FireSight: How to identify source device through a proxy server.

doylepaul
Level 1

Hi, I was just wondering how you would be able to identify the source IP addresses of devices on your corporate LAN if all HTTP traffic is going through an internal proxy server?

I have been running network discovery for over a week now and would like to start running some policies. But when I look under analysis, all I see is the source address of my proxy server!

Many thanks.


6 Replies

You would need to either move the Sourcefire appliance / ASA w/ FirePOWER to be between the proxy server and your users, or remove the proxy server altogether.

--

Please remember to select a correct answer and rate helpful posts


Thanks Marius, I appreciate your help :-)

So basically, I need to move the ASA/FirePOWER to 'intercept' the HTTP requests before they hit the proxy!

Thanks again.

Correct

--

Please remember to select a correct answer and rate helpful posts


Hi again Marius, thanks for your previous replies, I really appreciate it! Though I do have one more question ;-)

I guess the best solution in this particular scenario would be to put the proxy in the DMZ; then the service policy on the ASA should match and send these requests through to the FirePOWER module and on to FireSIGHT for analysis. If FireSIGHT decides to block the traffic or sees an IOC, then this would show up as the actual source address of the host PC on the LAN rather than the proxy.

I have just noticed a couple of IOCs since removing the network discovery policy this morning, and I have no idea which machine is compromised as they all reference the IP address of the proxy server :-)

Thanks again!

Yes, that would be a good solution. Just keep in mind that unless you exempt the proxy server from being sent to Sourcefire, traffic will be inspected twice. Or perhaps that is what you want, though it might be overkill.

--

Please remember to select a correct answer and rate helpful posts

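To make the exemption Marius mentions concrete, here is an ASA service-policy sketch added as an illustration (it is not Marius's configuration or anything from the thread). It assumes the proxy already sits on a DMZ interface so user-to-proxy flows traverse the ASA; the addresses and the ACL/class-map names are assumptions.

```cisco
! Added example, not from the thread. Assumed addressing:
!   LAN users on the inside interface: 10.1.0.0/16
!   Proxy server on the dmz interface:  10.2.0.10
!
! A class that matches "any" would send both legs of one web request
! to the FirePOWER module: user -> proxy (source = real LAN host) and
! proxy -> Internet (source = proxy). That is the double inspection.
!
! In a class-map ACL, "deny" means "do not classify", not "block".
! Excluding flows sourced from the proxy skips the second leg, so each
! request is inspected once and FireSIGHT records the LAN host as source.
access-list SFR_REDIRECT extended deny   ip host 10.2.0.10 any
access-list SFR_REDIRECT extended permit ip any any
!
class-map SFR_CLASS
 match access-list SFR_REDIRECT
!
! fail-open keeps traffic flowing if the module is down; use fail-close
! if you would rather drop traffic than pass it uninspected.
policy-map global_policy
 class SFR_CLASS
  sfr fail-open
!
service-policy global_policy global
```

Verify with `show service-policy sfr` that the redirected counters rise for user-to-proxy connections but stay flat for the proxy's own outbound connections.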

Oh yeah!!! You mean on the way back! Hadn't thought of that!

The way the network is set up, this is the only way we would be able to resolve this issue.

Thanks again mate, really appreciate your help!

Cheers.
