topic Re: WSA and ASA with firepower,This is a problem about firepower event! in Network Security

WSA and ASA with firepower,This is a problem about firepower event!

Andy Yuan1993 — Fri, 05 Jul 2019 08:01:41 GMT

Hi everyone

My company using WSA and ASA with firepower, flow under the action of WCCP, be ASA redirect to the WSA, when the user's endpoint access to the Internet, I view the event on firepower, found that the source address is the address of the P port in the WSA, is this why?

Re: WSA and ASA with firepower,This is a problem about firepower event!

Marvin Rhoads — Fri, 05 Jul 2019 12:02:45 GMT

There is a column you can optionally display in connection events as follows:

Original Client IP
The original IP address of the client that initiated an HTTP connection. This address is derived from the
X-Forwarded-For (XFF) or True-Client-IP HTTP header fields or their equivalent.

To see it, go into Analysis > Connection Events > Table view of Connection Events. Click on the X of any column header and select that new field (non-default) from the "disabled columns" section of the list and then apply.

I'm not positive when the field was added - I know it is there in 6.3+ but not sure about older releases.

Re: WSA and ASA with firepower,This is a problem about firepower event!

Andy Yuan1993 — Mon, 08 Jul 2019 01:54:05 GMT

Hi Marvin

I am glad to receive your reply.

My firepower version is v5.4.0.

I can not find the "Original Client IP" Option in the Table view of Connection Events. Will this be an option in version 6.3?

Do I need any configuration on ASA to implement XFF?

Re: WSA and ASA with firepower,This is a problem about firepower event!

Marvin Rhoads — Mon, 08 Jul 2019 09:08:29 GMT

Your Firepower service module release 5.4.0 is quite old. In fact, it's the initial release on that platform. Think of it as more like 1.0. You should keep up to date on releases (current 6.4 is the latest major release).

The XFF feature was introduced later - 6.0 if I recall correctly. See the following thread for some more details:

https://community.cisco.com/t5/firepower/asa-firepower-and-proxy/td-p/2611587

Re: WSA and ASA with firepower,This is a problem about firepower event!

shgrover — Mon, 08 Jul 2019 14:44:34 GMT

This is expected behaviour as the WSA makes a new connection to the origin server on behalf of the client and hence you would see wsa's p interface on the upstream( p1 /P2 depending on your deployment). IP spoofing is by default disabled on the wsa.

XFF headers need to be enabled as well on the wsa if you want to see the client IP. Please dont make any changes without understanding the effect of these changes . If you decide to go for IP spoofing , you would need to make changes to other devices on the upstream. You can always open a case with us and we can analyse your network design and guide you accordingly before you make any changes and you can take a call on how you would like to route your traffic.

Regards
Shikha Grover