Showing results for 
Search instead for 
Did you mean: 

Proxy server behind firepower

Roy Lee

Hi All,

We have implemented a 1 leg proxy appliance inside LAN and NATed by firepower and then a PacketShaper bandwidth controller then to Internet. The internet bandwidth is 50Mbps.

Strange thing is when download files from some specific website like wetransfer / citrix file share, the download speed will be under 100Kbps.

While download from some other website like Microsoft download / Google drive / One drive, the download speed is at least 10Mbps.

Maybe it also affect some web browsing but not noticeable.

I tried to change the proxy applicant internal IP and also the NATed public IP, no luck.

I setup a software proxy (ccproxy, squid) using the same internal IP and NATed public IP of the appliance, working very good.

I changed the proxy appliance to go via another old ASA, it works fine!

So the problem should be related to firepower or the bandwidth controller.

I will try to take out Packetshaper bandwidth controller to test later, but want to know if any hints on firepower.

I didn't apply Qos or File inspection on the ACL of firepower related to the proxy appliance.

Is there steps/area in firepower that I can identify the problem and fix?


6 Replies 6

VIP Guru VIP Guru
VIP Guru

Do you have any Firepower IPS Policies enabled ?


what model of FTD and what code running ?



***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi @balaji.bandi , I do have 1 Intrusion Policy but not applied to the Access Rules related to the proxy appliance.

I am using FirePower 2100 with FTD version

Might have missed it here, what is the status if there is no proxy if you go directly (without proxy). does the Firepower serve the bandwidth as expected?  (or with or without proxy same status ?









***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I use a windows without proxy is okay.

Strange is the proxy server is actual build on linux (no sure which brand), if download inside the linux level (wget), the speed also slow. I have no other linux box on hand, but I think it will be also slow when download from the specific websites.

So here is our findings :


1. Firepower without proxy works fine

2. Firepower with proxy not working as expected.


Do you have any high-level diagram of how this is connected?


In most cases, Linux based is Squid (mostly used, so you mentioned single interface doing in and out traffic)


Try adding one ACL Top of all ACL allow any for the Proxy IP and test it. ( at the same time capture the logs on Firepower also beneficial, if not it is hard to find the issue)






***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Roy Lee

Anybody have idea?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers