https://community.cisco.com/t5/network-security/http-https-ftp-proxy-with-firepower/m-p/3093230#M1005898 <P>Hi Johnny,</P> <P></P> <P>Looks pretty much fine to me. Have fine connectivity to ASA then redirect the traffic towards SFR module as per this article:&nbsp;http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html&nbsp;</P> <P></P> <P>NOTE: Please make sure you configure rules and policies on SFR before you put the traffic redirection from ASA to SFR.</P> <P></P> <P>Best practices: Redirect one or two TEST Machine's traffic towards SFR and verify if traffic is hitting correct rules and everything is working okay. Also, it is good to put the device in SFR fail-open monitor-only mode for a day or two and analyse the traffic &nbsp;and behaviour (Kind of IDS mode, it won't drop&nbsp;actual packets).</P> <P></P> <P>Hope this helps.</P> <P>Regards,</P> <P>Dv</P> Tue, 25 Jul 2017 10:11:55 GMT Dinesh Verma 2017-07-25T10:11:55Z https://community.cisco.com/t5/network-security/http-https-ftp-proxy-with-firepower/m-p/3093228#M1005896 <P>Hi,</P> <P>my costumer wants to dismiss his old proxy server and use ASA5506 with firepower to achieve the same result.</P> <P>ASA5506 is fully firepower licensed (CTRL, IPS, URL, AMP) and managed by Firepower virtual Center.</P> <P>Which is the best way to do this?</P> <P></P> <P>(I was thinking about deleting proxy address from users' browsers, create a policy on my asa that let everybody access internet in a free way and then configure rules on firepower to filter internet access based on LDAP group) but I don't know if it's the right way.</P> <P></P> <P>Thanks</P> <P>Johnny</P> <P></P> Tue, 12 Mar 2019 13:28:11 GMT https://community.cisco.com/t5/network-security/http-https-ftp-proxy-with-firepower/m-p/3093228#M1005896 l.buschi 2019-03-12T13:28:11Z https://community.cisco.com/t5/network-security/http-https-ftp-proxy-with-firepower/m-p/3093229#M1005897 <P>Hello Johnny</P> <P>You can integrate the ASA with Firepower using the following instructions.</P> <P>http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html</P> <P>Once its integrated you can create the User based policies in Firepower and you can use Active or Passive Authentication. You can also. create the rules based on the LDAP groups.</P> <P>If you wish to use Sourcefire User agent then refer to the following link.</P> <P>http://www.cisco.com/c/en/us/td/docs/security/firesight/user-agent/23/config-guide/Firepower-User-Agent-Configuration-Guide-v2-3.html</P> <P>http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Identity_Policies_and_Realms.html</P> <P>Rate if this answer helps.</P> <P>Regards</P> <P>Jetsy&nbsp;</P> <P></P> Tue, 25 Jul 2017 09:58:30 GMT https://community.cisco.com/t5/network-security/http-https-ftp-proxy-with-firepower/m-p/3093229#M1005897 Jetsy Mathew 2017-07-25T09:58:30Z https://community.cisco.com/t5/network-security/http-https-ftp-proxy-with-firepower/m-p/3093230#M1005898 <P>Hi Johnny,</P> <P></P> <P>Looks pretty much fine to me. Have fine connectivity to ASA then redirect the traffic towards SFR module as per this article:&nbsp;http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html&nbsp;</P> <P></P> <P>NOTE: Please make sure you configure rules and policies on SFR before you put the traffic redirection from ASA to SFR.</P> <P></P> <P>Best practices: Redirect one or two TEST Machine's traffic towards SFR and verify if traffic is hitting correct rules and everything is working okay. Also, it is good to put the device in SFR fail-open monitor-only mode for a day or two and analyse the traffic &nbsp;and behaviour (Kind of IDS mode, it won't drop&nbsp;actual packets).</P> <P></P> <P>Hope this helps.</P> <P>Regards,</P> <P>Dv</P> Tue, 25 Jul 2017 10:11:55 GMT https://community.cisco.com/t5/network-security/http-https-ftp-proxy-with-firepower/m-p/3093230#M1005898 Dinesh Verma 2017-07-25T10:11:55Z https://community.cisco.com/t5/network-security/http-https-ftp-proxy-with-firepower/m-p/3093231#M1005900 <P>Many TKS,</P> <P>which do you think is the best solution?</P> <P>Active, passive or rule based on Group on LDAP?</P> <P>The less hard solution.</P> <P>My costumer would like to reach the following goal:</P> <P>admin users can surf free internet</P> <P>normal users can surf filtrated internet</P> <P>banned user cannot surf the internet.</P> <P></P> <P></P> Tue, 25 Jul 2017 10:52:42 GMT https://community.cisco.com/t5/network-security/http-https-ftp-proxy-with-firepower/m-p/3093231#M1005900 l.buschi 2017-07-25T10:52:42Z https://community.cisco.com/t5/network-security/http-https-ftp-proxy-with-firepower/m-p/3093232#M1005902 <P>Hello&nbsp;<A href="https://supportforums.cisco.com/users/lbuschi" title="View user profile." class="username" lang="" about="/users/lbuschi" typeof="sioc:UserAccount" property="foaf:name" datatype="">l.buschi</A>,</P> <P></P> <P>Its purely based on what customer requires. You can &nbsp;use &nbsp;Sourcefire User agent and then go ahead with the User based or group based policies and then you achieve the requirement .</P> <P>Please refer the configuration guide that I have mentioned in the previous update.</P> <P>Also try to use the latest software version available in the Firepower as well.</P> <P>Regards</P> <P>Jetsy&nbsp;</P> <P></P> Tue, 25 Jul 2017 10:59:13 GMT https://community.cisco.com/t5/network-security/http-https-ftp-proxy-with-firepower/m-p/3093232#M1005902 Jetsy Mathew 2017-07-25T10:59:13Z