IPs.
    #3
    Prab
    Re: fortinet and cisco wsa 2021/05/26 06:48:42
    chad_lumbee
    Prab,
    Were you able to retain the source IP of the client with your design? It appears that the FortiGate performs a NAT of the traffic prior to utilizing the WCCP function, thus losing the source IP of the client, and thus prior to hitting the firewall rules for client-side IPs.


    Hi Chad,
     
    Yes, I was able to retain the client's source IP address. You need to disable the NAT on the firewall policy that is redirecting the traffic using WCCP.

    Update: The above-mentioned setup is still working with FortiOS 6.4.4, and the Cisco WSA is running AsyncOS version 14.0.
     
    Cheers,
    Prab :)
    #4
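
The FortiGate side of the setup Prab describes in posts #2 and #4, written out as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread; the WSA address 10.10.10.2, policy ID 10 and the lowercase interface names are assumptions, and the `#` lines are annotations to drop before pasting.

```text
# FortiGate acting as WCCP router at 10.10.10.1 (address from the thread).
# 10.10.10.2 is a constructed address for the WSA on the DMZ segment.
config system wccp
    edit "0"
        # Service ID 0: HTTP
        set router-id 10.10.10.1
        # /32 so that only the WSA address is accepted as a cache,
        # since no WCCP authentication is configured
        set server-list 10.10.10.2 255.255.255.255
        set forward-method GRE
        set return-method GRE
        set assignment-method HASH
        set authentication disable
    next
    edit "70"
        # Service ID 70: HTTPS, same methods as service 0
        set router-id 10.10.10.1
        set server-list 10.10.10.2 255.255.255.255
        set forward-method GRE
        set return-method GRE
        set assignment-method HASH
        set authentication disable
    next
end

# WCCP is enabled on the interface that faces the WSA.
config system interface
    edit "dmz"
        set wccp enable
    next
end

# Client policy that redirects web traffic to the WSA.
# NAT is disabled here so the WSA sees the client's source IP (post #4).
config firewall policy
    edit 10
        set srcintf "internal6"
        set dstintf "wan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set wccp enable
        set nat disable
    next
end
# Not shown: the dmz -> wan policy for the WSA's own outbound traffic.
# On the WSA, the default gateway must be 10.10.10.1 (post #2).
```

The service IDs and the forward, return and assignment methods have to match on the WSA's WCCP service definitions, as stated in post #2.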