topic Re: Proxy server behind firepower in Network Security

Proxy server behind firepower

Roy Lee — Fri, 29 Oct 2021 08:39:04 GMT

Hi All,

We have implemented a 1 leg proxy appliance inside LAN and NATed by firepower and then a PacketShaper bandwidth controller then to Internet. The internet bandwidth is 50Mbps.

Strange thing is when download files from some specific website like wetransfer / citrix file share, the download speed will be under 100Kbps.

While download from some other website like Microsoft download / Google drive / One drive, the download speed is at least 10Mbps.

Maybe it also affect some web browsing but not noticeable.

I tried to change the proxy applicant internal IP and also the NATed public IP, no luck.

I setup a software proxy (ccproxy, squid) using the same internal IP and NATed public IP of the appliance, working very good.

I changed the proxy appliance to go via another old ASA, it works fine!

So the problem should be related to firepower or the bandwidth controller.

I will try to take out Packetshaper bandwidth controller to test later, but want to know if any hints on firepower.

I didn't apply Qos or File inspection on the ACL of firepower related to the proxy appliance.

Is there steps/area in firepower that I can identify the problem and fix?

Thanks.

Re: Proxy server behind firepower

balaji.bandi — Fri, 29 Oct 2021 08:57:18 GMT

Do you have any Firepower IPS Policies enabled ?

what model of FTD and what code running ?

Re: Proxy server behind firepower

Roy Lee — Fri, 29 Oct 2021 09:13:24 GMT

Hi @balaji.bandi , I do have 1 Intrusion Policy but not applied to the Access Rules related to the proxy appliance.

I am using FirePower 2100 with FTD version 6.2.3.1

Re: Proxy server behind firepower

Roy Lee — Mon, 01 Nov 2021 02:16:54 GMT

Anybody have idea?

Re: Proxy server behind firepower

balaji.bandi — Mon, 01 Nov 2021 07:43:24 GMT

Might have missed it here, what is the status if there is no proxy if you go directly (without proxy). does the Firepower serve the bandwidth as expected? (or with or without proxy same status ?

Re: Proxy server behind firepower

Roy Lee — Mon, 01 Nov 2021 08:16:20 GMT

I use a windows without proxy is okay.

Strange is the proxy server is actual build on linux (no sure which brand), if download inside the linux level (wget), the speed also slow. I have no other linux box on hand, but I think it will be also slow when download from the specific websites.

Re: Proxy server behind firepower

balaji.bandi — Mon, 01 Nov 2021 09:36:37 GMT

So here is our findings :

1. Firepower without proxy works fine

2. Firepower with proxy not working as expected.

Do you have any high-level diagram of how this is connected?

In most cases, Linux based is Squid (mostly used, so you mentioned single interface doing in and out traffic)

Try adding one ACL Top of all ACL allow any for the Proxy IP and test it. ( at the same time capture the logs on Firepower also beneficial, if not it is hard to find the issue)