WCCP on FMC OR NOT? SSL Decryption before WCCP?

Carter Zhu
Level 1

Here is the scenario: the client wants to migrate to FMC/FTD from an existing ASA, and on the ASA, WCCP is enabled to redirect the web traffic to the WSA. FTD has full licenses.

Question 1: is it better to leverage the FTD policy to inspect the web traffic instead of redirecting to the WSA with WCCP? I don't know much about the features on the WSA, so I'm not sure what the benefits of the WSA over FTD are for inspecting web traffic.

Question 2: if we enable both SSL-Decryption and WCCP on the FTD, does the cert re-sign happen before the WCCP redirect? Is WCCP still supported on FMC 6.7 via FlexConfig?

Thanks.

Accepted Solution


1. The FTD does not have the full depth of inspection that the WSA does. Nor does it have the same flexibility of configuration... Moving the WSA functionality to FTD is a whole other project. Save yourself some sanity... replace the firewall, make sure it is all working, then start adding functionality.
2. If you do WCCP to send web traffic to the WSA, you don't need/want the FTD to decrypt the traffic, or even really inspect it much (we do geoblock, but that's it). Extra work/complication for no gain.
Also, keep this in mind... if you're NOT using Security Analytics and Logging, your FMC is keeping comparatively NOTHING for logs... a few hours or days at best... a WSA will have logging data for many months (mine was at about 14 or 15 months). So things like Cisco Threat Response will actually have data to work against (did a user click on that link they got in email yesterday??) with a WSA...


3 Replies


Thank you for your advice, Ken.

What if the client wants to add SSL-Decryption for certain web traffic? I guess it should be applied on the WSA instead of the FTD, correct?

I guess the client does not have SSL-Decryption enabled on their WSA, which I will confirm with them next week; that is probably why they came up with the idea of decrypting traffic on the FTD before redirecting to the WSA. But if HTTPS traffic is decrypted by the FTD, the WSA still could not inspect it without SSL-Decryption enabled. In this case, the best solution would be enabling WCCP on the FTD and SSL-Decryption on the WSA for the specific traffic. Is my understanding correct?

Yes. Your best option is doing the decryption on the WSA.

I'm not sure if decryption on the FTD and then sending it to the WSA is even an option.

I'm sort of getting the feeling that they think decryption on the FTD is easier to set up than on the WSA... it's not... same basic cert requirements on the decryption device and the client machines...