Creating control plane ACL with FMC

ABaker94985 — Thu, 18 Nov 2021 19:11:30 GMT

We have a pair of 2140 FTDs running 6.6.1 that are managed by an FMC running 6.7. We'd like to upgrade the FTDs to later firmware, but can't at the moment. We're in the process of phasing out some ASA 5505's that are running site-to-site VPN tunnels, and unfortunately these older models can't run SHA-2. Until we get these replaced, we can't upgrade to a later software version.

We have a requirement to install AnyConnect ASAP, but there is a high severity vulnerability for the web services on 6.6.1. Until we can install later software, I think we can work around using control plane ACL on the FTDs and restrict access to AnyConnect to the couple of individuals who need to use the client VPN - we don't want to expose the web services until we're sure the vulnerabilities have been addressed.

Can a control plane ACL be configured via FMC? I've been searching for an answer, but I'm not finding the correct documentation.

Thank you.

Re: Creating control plane ACL with FMC

Rob Ingram — Thu, 18 Nov 2021 19:22:19 GMT

Hi @ABaker94985 no not natively in the FMC GUI, but you can use Flexconfig to configure a Control Plane ACL.

https://integratingit.wordpress.com/2021/06/26/ftd-control-plane-acl/

Re: Creating control plane ACL with FMC

ABaker94985 — Thu, 18 Nov 2021 19:31:27 GMT

That's exactly what I was needing! I greatly appreciate the info.

topic Re: Creating control plane ACL with FMC in Network Security

Creating control plane ACL with FMC

Re: Creating control plane ACL with FMC

Re: Creating control plane ACL with FMC