WCCP with FTD
Often, part of a firewall migration requires integrating a dedicated external web content filtering solution, for example Cisco's Web Security Appliance (WSA). There are multiple methods of implementing a web filtering solution, and one of them is the Web Cache Communications Protocol (WCCP). While the required configuration set is a reasonably simple task on a Cisco ASA or a Cisco router, it's a *little* bit more complicated when migrating over to a Cisco Firepower Threat Defense (FTD) firewall appliance. Something we often hear about Firepower Management Center (FMC) is that not all features are baked into the GUI, and various configurations require the use of what's called FlexConfig. WCCP happens to be one of those FlexConfig-required configurations. Since FTD is managed through FMC, we need a FlexConfig configuration set to get FTD talking to the web filtering solution.
While reviewing the configuration template that Cisco provides within FMC, it looks a bit complex. However, in the end, after looking at what's really needed, it's not that complex at all. Let's take a look at their sample config.
#set( $service = "web-cache")
#if( $isServiceIdentifier == "true")
#set( $service = "$serviceIdentifier")
#end
#set ( $wccpCli = "wccp")
#set ( $wccpCli = "$wccpCli $service")
####wccpGroupList is place-holder for extended ACL.
####Replace wccpGroupList with extended ACL defined in FMC by inserting policy-object of type extended ACL.
#if( $wccpGroupList )
#set( $wccpCli = "$wccpCli group-list $wccpGroupList")
#end
####wccpRedirectList is place-holder for extended ACL.
####Replace wccpRedirectList with extended ACL defined in FMC by inserting policy-object of type extended ACL.
#if( $wccpRedirectList )
#set( $wccpCli = "$wccpCli redirect-list $wccpRedirectList")
#end
#set( $wccpCli = "$wccpCli password @wccpPassword ")
#### Emit the assembled "wccp <service> ..." command
$wccpCli
#### Assigning wccp onto interface
#foreach( $interfaceName in $security-zone)
wccp interface $interfaceName $service redirect in
#end
Whoa, there's quite a bit of "stuff" in there.
We are going to run through the configurations and use a much simpler FlexConfig set on our FTD appliance than what this sample template shows.
In this lab, I'm going to be using a virtual FTD appliance and a virtual WSA appliance built using the topology shown below.
The first step we'll do is create the access-lists that will define the interesting traffic that we will set to be redirected to WSA as well as an ACL for the gateways.
Objects > Object Management > Access Lists > Extended > Add Extended Access List
In this example, I'm going to use a name of "wccp-90" as my redirect list and "wccp-gateways" as my gateway list.
Under the Extended Access List section, select "Add Extended Access List" and choose "Add" to create a new entry. The action, as well as the source and destination for this entry, will remain the defaults. Under the "Port" tab, move "HTTP" into the destination field and click "Add" then "Save". Note that we are only going to work with HTTP in this lab. HTTPS can be added here as well, but it requires additional certificate work, which we'll leave out for simplicity of this environment.
The second ACL we will create is for the gateways list. Following the same process as above, under the Extended Access List section, select "Add Extended Access List". For a name, I'm going to use "wccp-gateways". Click "Add" to create a new entry, again keeping the action as the default of "Allow". This time, we're going to have to create an object for our WSA server. Next to "Available Networks", select the "+" sign to create a new object. Enter your object name ("wsa" in this environment) and the IP address of the WSA server (172.16.10.20) and click "Save". Once that object is created, it can be selected from the Available Networks list. Locate the new "wsa" object and move it into the "Source Networks" section. When complete, click "Add" then "Save".
With our access-lists created, we can go and create our FlexConfig object. Rather than using the wccp template config that is built into FMC, we're going to create a new object. Under Objects > Object Management > FlexConfig > FlexConfig Object, select "Add FlexConfig Object" at the top right. For the name of this new object, I'm going to simply use "wccp-flexconfig". Here's where the template that Cisco provides and the config that we're going to use will differ but provide the same result.
Under the configuration section, this is going to take a mix of manual configuration and the "Insert" button to add variables, with the end result appearing as the config snippet below:
wccp 90 redirect-list $wccp-90 group-list $wccp_gateways
wccp interface inside 90 redirect in
Start by manually typing "wccp 90 redirect-list ". *Note the space entered after redirect-list.
After "redirect-list", select the "Insert" drop-down menu. Under Insert > Insert Policy Object > choose Extended ACL Object. Provide a variable name; in this environment, I entered "wccp-90". From the Available Objects list, move your "wccp-90" access-list created in a previous step and select "Save". At this point, your configuration statement should be "wccp 90 redirect-list $wccp-90 ". Next, we will need to add the group-list. After "$wccp-90 ", manually enter "group-list" and, using the same steps as with the redirect-list, select the "Insert" drop-down > Insert > Insert Policy Object > and once again choose Extended ACL Object. Under the Available Objects section, move your wccp-gateways ACL to the Selected Objects column and click "Save".
On the next line, we're going to enable the redirect process using the statement below:
wccp interface inside 90 redirect in
At this point, our FlexConfig object has been configured and we can now save that object.
With our FlexConfig object successfully created, we will now go and assign that object to a policy which will then be assigned to our FTD appliance.
Under Devices > FlexConfig, create a "New Policy". Give your new policy a name; in this case I just used "FlexConfig". Under the "User Defined" objects, highlight and move the "wccp-flexconfig" object over to the "Selected Append FlexConfigs" section. The last piece to this puzzle is to assign this new FlexConfig policy to the FTD appliance. On this same window, select "Policy Assignment" at the top right, under the "Preview Config" and "Save" buttons, and move your FTD appliance into the "Selected Devices" column. When done, click "OK", then "Save".
Voilà... just like that, you have WCCP configured on your FTD. Easy, right?
To verify, you can SSH into your FTD appliance and run all of the normal "show" commands that you could on a Cisco ASA.
> show running-config wccp
wccp 90 redirect-list wccp-90 group-list wccp-gateways
wccp interface inside 90 redirect in
> show access-list wccp-90
access-list wccp-90; 1 elements; name hash: 0x1a10f12
access-list wccp-90 line 1 extended permit object-group ProxySG_ExtendedACL_8589934661 any any log informational interval 300 (hitcnt=0) 0x1063ff01
access-list wccp-90 line 1 extended permit tcp any any eq www log informational interval 300 (hitcnt=0) 0xedff4076
> show access-list wccp-gateways
access-list wccp-gateways; 1 elements; name hash: 0xdd6d9d02
access-list wccp-gateways line 1 extended permit object-group ProxySG_ExtendedACL_8589934683 object wsa any log informational interval 300 (hitcnt=11) 0xcaa7d25c
access-list wccp-gateways line 1 extended permit ip host 172.16.10.20 any log informational interval 300 (hitcnt=11) 0x3c22ac49
> show wccp
Global WCCP information:
Router Identifier: 172.16.10.254
Protocol Version: 2.0
Service Identifier: 90
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 866
Redirect access-list: wccp-90
Total Connections Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: wccp-gateways
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
From this output, we can see that we now have a GRE connection from the FTD appliance to the WSA server and traffic is being redirected. We can also see that from the client workstation, when a policy is written to block Auction sites, the content is successfully blocked.
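To turn the "show wccp" and "show running-config wccp" output above into a repeatable health check, here is an added Python example (not from the original post or from Cisco) that parses both outputs and flags a missing cache engine, ACL name mismatches, authentication failures, or a service id that no interface redirects. The sample text is constructed to match the output shown above.

```python
import re

# Constructed sample, trimmed from the "show wccp" output shown above.
SHOW_WCCP = """\
Global WCCP information:
Router Identifier: 172.16.10.254
Service Identifier: 90
Number of Cache Engines: 1
Total Packets Redirected: 866
Redirect access-list: wccp-90
Group access-list: wccp-gateways
Total Authentication failures: 0
"""
# Constructed sample matching the "show running-config wccp" output above.
SHOW_RUN_WCCP = """\
wccp 90 redirect-list wccp-90 group-list wccp-gateways
wccp interface inside 90 redirect in
"""

def parse_show_wccp(text):
    """Turn 'Key: value' lines into a dict; all-digit values become ints."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            value = value.strip()
            info[key.strip()] = int(value) if value.isdigit() else value
    return info

def parse_running_config(text):
    """Return (service, redirect_list, group_list, [(iface, service)]) from the running config."""
    m = re.search(r"^wccp (\S+) redirect-list (\S+) group-list (\S+)", text, re.M)
    ifaces = re.findall(r"^wccp interface (\S+) (\S+) redirect in", text, re.M)
    return m.group(1), m.group(2), m.group(3), ifaces

def check_wccp(show_wccp, running_config):
    """Return a list of findings; an empty list means the WSA is registered and config is consistent."""
    info = parse_show_wccp(show_wccp)
    service, redirect_list, group_list, ifaces = parse_running_config(running_config)
    checks = [  # the group-list limits which cache engines may join; auth failures matter with "password"
        (str(info.get("Service Identifier")) == service, "service id mismatch"),
        (info.get("Redirect access-list") == redirect_list, "redirect-list mismatch"),
        (info.get("Group access-list") == group_list, "group-list mismatch"),
        (info.get("Number of Cache Engines", 0) >= 1, "no cache engine (WSA) registered"),
        (info.get("Total Authentication failures", 0) == 0, "WCCP authentication failures"),
        (any(svc == service for _, svc in ifaces), "no interface redirects service " + service),
    ]
    return [msg for ok, msg in checks if not ok]
```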