Solved: Hello Johnny

l.buschi · ‎07-25-2017

Hi,

my costumer wants to dismiss his old proxy server and use ASA5506 with firepower to achieve the same result.

ASA5506 is fully firepower licensed (CTRL, IPS, URL, AMP) and managed by Firepower virtual Center.

Which is the best way to do this?

(I was thinking about deleting proxy address from users' browsers, create a policy on my asa that let everybody access internet in a free way and then configure rules on firepower to filter internet access based on LDAP group) but I don't know if it's the right way.

Thanks

Johnny

Jetsy Mathew · ‎07-25-2017

Hello Johnny

You can integrate the ASA with Firepower using the following instructions.

http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html

Once its integrated you can create the User based policies in Firepower and you can use Active or Passive Authentication. You can also. create the rules based on the LDAP groups.

If you wish to use Sourcefire User agent then refer to the following link.

http://www.cisco.com/c/en/us/td/docs/security/firesight/user-agent/23/config-guide/Firepower-User-Agent-Configuration-Guide-v2-3.html

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Identity_Policies_and_Realms.html

Rate if this answer helps.

Regards

Jetsy

View solution in original post

Jetsy Mathew · ‎07-25-2017

Hello Johnny

You can integrate the ASA with Firepower using the following instructions.

http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html

Once its integrated you can create the User based policies in Firepower and you can use Active or Passive Authentication. You can also. create the rules based on the LDAP groups.

If you wish to use Sourcefire User agent then refer to the following link.

http://www.cisco.com/c/en/us/td/docs/security/firesight/user-agent/23/config-guide/Firepower-User-Agent-Configuration-Guide-v2-3.html

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Identity_Policies_and_Realms.html

Rate if this answer helps.

Regards

Jetsy

Dinesh Verma · ‎07-25-2017

Hi Johnny,

Looks pretty much fine to me. Have fine connectivity to ASA then redirect the traffic towards SFR module as per this article: http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html

NOTE: Please make sure you configure rules and policies on SFR before you put the traffic redirection from ASA to SFR.

Best practices: Redirect one or two TEST Machine's traffic towards SFR and verify if traffic is hitting correct rules and everything is working okay. Also, it is good to put the device in SFR fail-open monitor-only mode for a day or two and analyse the traffic and behaviour (Kind of IDS mode, it won't drop actual packets).

Hope this helps.

Regards,

Dv

l.buschi · ‎07-25-2017

Many TKS,

which do you think is the best solution?

Active, passive or rule based on Group on LDAP?

The less hard solution.

My costumer would like to reach the following goal:

admin users can surf free internet

normal users can surf filtrated internet

banned user cannot surf the internet.

Jetsy Mathew · ‎07-25-2017

Hello l.buschi,

Its purely based on what customer requires. You can use Sourcefire User agent and then go ahead with the User based or group based policies and then you achieve the requirement .

Please refer the configuration guide that I have mentioned in the previous update.

Also try to use the latest software version available in the Firepower as well.

Regards

Jetsy

HTTP, HTTPS, FTP Proxy with firepower