maitane
Level 7

How to configure the MWG so the MFE can see the clients' source IPs

Hi!
We would like to configure the MWG 7.1.0.5 so that the MFE can see the source IP of the client host and not the MWG's own.
There are 8 WR5500 devices: 2 directors (Active-Passive) and 6 scanners. Above these, we have 2 McAfee Firewall Enterprise (MFE) configured HA active/active.
The MFE doesn't support "X-Forwarded-For", so we can't know the client source IP. Does anybody know how to configure the MWG so the MFE can see these clients' source IPs?
Thanks in advance.
McAfee Employee

Re: How to configure the MWG so the MFE can see the clients' source IPs

What you are asking for is IP spoofing. Unfortunately, this is not possible when using MWG in HA mode. In versions MWG 7.1.5+ IP spoofing is possible in all modes EXCEPT proxy HA.

~Jon

maitane
Level 7

Re: How to configure the MWG so the MFE can see the clients' source IPs

Hi Jon!!

We have the MFE configured in HA mode (Active-Active).

However, the MWG 7.1.5 appliances are configured in transparent router mode with the following details:

[GLOBAL DESCRIPTION]
There are 8 WR5500 appliances. 4 of them are going to be physically placed in one Data Center and the other 4 are going to be placed in another Data Center: 2 director nodes (one with the highest VRRP priority and the other with the lowest VRRP priority) and the rest are scanning nodes. These data centers are both active. The installation mode chosen is transparent router because the end-user PCs don't have a proxy configuration in their browsers.

[NETWORK CARDS DESCRIPTION]
Each of these appliances has 4 network cards. Eth0 is used ONLY for management purposes: connecting to port 4712, SSH, SNMP, central management and NTP synchronization. Eth1 is the EXTERNAL network card of our transparent router; this is the network card used to reach the default router to the Internet. Eth2 is the INTERNAL network card of our transparent router; this is the network card from which our clients will try to connect to the Internet. Eth3 is intended to be used for communication between director and scanning nodes.


With all this, would it be possible?
If so, how?

Thanks.
Regards.

McAfee Employee

Re: How to configure the MWG so the MFE can see the clients' source IPs

That makes things easy. Transparent router mode supports IP spoofing.

You will need to check the box for "IP spoofing (HTTP/HTTPS)" under Configuration > Proxies.

If you use IP spoofing your network paths must go out one path, and come back in the same way. If you have asynchronous routes (go out one path, come back in another) you could encounter a situation where devices may incorrectly redirect the traffic (for example back to the client directly, instead of back to the Web Gateway where it came from). This isn't anything specific to MWG, but a general consideration when using IP spoofing.

I highly recommend testing this change out before making it on your production appliances, as this is a somewhat bigger change.

~Jon

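An added illustration of the return-path caveat in Jon's reply (example code written for this page, not from the thread or from McAfee): a toy model of the two TCP legs a transparent proxy creates. Even with the client's IP preserved upstream, the server's reply acknowledges sequence numbers from the proxy's own upstream session, so a client that receives that reply directly cannot match it to the session it opened; only a reply that comes back through the gateway is relayed correctly. Addresses, ports and sequence numbers are constructed.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    payload: bytes = b""


class TcpEnd:
    """Minimal TCP endpoint model: only tracks the next sequence number it will send."""

    def __init__(self, ip, isn):
        self.ip = ip
        self.snd_nxt = isn

    def send(self, dst, payload, acking):
        seg = Segment(self.ip, dst, self.snd_nxt, acking, payload)
        self.snd_nxt += len(payload)
        return seg

    def accepts(self, seg):
        # A reply is only valid if it acknowledges exactly the bytes this end has sent.
        return seg.dst == self.ip and seg.ack == self.snd_nxt


def simulate(symmetric_return_path):
    client_ip, server_ip = "192.168.1.10", "203.0.113.5"  # constructed addresses
    client = TcpEnd(client_ip, isn=1000)
    # Leg 1: the transparent proxy terminates the client's TCP session, posing as the server.
    proxy_server_side = TcpEnd(server_ip, isn=5000)
    # Leg 2: the proxy opens its own upstream session but keeps the client's IP (IP spoofing).
    proxy_client_side = TcpEnd(client_ip, isn=9000)
    server = TcpEnd(server_ip, isn=7000)

    req = client.send(server_ip, b"GET / HTTP/1.1\r\n\r\n", acking=proxy_server_side.snd_nxt)
    # The proxy re-sends the request on leg 2 in its own sequence space, from the client's IP.
    upstream = proxy_client_side.send(server_ip, req.payload, acking=server.snd_nxt)
    # The server answers the spoofed address, acknowledging leg 2's sequence numbers.
    reply = server.send(upstream.src, b"HTTP/1.1 200 OK\r\n\r\n", acking=proxy_client_side.snd_nxt)

    if symmetric_return_path:
        # Reply traverses the gateway, which matches it to leg 2 and relays it on leg 1.
        if not proxy_client_side.accepts(reply):
            return "proxy-dropped"
        relayed = proxy_server_side.send(client_ip, reply.payload, acking=client.snd_nxt)
        return "delivered" if client.accepts(relayed) else "client-dropped"
    # Asymmetric route: the reply reaches the client directly; its ACK belongs to leg 2, not leg 1.
    return "delivered" if client.accepts(reply) else "client-dropped"
```

A real client would answer the mismatched segment with a RST rather than silently dropping it, which is the "incorrect redirect" symptom described above.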