06-16-2017 04:31 PM - edited 03-12-2019 06:25 AM
In version 6.x, can we use Firepower as a proxy for clients?!
06-17-2017 05:15 AM
I see what you're asking.
In this case the answer is "no". A FirePOWER module (or dedicated FirePOWER appliance) cannot act as a proxy in the way you are asking.
In the case of a FirePOWER service module it only inspects traffic redirected to it via the service policy in the parent ASA. It can then intercept that traffic and enforce policy. Otherwise, the end user system has no interaction with it.
If your routing directs the outgoing traffic via your ASA with FirePOWER service module then it can inspect and control user traffic consistent with the configured policy. If the network routing does not steer the traffic via the ASA then the end user cannot override that.
You can implement a proxy the way you are asking using the Cisco Web Security Appliance (WSA). That's one of its primary modes of operation.
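As an added illustration of the redirection described above (this is example configuration, not something posted in this thread): on an ASA, traffic only reaches the FirePOWER (SFR) module when a service policy hands it over. Nothing on the ASA or the module listens for browser proxy connections, so there is no proxy port to point a client at. The class-map name `sfr-class` is assumed; `global_policy` is the ASA's default policy-map name.

```text
! Added example: ASA service policy redirecting traffic to the FirePOWER (SFR) module.
! "sfr-class" is an assumed name; "match any" could instead be "match access-list <acl>"
! to redirect only selected traffic.
class-map sfr-class
 match any
!
policy-map global_policy
 class sfr-class
  sfr fail-open
!
service-policy global_policy global
```

With `sfr fail-open`, traffic keeps flowing if the module is down or unresponsive; `sfr fail-close` drops it instead. Either way, only flows that the ASA forwards and that match this class are inspected, which is why a host routed around the ASA cannot be made to use the module simply by entering its address as a proxy.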
06-17-2017 04:49 AM
You can force client authentication via a captive portal.
It's pretty basic but it does work.
Reference:
http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/200329-Configure-Active-Directory-Integration-w.html
Is that what you're looking for?
06-17-2017 05:04 AM
Hello Marvin,
If the users' gateway is the ASA, and the ASA has Firepower, then traffic will be redirected to the sensor to check URLs and applications according to the configured policy.
But if the gateway is not the ASA, can we open the browser and enter the IP address of the sensor or ASA? Can this work, and which port can we use? Is there a port the sensor listens on for it, or does it not work like that, and only traffic that reaches the ASA is redirected to the sensor?
I have a branch whose users cannot reach the internet directly, but when they set the TMG IP address as a proxy it works, as they go through TMG. What if we need those users to go through the ASA, not TMG?
Can we add a route that routes internet traffic to the ASA?
And why can't we enter the ASA or sensor IP in the browser as a proxy? Because it will not listen for that traffic?!
Please clarify this point: what is the difference if I put the IP in the browser as a proxy or set the users' gateway to it, when the IP is the ASA?
Thanks.
06-17-2017 05:24 AM
Clear answer.
Thanks Marvin.