Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2178
Views
0
Helpful
1
Replies

Websense Deployment Strategies with Sourcefire

jefwalke
Cisco Employee
Cisco Employee

‎07-28-2015 02:50 PM

I have several deployments with ASA-FirePOWER and Websense using WCCP prior to the packets being inspected on the ASA-SFR module; are there any best practices in regards to deployment methodologies that you can share?  One of the biggest issues is that the Intrusion Events report the initiator/responder as the Websense IP rather than the XFF host IP, even with XFF enabled on the Websense side.  Any deployments where Websense was located north of the ASAs? Any feedback would be much appreciated.

Labels:
0 Helpful
1 Reply 1

jefwalke
Cisco Employee
Cisco Employee

‎07-30-2015 11:49 AM

From Tom Marsh (tomarsh@cisco.com):

Jeff-  WCCP redirection can’t pass through ASA interfaces so it comes into an ASA interface and then bounces back out that same interface to the proxy.  You’ll always see the actual IP in the header as the Initiator/Responder address, never the XFF IP.  

Best bet is for the customer to use pac files to force traffic through ASA interfaces, re-think sensor placement, or get another sensor to use internally (none of these are great solutions however).

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card