
Configuring WSA L4 Traffic Monitor in vSphere

mfranklin11
Level 1

Hello all, I am seeking a bit of guidance. I have stood up 2 new WSA S600V appliances in our VMware environment, with an M600V for centralized management. So far so good on getting everything configured. We are using transparent redirection via WCCP from our ASA. Previously we had physical WSA appliances and had configured a SPAN port off of our 4506 for the L4 traffic monitor tap interface. Since we've gone with virtual appliances I decided to take a different approach. I configured a dedicated port group in vSphere for the proxy traffic (P1), with promiscuous mode enabled, and connected the tap interface (T1) to that same port group. This way the proxy traffic flowing across the port group would be presented to the L4 tap interface. This is working and the L4 traffic monitor is detecting/monitoring/blocking this traffic; the only issue I am seeing is that the source IP for the malicious traffic is the proxy interface on the WSA itself as opposed to the client (workstation). Not a major issue, as I can just match up the destination address to the other WSA logs to get the full picture. I guess I'm curious if anyone else has tried this or would have any suggestions/recommendations?


3 Replies

opryluts
Cisco Employee

Hi there.


A couple of questions to better understand your deployment:

1. Do you use the same WSA interface for both client and server traffic legs? For instance, does P1 handle both client-to-WSA and WSA-to-server traffic, or not?

2. Is there a split routing in place?

3. Do you use IP spoofing on WSA?

4. Do you mirror the traffic from the P1 port group in both directions?


Also, collecting packet captures on the T1/T2 interfaces would help you to isolate whether it is a WSA-related or an ESXi network-related issue. If you see both traffic legs in the captures, that means something is wrong with WSA L4 networking, and vice versa.

Hello and thanks for the quick reply! Please find the answers to your questions below. I ran a packet capture on the tap interface (T1), filtered the output down to my test VM and I am able to see both sides of the conversations (source and destination) in the capture.


1. Do you use the same WSA interface for both client and server traffic legs? For instance, does P1 handle both client-to-WSA and WSA-to-server traffic, or not?

Yes, all proxy traffic (client <> WSA <> Internet) is tunneled through the [P1] interface which is on the same subnet as the inside interface of the ASA. I have dedicated management [M1] on a separate subnet and duplex TAP on [T1].


2. Is there a split routing in place?

Nope, all WCCP traffic is flowing across the same subnet from the ASA to the WSA; no routes are defined on the WSA.


3. Do you use IP spoofing on WSA?

No


4. Do you mirror the traffic from the P1 port group in both directions?

Yes. Since we are tapping from a virtual interface connected to the vSphere port group, there isn't an option to set ingress or egress on the port group, so I decided to go with a duplex tap interface.

Thank you for the details.


In such a scenario I'd assume it is expected. The WSA gets a client request and forwards it to the destination web server using its own IP as the source. That traffic gets mirrored to the T1 interface, so the TAP sees the traffic as WSA SRC IP -> WebserverIP port 80 or 443. If the destination is considered to be malicious, it blocks/records that event.


With regard to the L4TM settings, do you monitor all traffic, or do you exempt proxy traffic from L4TM on the WSA?
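The original poster's workaround (matching the destination address in an L4TM event against the proxy's own access records to recover the client) and the explanation above (the tap only ever sees the WSA's P1 address as the source of the outbound leg) can be turned into a small correlation step. The script below is an added example and is not code from Cisco or from this thread. It assumes a hypothetical WSA P1 address of 10.1.1.20, and the two record formats it parses are constructed for the example; they are not the WSA's real L4TM or access log formats, so a real deployment would need its own parsers feeding the same dataclasses. The time window handles the failure mode a practitioner cares about: an L4TM event with no proxy record close enough in time stays unattributed rather than being pinned on the wrong client.

```python
"""Correlate L4 Traffic Monitor events (source = WSA P1 IP) with proxy access
records to recover the client behind each event.

Added example, not Cisco's code. Record formats and addresses are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

WSA_P1_IP = "10.1.1.20"  # hypothetical P1 (proxy) interface address of the WSA


@dataclass
class L4tmEvent:
    ts: datetime
    src: str      # on the tap this is the WSA's own P1 address
    dst: str
    dport: int
    action: str   # e.g. BLOCK or MONITOR


@dataclass
class AccessRecord:
    ts: datetime
    client: str   # the workstation that actually requested the destination
    dst_ip: str
    dport: int
    url_host: str


# Constructed sample data (simplified, space-separated; not a real WSA format).
L4TM_EVENTS = """\
2024-01-10T10:00:05 10.1.1.20 203.0.113.45 443 BLOCK
2024-01-10T10:00:09 10.1.1.20 198.51.100.7 80 MONITOR
2024-01-10T10:05:00 10.1.1.20 203.0.113.45 443 BLOCK
"""

ACCESS_RECORDS = """\
2024-01-10T10:00:04 192.168.5.31 203.0.113.45 443 bad.example
2024-01-10T10:00:08 192.168.5.77 198.51.100.7 80 other.example
2024-01-10T10:02:00 192.168.5.31 203.0.113.45 443 bad.example
"""


def parse_l4tm(text: str) -> List[L4tmEvent]:
    """Parse the constructed L4TM event lines into L4tmEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        events.append(L4tmEvent(datetime.fromisoformat(ts), src, dst, int(dport), action))
    return events


def parse_access(text: str) -> List[AccessRecord]:
    """Parse the constructed proxy access record lines into AccessRecord objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dst_ip, dport, host = line.split()
        records.append(AccessRecord(datetime.fromisoformat(ts), client, dst_ip, int(dport), host))
    return records


def find_client(event: L4tmEvent, records: List[AccessRecord],
                window: timedelta = timedelta(seconds=5)) -> Optional[str]:
    """Return the client IP from the access record to the same destination and
    port that is closest in time to the event, provided it falls inside
    `window`. Returns None when no record is close enough, so the event is
    reported as unattributed instead of being blamed on the wrong client."""
    best: Optional[Tuple[timedelta, str]] = None
    for rec in records:
        if rec.dst_ip != event.dst or rec.dport != event.dport:
            continue
        delta = abs(rec.ts - event.ts)
        if delta <= window and (best is None or delta < best[0]):
            best = (delta, rec.client)
    return best[1] if best else None


def correlate(events: List[L4tmEvent], records: List[AccessRecord]) -> List[Tuple[str, str, Optional[str]]]:
    """For every event whose source is the WSA's P1 address, return
    (action, destination, attributed client or None)."""
    return [(e.action, e.dst, find_client(e, records))
            for e in events if e.src == WSA_P1_IP]


if __name__ == "__main__":
    for action, dst, client in correlate(parse_l4tm(L4TM_EVENTS), parse_access(ACCESS_RECORDS)):
        print(f"{action:8} dst={dst:15} client={client or 'UNATTRIBUTED'}")
```

With the constructed data the first two events resolve to 192.168.5.31 and 192.168.5.77, while the third (10:05:00) has no access record to 203.0.113.45 within five seconds and is left unattributed. In practice the window should be tuned to the clock skew between the tap and the proxy, and a join on destination plus port alone can still be ambiguous when several clients hit the same server at once; the closest-in-time rule is a best effort, not proof.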