Re: Transparent HTTP Proxy

Posted: 25 Jul 2017 18:13
by eb_ottawa
Was checking logs on the pfSense and they're heading out to the CG. Which services need to be running on the CG?
Current output.

mode router                 on
mode dns                    on
mode dhcp                   off
mode snat                   off
mode firewall               off
mode vlan                   off
mode ha                     off
mode qos                    off
mode ftppassive             off
mode web                    on
mode tweb                   on
mode sslmediate             off
mode rweb                   off
mode guard                  on
mode antivirus              on
mode authenticate           off
mode cache                  on
mode compress               off
mode log                    on
mode anonymous              on
mode waf                    off

Re: Transparent HTTP Proxy

Posted: 25 Jul 2017 18:20
by eb_ottawa
Added the subnet to "Transparent Networks" under Network > Main Settings and that seemed to have done the trick.

Re: Transparent HTTP Proxy

Posted: 25 Jul 2017 18:28
by david
Actually you mentioned this:
Workstation IP is .13 -> pfSense CG Vlan .254 -> CG .250 -> ASA -> Internet
Which is not exactly the same as the network topology we used in our lab. Does it mean that in addition to this your pfSense is directly connected to your ASA? I mean, do you have the following (the difference between your topology and ours is in red):

pfSense --> CG --> ASA --> Internet
pfSense --> ASA --> Internet

Below are the firewall rules that we used in our lab.

WANGW is the default gateway for traffic other than Web traffic (80). It represents your ASA.
Please note the order (the rule with route via CG is before the rule with the default gateway).
I hope it could help.

Re: Transparent HTTP Proxy

Posted: 25 Jul 2017 18:30
by eb_ottawa
It actually works properly now... as follows:

Workstation VLAN -> Office ASA -> pfSense Router (we have multiple WANs for backup) -> Fibre PTP -> CG -> ASA -> Internet

(CG is VLAN'd over the Fibre PTP so as to bypass the ASA for the internal interface on CG)

Used to be a routing nightmare, but I've been doing cleanup since I got here (8 months ago). Really liking the product. Next step, SSL Mediation.

Re: Transparent HTTP Proxy

Posted: 25 Jul 2017 18:30
by david
Your configuration seems to be good. You can turn off the dns mode if you don't use CG as DNS for other machines.

Re: Transparent HTTP Proxy

Posted: 25 Jul 2017 18:33
by eb_ottawa
Thanks for all the help.

So yes, next step SSL Mediation, then HA... COO approved the purchase, so it's good to have a great forum here with staff replying promptly, as documentation is on the low side.

Re: Transparent HTTP Proxy

Posted: 25 Jul 2017 18:43
by david
If you define transparent networks ([NETWORK] > [Main Settings] > [Transparent Networks]), you tell CG to only intercept traffic from those networks and let traffic from other networks simply be routed (without interception --> without any treatment by CG). If no transparent network is defined, all networks are intercepted by default.

I'm happy to hear that it works now. Please note that for security reasons it's preferable that you turn the Audit mode off once you finish your tests.

Best Regards,
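The two decisions david describes above, the first-match ordering of the pfSense policy-routing rules (web traffic via CG before the WANGW default) and CacheGuard's transparent-network interception check, modelled as an added example; this is not code from the thread or from CacheGuard, and the gateway names, subnets and client addresses are constructed.

```python
"""Added example (not from the forum thread or the CacheGuard product).
Models why the 'route web via CG' rule must precede the default-gateway rule,
and how the Transparent Networks list decides whether CG intercepts a client.
All gateway names, networks and addresses below are constructed lab values."""
import ipaddress

CG_GW = "CG_GW"     # constructed name for the gateway pointing at CG
WAN_GW = "WANGW"    # the thread's name for the ASA default gateway

# Policy rules as (destination port or None for any, gateway); first match wins.
RULES_CORRECT = [(80, CG_GW), (None, WAN_GW)]      # order used in the lab
RULES_WRONG_ORDER = [(None, WAN_GW), (80, CG_GW)]  # default rule shadows web rule

def select_gateway(dst_port: int, rules) -> str:
    """Return the gateway of the first rule whose port matches (None = any port)."""
    for port, gw in rules:
        if port is None or port == dst_port:
            return gw
    raise LookupError("no rule matched")

def intercepted(client_ip: str, transparent_networks) -> bool:
    """CG interception decision: with no transparent networks defined every
    client is intercepted; otherwise only clients inside a listed network."""
    if not transparent_networks:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n) for n in transparent_networks)

def web_path(client_ip: str, dst_port: int, rules, transparent_networks) -> str:
    """Describe where a flow ends up: which gateway pfSense picks, and whether
    CG's web/guard/antivirus/cache modes ever see it."""
    gw = select_gateway(dst_port, rules)
    if gw != CG_GW:
        return f"{gw}: bypasses CG"
    if intercepted(client_ip, transparent_networks):
        return f"{gw}: intercepted by CG"
    return f"{gw}: routed through CG without interception"

if __name__ == "__main__":
    nets = ["10.0.1.0/24"]  # constructed Transparent Networks entry
    print(web_path("10.0.1.13", 80, RULES_CORRECT, nets))      # intercepted
    print(web_path("10.0.1.13", 80, RULES_WRONG_ORDER, nets))  # silently bypasses CG
    print(web_path("10.0.9.7", 80, RULES_CORRECT, nets))       # routed, not intercepted
    print(web_path("10.0.9.7", 80, RULES_CORRECT, []))         # empty list: intercepted
```

Running it shows the misordered rule set sends port 80 straight to WANGW, which is the symptom to check for first when the CG log stays empty.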