Can ISE and Firepower work as an intelligent cut-through proxy?

Hi

We need to grant internet access to our jump stations, but only to limited sites.

The ideal way would be if the user could open a browser session, get redirected to ISE, enter the URL, ISE would add this URL or IP address to Firepower or the ASA, and then the site could be accessed.

Today we are using the cut-through proxy on the ASA: users access a site, get prompted for username and password, and then have access to everything. We would like to have the user add ACEs to the "Jumpstation_internet_access" ACL. Then, at a fixed frequency, our security team could audit the ACL.

If someone has a different solution, I'll be glad to hear it. Perhaps there is a more suitable way to deliver a reasonable experience for the users without compromising security.

3 Replies

Timothy Abbott
Cisco Employee

The only way I could see this working is by using active or passive authentication and then sharing the identity over pxGrid to FMC. If you don't have ISE deployed to perform active authentication (RADIUS) to learn the user identity, then you might consider using Passive ID, especially if you are using a Windows-based jump box. ISE can learn the user ID and IP address passively from the AD logon and then share that information over pxGrid to FMC, where policy can be applied.

Regards,
-Tim

howon
Cisco Employee
Accepted Solution

It sounds like you want a workflow to add a URL/IP to an ACE. I can't say for Firepower, but it is certainly not a native function of ISE. Have you looked at WSA? ISE could move users to a VLAN where users are forced to go through WSA, and WSA can look up users that ISE can share. But, since WSA deals with URLs, they may have a feature for such a workflow.

It might be that I'm shooting over the edge with an ISE/FP solution, trying to solve a relatively easy problem with a lot of moving parts. I'll try with the ASA cut-through proxy again and see if I'm able to optimize it somehow.

Thanks for your suggestions!