FMC Web traffic from WSA

michaellperrin
Level 1

As expected, all of my web traffic in FMC is sourced from our WSA IP address.

Is there any way for FMC to get the actual internal IP of the user?

Accepted Solution

Marvin Rhoads
Hall of Fame

Yes - if you run FirePOWER 6.1 it now correctly extracts the XFF (X-Forwarded-For) field from the WSA to show you the end user address and name.


8 Replies


I enabled the XFF on the WSA under Security Services -> Advanced Settings -> Generate Headers -> X-Forwarded-For -> SEND

but I'm still only seeing the proxy IP as source in FMC.

Do I have to enable something on the FMC? 

Yes - check that you have it set in the Network Analysis Policy that you are using.

http://www.cisco.com/c/en/us/td/docs/security/firepower/610/asa-fp-services/asa-with-firepower-services-local-management-configuration-guide-v610/NAP-Getting-Started.html

Look for the necessary setting as shown below:

Got the NAP all configured but still just showing the WSA address as the source.

Have a case opened with TAC to see why.

OK - please let us know how it turns out. I haven't had one of those use cases to try out since they updated that feature.

Got it working.

I thought it would change the Initiator IP, but it populates it into the "original client" column.

The downside is on the table view for malware and file events the "original client" column isn't an option.

Also as expected only works for HTTP traffic.

I love using the WSA but this makes firepower useless. The only option I see is to offload SSL to something like F5 or A10 and do URL on the Firepower.

Was able to get a full working solution in my lab.

The answer was to enable IP Spoofing on the WSA.

This did cause some issues for our environment because we do our WCCP on the ASAs. This feature isn't supported on the ASA because you need to create a second WCCP for the return traffic to the WSA.

The answer was to move the WCCP to our switch that supports WCCP which also supports the return traffic redirection.

Now all web traffic in FMC shows the Initiator IP as the original client IP for both HTTP and HTTPS.
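An added example (not code from the thread) of the lookup the replies describe: the client address is taken from the WSA's X-Forwarded-For header only for HTTP events whose initiator is the trusted WSA, and otherwise falls back to the proxy address, which is the HTTPS gap that the IP spoofing change above closes. The WSA address 10.0.0.5 and the event record shape are assumptions.

```python
# Added example, not code from the thread. Sample events are constructed;
# the WSA address 10.0.0.5 is an assumption.
import ipaddress

# XFF is only believed when the initiator is a proxy we trust, because any
# client can send a forged X-Forwarded-For header of its own.
TRUSTED_PROXIES = {"10.0.0.5"}

def original_client(event, trusted=TRUSTED_PROXIES):
    """Return (client_ip, how): 'direct' = initiator is not a proxy; 'xff' =
    recovered from the trusted proxy's header; 'proxy-only' = WSA initiated
    but no usable XFF (e.g. HTTPS), the gap that WSA IP spoofing closes."""
    initiator = event["initiator_ip"]
    if initiator not in trusted:
        return initiator, "direct"
    xff = event.get("headers", {}).get("X-Forwarded-For", "")
    if event["protocol"] != "HTTP" or not xff:
        return initiator, "proxy-only"
    # Each proxy appends the address it received the request from, so walk
    # right to left and take the first hop that is not a proxy we trust.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if hop in trusted:
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: fall back to the proxy address
        return hop, "xff"
    return initiator, "proxy-only"

def summarize(events):
    """Count events by how the client address was determined."""
    counts = {"direct": 0, "xff": 0, "proxy-only": 0}
    for ev in events:
        counts[original_client(ev)[1]] += 1
    return counts

# Constructed sample events in the shape of FMC connection records.
SAMPLE_EVENTS = [
    {"initiator_ip": "10.0.0.5", "protocol": "HTTP",
     "headers": {"X-Forwarded-For": "192.168.1.20"}},
    # 203.0.113.9 was already in the header when the request reached the
    # WSA (client-supplied); the WSA appended the real client 192.168.1.21.
    {"initiator_ip": "10.0.0.5", "protocol": "HTTP",
     "headers": {"X-Forwarded-For": "203.0.113.9, 192.168.1.21"}},
    {"initiator_ip": "10.0.0.5", "protocol": "HTTPS", "headers": {}},
    {"initiator_ip": "192.168.1.30", "protocol": "HTTP",
     "headers": {"X-Forwarded-For": "198.51.100.7"}},  # forged, ignored
]
```

The HTTPS event is the one the thread calls out: with XFF alone it stays "proxy-only", which is why the final solution moved to IP spoofing on the WSA.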

Hi,

I have read your post and it's amazing and helpful.

What I have understood up till now is that I need to enable X-Forwarded-For on the Cisco WSA. Should I also enable IP Spoofing on the Cisco WSA, or is it okay that I can get the client IP of HTTP and HTTPS traffic by only enabling X-Forwarded-For on the Cisco WSA?

Kindly help me out, please.
