11-25-2016 11:24 PM - edited 03-10-2019 06:43 AM
We are running Firepower 6.0 on the FireSight and a 7000 series sensor. HTTP traffic which the IPS sensor is inspecting is coming via a web proxy which has X-Forwarded-For enabled on it. I have checked this by running a capture on the sensor and can see the real source IP address in the HTTP header of the traffic instead of the proxy IP.
How do we enable the packet capture when an IPS incident is triggered to include the XFF information? At the moment we only get the single attack packet. How do we increase the packet capture size to include the whole session?
Also there is no documentation on the signature "(119:30) HI_CLIENT_BOTH_TRUEIP_XFF_HDRS". Does anyone know what this does?
Thanks
11-28-2016 03:47 AM
I think that you will have more luck succeeding if you are running Firepower 6.1.
Release notes: http://www.cisco.com/c/en/us/td/docs/security/firepower/610/relnotes/Firepower_System_Release_Notes_Version_610.html
Search for XFF.
Either way you should check out the manual for the Network Analysis Policy regarding XFF to see if you missed a checkmark or two. :)
http://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/application_layer_preprocessors.html#ID-2244-000004d5
Search for Extract Original Client IP Address
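As an added illustration of what the "Extract Original Client IP Address" setting has to do (this is example code, not Cisco's or Snort's implementation): parse the proxied request, honour X-Forwarded-For only when the packet actually came from a trusted proxy (the header is client-writable otherwise), pick the original client address, and flag the condition the question's signature name describes, a request carrying both True-Client-IP and X-Forwarded-For. The sample request, the proxy address and the preference for True-Client-IP over X-Forwarded-For when both are present are assumptions of the example.

```python
import ipaddress

# Constructed sample: a request as the sensor sees it after the web proxy
# inserted X-Forwarded-For (all addresses are made up for the example).
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "X-Forwarded-For: 10.1.2.3, 192.0.2.10\r\n"
    "\r\n"
)
# Assumed address of the web proxy, i.e. the packet source the sensor sees.
TRUSTED_PROXIES = {"192.0.2.10"}


def parse_headers(raw_request):
    """Map lowercase header name -> list of values (a header may repeat)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def extract_original_client(raw_request, packet_src_ip, trusted_proxies=TRUSTED_PROXIES):
    """Return (client_ip, alerts): the address an event should be attributed
    to, plus conditions an HTTP preprocessor would flag on this request."""
    headers = parse_headers(raw_request)
    alerts = []
    # Only believe proxy-inserted headers when the packet really came from a
    # trusted proxy; any client can send X-Forwarded-For itself.
    if packet_src_ip not in trusted_proxies:
        return packet_src_ip, alerts
    xff = [v.strip() for vals in headers.get("x-forwarded-for", [])
           for v in vals.split(",") if v.strip()]
    true_client = headers.get("true-client-ip", [])
    if xff and true_client:
        # Both headers in one request, as the signature name in the question says.
        alerts.append("119:30 HI_CLIENT_BOTH_TRUEIP_XFF_HDRS")
    # Assumed preference: True-Client-IP, else the leftmost XFF hop (original client).
    candidate = true_client[0] if true_client else (xff[0] if xff else None)
    if candidate is None:
        return packet_src_ip, alerts
    try:
        return str(ipaddress.ip_address(candidate)), alerts
    except ValueError:
        alerts.append("malformed client address in header: %r" % candidate)
        return packet_src_ip, alerts
```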
11-28-2016 04:04 AM
Thank you for that Dennis.