
ASA 5555X with FirePower Module and URL Redirect to WSA

David Parker
Level 1

My question is pertaining to the flow of traffic with an ASA 5555X with the FirePower services module and a WCCP Redirect to a WSA appliance. 

I would think that the traffic flow should occur such as:

Http traffic --> ASA --> FP IPS --> WCCP to WSA Proxy --> (Internet cloud)

In this manner the IPS could identify all the clients before traffic hits the WSA Proxy.

So, the question is, does the Service Policy on the ASA get processed prior to the WCCP Redirect? Is this configurable? Or does the ASA process the WCCP Redirect prior to the Service Policy directing traffic through the ASA?

Are there any guides that go into the details of this scenario?

Thanks,

David

1 Accepted Solution


David,

There are no plans to integrate WSA into ASA/FirePOWER or FTD. Each has strengths and addresses customers with differing requirements.

WSA as you know offers deep customization and rich reporting or web filtering. It is limited to http/80 and https/443 though. FirePOWER is an easy solution if you are using it for NGIPS and/or Malware protection already. It lacks some of the reporting capabilities of WSA (although FMC can be customized quite heavily if you dig deep). 

There's also OpenDNS to consider if its capabilities are appealing to you.


Marvin Rhoads
Hall of Fame

The ASA processes the redirect to WSA appliance prior to any other steps in the path through the ASA - including service-policy that redirects through the sfr module.

Prior to FirePOWER 6.1, the module did not correctly parse and display the client address (and thus not identify the name based on the configured identity source) due to the module not handling the X-Forwarded-For (XFF) header properly. 6.1 is supposed to have finally fixed that, although I haven't seen it working in person yet.

Hey Marvin,

Yes, I was reading the Cisco ASA WCCP Traffic Redirection Guide. It describes the flow well. I'm curious as to Cisco's plans for incorporating their Web Security Appliance into the whole ASA/Firepower configuration. I'm not sure this has been addressed ideally. There appears to be some overlap between WSA and FP, although I think the WSA is better suited for filtering web traffic in general. We definitely want the FP to profile all our client machines so we really would prefer to see the traffic up front. This is a sticky situation to be in.

Thanks,
David

You know, I just recently attended training for the Firepower product, but we didn't go much into the URL filtering other than creating a custom URL object. It appears that we can accomplish pretty much the same service that WSA offers using an Access Policy involving Realms/Users/Network Objects/URL Categories inside the IPS. Then have a Malware and File policy to protect downloads. Throw in an SSL Decryption policy and all your bases are covered. It appears the Acceptable Use Controls can even be covered using HTTP Responses for a given Access Policy. Very nice...

Hi Marvin

According to your description, could you please tell me whether, after FirePOWER 6.1, the connection events show the user's real address rather than the address of the P port?

When I look in FirePOWER to locate the user's real address, the source addresses are all the WSA P port.
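
The symptom discussed in this thread (events attributed to the WSA P port instead of the client) is what any log consumer sees behind a proxy unless it reads X-Forwarded-For. The following is an added example, not code from the thread and not FirePOWER's implementation: it shows how an attribution script can recover the client address from XFF while honouring the header only when the packet source is the proxy. It assumes the WSA is configured to insert XFF; the proxy address `192.0.2.10`, the function names and the sample events are constructed.

```python
import ipaddress

# Constructed value (documentation range): hypothetical WSA P-port address.
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}

def original_client(src_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address a connection event should be attributed to.

    XFF is honoured only when the packet source is a trusted proxy;
    otherwise any client could forge the header to hide or impersonate.
    """
    src = ipaddress.ip_address(src_ip)
    if src not in trusted or not xff_header:
        return str(src)
    hops = []
    # XFF is a comma-separated list; each proxy appends the peer it saw.
    for token in xff_header.split(","):
        try:
            hops.append(ipaddress.ip_address(token.strip()))
        except ValueError:
            return str(src)  # malformed header: fall back to the proxy address
    # Walk right to left: the rightmost non-proxy entry was written by our
    # own proxy. Entries to its left were supplied by the client itself.
    for hop in reversed(hops):
        if hop not in trusted:
            return str(hop)
    return str(src)

# Constructed sample events: (packet source address, XFF header value or None).
EVENTS = [
    ("192.0.2.10", "10.1.20.34"),               # proxied, XFF inserted
    ("192.0.2.10", None),                        # proxied, XFF not inserted
    ("10.1.20.99", "10.1.20.34"),               # direct client forging XFF
    ("192.0.2.10", "203.0.113.7, 10.1.20.34"),  # client pre-seeded a fake entry
    ("192.0.2.10", "not-an-ip"),                 # malformed header
]

def resolve_all(events):
    return [original_client(src, xff) for src, xff in events]

if __name__ == "__main__":
    for (src, xff), client in zip(EVENTS, resolve_all(EVENTS)):
        print(f"src={src:<12} xff={xff!s:<26} -> {client}")
```

The second event is the case described above: without XFF from the proxy, the P-port address is all that can be reported.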