<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: FTD/FMC 7.2.x: How to do Object-groups with a lot of IP ranges? in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/ftd-fmc-7-2-x-how-to-do-object-groups-with-a-lot-of-ip-ranges/m-p/5136226#M1113802</link>
    <description>&lt;P&gt;Use a control plane ACL: permit the public IPs allowed to access via AnyConnect and deny all others. It is better than denying all these prefixes and allowing a few.&lt;/P&gt;
&lt;P&gt;MHM&lt;/P&gt;</description>
    <pubDate>Wed, 26 Jun 2024 08:38:03 GMT</pubDate>
    <dc:creator>MHM Cisco World</dc:creator>
    <dc:date>2024-06-26T08:38:03Z</dc:date>
    <item>
      <title>FTD/FMC 7.2.x: How to do Object-groups with a lot of IP ranges?</title>
      <link>https://community.cisco.com/t5/network-security/ftd-fmc-7-2-x-how-to-do-object-groups-with-a-lot-of-ip-ranges/m-p/5136208#M1113799</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;We're using ASA and have some object-groups that contain hundreds to thousands of IP ranges, for example AS networks, for example public IP ranges of cloud providers, customers or networks where bots are originating attacking our AnyConnect VPN peers. For example:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;object-group network VPN_Blacklist
 network-object 91.108.241.0 255.255.255.0
 network-object 62.122.184.0 255.255.255.0
 network-object 94.156.8.0 255.255.255.0
 network-object 94.156.64.0 255.255.248.0
 network-object 152.89.198.0 255.255.255.0
 network-object 194.26.135.0 255.255.255.0
 network-object 185.216.70.0 255.255.255.0
 network-object 81.181.254.0 255.255.255.0
 network-object 216.151.183.0 255.255.255.0
 network-object 216.131.116.0 255.255.254.0
 network-object 216.131.80.0 255.255.254.0
 network-object 216.151.180.0 255.255.255.0
 network-object 216.131.112.0 255.255.255.0
 network-object 216.131.78.0 255.255.254.0
 ...&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm currently playing around with an FMC/FTD 7.2 test setup to check if FTD is a reasonable successor of our ASA firewalls. I noticed that on FTD object-groups just containing networks are no longer possible. For each network an object must be created and then the object can be added to an object-group. Even with importing objects via CSV it is still overkill to do that for every IP range that is used only once in an object-group.&lt;/P&gt;&lt;P&gt;Is there a better method than this? How could one handle such a requirement in FTD, for example allow only outbound Teams traffic to Microsoft Cloud or block traffic from bad sites to AnyConnect VPN peers? Do you generally only use FTD in transparent mode in front of ASA or replace ASA on the internet edge?&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Bernd&lt;/P&gt;</description>
      <pubDate>Wed, 26 Jun 2024 08:05:55 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-fmc-7-2-x-how-to-do-object-groups-with-a-lot-of-ip-ranges/m-p/5136208#M1113799</guid>
      <dc:creator>Network Diver</dc:creator>
      <dc:date>2024-06-26T08:05:55Z</dc:date>
    </item>
    <item>
      <title>Re: FTD/FMC 7.2.x: How to do Object-groups with a lot of IP ranges?</title>
      <link>https://community.cisco.com/t5/network-security/ftd-fmc-7-2-x-how-to-do-object-groups-with-a-lot-of-ip-ranges/m-p/5136218#M1113801</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/138411"&gt;@Network Diver&lt;/a&gt; &lt;/P&gt;
&lt;P&gt;In regard to blocking AnyConnect connections, on the FTD/ASA you can only (currently) block traffic to the FTD/ASA itself using a control-plane ACL using network objects. You cannot use Geolocation objects; if you want that functionality you'd have to place an FTD in front of the RAVPN headend device.&lt;/P&gt;
