05-15-2024 04:04 PM
We have 2x FTD 2140 Firewalls Managed by FMC that I am trying to get a flexconfig setup for WCCP to use for our Cisco WSA Web Filter.
This should be a pretty simple configuration, as I just want to put the following 2 commands in via FlexConfig:
wccp 90 redirect-list WCCP_CLIENTS
wccp interface inside 90 redirect in
The problem is I put my WCCP_CLIENTS extended access list in as a network object; however, since it is only referenced via FlexConfig, it doesn't deploy the ACL to the FTD devices and gives the following errors:
FMC >> wccp 90 redirect-list WCCP_CLIENTS
NGFW-2140-HA >> [error] : ERROR: Specified ACL (WCCP_CLIENTS) either does not exist or its type is not supported in WCCP.
Config Error -- wccp 90 redirect-list WCCP_CLIENTS
Am I putting this ACL in the wrong spot, or is there some other way to get this working properly? I am migrating from old Cisco ASAs, where these were just simple commands to put in, but it seems much more difficult with FMC and FTD.
05-16-2024 12:46 AM
05-16-2024 01:50 AM
The FlexConfig should use a variable, if you already have the ASA configuration and want to use the same on FTD.
Check this example with a variable:
https://packetjourney.wordpress.com/2019/05/26/firepower-wccp-configuration/
05-20-2024 11:48 AM
I followed that link, copied the WCCP template, modified it and added the variables (extended ACLs). However, my preview does not look right, as it seems to have bunched my variables all together: "WS_GATEWAYWS_REDIRECTInternal#set( $service = "web-cache-90")". My FlexConfig and FlexConfig preview are below. Do you see what I have wrong?
FlexConfig Preview
###Flex-config Appended CLI ###
WS_GATEWAYWS_REDIRECTInternal#set( $service = "web-cache-90")
wccp $service group-list WS_GATEWAY redirect-list WS_REDIRECT
FLEXConfig Below:
$wccpGroupList$wccpRedirectList$security-zone#set( $service = "web-cache-90")
#if( $isServiceIdentifier == "true")
#set( $service = "$serviceIdentifier")
#end
#set ( $wccpCli = "wccp")
#set ( $wccpCli = "$wccpCli $service")
####wccpGroupList is place-holder for extended ACL.
####Replace wccpGroupList with extended ACL defined in FMC by inserting policy-object of type extended ACL.
#if( $wccpGroupList )
#set( $wccpCli = "$wccpCli group-list $wccpGroupList")
#end
####wccpRedirectList is place-holder for extended ACL.
####Replace wccpRedirectList with extended ACL defined in FMC by inserting policy-object of type extended ACL.
#if( $wccpRedirectList )
#set( $wccpCli = "$wccpCli redirect-list $wccpRedirectList")
#end
$wccpCli
#### Assigning wccp onto interface
#foreach( $interfaceName in $security-zone)
wccp interface $interfaceName $service redirect in
#end
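A pre-deployment check for the preview shown in the last post, as an added example that is not part of the thread or of Cisco's tooling: it flags Velocity directives and unresolved `$variables` left in the rendered CLI, and checks the WCCP service token. It assumes a correctly rendered preview contains only device CLI and that the service is `web-cache` or a number 0-254 as in ASA syntax; `lint_preview` and `valid_service` are hypothetical names.

```python
import re

# Constructed sample: the FlexConfig preview lines quoted in the post above.
PREVIEW = """###Flex-config Appended CLI ###
WS_GATEWAYWS_REDIRECTInternal#set( $service = "web-cache-90")
wccp $service group-list WS_GATEWAY redirect-list WS_REDIRECT
"""

DIRECTIVE = re.compile(r"#(?:set|if|elseif|else|end|foreach)\b")
VARIABLE = re.compile(r"\$\{?[A-Za-z_][\w-]*\}?")
# Assumed ASA syntax: wccp {web-cache | <0-254>} ...
# and: wccp interface <name> {web-cache | <0-254>} ...
WCCP = re.compile(r"^wccp\s+(?:interface\s+\S+\s+)?(\S+)")


def valid_service(token):
    """True for 'web-cache' or a dynamic service number 0-254."""
    return token == "web-cache" or (token.isdigit() and 0 <= int(token) <= 254)


def lint_preview(text):
    """Return (line_no, code, detail) findings for a rendered preview."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("###"):  # banner or template comment
            continue
        leaked = DIRECTIVE.search(line)
        if leaked:  # template directive printed instead of being evaluated
            findings.append((no, "DIRECTIVE", leaked.group(0)))
        unresolved = VARIABLE.findall(line)
        if unresolved:  # variable reference that was never substituted
            findings.append((no, "UNRESOLVED", ",".join(unresolved)))
        cmd = WCCP.match(line)
        # Only judge the service token once the line is fully substituted.
        if cmd and not unresolved and not valid_service(cmd.group(1)):
            findings.append((no, "SERVICE", cmd.group(1)))
    return findings


if __name__ == "__main__":
    for finding in lint_preview(PREVIEW):
        print(finding)
```

An empty result means the preview contains only substituted CLI; any finding is a reason to fix the template before deploying it to the HA pair.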