0

We have a user traffic flow like below (PC - Internet)

PC => Cisco ASA FW+IPS integrated => Fortigate Proxy (ISP connected to this Proxy) => Internet

PC => ASA+IPS ==> Fortigate Proxy ==> Internet.

The question is: can this IPS monitor whether there is any attack on the Fortigate proxy? Can you guide me simply on how to configure it? Thanks a lot.

1
  • 1
    Yes, an IDS/IPS can monitor bidirectional traffic. Actually configuring it is a specific question beyond the scope of this site.
    – gowenfawr
    Commented Mar 18, 2015 at 12:06

1 Answer

0

Given the layout provided, no, the Cisco ASA/IPS can't detect any Internet-based attacks on the Fortigate because it can't see the traffic on that interface.

That said, gowenfawr is right about the IPS seeing bi-directional traffic, though only on interfaces connected to the IPS.

Depending on a number of factors, you could mirror the Fortigate <-> Internet link to a dedicated port on your ASA. As far as I know, that would give you visibility, but no way to actively stop the attacks.

3
  • Thanks both. However, the Fortigate proxy is connected to an ASA (IPS) interface; the only thing is that the Fortigate is in front of the IPS. That's where it's confusing. From your answers I understand it can monitor if the Fortigate is connected to the ASA.
    – PCIrs
    Commented Mar 19, 2015 at 2:01
  • Is mirroring considered as moving the connection back to the ASA or just creating a virtual link to the ASA? Because we can't move the physical Internet connection to the ASA. The Fortigate proxy will be at the outer layer of our network. I hope it is possible to monitor bidirectionally if the interface is connected to it. Please confirm.
    – PCIrs
    Commented Mar 19, 2015 at 2:04
  • You can read more about port mirroring here, and using it would require having a switch that supports it sitting between the Fortigate and the upstream device. If the upstream device is a modem (which likely won't like having a switch in its way), or you don't want to have a switch there, an aggregator like this will do the trick.
    – GregL
    Commented Mar 20, 2015 at 16:57
