FirePower Appliance Placement

rsharp001
Level 1

I have a FirePower 8k series appliance that is tied together with ISE pxGrid. Currently, the FP is set up with 2 ports inline on the outside of the firewall (ASA). I have a SPAN on the inside of the firewall that sends traffic to another port on the FP acting as an IDS. Using passive identity with no SGTs.


I can see the identity info when traffic is seen inside but once it goes out the firewall it is lost.  Is there a way to preserve that data or should I plan to bring the IPS inside the firewall?

Accepted Solution

Marvin Rhoads
Hall of Fame

The identity integration associates a given username with the IP address of the endpoint where that user was authenticated. If the outside traffic has been NATted, you lose that association information.

You can only see the end-to-end flow using something like StealthWatch, which can stitch together flows from records originating from an ASA or FTD firewall using NSEL-type NetFlow records, which include the NAT translation information.

Otherwise, yes - you would need to have the IPS inside. That is the recommended placement for IPSs (generally speaking) when they are distinct from the firewall.

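The flow stitching described in the accepted answer, shown as an added example that is not part of the original thread and not code from StealthWatch, ASA or FTD. It assumes a constructed pxGrid-style session table (inside IP to username) and constructed NSEL-style flow records whose field names ("src", "xlate_src", "start", "end" and so on) are simplified labels for the pre-NAT and post-NAT address/port and flow-create/teardown fields the firewall exports, not the exact template element names. An outside sensor only sees the translated tuple, so the naive lookup fails; joining on the NAT translation fields (within the flow's lifetime, because PAT ports get reused) recovers the inside host and therefore the user.

```python
"""Re-associate outside (post-NAT) events with the authenticated user by
joining NSEL-style NAT translation records with a passive-identity table.
All data below is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed pxGrid-style session table: inside (pre-NAT) IP -> username.
# This is the association the identity integration learns at authentication.
SESSIONS: Dict[str, str] = {
    "10.1.20.15": "alice",
    "10.1.20.22": "bob",
}

# Constructed NSEL-style flow records. "src"/"dst" are the pre-NAT tuple the
# inside sensor sees; "xlate_*" are the post-NAT values an outside sensor sees.
# Two inside hosts share the single PAT address 198.51.100.5 and differ only by
# the translated source port. Times are epoch seconds; end=None means the flow
# is still open. The third record reuses PAT port 40001 after alice's flow ends.
NSEL_RECORDS: List[dict] = [
    {"proto": 6, "src": "10.1.20.15", "sport": 51234,
     "dst": "203.0.113.80", "dport": 443,
     "xlate_src": "198.51.100.5", "xlate_sport": 40001,
     "xlate_dst": "203.0.113.80", "xlate_dport": 443,
     "start": 1000, "end": 1300},
    {"proto": 6, "src": "10.1.20.22", "sport": 51234,
     "dst": "203.0.113.80", "dport": 443,
     "xlate_src": "198.51.100.5", "xlate_sport": 40002,
     "xlate_dst": "203.0.113.80", "xlate_dport": 443,
     "start": 1100, "end": None},
    {"proto": 6, "src": "10.1.20.22", "sport": 52000,
     "dst": "203.0.113.80", "dport": 443,
     "xlate_src": "198.51.100.5", "xlate_sport": 40001,
     "xlate_dst": "203.0.113.80", "xlate_dport": 443,
     "start": 1400, "end": None},
]

FiveTuple = Tuple[int, str, int, str, int]


@dataclass
class Attribution:
    inside_ip: str
    user: Optional[str]  # None if the inside host has no known session


def naive_lookup(post_nat_ip: str, sessions: Dict[str, str]) -> Optional[str]:
    """What an outside IPS can do without NAT data: look the IP it saw up
    directly. The PAT address is never in the session table, so identity is lost."""
    return sessions.get(post_nat_ip)


def build_xlate_index(records: List[dict]) -> Dict[FiveTuple, List[dict]]:
    """Index flow records by their translated (outside-visible) 5-tuple.
    A list per key is needed because PAT ports are reused over time."""
    index: Dict[FiveTuple, List[dict]] = {}
    for r in records:
        key = (r["proto"], r["xlate_src"], r["xlate_sport"],
               r["xlate_dst"], r["xlate_dport"])
        index.setdefault(key, []).append(r)
    return index


def attribute_outside_event(proto: int, src: str, sport: int, dst: str,
                            dport: int, ts: int,
                            index: Dict[FiveTuple, List[dict]],
                            sessions: Dict[str, str]) -> Optional[Attribution]:
    """Map an event seen outside the firewall back to the inside host and user.

    Tries the outbound direction first, then the reply direction (the outside
    sensor also sees server->client packets addressed to the translated tuple).
    Only a record whose lifetime covers the event time is accepted, so a reused
    PAT port is attributed to the host that held it at that moment."""
    candidates = [
        (proto, src, sport, dst, dport),   # event is client->server
        (proto, dst, dport, src, sport),   # event is server->client reply
    ]
    for key in candidates:
        for r in index.get(key, []):
            if r["start"] <= ts and (r["end"] is None or ts <= r["end"]):
                return Attribution(r["src"], sessions.get(r["src"]))
    return None


if __name__ == "__main__":
    idx = build_xlate_index(NSEL_RECORDS)
    print("naive:", naive_lookup("198.51.100.5", SESSIONS))
    print("stitched:", attribute_outside_event(
        6, "198.51.100.5", 40001, "203.0.113.80", 443, 1200, idx, SESSIONS))
    print("after port reuse:", attribute_outside_event(
        6, "198.51.100.5", 40001, "203.0.113.80", 443, 1500, idx, SESSIONS))
```

The time-window check is the part most often skipped in home-grown correlators: matching on the translated 5-tuple alone would attribute both the ts=1200 and the ts=1500 events on port 40001 to whichever record happens to come first, and with PAT that is exactly the kind of mis-attribution that lands the wrong user in an incident report.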



Thank you Marvin. 

Aside from NAT that Marvin mentioned, you would lose the SGT unless you were doing inline tagging between devices (within the network).