FIREPOWER and remote users

aaron.catt1
Community Member

Hi guys,

We are currently looking into replacing our ASA 5510 with a 5512 with FIREPOWER services. My question is, how do you guys filter/monitor web traffic from remote users? Do you have to use the AnyConnect client with Always-On VPN?

Many thanks in advance,

Aaron

1 Accepted Solution

Accepted Solutions

It all depends on what you want to achieve. The first question that you have to think about is: Are your clients allowed to surf the web without additional protection?

If you answer this question with no:

  • Using AnyConnect with Always-On, as you mention, is one way.
  • You could also use CWS (Cisco Cloud Web Security) with AnyConnect on your clients. This could be a good solution if you have other branches or many remote users and you don't want to send all your web traffic through the central internet connection. In this case you don't need the URL license on the ASA, as your internal traffic can also be sent through CWS.

If you answer the above question with yes:

  • Configure the VPN connection to use an internal proxy server. The proxy traffic can be protected by FirePOWER.
  • Configure the VPN without split tunneling so that all client traffic flows through your ASA.
--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
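As an added illustration that is not part of the original answer, here is what the second group of options looks like in ASA configuration: a split-tunnel group policy, under which remote users' web traffic leaves the client directly and never reaches FirePOWER, beside the corrected tunnel-all policy that pushes an internal proxy to the client, followed by the hairpin NAT and the service policy that actually sends the traffic to the FirePOWER (sfr) module. All names, addresses and the pool are assumed placeholders.

```cisco
! Added example, not from the original post. Names/addresses are assumed.

! --- Weak: split tunneling. Only 10.0.0.0/8 enters the tunnel, so remote
!     users' internet traffic bypasses the ASA and FirePOWER entirely.
access-list SPLIT-NETS standard permit 10.0.0.0 255.0.0.0
group-policy RA-SPLIT internal
group-policy RA-SPLIT attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-NETS

! --- Corrected: tunnel everything and push the internal proxy
!     (assumed 10.1.1.10:3128) to the client, so web traffic is
!     both forced through the ASA and visible to the proxy.
group-policy RA-FULL internal
group-policy RA-FULL attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 msie-proxy server value 10.1.1.10:3128
 msie-proxy method use-server

ip local pool RA-POOL 10.9.9.1-10.9.9.254 mask 255.255.255.0
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool RA-POOL
 default-group-policy RA-FULL

! With tunnelall, client internet traffic arrives on and leaves from the
! outside interface, so hairpinning must be allowed and the pool NATed.
same-security-traffic permit intra-interface
object network RA-POOL-NET
 subnet 10.9.9.0 255.255.255.0
 nat (outside,outside) dynamic interface

! Redirect traffic to the FirePOWER module; fail-open keeps traffic
! flowing if the module is down (use fail-close if inspection is mandatory).
class-map SFR-ALL
 match any
policy-map global_policy
 class SFR-ALL
  sfr fail-open
service-policy global_policy global
```

Verify the result from a connected client with `show vpn-sessiondb anyconnect` (the session should show the RA-FULL group policy) and `show service-policy sfr`, whose counters should increase as the client browses.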
