04-21-2019 11:33 PM
Hi
We are going to deploy 2 x WSA S190 with a WCCP configuration and 2 x FTD. I have the following query regarding the design perspective of WSA with FTD.
Topology
1- We have 2 x FTD in an active/standby scenario.
2- All gateways/sub-interfaces have been configured on the FTD (wired/wireless users with separate VLANs).
3- We want to configure 2 x WSAs for HTTP/HTTPS inspection.
Query
1- Since all user gateways are configured on the FTD and we want to inspect at least 2 or 3 VLANs (wired users/wireless users), where should the WSAs be placed in this topology (in which VLAN should we put the 2 x WSAs)?
2- Should we keep the WSAs in a separate VLAN from the user/server VLANs, with the FTD redirecting traffic to the WSA?
3- I read that the WSA and the users should be behind the same ASA/FTD interface, but in my case there are multiple sub-interfaces with different VLANs whose traffic should be inspected via the WSA, and the WSA's gateway will also be an FTD sub-interface.
4- Can we do redundancy with WCCP (instead of load balancing, I want to achieve an active/passive scenario with WCCP)? I read that if we use high/low service ID numbers on the WSAs for the same traffic, then the WSA with the lower number will be active?
5- We cannot achieve auto synchronization with WCCP, or configure a cluster on the WSAs with WCCP, and we need an SMA to achieve this; will a virtual SMA be sufficient?
I need your support to help me figure it out.
Thanks
04-22-2019 01:43 AM
At a high level, here is the deployment suggestion for how you can place the WSA in the network.
For WCCP and Firepower WSA redirection you can use the config guide below.
SMA is the right way to centralise rules for the WSA. (Make sure your VM has proper compute resources, since most of the logs are stored centrally.)
I have recently tested one PoC FTD 41XX with an S690 (not WCCP; we used WPAD to redirect. I personally believe that is the best way to do an enterprise kind of setup.)
While I was doing some research I found some snippets that work for users:
This was an FTD 2110 deployment; the client was not ready to use native URL filtering on the FTD and wanted to continue to use a third-party appliance via WCCP redirection.
I used two FlexConfig objects to deploy the configuration for service 0 (HTTP) and service 70 (HTTPS). The FlexConfig deployed this CLI configuration to the FTD:
wccp 0 redirect-list WS-Redirect group-list WS-Gateway
wccp 70 redirect-list WS-Redirect group-list WS-Gateway
wccp interface inside 0 redirect in
wccp interface inside 70 redirect in
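The FlexConfig CLI above references two access lists it does not show. The following is an added example (not from the thread) of what those lists typically contain; the WSA and user addresses, the `inside` interface and the shared secret are assumptions, and the WSAs are placed on the same inside subnet as the users because ASA/FTD WCCP only redirects traffic when clients and WSA sit behind the same interface, as the thread notes.

```cisco
! Added example, not the poster's configuration. All addresses are assumptions.
!
! group-list: only these WSA addresses may register with the WCCP service groups.
! Restricting this prevents an unexpected host from joining and receiving user traffic.
access-list WS-Gateway extended permit ip host 10.1.10.21 any
access-list WS-Gateway extended permit ip host 10.1.10.22 any
!
! redirect-list: what gets redirected. Deny the WSAs' own outbound traffic first so
! proxied requests are not redirected back to the proxy (a loop), then permit only
! user web traffic from the inside subnet. Anything else is never redirected.
access-list WS-Redirect extended deny ip host 10.1.10.21 any
access-list WS-Redirect extended deny ip host 10.1.10.22 any
access-list WS-Redirect extended permit tcp 10.1.10.0 255.255.255.0 any eq www
access-list WS-Redirect extended permit tcp 10.1.10.0 255.255.255.0 any eq https
!
! Service 0 is web-cache (HTTP); service 70 is the HTTPS service ID chosen on the WSAs.
! The password must match the one configured in the WSAs' WCCP service profiles.
wccp 0 redirect-list WS-Redirect group-list WS-Gateway password <shared-secret>
wccp 70 redirect-list WS-Redirect group-list WS-Gateway password <shared-secret>
!
! Redirect inbound on the interface the users (and the WSAs) are behind.
wccp interface inside 0 redirect in
wccp interface inside 70 redirect in
```

On the WSA side, the same service IDs (0 and 70), the FTD inside interface address as the router, and the same password are configured in the WCCP service profiles; a mismatch means the WSA never shows as an assigned cache in `show wccp`.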
04-22-2019 05:14 AM
The Design document for reference.
Yes, the WSA and the users can be on different networks, as long as you have routing/FW rules in place to reach the WSA outbound and return traffic to the user.
Yes, I assume you need per-interface redirection to WCCP. Test and advise.
04-22-2019 01:20 PM - edited 04-22-2019 01:21 PM
Hi
I understood that WCCP LB/redundancy is not possible in our topology if multiple VLANs/sub-interfaces are configured on the FTD and we have to inspect multiple VLANs' traffic with 2 x WSA connected in a different subnet, due to the limitation of ASA LINA on the FTD (the WSAs and the users' traffic should be behind the same interface, but in our case the WSAs and users are split).
How about this scenario:
1- Instead of WCCP, can we do policy-based routing?
2- Suppose this FTD is configured as the core firewall and another set of firewalls is configured as the perimeter firewall, all sub-interfaces are configured on the core FTD, and the core firewall routes all user traffic toward the perimeter firewall via its outside interface.
3- In the above case, if we put the WSAs on the outside interface of the core firewall or the inside interface of the perimeter firewall, can we achieve our objective (now all user traffic comes only from the outside interface)?
4- Should we configure WCCP on the core FTD firewall's outside interface or the perimeter firewall's inside interface? (The WSAs will be placed between the core and perimeter firewalls, so where should we configure WCCP?)
5- Can we also use policy-based routing on either the FTD outside interface or the perimeter firewall inside interface to redirect traffic?
Thanks for the comment.
04-24-2019 10:48 PM
Thanks
I've decided to configure WCCP on the switch between the FTD and the perimeter firewall (the perimeter FW does not support WCCP; it is a non-Cisco FW).
The FTD will send all traffic to the switch; the switch will redirect to the WSAs and send the rest of the traffic directly to the perimeter firewall.
Will WCCP do load balancing and redundancy in case WSA1 goes down?
We don't need to configure a failover group on the WSAs since we are not doing any explicit forward proxy?
I'll have to put both WSAs' IPs in the group list on the core switch, so the core switch will be doing the load balancing?
Regards
I think this will work in our scenario.
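The switch-based design described above, as an added example that is not part of the thread: WCCP on a Cisco IOS switch sitting between the core FTD and the perimeter firewall, with both WSAs in one service group so the switch load-shares between them and drops a WSA from the group when it stops sending WCCP "Here I Am" messages. VLAN numbers, addresses and the shared secret are assumptions.

```cisco
! Added example, not the poster's configuration. All addresses and VLANs are assumptions.
!
! Which caches may join the service groups: both WSAs. With two caches registered,
! WCCP splits the hash buckets between them and reassigns all buckets to the
! surviving WSA if one stops sending Here-I-Am, giving both LB and redundancy.
ip access-list standard WSA-CACHES
 permit 10.10.99.11
 permit 10.10.99.12
!
! What is redirected: only user HTTP/HTTPS. The WSAs' own egress is excluded so
! proxied connections are not redirected back to the proxy.
ip access-list extended WSA-REDIRECT
 deny   ip host 10.10.99.11 any
 deny   ip host 10.10.99.12 any
 permit tcp 10.10.0.0 0.0.255.255 any eq 80
 permit tcp 10.10.0.0 0.0.255.255 any eq 443
 deny   ip any any
!
! Service web-cache (ID 0) for HTTP and service 70 for HTTPS, matching the WSAs'
! WCCP service profiles. The password must match what is set on both WSAs.
ip wccp web-cache redirect-list WSA-REDIRECT group-list WSA-CACHES password <shared-secret>
ip wccp 70 redirect-list WSA-REDIRECT group-list WSA-CACHES password <shared-secret>
!
! Redirect inbound on the interface facing the core FTD, where user traffic arrives.
interface Vlan200
 description Link to core FTD outside
 ip address 10.10.200.1 255.255.255.0
 ip wccp web-cache redirect in
 ip wccp 70 redirect in
!
! The WSA VLAN needs no redirect statement; traffic returning from the WSAs is
! already excluded by the deny entries in WSA-REDIRECT.
interface Vlan99
 description WSA VLAN
 ip address 10.10.99.1 255.255.255.0
```

`show ip wccp` and `show ip wccp 70 detail` on the switch confirm that both WSAs are registered and how the hash buckets are assigned between them.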