topic FMC Web traffic from WSA in Network Security

FMC Web traffic from WSA

michaellperrin — Tue, 12 Mar 2019 08:22:58 GMT

As expected all of my web traffic in FMC is sourced from our WSA ip address.

Is there anyway for FMC to get the actual internal IP of the user?

Yes - if you run FirePOWER 6

Marvin Rhoads — Wed, 12 Oct 2016 17:22:05 GMT

Yes - if you run FirePOWER 6.1 it now correctly extracts the XFF (X-Forwarded-For) field from the WSA to show you the end user address and name.

I enabled the XFF on the WSA

michaellperrin — Wed, 12 Oct 2016 17:22:06 GMT

I enabled the XFF on the WSA under the security services -> Advanced settings - > Generate Headers - X-Forward For- SEND

but I'm still only seeing the proxy IP as source in FMC.

Do I have to enable something on the FMC?

Yes - you check that you have

Marvin Rhoads — Wed, 12 Oct 2016 18:50:20 GMT

Yes - you check that you have it set in the Network Analysis Policy that you are using.

http://www.cisco.com/c/en/us/td/docs/security/firepower/610/asa-fp-services/asa-with-firepower-services-local-management-configuration-guide-v610/NAP-Getting-Started.html

Look for the necessary setting as shown below:

Got the NAP all configured

michaellperrin — Fri, 14 Oct 2016 18:27:12 GMT

Got the NAP all configured but still just showing the WSA address as the source.

Have a case opened with TAC to see why.

OK - please let us know how

Marvin Rhoads — Sat, 15 Oct 2016 05:03:27 GMT

OK - please let us know how it turns out. I haven't had one of that use case to try out since they updated that feature.

Got it working.

michaellperrin — Fri, 04 Nov 2016 19:18:26 GMT

Got it working.

I thought it would change the Initiator IP but it populates it into "original client" column.

The downside is on the table view for malware and file events the "original client" column isn't an option.

Also as expected only works for HTTP traffic.

I love using the WSA but this makes firepower useless. The only option I see is to offload SSL to something like F5 or A10 and do URL on the Firepower.

Was able to get a full

michaellperrin — Wed, 23 Nov 2016 17:33:45 GMT

Was able to get a full working solution in my lab.

The answer was to enable IP Spoofing on the WSA.

This did cause some issues for our environment because we do our WCCP on the ASA's. This feature isn't supported on the ASA because you need create a second WCCP for the return traffic to the WSA.

The answer was to move the WCCP to our switch that supports WCCP which also supports the return traffic redirection.

Now all web traffic in FMC shows the Initiator IP as the original client IP for both HTTP and HTTPS.

Re: Was able to get a full

zohair.masood — Mon, 29 Jul 2019 08:54:45 GMT

Hi,

i have read your post and it's amazing and helpful.

What i have understood up till now that i need to enable x-forwarded-for at Cisco WSA and should i also enable IP Spoofing at Cisco WSA or it is okay that i can get Client IP of http and https traffic by only enabling x-forwarded-for at Cisco WSA ??

kindly help me out. please