WSA and ASA with firepower,This is a problem about firepower event!

Andy Yuan1993
Level 1

Hi everyone

 

My company uses WSA and ASA with Firepower. Traffic is redirected by WCCP from the ASA to the WSA. When a user's endpoint accesses the Internet and I view the event on Firepower, I find that the source address is the address of the P port on the WSA. Why is this?

4 Replies

Marvin Rhoads
Hall of Fame

There is a column you can optionally display in connection events as follows:

Original Client IP
The original IP address of the client that initiated an HTTP connection. This address is derived from the
X-Forwarded-For (XFF) or True-Client-IP HTTP header fields or their equivalent.

To see it, go to Analysis > Connection Events > Table View of Connection Events. Click on the X of any column header, select that new field (it is not shown by default) from the "disabled columns" section of the list, and then apply.

I'm not positive when the field was added - I know it is there in 6.3+ but not sure about older releases.

Hi Marvin

I am glad to receive your reply.

My firepower version is v5.4.0.

I can not find the "Original Client IP" Option in the Table view of Connection Events. Will this be an option in version 6.3?

Do I need any configuration on ASA to implement XFF?

Your Firepower service module release 5.4.0 is quite old. In fact, it's the initial release on that platform. Think of it as more like 1.0. You should keep up to date on releases (6.4 is currently the latest major release).

The XFF feature was introduced later - 6.0 if I recall correctly. See the following thread for some more details:

https://community.cisco.com/t5/firepower/asa-firepower-and-proxy/td-p/2611587

shgrover
Cisco Employee

This is expected behaviour, as the WSA makes a new connection to the origin server on behalf of the client, and hence you would see the WSA's P interface on the upstream (P1/P2 depending on your deployment). IP spoofing is disabled by default on the WSA.

XFF headers need to be enabled on the WSA as well if you want to see the client IP. Please don't make any changes without understanding the effect of these changes. If you decide to go for IP spoofing, you would need to make changes to other devices upstream. You can always open a case with us and we can analyse your network design and guide you accordingly before you make any changes, and you can take a call on how you would like to route your traffic.

Regards
Shikha Grover
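As an added example that is not part of this thread and not Cisco's code, the following Python models the behaviour described in Marvin's and Shikha's replies: the proxy terminates the client's session and opens its own upstream connection, so the firewall logs the proxy's P1 address as the source; once XFF is enabled the proxy appends the client address to that header; and a firewall-side "Original Client IP" value is derived from X-Forwarded-For (or True-Client-IP as a fallback). It goes beyond the thread in two places: it shows why such a field must only be trusted when the connection actually arrives from the proxy, and how a client-forged XFF value is ignored by walking the chain from the right. All addresses, header formatting, the XFF-before-True-Client-IP precedence and the function names are constructed assumptions, not the WSA's or Firepower's actual implementation.

```python
"""Model of proxy-rewritten source addresses and XFF-based client recovery.

Added example: constructed addresses and behaviour, not the WSA's or
Firepower's real code or header formatting.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Connection:
    """One TCP/HTTP connection as an inline device would log it."""
    src_ip: str                                   # source address on the wire
    dst_ip: str
    headers: Dict[str, str] = field(default_factory=dict)


# Constructed addresses (assumptions, not from the thread).
CLIENT_IP = "10.1.20.55"      # endpoint whose traffic WCCP redirects to the proxy
PROXY_P1_IP = "10.1.100.10"   # proxy data (P1) interface
ORIGIN_IP = "203.0.113.80"    # web server on the Internet
TRUSTED_PROXIES: Set[str] = {PROXY_P1_IP}


def proxy_forward(client_conn: Connection, proxy_ip: str,
                  add_xff: bool = True, ip_spoofing: bool = False) -> Connection:
    """Upstream connection an explicit proxy opens on the client's behalf.

    Without IP spoofing the new TCP session carries the proxy's own interface
    address, which is what the firewall logs as the source.  With add_xff the
    proxy appends the address it received the request from to whatever XFF
    value the client already sent (kept as-is, as a real proxy would).
    """
    headers = dict(client_conn.headers)
    if add_xff:
        prior = headers.get("X-Forwarded-For")
        headers["X-Forwarded-For"] = (f"{prior}, {client_conn.src_ip}" if prior
                                      else client_conn.src_ip)
    src = client_conn.src_ip if ip_spoofing else proxy_ip
    return Connection(src_ip=src, dst_ip=client_conn.dst_ip, headers=headers)


def _valid_ip(value: str) -> Optional[str]:
    """Return a normalised IP string, or None if the entry is not an address."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def original_client_ip(conn: Connection, trusted_proxies: Set[str]) -> Optional[str]:
    """Firewall-side derivation of an "original client IP" field.

    The header is only meaningful when the connection arrived from a proxy we
    trust; any other sender can write arbitrary XFF/True-Client-IP values.
    XFF is walked from the right (the hop our proxy appended last) leftwards,
    skipping addresses that are themselves trusted proxies; the first remaining
    address is the client, and everything further left is client-supplied.
    True-Client-IP is consulted only when XFF is absent (example's own choice).
    """
    if conn.src_ip not in trusted_proxies:
        return None
    xff = conn.headers.get("X-Forwarded-For")
    if xff:
        for hop in reversed(xff.split(",")):
            ip = _valid_ip(hop)
            if ip is None:
                return None                       # malformed chain: trust nothing
            if ip not in trusted_proxies:
                return ip
        return None
    tci = conn.headers.get("True-Client-IP")
    return _valid_ip(tci) if tci else None


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Return (source logged on the wire, derived original client) per scenario."""
    client_req = Connection(CLIENT_IP, ORIGIN_IP, {"Host": "example.net"})
    forged_req = Connection(CLIENT_IP, ORIGIN_IP,
                            {"Host": "example.net", "X-Forwarded-For": "198.51.100.7"})
    results: Dict[str, Tuple[str, Optional[str]]] = {}
    # The poster's situation: proxy in the path, XFF not enabled.
    c = proxy_forward(client_req, PROXY_P1_IP, add_xff=False)
    results["proxy_no_xff"] = (c.src_ip, original_client_ip(c, TRUSTED_PROXIES))
    # XFF enabled on the proxy: wire source is still P1, header names the client.
    c = proxy_forward(client_req, PROXY_P1_IP)
    results["proxy_xff"] = (c.src_ip, original_client_ip(c, TRUSTED_PROXIES))
    # Client injects its own XFF: the proxy appends the true address, forgery ignored.
    c = proxy_forward(forged_req, PROXY_P1_IP)
    results["proxy_xff_forged_by_client"] = (c.src_ip, original_client_ip(c, TRUSTED_PROXIES))
    # IP spoofing on the proxy: the wire source is already the client, no header needed.
    c = proxy_forward(client_req, PROXY_P1_IP, ip_spoofing=True)
    results["ip_spoofing"] = (c.src_ip, original_client_ip(c, TRUSTED_PROXIES))
    # Client bypasses the proxy and sends a forged XFF straight to the firewall.
    results["direct_forged"] = (forged_req.src_ip, original_client_ip(forged_req, TRUSTED_PROXIES))
    return results


if __name__ == "__main__":
    for name, (wire_src, original) in demo().items():
        print(f"{name:28s} wire source={wire_src:13s} original client={original}")
```

The "proxy_no_xff" row is the behaviour the original poster asked about: the connection event shows the P1 address and nothing identifies the endpoint. Enabling XFF changes only the header, not the wire source, which is why the field has to be derived from the header and why the derivation must check that the connection really came from the proxy before believing it.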
