https://community.cisco.com/t5/network-security/is-ftd-s-control-plane-wide-open/m-p/5016175#M1109015 <P>As <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a> and <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752">@MHM Cisco World</a> mentioned, you can use "access-group &lt;name&gt; in int outside control-plane" to control who can access TCP/179. Obviously, it is practically impossible to do the same for TCP/443, although technically control-plane ACLs do work for TCP/443 too. This means that TCP/443 is wide open and the firewall doesn't have protection for TCP/443.</P><P>Also, if you, for example, try to rate-limit TCP/443 messages to protect device from DoS, you'd find that none of ASA features work:</P><P>- "class-map type management" doesn't allow you to limit connections or embryonic connections per-host in the corresponding policy-map<BR />- "class" and "member" constructs do not limit to-the-box connections in case of multiple context mode (on ASA), hence "limit-resource rate" doesn't work too (this tool is unavailable on FTD as it doesn't support multiple mode)<BR />- MPF is not capable of connection rate-limiting at all.<BR /><BR /></P><P>HTH</P><P>&nbsp;</P> Sun, 11 Feb 2024 15:40:37 GMT tvotna 2024-02-11T15:40:37Z https://community.cisco.com/t5/network-security/is-ftd-s-control-plane-wide-open/m-p/5016141#M1109002 <P>I was looking into setting up BGP on an ftd and was wondering where to allow TCP179 and then I realized there is nowhere to even add this as an access entry. Same goes for VPN. Is this not wildly insecure?</P> Sun, 11 Feb 2024 13:57:40 GMT https://community.cisco.com/t5/network-security/is-ftd-s-control-plane-wide-open/m-p/5016141#M1109002 guacamoley 2024-02-11T13:57:40Z https://community.cisco.com/t5/network-security/is-ftd-s-control-plane-wide-open/m-p/5016143#M1109004 <P><A href="https://integratingit.wordpress.com/2021/06/26/ftd-control-plane-acl/" target="_blank">https://integratingit.wordpress.com/2021/06/26/ftd-control-plane-acl/</A></P> <P>In FTD using control -plane done via flexconfig&nbsp;</P> <P>Check link' I alos will check new versions of fdm and fmc if there is option to add it directly.</P> <P>Thanks&nbsp;</P> <P>MHM</P> Sun, 11 Feb 2024 14:03:07 GMT https://community.cisco.com/t5/network-security/is-ftd-s-control-plane-wide-open/m-p/5016143#M1109004 MHM Cisco World 2024-02-11T14:03:07Z https://community.cisco.com/t5/network-security/is-ftd-s-control-plane-wide-open/m-p/5016144#M1109005 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1583962">@guacamoley</a> you can use the control-plane ACL functionality to restrict access "to" the FTD such as BGP, currently you must use FlexConfig to configure this.</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221531-configure-control-plane-access-control-p.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221531-configure-control-plane-access-control-p.html</A></P> <P>&nbsp;</P> Sun, 11 Feb 2024 14:03:11 GMT https://community.cisco.com/t5/network-security/is-ftd-s-control-plane-wide-open/m-p/5016144#M1109005 Rob Ingram 2024-02-11T14:03:11Z https://community.cisco.com/t5/network-security/is-ftd-s-control-plane-wide-open/m-p/5016175#M1109015 <P>As <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a> and <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752">@MHM Cisco World</a> mentioned, you can use "access-group &lt;name&gt; in int outside control-plane" to control who can access TCP/179. Obviously, it is practically impossible to do the same for TCP/443, although technically control-plane ACLs do work for TCP/443 too. This means that TCP/443 is wide open and the firewall doesn't have protection for TCP/443.</P><P>Also, if you, for example, try to rate-limit TCP/443 messages to protect device from DoS, you'd find that none of ASA features work:</P><P>- "class-map type management" doesn't allow you to limit connections or embryonic connections per-host in the corresponding policy-map<BR />- "class" and "member" constructs do not limit to-the-box connections in case of multiple context mode (on ASA), hence "limit-resource rate" doesn't work too (this tool is unavailable on FTD as it doesn't support multiple mode)<BR />- MPF is not capable of connection rate-limiting at all.<BR /><BR /></P><P>HTH</P><P>&nbsp;</P> Sun, 11 Feb 2024 15:40:37 GMT https://community.cisco.com/t5/network-security/is-ftd-s-control-plane-wide-open/m-p/5016175#M1109015 tvotna 2024-02-11T15:40:37Z https://community.cisco.com/t5/network-security/is-ftd-s-control-plane-wide-open/m-p/5016268#M1109035 <P>Doesn't the FTD have its own DDOS protection with the Network Analysis Policy?&nbsp;</P> Sun, 11 Feb 2024 21:19:01 GMT https://community.cisco.com/t5/network-security/is-ftd-s-control-plane-wide-open/m-p/5016268#M1109035 guacamoley 2024-02-11T21:19:01Z https://community.cisco.com/t5/network-security/is-ftd-s-control-plane-wide-open/m-p/5016274#M1109036 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1583962">@guacamoley</a>&nbsp;the NAP is for traffic "through" the FTD not "to".</P> Sun, 11 Feb 2024 21:27:17 GMT https://community.cisco.com/t5/network-security/is-ftd-s-control-plane-wide-open/m-p/5016274#M1109036 Rob Ingram 2024-02-11T21:27:17Z