Proxy server behind firepower

Roy Lee
Level 1

Hi All,

We have implemented a one-leg proxy appliance inside the LAN, NATed by Firepower, then a PacketShaper bandwidth controller, and then to the Internet. The Internet bandwidth is 50 Mbps.

The strange thing is that when downloading files from some specific websites like WeTransfer / Citrix file share, the download speed is under 100 Kbps.

When downloading from some other websites like Microsoft Download / Google Drive / OneDrive, the download speed is at least 10 Mbps.

Maybe it also affects some web browsing, but it is not noticeable.

I tried changing the proxy appliance's internal IP and also the NATed public IP, with no luck.

I set up a software proxy (CCProxy, Squid) using the same internal IP and NATed public IP as the appliance, and it works very well.

I changed the proxy appliance to go via another old ASA, and it works fine!

So the problem should be related to Firepower or the bandwidth controller.

I will try taking out the PacketShaper bandwidth controller to test later, but I want to know if there are any hints on Firepower.

I didn't apply QoS or file inspection on the Firepower ACL related to the proxy appliance.

Are there steps/areas in Firepower where I can identify the problem and fix it?

Thanks.

6 Replies

balaji.bandi
Hall of Fame

Do you have any Firepower IPS policies enabled?

What model of FTD is it, and what code is it running?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi @balaji.bandi, I do have one intrusion policy, but it is not applied to the access rules related to the proxy appliance.

I am using Firepower 2100 with FTD version 6.2.3.1.

I might have missed it here: what is the status if there is no proxy and you go directly (without proxy)? Does Firepower deliver the bandwidth as expected? (Or is it the same status with or without the proxy?)

BB

Using a Windows machine without the proxy is okay.

The strange thing is that the proxy server is actually built on Linux (not sure which distribution); if I download at the Linux level (wget), the speed is also slow. I have no other Linux box on hand, but I think it would also be slow when downloading from the specific websites.

So here are our findings:

1. Firepower without proxy works fine.

2. Firepower with proxy does not work as expected.

Do you have any high-level diagram of how this is connected?

In most cases, a Linux-based proxy is Squid (the most commonly used; you also mentioned a single interface handling both inbound and outbound traffic).

Try adding one ACL at the top of all ACLs allowing any for the proxy IP and test it. (At the same time, capturing the logs on Firepower is also beneficial; otherwise it is hard to find the issue.)

BB

Roy Lee
Level 1

Does anybody have an idea?
