We currently use a piece of proxy software centrally in our datacentre and are looking to replace this by deploying a 5506 with firepower services utilising IPS,AMP and URL licensing.
We have multiple sites all linked up using Site to Site VPN's from remote site firewall to central datacentre firewall. Currently via remote site DHCP we push out a WPAD file to all endpoint PC's that says go to "this central IP" to go the internet. This is the IP address of our proxy server. So all users web traffic goes out over the site to site VPN, out to the internet centrally at the DC.
I'm wondering how this would work if we were to deploy firepower url filtering as our proxy. Could we use this same model of using a wpad file with a ip address of where the proxy is, does firepower have its own ip address that it would accept and filter traffic in this way.
I know that we could edit the wpad file and the remote firewall would route the web traffic but does firepower have its own IP address that would accept the traffic from a remote site in this way.
As in theory the traffic would be coming into the ASA's outside interface, being passed to firepower and then being sent back out the outside interface over the vpn.
Thanks in advance
Firepower in essence is a transparent solution that is in-line with the traffic flows through the ASA FW. It doesn't behave like a forward proxy. A forward proxy needs to be explicitly configured on the client, either through manual configuration or automatic configuration using dhcp or wpad. Whilst firepower is completely transparent to the users. The IP address on the firepower module is exclusively used for management of the firepower module. Management can be done standalone from ASDM or centrally through FireSIGHT or CSM.
So as long as you're able to route the user traffic through the ASA firewall, firepower will be able to inspect it and block anything you don't want to allow through...
Hopefully that answers your question.