debug wccp events
debug wccp packets
sh wccp

[ # ]

!! Traffic still needs to be allowed on the inside ACL. This ACL will still be hit first !!
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq https

!! The first ACL is for bypassing the proxy !!
access-list WCCP_Redirect extended deny ip object-group ProxyBypass any
access-list WCCP_Redirect extended permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list WCCP_Redirect extended permit tcp 192.168.1.0 255.255.255.0 any eq 443

!! Proxy ACL !!
access-list WCCP-Proxy extended permit ip host <Proxy Server> any

!! The service IDs used below (web-cache and 70) must match what is configured on the proxy; get them from the client before configuring the ASA !!
!! Commonly used service IDs !!
!! web-cache or 0 - HTTP !!
!! 53 - DNS !!
!! 60 - FTP !!
!! 70 - HTTPS !!
!! The following redirects HTTP traffic based on the WCCP_Redirect ACL !!
wccp web-cache redirect-list WCCP_Redirect group-list WCCP-Proxy
wccp interface inside web-cache redirect in

!! The following redirects HTTPS traffic based on the WCCP_Redirect ACL !!
wccp 70 redirect-list WCCP_Redirect group-list WCCP-Proxy
wccp interface inside 70 redirect in
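The ordering in the two ACLs above is the security-relevant detail: the interface ACL is evaluated first and an unmatched packet is dropped before WCCP sees it, and inside the redirect-list the `deny` for ProxyBypass must precede the `permit` for the subnet or bypass hosts are redirected anyway. The following model of ASA first-match ACL evaluation is an added example, not ASA code or configuration from the page; the ProxyBypass member address and the sample packets are constructed.

```python
"""First-match ACL model for the WCCP redirect decision above (added example).

Evaluation order for a packet arriving on 'inside':
  1. inside_access_in  - interface ACL; no match means implicit deny (dropped)
  2. WCCP_Redirect     - redirect-list; a permit sends the flow to the proxy
Object-group ProxyBypass is modelled as a constructed single host.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        return self.dport is None or self.dport == pkt.dport


def first_match(acl: List[Ace], pkt: Packet) -> str:
    """ASA semantics: the first matching entry wins; implicit deny at the end."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
PROXY_BYPASS = ipaddress.ip_network("192.168.1.50/32")   # constructed object-group member

INSIDE_ACCESS_IN = [
    Ace("permit", "tcp", INSIDE_NET, 80),
    Ace("permit", "tcp", INSIDE_NET, 443),
]

# As on the page: bypass deny first, then the web permits.
WCCP_REDIRECT = [
    Ace("deny", "ip", PROXY_BYPASS),
    Ace("permit", "tcp", INSIDE_NET, 80),
    Ace("permit", "tcp", INSIDE_NET, 443),
]

# Misordered variant for comparison: the subnet permit shadows the bypass deny.
WCCP_REDIRECT_MISORDERED = [
    Ace("permit", "tcp", INSIDE_NET, 80),
    Ace("permit", "tcp", INSIDE_NET, 443),
    Ace("deny", "ip", PROXY_BYPASS),
]


def decide(pkt: Packet, redirect_list: List[Ace] = WCCP_REDIRECT) -> str:
    """Return 'dropped', 'redirected' (to the proxy) or 'forwarded' (routed directly)."""
    if first_match(INSIDE_ACCESS_IN, pkt) == "deny":
        return "dropped"          # never reaches the WCCP redirect-list
    if first_match(redirect_list, pkt) == "permit":
        return "redirected"
    return "forwarded"


if __name__ == "__main__":
    for pkt in (Packet("192.168.1.10", "tcp", 80),
                Packet("192.168.1.50", "tcp", 80),
                Packet("192.168.1.10", "tcp", 22)):
        print(pkt, decide(pkt), decide(pkt, WCCP_REDIRECT_MISORDERED))
```

Running it shows the bypass host is forwarded directly with the page's ordering but redirected with the misordered list, and that a port not permitted by `inside_access_in` is dropped before WCCP is consulted at all.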

[ # ]

regex BlockedURLs "\.microsoft\.com|\.msn\.com|\.cnbc\.com"

access-list inside-traffic-filter extended deny tcp <filter-bypass-IPs> any eq www
access-list inside-traffic-filter extended permit tcp any any eq www

class-map type inspect http match-all BlockedDomainsClass
  match request header host regex BlockedURLs
  exit
class-map httptraffic
  match access-list inside-traffic-filter
  exit
!! Blocked hosts (class above) and CONNECT tunnelling are dropped and logged !!
policy-map type inspect http http_inspection_policy
  parameters
  class BlockedDomainsClass
    drop-connection log
  match request method connect
    drop-connection log

policy-map url-packet-filter
  class httptraffic
    inspect http http_inspection_policy
service-policy url-packet-filter interface <interface-to-apply-to>

Notes:

  • Untested
  • For 8.4(2)+, look into FQDN Network Objects if resources permit
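Because the regex above is unanchored it is matched anywhere in the Host header, so it is worth checking which hostnames it actually catches before relying on it. The script below is an added example, not part of the page's configuration; it uses Python's `re.search`, which like the ASA regex engine matches the pattern anywhere in the string, and the tighter anchored pattern plus the sample hostnames are assumptions constructed for the check.

```python
"""Audit the BlockedURLs host regex from the ASA policy above (added example)."""
import re

# Pattern exactly as in the policy; unanchored, so it matches as a substring.
BLOCKED_URLS = r"\.microsoft\.com|\.msn\.com|\.cnbc\.com"

# Assumed tighter form: apex or any subdomain, optional ':port', nothing after.
BLOCKED_URLS_ANCHORED = r"(^|\.)(microsoft|msn|cnbc)\.com(:[0-9]+)?$"


def host_blocked(host: str, pattern: str = BLOCKED_URLS) -> bool:
    """True when the inspection policy would drop a request for this Host header."""
    # Hostnames are case-insensitive, so compare that way.
    return re.search(pattern, host, re.IGNORECASE) is not None


def audit(hosts, pattern: str):
    """Map each sample host to whether the pattern blocks it."""
    return {h: host_blocked(h, pattern) for h in hosts}


# Constructed sample Host headers covering the cases that differ between patterns.
SAMPLE_HOSTS = [
    "www.microsoft.com",          # intended block
    "MSN.com",                    # apex with no leading dot: unanchored regex misses it
    "www.msn.com.example.test",   # different domain, blocked by substring match
    "notmicrosoft.com",           # no dot before 'microsoft': not blocked by either
    "www.cnbc.com:80",            # Host with explicit port
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(f"{host:28} page-regex={host_blocked(host)!s:5} "
              f"anchored={host_blocked(host, BLOCKED_URLS_ANCHORED)}")
```

The audit shows the page's pattern misses bare apex hosts and over-matches any hostname that merely contains one of the domains, which is the false-positive/false-negative trade-off to settle before a drop-connection policy goes live.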

[ # ]

config system global
 set hostname <hostname>
 end

config system dns
 set primary <ip>
 set secondary <ip>
 end

[ # ]

!! Snoop Filter - More basic capture
!! Enable
snoop filter ip src-ip <src IP> dst-ip <dest IP>
snoop
!! Disable
snoop off
snoop filter del

!! Flow Filter - Much more information on the packet flow
!! Enable
set ff src-ip <src IP> dst-ip <dest IP>
debug flow basic
!! Disable
undebug all
unset ff  !! Remove the flow filter

Notes:

  • Use 'get db st' to view the output
  • Use 'clear db' to clear the capture but keep it running

[ # ]

show system interface <optional:interface name>  !! View interface configuration (mode will be dhcp client or static)
show dhcp system server  !! View DHCP server information (if empty, it's disabled)
show router static  !! View Static Routes ("device" is the interface, if no "set dst" then it is the default route)
execute ping <ip>
execute traceroute <ip>
get system status  !! View version information

!! Packet Capture (additional commands needed if traffic is hardware accelerated)
diag sniffer packet <interface> 'src host <src-ip> and dst host <ip> and (port <port> or port <port>)' <verbosity_1-6> <count> a   !! count of 0 means continuous, 'a' means show actual timestamp of packet

Example:

diag sniffer packet internal 'src host 192.168.0.130 and dst host 192.168.0.1' 4 0 a

Notes:

  • To capture both directions of a flow, use 'host' instead of 'src host'/'dst host' in the filter, just like tcpdump

[ # ]

diag hardware sysinfo shm

Notes:

The following are possible results for 'conservemode'

  • 0 - Not in Conserve Mode
  • 1 - Conserve Mode
  • 2 - Kernel Conserve Mode


[ # ]

grep ruleorder /var/log/messages | awk -Fruleorder= '{print $2}' | sort | uniq -c | sort -nr | awk 'BEGIN {print "Rule\tHits";}{print $2,"\t",$1}'
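One caveat with the pipeline above: `awk -Fruleorder=` makes `$2` everything after `ruleorder=` to the end of the line, so if other fields follow the value the counts are keyed on the whole remainder rather than on the rule number. The following rule-hit histogram is an added example, not a tool from the page; it extracts only the numeric value with a regex. The log lines are constructed for the demonstration and are not real Proventia output.

```python
"""Rule-hit histogram over 'ruleorder=<n>' log lines (added example)."""
import re
from collections import Counter
from typing import Iterable, List, Tuple

RULEORDER_RE = re.compile(r"ruleorder=(\d+)")

# Constructed sample lines; only the 'ruleorder=<n>' token is parsed.
SAMPLE_LOG = """\
Jan 10 10:00:01 gw fw: action=drop ruleorder=12 src=10.0.0.5 dst=203.0.113.9
Jan 10 10:00:02 gw fw: action=accept ruleorder=3 src=10.0.0.7 dst=203.0.113.9
Jan 10 10:00:03 gw fw: action=drop ruleorder=12 src=10.0.0.5 dst=203.0.113.9
Jan 10 10:00:04 gw sshd: Accepted publickey for admin
Jan 10 10:00:05 gw fw: action=accept ruleorder=3 src=10.0.0.8 dst=198.51.100.2
Jan 10 10:00:06 gw fw: action=drop ruleorder=12 src=10.0.0.6 dst=198.51.100.2
Jan 10 10:00:07 gw fw: action=accept ruleorder=7 src=10.0.0.9 dst=198.51.100.2
"""


def rule_hits(lines: Iterable[str]) -> List[Tuple[int, int]]:
    """Return (rule, hits) pairs, most-hit first, like `sort | uniq -c | sort -nr`.

    Lines without a ruleorder= token (e.g. unrelated syslog) are skipped.
    """
    counts: Counter = Counter()
    for line in lines:
        m = RULEORDER_RE.search(line)
        if m:
            counts[int(m.group(1))] += 1
    # Ties broken by rule number so the output is deterministic.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def format_table(hits: List[Tuple[int, int]]) -> str:
    """Tab-separated table with the same 'Rule\\tHits' header as the awk pipeline."""
    rows = ["Rule\tHits"] + [f"{rule}\t{n}" for rule, n in hits]
    return "\n".join(rows)


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print(format_table(rule_hits(source)))
```

Run it with a log file path to process real data, or without arguments to see the histogram for the constructed sample; a rule that is hit far more than its neighbours is the usual starting point for reordering or tightening a policy.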

[ # ]

egrep "iss-(spa|fvmCfg)" /var/log/messages

[ # ]

egrep -o " version='.*' xml" /etc/crm/policies/cml/NetworkProtector/fwm/npfwm1_0.xml        !! Firewall/VPN
egrep -o " version='.*' xml" /etc/crm/policies/cml/NetworkProtector/ssls/npssls1_0.xml      !! SSL VPN
egrep -o " version='.*' xml" /etc/crm/policies/cml/NetworkObjects/networkobjects1_0.xml    !! Network Objects Version

[ # ]