2344 Views, 0 Helpful, 4 Replies
l.buschi
Explorer

HTTP, HTTPS, FTP Proxy with firepower

Hi,

My customer wants to dismiss his old proxy server and use an ASA5506 with Firepower to achieve the same result.

The ASA5506 is fully Firepower licensed (CTRL, IPS, URL, AMP) and managed by a Firepower virtual Center.

Which is the best way to do this?

(I was thinking about deleting the proxy address from the users' browsers, creating a policy on my ASA that lets everybody access the internet freely, and then configuring rules on Firepower to filter internet access based on LDAP group), but I don't know if it's the right way.

Thanks

Johnny

1 ACCEPTED SOLUTION
Jetsy Mathew
Cisco Employee

Hello Johnny

You can integrate the ASA with Firepower using the following instructions.

http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html

Once it's integrated you can create the user-based policies in Firepower, and you can use Active or Passive Authentication. You can also create the rules based on the LDAP groups.

If you wish to use the Sourcefire User Agent, then refer to the following links.

http://www.cisco.com/c/en/us/td/docs/security/firesight/user-agent/23/config-guide/Firepower-User-Agent-Configuration-Guide-v2-3.html

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Identity_Policies_and_Realms.html

Rate if this answer helps.

Regards

Jetsy 


4 REPLIES

Dinesh Verma
Cisco Employee

Hi Johnny,

Looks pretty much fine to me. Get connectivity through the ASA working, then redirect the traffic towards the SFR module as per this article: http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html

NOTE: Please make sure you configure rules and policies on SFR before you put the traffic redirection from ASA to SFR.

Best practices: Redirect one or two test machines' traffic towards the SFR and verify that the traffic is hitting the correct rules and everything is working okay. Also, it is good to put the device in SFR fail-open monitor-only mode for a day or two and analyse the traffic and behaviour (kind of an IDS mode; it won't drop actual packets).

Hope this helps.

Regards,

Dv
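As an added example, not taken from the thread or from Cisco's documentation, this is the ASA configuration that carries out the staged rollout described above: only two test hosts are redirected to the SFR module, in fail-open monitor-only mode, so the module reports policy hits without dropping anything. The host addresses, the ACL and class-map names are assumptions; "global_policy" is the default ASA policy-map name.

```cisco
! Added example (not from the thread). Test host addresses and the
! ACL / class-map names are assumed; adapt them to the real network.

! 1. Match only the two test machines, so everyone else is untouched
!    until the Firepower access-control and identity policies are verified.
access-list SFR_TEST extended permit ip host 10.10.10.21 any
access-list SFR_TEST extended permit ip host 10.10.10.22 any

class-map SFR_TEST_CLASS
 match access-list SFR_TEST

! 2. Send that traffic to the SFR module in monitor-only mode: the module
!    inspects a copy, logs which rules fire, but cannot block, and if the
!    module goes down the ASA keeps forwarding (fail-open).
policy-map global_policy
 class SFR_TEST_CLASS
  sfr fail-open monitor-only

! global_policy is normally already applied globally on an ASA.
service-policy global_policy global

! Check that packets are actually being handed to the module:
!   show service-policy sfr

! 3. After the observation period, move the same class to inline mode so
!    Firepower verdicts are enforced (monitor-only must be removed first,
!    the two modes cannot coexist in one class), then widen the ACL to all
!    users:
!   policy-map global_policy
!    class SFR_TEST_CLASS
!     no sfr fail-open monitor-only
!     sfr fail-open
!   access-list SFR_TEST extended permit ip any any
```

Until step 3 is applied, Firepower's block rules only produce events, which is exactly what the monitor period is for; compare those events against the LDAP-group policy before enforcing it.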

l.buschi
Explorer

Many thanks,

which do you think is the best solution?

Active, passive, or rules based on LDAP groups?

The least difficult solution.

My customer would like to reach the following goal:

admin users can surf the internet freely

normal users can surf a filtered internet

banned users cannot surf the internet.

Hello l.buschi,

It's purely based on what the customer requires. You can use the Sourcefire User Agent and then go ahead with the user-based or group-based policies, and then you achieve the requirement.

Please refer to the configuration guide that I mentioned in the previous update.

Also, try to use the latest software version available for Firepower.

Regards

Jetsy 
