04-18-2016 07:23 AM - edited 03-12-2019 05:58 AM
We are deploying a new Sourcefire to replace a legacy firewall and proxy. We are having an issue with the way the Sourcefire is seeing the redirected traffic to the module. When traffic is passing through the module it looks as if web traffic is being originated from the outside IP address to the internal IP addresses. This in effect is negating the rules we have going from the inside interface to the outside interface on the firewall, and the policies are not being applied at all. We can still browse the internet; it looks like it's failing open as no rules are being hit.
I am just wondering if we are doing something wrong or if anyone else has seen this behaviour.
We have recently upgraded to the latest versions. Module 6.0.1, ASA 9.5
04-18-2016 07:30 PM
Have you associated your internal IP addresses with the HOME_NET variable (and made EXTERNAL_NET exclude them)?
See Objects > Object Management > Variable Set and customize the default set.
05-10-2016 03:29 AM
Thanks for the help, guys. It turned out to be that the clients weren't logging in directly to the AD controller (they were using cached credentials). We have a test setup, as opposed to how the normal users will be logging in.
The Sourcefire couldn't match against a login as it wasn't there. Once we sorted the AD logins out it worked straight away.
05-04-2016 10:50 AM
Hi Brian,
If this is an initial setup and your variable set is set to default, then you can also check whether your interfaces are mapped to zones correctly, as it might be causing the device to bypass the policy if the zone config is not pushed to the device and the default rule is to block all traffic.
Secondly, also check whether #show service-policy sfr is incrementing traffic counts and the access-list is set to redirect the correct traffic.
Rate if that helps.
Thanks,
Ankita
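The two checks suggested in the replies above (the redirect access-list and `show service-policy sfr`) depend on how the ASA hands traffic to the FirePOWER (SFR) module. The following is an added example of an ASA redirect configuration and the commands used to verify it; it is not configuration from this thread or from the original poster. The interface name, subnet, object, access-list, class-map and policy-map names are assumptions chosen for the example. The OP's own problem turned out to be identity (AD login) matching rather than the redirect itself, which this configuration does not address; what it does show is how to scope the redirect to inside-originated traffic and how to choose fail-close instead of fail-open so that module problems block traffic rather than silently letting it through.

```text
! --- ASA: redirect inside-originated traffic to the SFR module (constructed example) ---
! Assumed inside subnet; replace with the real internal address space
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0

! Only traffic sourced from the inside subnet is redirected; this keeps the
! direction (inside -> outside) intact when the module evaluates its rules
access-list SFR_REDIRECT extended permit ip object INSIDE_NET any

class-map SFR_CLASS
 match access-list SFR_REDIRECT

policy-map global_policy
 class SFR_CLASS
  ! fail-close: if the module is down or not responding, matching traffic is dropped
  ! (fail-open would let it pass uninspected, which is what "failing open" looks like)
  sfr fail-close

service-policy global_policy global

! --- Verification from the ASA CLI ---
! Packet counters for the sfr action should increase while clients browse;
! a static counter means the access-list is not matching the redirected traffic
show service-policy sfr

! Module state should be "Up" and the policy applied to it should be the expected one
show module sfr details
```

If `show service-policy sfr` shows no packets being redirected, the access-list or the class-map binding is the first thing to review; if packets are redirected but no access control rules are hit on the module, the variable set (HOME_NET/EXTERNAL_NET), the zone-to-interface mapping and, for user-based rules, the identity source are the usual places to look next.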