04-21-2016 11:57 PM - edited 03-12-2019 12:39 AM
Hi, I was just wondering how you would be able to identify the source IP addresses of devices on your corporate LAN if all HTTP traffic is going through an internal proxy server?
I have been running network discovery for over a week now and would like to start running some policies. But when I look under analysis, all I see is the source address of my proxy server!
Many thanks.
04-22-2016 01:23 AM
You would need to either move the SourceFire appliance / ASA w/ FirePower to sit between the proxy server and your users, or remove the proxy server altogether.
--
Please remember to select a correct answer and rate helpful posts
04-22-2016 02:04 AM
Thanks Marius, I appreciate your help :-)
So basically, I need to move the ASA/Firepower to 'intercept' the http requests before they hit the proxy!
Thanks again.
04-22-2016 02:19 AM
Correct
04-25-2016 06:44 AM
Hi again Marius, thanks for your previous replies, I really appreciate it! Though I do have one more question ;-)
I guess the best solution in this particular scenario would be to put the Proxy in the DMZ, then the service policy on the ASA should match and send these requests through to the FirePower module and onto FireSight for analysis. If FireSight decides to block the traffic or sees an IOC then this would show up as the actual source address of the host PC on the LAN rather than the proxy.
I have just noticed a couple of IOCs since removing the network discovery policy this morning, and I have no idea which machine is compromised as they all reference the IP address of the proxy server :-)
Thanks again!
04-25-2016 06:57 AM
Yes, that would be a good solution. Just keep in mind that unless you exempt the proxy server from being sent to Sourcefire, traffic will be inspected twice. Or perhaps that is what you want, though it might be overkill.
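The exemption Marius describes, written out as an added ASA configuration example (this is not configuration from the thread or from Cisco documentation; the proxy address 10.1.2.10, the ACL name SFR_REDIRECT and the class-map name SFR_CLASS are placeholders chosen for this example). With the proxy in the DMZ, each user request crosses the ASA twice: workstation to proxy (inside to DMZ) and proxy to the Internet (DMZ to outside). The deny entries keep the proxy's own outbound web flows out of the FirePOWER (SFR) redirect, so only the first leg is inspected and FireSIGHT records the workstation's real address rather than the proxy's.

```text
! Constructed example. 10.1.2.10 stands in for the proxy server's DMZ address.
! In a redirect ACL, "deny" means "do not send to the SFR module"; "permit" means "send".
access-list SFR_REDIRECT extended deny tcp host 10.1.2.10 any eq 80
access-list SFR_REDIRECT extended deny tcp host 10.1.2.10 any eq 443
access-list SFR_REDIRECT extended permit ip any any
!
class-map SFR_CLASS
 match access-list SFR_REDIRECT
!
! global_policy already exists on a default ASA; add the class to it.
policy-map global_policy
 class SFR_CLASS
  sfr fail-open
!
service-policy global_policy global
```

Traffic from workstations to the proxy's listening port still matches the final permit line and is redirected, so IOC and connection events are attributed to the LAN host. Use fail-close instead of fail-open if traffic should be dropped when the module is unavailable. Anything excluded by the deny lines is not inspected at all, so add deny entries only for the proxy's egress ports and leave its management and other flows in scope.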
04-25-2016 07:39 AM
Oh yeah!!! You mean on the way back! Hadn't thought of that!
The way the network is set up, this is the only way we would be able to resolve this issue.
Thanks again mate, really appreciate your help!
Cheers.