07-25-2017 01:09 AM - edited 03-12-2019 06:28 AM
Hi,
my customer wants to dismiss his old proxy server and use ASA5506 with firepower to achieve the same result.
ASA5506 is fully firepower licensed (CTRL, IPS, URL, AMP) and managed by Firepower virtual Center.
Which is the best way to do this?
(I was thinking about deleting proxy address from users' browsers, create a policy on my asa that let everybody access internet in a free way and then configure rules on firepower to filter internet access based on LDAP group) but I don't know if it's the right way.
Thanks
Johnny
07-25-2017 02:58 AM
Hello Johnny
You can integrate the ASA with Firepower using the following instructions.
http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html
Once it's integrated you can create the User based policies in Firepower and you can use Active or Passive Authentication. You can also create the rules based on the LDAP groups.
If you wish to use Sourcefire User agent then refer to the following link.
http://www.cisco.com/c/en/us/td/docs/security/firesight/user-agent/23/config-guide/Firepower-User-Agent-Configuration-Guide-v2-3.html
http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Identity_Policies_and_Realms.html
Rate if this answer helps.
Regards
Jetsy
07-25-2017 03:11 AM
Hi Johnny,
Looks pretty much fine to me. Once you have connectivity to the ASA, redirect the traffic towards the SFR module as per this article: http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html
NOTE: Please make sure you configure rules and policies on SFR before you put the traffic redirection from ASA to SFR.
Best practices: Redirect one or two TEST machines' traffic towards SFR and verify that traffic is hitting the correct rules and everything is working okay. Also, it is good to put the device in SFR fail-open monitor-only mode for a day or two and analyse the traffic and behaviour (kind of IDS mode, it won't drop actual packets).
Hope this helps.
Regards,
Dv
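The staged rollout Dv describes, as an added ASA CLI example that is not part of this thread or of the Cisco article: first redirect only two test hosts to the SFR module in fail-open monitor-only mode, then switch to inline fail-open for everyone. The host addresses and the ACL/class names are placeholders I chose; the `sfr`, `class-map`, `policy-map` and `show service-policy sfr` commands are standard ASA syntax.

```text
! --- Stage 1: constructed example, two test hosts only, monitor-only (IDS-like, nothing dropped)
access-list SFR_REDIRECT extended permit ip host 192.0.2.10 any
access-list SFR_REDIRECT extended permit ip host 192.0.2.11 any
!
class-map SFR_CLASS
 match access-list SFR_REDIRECT
!
! global_policy is the default policy-map on an ASA; the sfr action is added to it
policy-map global_policy
 class SFR_CLASS
  sfr fail-open monitor-only
!
service-policy global_policy global
!
! Verify the test hosts' flows are actually being redirected (counters should increase)
show service-policy sfr
!
! --- Stage 2: after the monitoring period, go inline for all traffic
! Note: the ASA does not allow monitor-only and inline mode in the same policy,
! so the monitor-only action is removed before the inline one is applied.
policy-map global_policy
 class SFR_CLASS
  no sfr fail-open monitor-only
  sfr fail-open
!
! Widen the redirect ACL from the two test hosts to everyone
access-list SFR_REDIRECT extended permit ip any any
no access-list SFR_REDIRECT extended permit ip host 192.0.2.10 any
no access-list SFR_REDIRECT extended permit ip host 192.0.2.11 any
```

`fail-open` keeps user traffic flowing if the SFR module is down or not yet licensed; use `sfr fail-close` instead only once the customer accepts an outage rather than unfiltered traffic when the module fails.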
07-25-2017 03:52 AM
Many thanks,
which do you think is the best solution?
Active, passive or rule based on Group on LDAP?
The least hard solution.
My customer would like to reach the following goal:
admin users can surf free internet
normal users can surf filtered internet
banned user cannot surf the internet.
07-25-2017 03:59 AM
Hello l.buschi,
It's purely based on what the customer requires. You can use Sourcefire User agent and then go ahead with the User based or group based policies and then you achieve the requirement.
Please refer to the configuration guide that I have mentioned in the previous update.
Also try to use the latest software version available in the Firepower as well.
Regards
Jetsy