03-09-2020 08:32 PM
I have a Firepower 8k series appliance that is tied together with ISE pxGrid. Currently, the FP is set up with 2 ports inline on the outside of the firewall (ASA). I have a SPAN on the inside of the firewall that sends traffic to another port on the FP acting as an IDS. Using passive identity with no SGTs.
I can see the identity info when traffic is seen inside, but once it goes out the firewall it is lost. Is there a way to preserve that data, or should I plan to bring the IPS inside the firewall?
03-10-2020 07:30 AM
The identity integration associates a given username with the IP address of the endpoint where that user was authenticated. If the outside traffic has been NATted, you lose that association information.
You can only see the end-to-end flow using something like StealthWatch, which can stitch together flows from records originating from an ASA or FTD firewall using the NSEL type of NetFlow records, which include the NAT translation information.
Otherwise, yes - you would need to have the IPS inside. That is the recommended placement for IPSs (generally speaking) when they are distinct from the firewall.
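To make the answer above concrete, here is an added example of the stitching idea, written for this thread and not Cisco, Firepower or StealthWatch code. It assumes a passive-identity table keyed by inside IP and NSEL-style NAT records carrying both the pre-NAT and post-NAT source address and port; the field names, addresses, ports, usernames and signature names are all constructed. With PAT, two inside hosts share one outside address, so an IPS outside the firewall cannot recover the user from the source IP alone; the translation record keyed on the full post-NAT 4-tuple is what restores the association.

```python
# Added example (not Cisco, Firepower or StealthWatch code): stitch outside-facing
# IPS events back to an inside host and username using NSEL-style NAT records.
# All addresses, ports, users and signature names below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# What passive identity (pxGrid session data) gives you: inside IP -> username.
IDENTITY_MAP: Dict[str, str] = {
    "10.1.1.25": "alice",
    "10.1.1.40": "bob",
}


@dataclass(frozen=True)
class NselRecord:
    """Subset of the fields an NSEL NAT-create event carries (field names are our own)."""
    src_ip: str          # pre-NAT (inside) source address
    src_port: int
    xlate_src_ip: str    # post-NAT source address as seen outside the firewall
    xlate_src_port: int
    dst_ip: str
    dst_port: int


# Constructed translation records; both hosts share one outside IP (PAT),
# so the outside address alone cannot identify the user.
NSEL_RECORDS: List[NselRecord] = [
    NselRecord("10.1.1.25", 51234, "203.0.113.5", 40001, "198.51.100.10", 443),
    NselRecord("10.1.1.40", 51500, "203.0.113.5", 40002, "198.51.100.10", 443),
]

# Constructed events from an IPS outside the firewall: only the post-NAT tuple is visible.
OUTSIDE_EVENTS: List[Dict] = [
    {"src_ip": "203.0.113.5", "src_port": 40001, "dst_ip": "198.51.100.10", "dst_port": 443, "sig": "EXAMPLE-SIG-1"},
    {"src_ip": "203.0.113.5", "src_port": 40002, "dst_ip": "198.51.100.10", "dst_port": 443, "sig": "EXAMPLE-SIG-2"},
    {"src_ip": "203.0.113.5", "src_port": 40099, "dst_ip": "198.51.100.10", "dst_port": 443, "sig": "EXAMPLE-SIG-3"},
]

XlateKey = Tuple[str, int, str, int]


def build_xlate_index(records: List[NselRecord]) -> Dict[XlateKey, str]:
    """Index post-NAT (src ip, src port, dst ip, dst port) -> pre-NAT inside IP."""
    index: Dict[XlateKey, str] = {}
    for r in records:
        index[(r.xlate_src_ip, r.xlate_src_port, r.dst_ip, r.dst_port)] = r.src_ip
    return index


def resolve_inside_ip(event: Dict, xlate_index: Dict[XlateKey, str]) -> Optional[str]:
    """Map an outside event back to the inside host via its translation record, if one exists."""
    key = (event["src_ip"], event["src_port"], event["dst_ip"], event["dst_port"])
    return xlate_index.get(key)


def enrich_events(events: List[Dict], records: List[NselRecord],
                  identity_map: Dict[str, str]) -> List[Dict]:
    """Attach inside_ip and user to each outside event; both stay None when no NAT record matches."""
    xlate_index = build_xlate_index(records)
    enriched = []
    for e in events:
        inside_ip = resolve_inside_ip(e, xlate_index)
        user = identity_map.get(inside_ip) if inside_ip else None
        enriched.append({**e, "inside_ip": inside_ip, "user": user})
    return enriched


if __name__ == "__main__":
    for row in enrich_events(OUTSIDE_EVENTS, NSEL_RECORDS, IDENTITY_MAP):
        print(f'{row["sig"]}: {row["src_ip"]}:{row["src_port"]} -> inside {row["inside_ip"]} user {row["user"]}')
```

The third event has no matching translation record and resolves to no user, which is exactly what the outside IPS sees on its own today. In a real deployment the index also has to be time-bounded: the firewall reports translation create and teardown events, and a PAT port is reused after teardown, so a record should only be matched against events that fall inside its lifetime.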
03-10-2020 09:23 AM
Thank you Marvin.