10-11-2016 09:57 PM - edited 03-12-2019 01:22 AM
As expected all of my web traffic in FMC is sourced from our WSA ip address.
Is there anyway for FMC to get the actual internal IP of the user?
10-12-2016 10:22 AM
Yes - if you run FirePOWER 6.1 it now correctly extracts the XFF (X-Forwarded-For) field from the WSA to show you the end user address and name.
10-12-2016 10:22 AM
I enabled the XFF on the WSA under Security Services -> Advanced Settings -> Generate Headers -> X-Forwarded-For -> SEND
but I'm still only seeing the proxy IP as source in FMC.
Do I have to enable something on the FMC?
10-12-2016 11:50 AM
Yes - check that you have it set in the Network Analysis Policy that you are using.
http://www.cisco.com/c/en/us/td/docs/security/firepower/610/asa-fp-services/asa-with-firepower-services-local-management-configuration-guide-v610/NAP-Getting-Started.html
Look for the necessary setting as shown below:
10-14-2016 11:27 AM
Got the NAP all configured but still just showing the WSA address as the source.
Have a case opened with TAC to see why.
10-14-2016 10:03 PM
OK - please let us know how it turns out. I haven't had one of those use cases to try out since they updated that feature.
11-04-2016 12:18 PM
Got it working.
I thought it would change the Initiator IP but it populates it into "original client" column.
The downside is on the table view for malware and file events the "original client" column isn't an option.
Also as expected only works for HTTP traffic.
I love using the WSA but this makes firepower useless. The only option I see is to offload SSL to something like F5 or A10 and do URL on the Firepower.
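The behaviour described in this post (the original client address is recovered from the X-Forwarded-For header the proxy adds, the header is only visible for plain HTTP, and the flow's own initiator address is still the proxy) can be reproduced in a small analyst script. The following is an added example, not code from the thread or from Cisco; the proxy address, event records and header values are constructed for illustration, and it goes a little beyond the post by handling multi-hop XFF values, malformed entries, and XFF headers arriving from hosts other than the trusted proxy, which should never be believed.

```python
"""
Added example: derive the "original client" of a proxied web event from the
X-Forwarded-For (XFF) header, the way the thread describes FMC populating its
"original client" column. All addresses and events below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from collections import Counter

# Constructed: address of the explicit proxy (the WSA in the thread).
TRUSTED_PROXIES = {"10.0.0.5"}


@dataclass
class WebEvent:
    initiator_ip: str              # source address as the sensor sees it
    responder_ip: str
    protocol: str                  # "http" or "https"
    headers: dict = field(default_factory=dict)


def _header(headers: dict, name: str):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    name = name.lower()
    for k, v in headers.items():
        if k.lower() == name:
            return v
    return None


def _parse_xff(value: str):
    """Return the addresses in an XFF value, leftmost (the client) first.
    Entries that are not valid IP literals are dropped so a malformed header
    cannot produce a bogus 'original client'."""
    out = []
    for part in value.split(","):
        part = part.strip()
        try:
            out.append(str(ipaddress.ip_address(part)))
        except ValueError:
            continue
    return out


def original_client(ev: WebEvent):
    """Return (client_ip, source). source is 'xff' when the address was
    recovered from a trusted proxy's header, otherwise 'initiator'."""
    if ev.initiator_ip not in TRUSTED_PROXIES:
        # Not from the proxy: any XFF here is client-supplied and untrusted,
        # so the flow's own source address is the only reliable answer.
        return ev.initiator_ip, "initiator"
    if ev.protocol != "http":
        # TLS hides the headers from the sensor; as the post notes, XFF only
        # helps for HTTP. The proxy address is all the sensor can see.
        return ev.initiator_ip, "initiator"
    xff = _header(ev.headers, "X-Forwarded-For")
    hops = _parse_xff(xff) if xff else []
    if not hops:
        return ev.initiator_ip, "initiator"
    return hops[0], "xff"


def client_counts(events):
    """Count events per derived original client; useful to see how much
    traffic still collapses onto the proxy address."""
    return Counter(original_client(ev)[0] for ev in events)


# Constructed sample events for a quick run.
SAMPLE_EVENTS = [
    WebEvent("10.0.0.5", "203.0.113.10", "http",
             {"X-Forwarded-For": "192.168.1.20"}),
    WebEvent("10.0.0.5", "203.0.113.11", "http",
             {"x-forwarded-for": "192.168.1.21, 10.0.0.9"}),
    WebEvent("10.0.0.5", "203.0.113.12", "https"),
    WebEvent("192.168.1.99", "203.0.113.13", "http",
             {"X-Forwarded-For": "192.168.1.1"}),   # header not from the proxy
    WebEvent("10.0.0.5", "203.0.113.14", "http",
             {"X-Forwarded-For": "not-an-address"}),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.initiator_ip, ev.protocol, "->", original_client(ev))
    print(client_counts(SAMPLE_EVENTS))
```

Note that once the proxy does IP spoofing (as a later post in this thread describes), the initiator address of every flow is already the real client, so `original_client` returns it unchanged for both HTTP and HTTPS; the XFF path only matters when the sensor sits behind a proxy that rewrites the source.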
11-23-2016 09:33 AM
Was able to get a full working solution in my lab.
The answer was to enable IP Spoofing on the WSA.
This did cause some issues for our environment because we do our WCCP on the ASAs. This feature isn't supported on the ASA because you need to create a second WCCP for the return traffic to the WSA.
The answer was to move the WCCP to our switch that supports WCCP which also supports the return traffic redirection.
Now all web traffic in FMC shows the Initiator IP as the original client IP for both HTTP and HTTPS.
07-29-2019 01:54 AM
Hi,
I have read your post and it's amazing and helpful.
What I have understood up till now is that I need to enable X-Forwarded-For at the Cisco WSA, and should I also enable IP Spoofing at the Cisco WSA, or is it okay that I can get the client IP of HTTP and HTTPS traffic by only enabling X-Forwarded-For at the Cisco WSA?
Kindly help me out, please.