10-10-2016 09:02 AM - edited 03-12-2019 06:09 AM
My question is pertaining to the flow of traffic with an ASA 5555X with the FirePower services module and a WCCP Redirect to a WSA appliance.
I would think that the traffic flow should occur such as:
Http traffic --> ASA --> FP IPS --> WCCP to WSA Proxy --> (Internet cloud)
In this manner the IPS could identify all the clients before traffic hits the WSA Proxy.
So, the question is, does the Service Policy on the ASA get processed prior to the WCCP Redirect? Is this configurable? Or does the ASA process the WCCP Redirect prior to the Service Policy directing traffic through the ASA?
Are there any guides that go into the details of this scenario?
Thanks,
David
10-10-2016 09:55 PM
The ASA processes the redirect to WSA appliance prior to any other steps in the path through the ASA - including service-policy that redirects through the sfr module.
Prior to FirePOWER 6.1, the module did not correctly parse and display the client address (and thus did not identify the name based on the configured identity source) due to the module not handling the X-Forwarded-For (XFF) header properly. 6.1 is supposed to have finally fixed that, although I haven't seen it working like that in person yet.
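The X-Forwarded-For problem described above is a general one for any sensor sitting behind a WCCP-redirected proxy: at layer 3 every redirected flow appears to come from the WSA, and the real client only survives in the header the proxy inserts. The following is an added illustration, not code from the thread or from any Cisco product, of how a log-enrichment step can attribute such events to the right client while refusing to trust an XFF header that did not arrive via a known proxy (a client can set that header itself). The proxy address, the event records and the function names are constructed placeholders.

```python
import ipaddress
from typing import Optional

# Constructed placeholder for the WSA's address as the sensor sees it
# (assumption: not an address from the original thread).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def parse_xff(header: str) -> list:
    """Split an X-Forwarded-For value into addresses, leftmost = origin client,
    rightmost = the proxy nearest to us. Raises ValueError on junk entries."""
    addrs = []
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        try:
            addrs.append(ipaddress.ip_address(part))
        except ValueError:
            raise ValueError(f"malformed X-Forwarded-For entry: {part!r}")
    return addrs


def is_trusted(addr) -> bool:
    """True if addr belongs to a proxy whose inserted headers we accept."""
    return any(addr in net for net in TRUSTED_PROXIES)


def real_client_ip(peer_ip: str, xff: Optional[str]) -> str:
    """Return the address a connection should be attributed to.

    peer_ip: the L3 source the sensor recorded (the WSA for redirected traffic).
    xff:     the X-Forwarded-For header value, or None if absent.

    The chain is walked from the right; trusted proxies are skipped and the
    first untrusted hop is the client. If the peer itself is not a trusted
    proxy the header is ignored entirely, since anything could have set it.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not xff or not is_trusted(peer):
        return str(peer)
    chain = parse_xff(xff) + [peer]
    for hop in reversed(chain):
        if not is_trusted(hop):
            return str(hop)
    # Every hop was one of our own proxies; fall back to the peer.
    return str(peer)


# Constructed sample events (not from the thread) in the shape a sensor log
# might have: the recorded source, the XFF header seen, and the URL.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "xff": "192.168.20.17", "url": "http://example.com/"},
    {"src": "10.0.0.5", "xff": "192.168.20.18, 10.0.0.5", "url": "http://example.org/"},
    # Direct (non-redirected) client that set its own XFF header: ignored.
    {"src": "192.168.20.19", "xff": "203.0.113.9", "url": "http://example.net/"},
    # Proxy did not insert a header: nothing better than the proxy address.
    {"src": "10.0.0.5", "xff": None, "url": "http://example.com/x"},
]


def attribute_events(events) -> list:
    """Map each event to (attributed client address, url)."""
    return [(real_client_ip(e["src"], e["xff"]), e["url"]) for e in events]


if __name__ == "__main__":
    for client, url in attribute_events(SAMPLE_EVENTS):
        print(f"{client:16} {url}")
```

The trusted-proxy check is the point of the example: identity-based policy is only as good as the attribution behind it, so a sensor that honours XFF from any source would let a host rewrite who it appears to be.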
10-11-2016 06:37 AM
Hey Marvin,
Yes, I was reading the Cisco ASA WCCP Traffic Redirection Guide. It describes the flow well. I'm curious as to Cisco's plans for incorporating their Web Security Appliance into the whole ASA/Firepower configuration. I'm not sure this has been addressed ideally. There appears to be some overlap between WSA and FP, although I think the WSA is better suited for filtering web traffic in general. We definitely want the FP to profile all our client machines, so we really would prefer to see the traffic up front. This is a sticky situation to be in.
Thanks,
David
10-11-2016 01:27 PM
David,
There are no plans to integrate WSA into ASA/FirePOWER or FTD. Each has strengths and addresses customers with differing requirements.
WSA as you know offers deep customization and rich reporting or web filtering. It is limited to http/80 and https/443 though. FirePOWER is an easy solution if you are using it for NGIPS and/or Malware protection already. It lacks some of the reporting capabilities of WSA (although FMC can be customized quite heavily if you dig deep).
There's also OpenDNS to consider if its capabilities are appealing to you.
10-11-2016 01:27 PM
You know, I just recently attended training for the Firepower product, but we didn't go much into the URL filtering other than creating a custom URL object. It appears that we can accomplish pretty much the same service that WSA offers using an Access Policy involving Realms/Users/Network Objects/URL Categories inside the IPS. Then have a Malware and File policy to protect downloads. Throw in an SSL Decryption policy and all your bases are covered. It appears the Acceptable Use Controls can even be covered using HTTP Responses for a given Access Policy. Very nice...
07-05-2019 04:52 AM
@Andy Yuan1993 - let's address the question in your new thread.