Can we use Firepower as a proxy

engahmedsaied
Level 1

In version 6.x, can we use Firepower as a proxy for clients?!

Marvin Rhoads
Hall of Fame

You can force client authentication via a captive portal.

It's pretty basic but it does work.

Reference:

http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/200329-Configure-Active-Directory-Integration-w.html

Is that what you're looking for?

Hello Marvin,

If the users' gateway is an ASA with Firepower, then traffic will be redirected to the sensor to check URLs and applications according to the configured policy.

But if the gateway is not the ASA, can we open a browser and enter the IP address of the sensor or ASA? Can this work, and which port can we use? Is there a port the sensor listens on, or does it not work like that, and only traffic that reaches the ASA is redirected to the sensor?

I have branch users who cannot reach the internet directly, but when they enter the TMG IP address as a proxy it works, as they go through TMG. What if we need the users there to go through the ASA, not TMG?

Can we add a route that routes internet traffic to the ASA?

And why can we not enter the ASA or sensor IP in the browser as a proxy? Because it will not listen for that traffic?!

Please clarify this point: what is the difference if I put the IP in the browser as a proxy or set the users' gateway to it, and the IP is the ASA?

Thanks.

I see what you're asking.

In this case the answer is "no". A FirePOWER module (or dedicated FirePOWER appliance) cannot act as a proxy in the way you are asking.

In the case of a FirePOWER service module it only inspects traffic redirected to it via the service policy in the parent ASA. It can then intercept that traffic and enforce policy. Otherwise, the end user system has no interaction with it.

If your routing directs the outgoing traffic via your ASA with FirePOWER service module then it can inspect and control user traffic consistent with the configured policy. If the network routing does not steer the traffic via the ASA then the end user cannot override that.

You can implement a proxy the way you are asking using the Cisco Web Security Appliance (WSA). That's one of its primary modes of operation.
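
The difference asked about above, shown as an added example that is not part of the original thread: with an explicit proxy the browser opens its TCP connection to the proxy's own IP and port and sends a proxy-form request, so the device must run a listener that understands it; with a routed gateway the connection is addressed to the origin server and the gateway only forwards and inspects packets. The proxy address 192.0.2.10:8080, the URLs and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit


def client_request(url, proxy=None):
    """Return ((dest_host, dest_port), first_request_line) for a browser fetch.

    proxy is an optional (ip, port) tuple as typed into the browser's proxy
    settings (constructed values here). With proxy=None the client simply
    routes packets via its default gateway.
    """
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    path = (u.path or "/") + ("?" + u.query if u.query else "")
    if proxy is None:
        # Routed mode: the TCP destination is the origin server. An inline
        # device (ASA redirecting to the sensor) sees this traffic only if
        # routing steers it through that device. For https this request
        # line travels inside the TLS session.
        return (u.hostname, port), f"GET {path} HTTP/1.1"
    if u.scheme == "https":
        # Explicit proxy, HTTPS: ask the proxy to open a tunnel.
        return proxy, f"CONNECT {u.hostname}:{port} HTTP/1.1"
    # Explicit proxy, HTTP: the full URL goes in the request line.
    return proxy, f"GET {url} HTTP/1.1"


def request_target_form(request_line):
    """Classify the request-target form (RFC 9112, section 3.2)."""
    method, target, _version = request_line.split(" ", 2)
    if method == "CONNECT":
        return "authority-form"
    if target == "*":
        return "asterisk-form"
    if target.startswith("/"):
        return "origin-form"
    if urlsplit(target).scheme in ("http", "https"):
        return "absolute-form"
    raise ValueError(f"unrecognised request-target: {target!r}")


def needs_proxy_listener(request_line):
    """True when only a device running a proxy service can answer this."""
    return request_target_form(request_line) in ("absolute-form", "authority-form")


if __name__ == "__main__":
    sample_proxy = ("192.0.2.10", 8080)  # constructed documentation address
    for url in ("http://example.com/index.html", "https://example.com/"):
        for proxy in (None, sample_proxy):
            dest, line = client_request(url, proxy)
            print(dest, "|", line, "|", request_target_form(line))
```
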

Clear answer.

Thanks Marvin.
