Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA FirePOWER and PROXY

I wonder if there are any clues that helps to extract as much information about users behind proxy as possible? We're migrating ASA 5520 to new ASA with firepower module, but there's a proxy on inside network, talking to ASA with WCCP. So source IP will be always single PROXY address, and domain username is also lost. 

The only possibility I can see is extracting original client ip from X-Forwarded-For header. It can be a solution, but: On intrusion event tab I can add "Original Client IP" column ( this feature is not working by the way on my 5.3.1.1 (build 37) - field is always empty, even if I can see X-Forwarded-For in packet details ). Additionaly, on AMP submenu I can't see any place where "Original Client IP" could be viewed? 

Placing Proxy behind any other interface than inside would be a nicer solution, but WCCP on ASA doesn't support it. 

 

Would be grateful for any help

Lukas

 

10 REPLIES
New Member

Internet<--> IPS <-->Proxy <-

Internet<--> IPS <-->Proxy <-->Client

if the proxy send client ip address with "X-Forwarded-Fo"r how can i read this information with sourcefire and when packet leaves from Sourcefire i want remove "X-Forwarded-For".

is that possible?

zafer

Silver

Hi,

Hi,

Yes, we can disable this XFF information under Policy->Acces control->Network Analysis policy ->tcp preprocessor.

Rate if that helps.

Thanks,

Ankita

Cisco Employee

Sourcefire (aka Firepower)

Sourcefire (aka Firepower), at this time, does not have a way to strip the XFF header off the packet.

Cisco Employee

I would recommend that you

I would recommend that you verify that "extract XFF" is enabled in the HTTP preprocessor.

~ Cheers

New Member

In the HTTP preprocessor

In the HTTP preprocessor turned on "Extract Original Client IP Address", but still see only Proxy's ip address in Analysis->Connections ->Events.

How to obtain original ip, not proxy's ???

New Member

Did you manage to solve this

Did you manage to solve this?
I have the same problem, "Extract Original Client IP Address" is enabled, but in event logs I still see only proxy IP as Initiator IP

Cisco Employee

The default headers that can

The default headers that can be extracted from a packet are X-Forwarded-For and True-Client-IP. If you have a proxy using "Original Client IP Address" (confirm in the packet) then you can add this to the HTTP preprocessor.

New Member

I had this issue also. There

I had this issue also. There are a couple of settings in the HTTP preprocessor.

Firepower 6.0

Go to Policies -> Access Control -> Network Analysis Policy (Top right of browers window).

Edit existing policy, or create new policy.

Policy information -> Settings -> HTTP Configuration

Under Targets click + to add a server and enter the IP address, CIDR, or comma-seperated list. Click OK.

Then check boxes "Detect HTTP Proxy Servers", "Allow HTTP Proxy use", and "Extract Original Client IP Address".

For mine I have "XFF Header Priority" with #1 "X-Forward-For"

Hope this helps.

-Bill

Hello Guys,How can i enable

Hello Guys,

How can i enable "extract XFF" on FMC 6.1? I cannot find Network Analysis Policy section.

Cisco Employee

It's been moved from the

It's been moved from the intrusion policy (<= 5.4.x) to the advanced tab in the access control policy. 

2990
Views
0
Helpful
10
Replies