topic Hi again Marius, thanks for in Network Security

FireSight: How to identify source device through a proxy server.

doylepaul — Tue, 12 Mar 2019 07:39:27 GMT

Hi, I was just wondering how you would be able to identify the source IP addresses of devices on your corporate LAN if all http traffic is going through an internal proxy server?

I have been running network discovery for over a week now and would like to start running some policies. But when I look under analysis, all I see is the source address of my proxy server!

Many thanks.

You would need to either move

Marius Gunnerud — Fri, 22 Apr 2016 08:23:52 GMT

You would need to either move the SourceFire appliance / ASA /w FirePower to be between the proxy server and your users or remove the Proxy server all together.

Please remember to select a correct answer and rate helpful posts

Thanks Marius, I appreciate

doylepaul — Fri, 22 Apr 2016 09:04:51 GMT

Thanks Marius, I appreciate your help 🙂

So basically, I need to move the ASA/Firepower to 'intercept' the http requests before they hit the proxy!

Thanks again.

Correct

Marius Gunnerud — Fri, 22 Apr 2016 09:19:02 GMT

Correct

Please remember to select a correct answer and rate helpful posts

Hi again Marius, thanks for

doylepaul — Mon, 25 Apr 2016 13:44:55 GMT

Hi again Marius, thanks for your previous replies I really appreciate it! though I do have one more question 😉

I guess the best solution in this particular scenario would be to put the Proxy in the DMZ, then the service policy on the ASA should match and send these requests through to the FirePower module and onto FireSight for analysis. If FireSight decides to block the traffic or sees an IOC then this would show up as the actual source address of the host PC on the LAN rather than the proxy.

I have just noticed a couple of IOC's since removing the network discovery policy this morning and I have no idea what machine is compromised as they all reference the IP address of the proxy server 🙂

Thanks again!

Yes that would be a good

Marius Gunnerud — Mon, 25 Apr 2016 13:57:02 GMT

Yes that would be a good solution. Just keep in mind that unless you exempt the proxy server from being sent to sourcefire traffic will be inspected twice. Or perhaps that is what you want, though it might be overkill.

Please remember to select a correct answer and rate helpful posts

Oh yeah !!! you mean on the

doylepaul — Mon, 25 Apr 2016 14:39:19 GMT

Oh yeah !!! you mean on the way back! Hadn't thought of that!

The way the network is setup, this is the only way we would be able to resolve this issue.

Thanks again mate, really appreciate your help!

Cheers.