
WSA Transparent WCCP Options (FTD or 4500X Switch WCCP)?

Jim Matuska
Level 1

We are migrating from our older Cisco ASA firewalls to Cisco FTD 2140s. We currently use WCCP on the ASAs for transparent proxy with our WSA virtual appliance under VMware. I was just going to migrate the WCCP configuration to the FTD 2140s with FMC, but from everything I'm seeing you have to use a somewhat complicated FlexConfig that I am not at all familiar with. I'm wondering if I should just create a new VLAN on my 4500X core switches and migrate WCCP there from the ASAs.

Any thoughts? Migrate the WCCP configuration from the ASAs to the 4500X switches, or use FlexConfig for the WCCP configuration on the FTD 2140 firewalls? Or something else?


Assuming the FTD is plugged directly into the switch, WCCP on the egress on that switch port would be the easiest. What version of FTD are you on? Are you using FMC?

FTD Version 7.3.1.  Yes, we are using FMC.  

I thought I'd seen it in something about 7.4.1, but I was wrong... the switch is probably the best place for now.

amojarra
Cisco Employee

Hi @Jim Matuska 

It is best to re-review your packet flow in order to determine which device is best for implementing WCCP.

[1] Kindly be advised that when you are using WCCP and have any URL in the Bypass Settings, the source IP of the packet will be the client IP.

[2] You need to consider the return path as well.

[3] On the other hand, when you have WCCP in different subnets, the WCCP client (router/switch/firewall) will create a GRE tunnel to the WSA. This will reduce the number of routing decisions as well.

[4] Last but not least, you need to check the load on the devices to avoid overloading them (resource utilization wise).

 

Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++        If you find this answer helpful, please rate it as such      ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

 

Jim Matuska
Level 1

I actually just found this article on using FlexConfig on the FTD. It doesn't look that difficult to me. Does this look like something that would work OK on the FTD for WCCP, although set up slightly differently, since this is using FDM and we are using FMC?

https://integratingit.wordpress.com/2022/02/25/wsa-transparent-proxy-using-wccp

 

It also looks like there is an example FlexConfig object in the FMC that I could use, but I'm not sure whether it would be easier/better to just use the basic ASA WCCP configuration or this longer script.

Any other thoughts?

Example FMC WCCP Flex Config

#set( $service = "web-cache")
#if( $isServiceIdentifier == "true")
#set( $service = "$serviceIdentifier")
#end
#set ( $wccpCli = "wccp")
#set ( $wccpCli = "$wccpCli $service")
####wccpGroupList is place-holder for extended ACL.
####Replace wccpGroupList with extended ACL defined in FMC by inserting policy-object of type extended ACL.
#if( $wccpGroupList )
#set( $wccpCli = "$wccpCli group-list $wccpGroupList")
#end
####wccpRedirectList is place-holder for extended ACL.
####Replace wccpRedirectList with extended ACL defined in FMC by inserting policy-object of type extended ACL.
#if( $wccpRedirectList )
#set( $wccpCli = "$wccpCli redirect-list $wccpRedirectList")
#end

#set( $wccpCli = "$wccpCli password @wccpPassword ")

$wccpCli

#### Assigning wccp onto interface
#foreach( $interfaceName in $security-zone)
wccp interface $interfaceName $service redirect in
#end

 

I skimmed it, it looks good at first glance.

amojarra
Cisco Employee

npt, 

This link might be a help as well: Firepower Management Center Configuration Guide, Version 6.2.3 - FlexConfig Policies for FTD [Cisco Secure Firewall Management Center] - Cisco

 

Also, you can try with just a single IP address for a test.

In WSA you can create WCCP logs (not enabled by default): GUI > System Administration > Log Subscriptions > WCCP logs

Also, in the CLI you can use wccpstat.

 

Regards,

Amirhossein Mojarrad


Jim Matuska
Level 1

Thanks for all the advice and links, everyone. They were very helpful. I think I am going to try the WCCP FlexConfig and see how that goes.

One question though. Do you think migrating the simple configuration from my ASA (only 2 lines plus my ACL) would work OK, or should I use the really long example WCCP FlexConfig from the FMC?

Current ASA WCCP Config

wccp 120 redirect-list WCCP_CLIENTS password *****
wccp interface inside 120 redirect in

Or 

Example FMC WCCP Flex Config

#set( $service = "web-cache")
#if( $isServiceIdentifier == "true")
#set( $service = "$serviceIdentifier")
#end
#set ( $wccpCli = "wccp")
#set ( $wccpCli = "$wccpCli $service")
####wccpGroupList is place-holder for extended ACL.
####Replace wccpGroupList with extended ACL defined in FMC by inserting policy-object of type extended ACL.
#if( $wccpGroupList )
#set( $wccpCli = "$wccpCli group-list $wccpGroupList")
#end
####wccpRedirectList is place-holder for extended ACL.
####Replace wccpRedirectList with extended ACL defined in FMC by inserting policy-object of type extended ACL.
#if( $wccpRedirectList )
#set( $wccpCli = "$wccpCli redirect-list $wccpRedirectList")
#end

#set( $wccpCli = "$wccpCli password @wccpPassword ")

$wccpCli

#### Assigning wccp onto interface
#foreach( $interfaceName in $security-zone)
wccp interface $interfaceName $service redirect in
#end
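To see what CLI the long FMC template actually deploys for a given set of inputs, and whether it reduces to the two-line ASA config above, here is an added Python rendering of the template's #set/#if/#foreach logic. It is not Cisco's or FMC's code; the password placeholder and interface names are constructed for the example.

```python
"""Mirror the FMC WCCP FlexConfig template logic in plain Python.

Added illustration, not Cisco code: it reproduces the #set/#if/#foreach
branches of the template so the resulting ASA/FTD CLI can be previewed
before deploying. Password placeholder and interface names are constructed.
"""
from typing import Optional, Sequence


def render_wccp_flexconfig(
    service_identifier: Optional[str] = None,
    group_list: Optional[str] = None,
    redirect_list: Optional[str] = None,
    password: str = "<wccp-password-placeholder>",
    interfaces: Sequence[str] = (),
) -> list[str]:
    """Return the CLI lines the template would emit.

    service_identifier: WCCP service id such as "120"; None keeps the
    template default "web-cache".  group_list / redirect_list: names of
    extended ACLs, or None to omit.  interfaces: nameif values that the
    $security-zone variable expands to.
    """
    # #set( $service = "web-cache") ... #if( $isServiceIdentifier == "true")
    service = service_identifier if service_identifier else "web-cache"
    cli = f"wccp {service}"
    # #if( $wccpGroupList ): which WSAs may join the service group
    if group_list:
        cli += f" group-list {group_list}"
    # #if( $wccpRedirectList ): which client traffic gets redirected
    if redirect_list:
        cli += f" redirect-list {redirect_list}"
    # The template always appends the password (@wccpPassword at deploy time)
    cli += f" password {password}"
    lines = [cli]
    # #foreach( $interfaceName in $security-zone)
    for name in interfaces:
        lines.append(f"wccp interface {name} {service} redirect in")
    return lines


def matches_asa_config(rendered: list[str], asa_lines: list[str]) -> bool:
    """True when the template output equals the existing ASA config."""
    norm = lambda ls: [" ".join(l.split()) for l in ls]
    return norm(rendered) == norm(asa_lines)


if __name__ == "__main__":
    out = render_wccp_flexconfig("120", redirect_list="WCCP_CLIENTS",
                                 password="*****", interfaces=["inside"])
    print("\n".join(out))
```

With service id 120, the WCCP_CLIENTS redirect list and one interface, the output is the same two lines as the ASA config; the extra template branches only matter when a group-list or several zone interfaces are wanted.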

If you are using FTD and FMC, then you need to use that configuration to work.

I was testing FTD 7.2.5 and 7.3 (some of these you can directly configure using FMC). I was not sure if WCCP is in that area; worth checking in the release notes.

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/flexconfig_policies.html?bookSearch=true

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help