Sourcefire Proxy Behind Firewall.

jheesen123
Level 1

According to TAC, Cisco will not support user identification behind a proxy IP address even if it sends X-Forwarded-For headers. This is a real let down as other vendors do support this. Almost all organizations have some form of URL filtering and many require the use of an internal proxy server.

They said "Put the proxy in front of the firewall". This is a ridiculous answer to the problem. The issue being SFM cannot map the LDAP users to the "origin client IP". This is a big problem since you cannot create user-based rules or events etc., or trace down issues easily at all. Seems like an easy fix that could be solved with some sort of regex script.

This case has been open over a month and this is what they came up with. Not to mention many Firepower cases take forever to resolve using TAC.

5 Replies

mikael.lahtela
Level 4
Hi,

Not clear for me how the traffic is going through your setup.
Is it a. client->proxy->firewall->internet or b. client->firewall->proxy->internet?
And next there is no information what firewall or management you are using.
If you are running Firepower behind proxy (A) you can see the XFF address in Firepower Management Center (but it's hidden under connection events > table view > "x" to change tables, add original client IP).

br, Micke

The configuration is

client->proxy->firewall->internet

I can see the true IP of the client, I have no issues with that part. The issue is there's not a way to do an LDAP user mapping with the XFF address information. Most of the built-in alerting widgets etc. are designed around the source IP and not the original client IP. It makes it difficult to manage the firewall the way it's intended. You cannot do any LDAP firewall-based rules in this scenario either.

The deployment uses FMC 6.2.2 on a pair of 5515-X running 6.2.

Thanks.
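The gap the thread describes is attribution: the firewall sees the proxy as the initiator, the real client only survives in the XFF-derived "original client IP" column, and nothing on the FMC side joins that column to an identity. The following is an added example, not code from the thread or from Cisco, showing how a defender can do that join offline over an exported connection-event table. The CSV column names, the trusted-proxy address, the IP-to-user table and every event row are constructed for the example; the one rule it encodes is that an original-client value is only honoured when the initiator is a proxy you control, because X-Forwarded-For from any other source is client-supplied.

```python
"""
Added example (not from the thread or from Cisco): attribute exported
Firepower-style connection events to users by the original client IP
carried in X-Forwarded-For, instead of the proxy's own IP.
Every value below is constructed for illustration.
"""
import csv
import io
import ipaddress
from typing import Dict, List

# Constructed: addresses of the proxies we operate. An "Original Client IP"
# is only trusted when the initiator is one of these, since the XFF header
# behind it can be set by anyone who did not pass through our proxy.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

# Constructed IP-to-user table, e.g. built from proxy authentication logs
# or an identity source; the format here is assumed, not FMC's.
IP_TO_USER: Dict[str, str] = {
    "192.168.1.20": "CORP\\alice",
    "192.168.1.21": "CORP\\bob",
}

# Constructed CSV in the shape of a connection-event table export with the
# "Original Client IP" column added (column names are assumed).
SAMPLE_EVENTS = """\
Initiator IP,Original Client IP,Responder IP,URL
10.0.0.5,192.168.1.20,203.0.113.10,http://example.com/
10.0.0.5,192.168.1.21,203.0.113.11,http://example.org/
10.0.0.5,,203.0.113.12,http://example.net/
192.168.1.30,,203.0.113.13,http://example.edu/
10.0.0.5,198.51.100.7,203.0.113.14,http://example.com/x
192.168.1.40,192.168.1.20,203.0.113.15,http://example.com/y
"""


def effective_client_ip(initiator_ip: str, original_client_ip: str) -> str:
    """Address to attribute the event to: the XFF-derived original client IP
    when the connection arrived via a trusted proxy, else the initiator.
    An XFF value arriving from any other initiator is ignored."""
    original_client_ip = original_client_ip.strip()
    if original_client_ip and ipaddress.ip_address(initiator_ip) in TRUSTED_PROXIES:
        ipaddress.ip_address(original_client_ip)  # reject garbage values early
        return original_client_ip
    return initiator_ip


def attribute_events(csv_text: str) -> List[Dict[str, str]]:
    """Parse the export and add 'Attributed IP' and 'User' to every row."""
    rows: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = effective_client_ip(row["Initiator IP"], row["Original Client IP"])
        rows.append({**row, "Attributed IP": ip, "User": IP_TO_USER.get(ip, "unknown")})
    return rows


def events_for_user(csv_text: str, user: str) -> List[str]:
    """URLs visited by one user, the per-user view the firewall UI lacks here."""
    return [r["URL"] for r in attribute_events(csv_text) if r["User"] == user]


if __name__ == "__main__":
    for r in attribute_events(SAMPLE_EVENTS):
        print(f'{r["User"]:<12} {r["Attributed IP"]:<15} {r["URL"]}')
```

Rows whose initiator is not a trusted proxy keep the initiator as the attributed address even when an original-client value is present (the last sample row), so a forged header never relabels an event; rows through the proxy with no mapping entry come out as "unknown" rather than being silently attributed to the proxy.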

Now it's clear for me and sounds like a limitation in your case.
One option is to contact your Cisco representative and do a feature request.
They might add that in the future releases.

br, Micke

Yes, it's a limitation. This is an extremely common configuration however; tough to tell customers they can't operate the firewall as they hoped or would have to migrate all URL filtering to Cisco.

Thanks.