&lt;P&gt;Have you seen these Cisco guides to harden RAVPN?&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221806-password-spray-attacks-impacting-custome.html" target="_blank"&gt;https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221806-password-spray-attacks-impacting-custome.html&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.cisco.com/c/en/us/support/docs/security/secure-client/221880-implement-hardening-measures-for-secure.html" target="_blank"&gt;https://www.cisco.com/c/en/us/support/docs/security/secure-client/221880-implement-hardening-measures-for-secure.html&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;For outbound access, in the Access Control rules to cloud destinations (Teams, Outlook etc) you could use applications rather than network objects.&lt;/P&gt;</description>
      <pubDate>Wed, 26 Jun 2024 08:25:55 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-fmc-7-2-x-how-to-do-object-groups-with-a-lot-of-ip-ranges/m-p/5136218#M1113801</guid>
      <dc:creator>Rob Ingram</dc:creator>
      <dc:date>2024-06-26T08:25:55Z</dc:date>
    </item>
    <item>
      <title>Re: FTD/FMC 7.2.x: How to do Object-groups with a lot of IP ranges?</title>
      <link>https://community.cisco.com/t5/network-security/ftd-fmc-7-2-x-how-to-do-object-groups-with-a-lot-of-ip-ranges/m-p/5136226#M1113802</link>
      <description>&lt;P&gt;Use a control plane ACL: permit the public IPs allowed to access via AnyConnect and deny all others. It is better than denying all these prefixes and allowing a few.&lt;/P&gt;
&lt;P&gt;MHM&lt;/P&gt;</description>
      <pubDate>Wed, 26 Jun 2024 08:38:03 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-fmc-7-2-x-how-to-do-object-groups-with-a-lot-of-ip-ranges/m-p/5136226#M1113802</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2024-06-26T08:38:03Z</dc:date>
    </item>
    <item>
      <title>Re: FTD/FMC 7.2.x: How to do Object-groups with a lot of IP ranges?</title>
      <link>https://community.cisco.com/t5/network-security/ftd-fmc-7-2-x-how-to-do-object-groups-with-a-lot-of-ip-ranges/m-p/5136287#M1113805</link>
      <description>&lt;P&gt;About AnyConnect: As we have "Work from Anywhere" and since Covid mostly work remotely, the number of good networks is currently larger than the ones where botnets originate. These usually come from hosting datacenters with infected servers or from Russia. Chances that our employees spend their holidays in a datacenter in a foreign country are way smaller than they spend it in a hotel. &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;&lt;P&gt;I have to look at Application rules.&lt;/P&gt;&lt;P&gt;The knowledge/learning gap between ASA and FTD is as big as from ASA to any other firewall vendor.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 26 Jun 2024 11:03:07 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-fmc-7-2-x-how-to-do-object-groups-with-a-lot-of-ip-ranges/m-p/5136287#M1113805</guid>
      <dc:creator>Network Diver</dc:creator>
      <dc:date>2024-06-26T11:03:07Z</dc:date>
    </item>
    <item>
      <title>Re: FTD/FMC 7.2.x: How to do Object-groups with a lot of IP ranges?</title>
      <link>https://community.cisco.com/t5/network-security/ftd-fmc-7-2-x-how-to-do-object-groups-with-a-lot-of-ip-ranges/m-p/5136293#M1113806</link>
      <description>&lt;P&gt;&lt;A href="https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221806-password-spray-attacks-impacting-custome.html" target="_blank"&gt;https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221806-password-spray-attacks-impacting-custome.html&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Cisco published a doc about this issue this year.&lt;BR /&gt;Take a look.&lt;/P&gt;
&lt;P&gt;MHM&lt;/P&gt;</description>
      <pubDate>Wed, 26 Jun 2024 11:08:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-fmc-7-2-x-how-to-do-object-groups-with-a-lot-of-ip-ranges/m-p/5136293#M1113806</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2024-06-26T11:08:41Z</dc:date>
    </item>
  </channel>
</rss>