3349 Views, 20 Helpful, 8 Replies

WSA Design query with FTD/WCCP

hashimwajid1
Level 3

Hi

We are going to deploy 2 x WSA S190 with WCCP configuration with 2 x FTD. I have the following queries regarding the design perspective of WSA with FTD.

Topology

1- we've 2 x FTD in an active/standby scenario
2- all gateways/sub-interfaces have been configured on the FTD (Users Wired/Wireless with separate VLANs)
3- we wanted to configure 2 x WSAs for http/https inspection.

Query

1- since all user gateways are configured on the FTD and we want to do inspection of at least 2 or 3 VLANs (Wired Users/Wireless Users), in this case where do we put the WSA in this topology (in which VLAN should we put the 2 x WSAs)?

2- should we keep the WSAs in separate VLANs other than the users/servers VLANs, and the FTD will redirect traffic to the WSA?

3- I read that WSA and users should be behind the same ASA/FTD interface, but in my case there are multiple sub-interfaces with different VLANs whose traffic we want inspected via WSA, and the WSA gateway will also be an FTD sub-interface.

4- can we do redundancy with WCCP (instead of doing load balancing, I want to achieve an active/passive scenario with WCCP)? I read that if we use high/low service ID numbers on the WSAs for the same traffic, then the low-numbered WSA will be active?

5- we cannot achieve auto synchronization with WCCP or cannot configure a Cluster on WSA with WCCP and we need an SMA in order to achieve this, and a virtual SMA will be sufficient?

I need your support to help me figure it out

Thanks


8 Replies

balaji.bandi
Hall of Fame

High level, here is the deployment suggestion for how you can place the WSA in the network.

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-smart-business-architecture/sba_webSec_dg.pdf

For WCCP and Firepower for WSA redirection you can use the config guides below.

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/flexconfig_policies.html?bookSearch=true

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/flexconfig_policies.html#id_39923

SMA is the right way to centralize rules for WSA. (Make sure your VM has proper compute resources, since most of the logs are stored centrally.)

I have recently tested one PoC of FTD 41XX with S690 (not WCCP, used WPAD to redirect; I personally believe that is the best way to do it for an enterprise kind of setup).

While I was doing some research I found some snippets that work for users:

This was an FTD 2110 deployment; the client was not ready to use native URL filtering on the FTD, they wanted to continue to use a third-party appliance via WCCP redirection.

I used two FlexConfig objects to deploy the configuration for service 0 (http) and service 70 (https). The FlexConfig deployed this CLI configuration to the FTD.


wccp 0 redirect-list WS-Redirect group-list WS-Gateway
wccp 70 redirect-list WS-Redirect group-list WS-Gateway
wccp interface inside 0 redirect in
wccp interface inside 70 redirect in


BB

Thanks Balaji

It's mentioned in the design documents that WSA and users should be behind the same firewall interface (they can be in different networks).

1- in our case all sub-interfaces/gateways are configured on the FTD, so can I put the WSA in a dedicated VLAN and the FTD will be redirecting the different users' Wired/Wireless traffic toward the WSA?

2- since the FTD has the gateways/sub-interfaces of all users, do I have to apply the WCCP configuration on all sub-interfaces?

Sub-interface data
Sub-interface wireless

wccp interface data 0 redirect in
wccp interface wireless 0 redirect in

wccp interface data 70 redirect in
wccp interface wireless 70 redirect in

The Design document for reference.

 

Yes, WSA and users can be in different networks, as long as you have routing/FW rules in place to reach the WSA and return traffic to the users.

Yes, I assume you need per-interface redirection to WCCP. Test and advise.

BB

Ok my answers are based on a couple of assumptions:
Your users on different VLANs are hitting different interfaces on the FTD (eg more than one "inside" interface)
WCCP is implemented in the ASA "Lina" engine in FTD, which is why you use flexconfig to config it... and the ASA WCCP rules/limitations apply.



1. If you're going to split users on the FTD across 2 interfaces, you have to put one WSA behind each interface. You can't route WCCP traffic from one interface through the firewall to another interface and out to the WSA... it has to "bounce off the interface" to a WSA it can reach.

2. You can do this... I do.. I have the WSA, and the ASA on the same vlan, and the users are routed through that vlan, but they're all entering the ASA through the same interface.

3. Yes, so you can't put both WSA's on the same vlan if you do this. If you're splitting users, you'll have to split the WSAs, and you won't be able to do LB/failover with WCCP

4. WCCP doesn't do Active/Passive. Even if it did, you would still run into the issues in answers 1 and 3 above. You can try weighting it: set one REALLY low, and the other high.

5. Yes, virtual SMA will be sufficient. If you aren't doing centralized logging, it can be an M100 or even a M000 (config push only takes resources when you push), if you want to centralize logs, use at least an M100, or maybe a 300, depends upon how much traffic you're pushing.





Also, no reason to create multiple services, esp




Hi

I understood that WCCP LB/redundancy is not possible in our topology if multiple VLANs/sub-interfaces are configured on the FTD and we have to inspect multiple VLANs' traffic with 2 x WSA connected in a different subnet, due to the limitation of ASA Lina on FTD (in which WSA and user traffic should be behind the same interface, but in our case the WSAs and users are split).

How about this scenario

1- instead of WCCP, can we do policy-based routing?

2- suppose this FTD is configured as the CORE firewall and another set of firewalls is configured as the perimeter firewall, all sub-interfaces are configured on the CORE FTD, and the CORE firewall routes all user traffic toward the perimeter firewall via the outside interface.

3- in the above case, if we put the WSA on the outside interface of the core firewall or the inside interface of the perimeter firewall, then we can achieve our objective (now all user traffic is coming from the outside interface only).

4- should we configure WCCP on the CORE FTD firewall outside interface or the perimeter firewall inside interface? (the WSA will be placed between the CORE and perimeter firewalls, so where should we configure WCCP?)

5- can we also use policy-based routing either on the FTD outside interface or the perimeter firewall inside interface to redirect traffic?

Thanks for the comment


Again, assuming the ASA limitations apply:

1. Maybe? I don't know if they brought that over yet...

2. ASA WCCP is only on ingress, so it can't be on the core firewall outside interface as that would be on egress from the box...

3. See 2 above

4. You COULD do it on perimeter inside interface (ingress to that firewall)

5. Ditto, see #1.


Thanks

I've decided to configure WCCP on the switch between the FTD and the perimeter firewall (the perimeter FW does not support WCCP, non-Cisco FW).

The FTD will be sending all traffic to the switch, and the switch will be doing redirection to the WSA; the rest of the traffic it will be sending direct to the perimeter firewall.

WCCP will be doing load balancing and redundancy in case WSA1 goes down?

We don't need to configure a Failover Group on the WSA since we are not doing any explicit forward proxy?

I'll have to put both WSAs' IPs in the group list on the core switch, so the core switch will be doing load balancing?

Regards

I think this will work in our scenario

Yes, WCCP will load balance, so if one goes down, the other will get all of the traffic.



Correct, no need to do a failover group.



Yes, in the ACL for what to send to the WSA, you want to "allow" all of your internal networks, and DENY both WSAs. (so that traffic from one WSA doesn't get looped back to the other one)
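The following is an added worked example, not configuration from the thread or from Cisco: a small Python model of the redirect decision the last reply describes (redirect-list that permits the internal networks and denies both WSAs, hash buckets spread over the WSAs in the service group, all buckets moving to the survivor when one WSA drops out, and traffic forwarded normally when no WSA is left). All addresses, the two VLAN prefixes, the WSA IPs and the ACL names WS-Redirect/WS-Gateway are constructed for illustration; real WCCPv2 hashes the fields the service group negotiates (destination IP for service 0), whereas this model hashes the source IP so per-client assignment is easy to follow.

```python
"""Model of a WCCP redirect-list and hash-bucket assignment (added example).

Constructed topology, not the thread's: two user VLANs, two WSAs on a
dedicated subnet, and a switch applying the ACL from the last reply:
permit the internal networks, deny both WSAs.
"""
import hashlib
import ipaddress

# Assumed addressing, chosen for illustration only.
INTERNAL_NETS = [
    ipaddress.ip_network("10.10.0.0/24"),  # wired users (assumed)
    ipaddress.ip_network("10.20.0.0/24"),  # wireless users (assumed)
]
WSAS = {
    "wsa1": ipaddress.ip_address("10.99.0.11"),  # assumed WSA addresses
    "wsa2": ipaddress.ip_address("10.99.0.12"),
}
WEB_PORTS = (80, 443)  # service 0 (web-cache) plus the HTTPS service group
BUCKETS = 256          # WCCPv2 divides the hash space into 256 buckets


def matches_redirect_list(src, dport):
    """Evaluate the redirect ACL top-down.

    The deny for WSA-sourced packets sits first, so a WSA's own upstream
    fetch is never redirected to the other WSA (the loop the reply warns
    about). Only internal sources going to web ports are then permitted;
    everything else falls to the implicit deny and is forwarded normally.
    """
    src = ipaddress.ip_address(src)
    if src in WSAS.values():
        return False            # deny ip host <wsa> any
    if dport not in WEB_PORTS:
        return False            # not a web flow, implicit deny
    return any(src in net for net in INTERNAL_NETS)


def assign_buckets(alive):
    """Spread the 256 hash buckets evenly over the WSAs in the service group.

    With one WSA gone the router reassigns every bucket to the survivor,
    which is the redundancy the reply describes. With none left, no bucket
    has an owner and traffic takes the normal path (WCCP fails open).
    """
    alive = sorted(alive)
    if not alive:
        return [None] * BUCKETS
    return [alive[i % len(alive)] for i in range(BUCKETS)]


def bucket_for(src):
    """Deterministic bucket from the source address (assumption: real WCCP
    hashes the negotiated fields, e.g. destination IP for service 0)."""
    digest = hashlib.sha256(str(ipaddress.ip_address(src)).encode()).digest()
    return digest[0]  # 0..255


def route_packet(src, dport, alive):
    """Return the WSA that receives the packet, or "direct" when it is
    forwarded along the normal path (ACL miss, or empty service group)."""
    if not matches_redirect_list(src, dport):
        return "direct"
    target = assign_buckets(alive)[bucket_for(src)]
    return target if target is not None else "direct"


def render_acls():
    """Emit IOS-style ACLs equivalent to matches_redirect_list, so the model
    can be compared line by line with the switch configuration. WS-Gateway
    is the group-list: only the listed WSAs may join the service group."""
    lines = ["ip access-list extended WS-Redirect"]
    for wsa_ip in WSAS.values():
        lines.append(f" deny ip host {wsa_ip} any")
    for net in INTERNAL_NETS:
        for port in WEB_PORTS:
            lines.append(f" permit tcp {net.network_address} {net.hostmask} any eq {port}")
    lines.append("ip access-list standard WS-Gateway")
    for wsa_ip in WSAS.values():
        lines.append(f" permit host {wsa_ip}")
    return lines


if __name__ == "__main__":
    print("\n".join(render_acls()))
    both = ["wsa1", "wsa2"]
    for src, port in [("10.10.0.5", 443), ("10.20.0.7", 80),
                      ("10.99.0.11", 443), ("10.10.0.5", 22)]:
        print(f"{src}:{port} both up -> {route_packet(src, port, both)}, "
              f"wsa1 down -> {route_packet(src, port, ['wsa2'])}")
```

The order of the ACL entries is the point: the deny for each WSA must precede the permits for the user networks, otherwise a WSA that happens to sit inside a permitted range would have its own outbound fetches redirected to its peer. Switching the service group to source-IP hashing on the real devices is a separate decision; the model only fixes it for readability.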