
We have a user traffic flow like below (PC - Internet)

PC => Cisco ASA FW+IPS integrated => Fortigate Proxy (ISP connected to this Proxy) = > Internet

PC = > ASA+IPS ==> Fortigate Proxy ==> Internet.

Question is: can this IPS monitor if there is any attack on the Fortigate proxy? Can you guide simply how to configure it? Thanks a lot

PCIrs
  • Yes, an IDS/IPS can monitor bidirectional traffic. Actually configuring it is a specific question beyond the scope of this site. – Mar 18 '15 at 12:06

1 Answer


Given the layout provided, no, the Cisco ASA/IPS can't detect any Internet-based attacks on the Fortigate because it can't see the traffic on that interface.

That said, gowenfawr is right about the IPS seeing bi-directional traffic, though only on interfaces connected to the IPS.

Depending on a number of factors, you could mirror the Fortigate <-> Internet link to a dedicated port on your ASA. As far as I know, that would give you visibility, but no way to actively stop the attacks.

GregL
  • Thanks both. However, the Fortigate proxy is connected to an ASA (IPS) interface, but the only thing is the Fortigate is in front of the IPS. That's where it's confusing. By your answers I understand it can monitor if the Fortigate is connected to the ASA. – PCIrs Mar 19 '15 at 02:01
  • Is mirroring considered as moving the connection back to the ASA or just creating a virtual link to the ASA? Because we can't move the physical internet connection to the ASA. The Fortigate proxy will be at the outer layer of our network. Hope it is possible to monitor bidirectional if the interface is connected to it. Please confirm – PCIrs Mar 19 '15 at 02:04
  • You can read more about port mirroring [here](http://en.wikipedia.org/wiki/Port_mirroring), and using it would require having a switch that supports it sitting between the Fortigate and the upstream device. If the upstream device is a modem (which likely won't like having a switch in its way), or you don't want to have a switch there, an aggregator like [this](https://www.networktaps.com/v/aggregator.htm) will do the trick. – GregL Mar 20 '15 at 16:57
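The reasoning in the answer and comments above (an inline sensor only sees segments that pass through it; a mirror feed adds visibility but not the ability to drop packets) written out as a small model, with the Cisco IOS local SPAN lines a practitioner would put on the switch GregL describes. This is an added example, not code from the original thread or from Cisco/Fortinet; the device and interface names are constructed, and it generalizes beyond the thread's three-hop layout to any topology you give it.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Link:
    """An undirected network segment between two devices."""
    a: str
    b: str

    def touches(self, device: str) -> bool:
        return device in (self.a, self.b)


@dataclass
class Topology:
    links: List[Link]
    ips_device: str                                     # device hosting the inline IDS/IPS
    mirrored: List[Link] = field(default_factory=list)  # segments copied to the IPS via SPAN

    def visibility(self) -> Dict[Link, str]:
        """Classify every segment as the IPS sees it.

        inline   - packets physically flow through the IPS device: detect AND block
        mirrored - a copy reaches a monitor port: detect only, nothing can be dropped
        blind    - the IPS never sees these packets at all
        """
        out: Dict[Link, str] = {}
        for link in self.links:
            if link.touches(self.ips_device):
                out[link] = "inline"
            elif link in self.mirrored:
                out[link] = "mirrored"
            else:
                out[link] = "blind"
        return out


def can_detect(state: str) -> bool:
    return state in ("inline", "mirrored")


def can_block(state: str) -> bool:
    # Only a sensor in the forwarding path can drop traffic; a mirror feed can only alert.
    return state == "inline"


def blind_spots(topo: Topology) -> List[Link]:
    """Segments on which an attack would go completely unnoticed by the IPS."""
    return [link for link, state in topo.visibility().items() if not can_detect(state)]


def span_config(session: int, source_if: str, dest_if: str) -> List[str]:
    """Cisco IOS local SPAN lines for a switch inserted on the mirrored segment.

    'both' mirrors rx and tx so the sensor sees the full bidirectional conversation.
    Interface names are assumptions supplied by the caller.
    """
    return [
        f"monitor session {session} source interface {source_if} both",
        f"monitor session {session} destination interface {dest_if}",
    ]


# Constructed topology matching the question: PC -> ASA (with IPS) -> Fortigate -> Internet
PC_TO_ASA = Link("PC", "ASA")
ASA_TO_FGT = Link("ASA", "Fortigate")
FGT_TO_INET = Link("Fortigate", "Internet")


def thread_topology(with_mirror: bool = False) -> Topology:
    topo = Topology([PC_TO_ASA, ASA_TO_FGT, FGT_TO_INET], ips_device="ASA")
    if with_mirror:
        topo.mirrored.append(FGT_TO_INET)   # SPAN copy of the Internet-facing link to the ASA
    return topo


if __name__ == "__main__":
    for mirror in (False, True):
        topo = thread_topology(with_mirror=mirror)
        print(f"--- mirroring {'on' if mirror else 'off'} ---")
        for link, state in topo.visibility().items():
            print(f"{link.a:>9} <-> {link.b:<9} {state:8} "
                  f"detect={can_detect(state)} block={can_block(state)}")
    # Constructed interface names: Gi0/1 faces the upstream link, Gi0/2 feeds the ASA monitor port
    print("\n".join(span_config(1, "GigabitEthernet0/1", "GigabitEthernet0/2")))
```

Running it shows the Fortigate <-> Internet segment as `blind` in the original layout and `mirrored` once the SPAN session is added, while `can_block` stays False for it either way, which is the answer's point that mirroring buys detection but not prevention.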