topic Re: Cisco FTD VPN access / Geolocation block for Control Plane in Network Security

Cisco FTD VPN access / Geolocation block for Control Plane

Umer Khan — Tue, 20 Jun 2023 13:14:24 GMT

We have Cisco FTD 2110s that are managed with FMC and we are trying to figure out how to block access to our remote access VPN by IP. We already have a geolocation block for Access Control in FMC. But, are we still not able to do geo-ip-based restrictions for the control plane traffic?

Re: Cisco FTD VPN access / Geolocation block for Control Plane

Rob Ingram — Tue, 20 Jun 2023 13:32:40 GMT

@Umer Khan unfortunately geo-block to the FTD is not possible at present. You can either use a traditional control-plane ACL (guide), configure a device in front of the FTD to block based on Geolocation or DUO 2FA provides that ability.

Re: Cisco FTD VPN access / Geolocation block for Control Plane

Marvin Rhoads — Tue, 20 Jun 2023 13:36:58 GMT

FTD (any management type) does not currently have a feature to restrict remote access VPN by Geolocation. The current recommendation from Cisco is to combine your VPN with an MFA solution like Cisco Duo where you can restrict by Geolocation. (Microsoft Authenticator can also do as do most MFA solutions.)

Re: Cisco FTD VPN access / Geolocation block for Control Plane

bcoverstone — Sun, 31 Dec 2023 00:51:22 GMT

I will request this feature for the next beta release.

Re: Cisco FTD VPN access / Geolocation block for Control Plane

Marvin Rhoads — Tue, 02 Jan 2024 15:50:21 GMT

@bcoverstone FYI there is already an enhancement request filed for this feature: https://bst.cisco.com/bugsearch/bug/CSCvs65322

Re: Cisco FTD VPN access / Geolocation block for Control Plane

Damon Smith — Thu, 08 Feb 2024 18:41:11 GMT

Submitted 4 years ago.... 😞

Re: Cisco FTD VPN access / Geolocation block for Control Plane

Marvin Rhoads — Thu, 08 Feb 2024 19:27:35 GMT

Enhancement requests are sometimes never filled. It's customers who buy the equipment being vocal that bumps the priority to something that ends up being in the shipping product.

That said, Cisco was saying just this week at Cisco Live EMEA that they hope to ship this feature in FMC/ FTD 7.7, due out in late 2024. There will be no 7.5, so 7.6 will be the next major release, around June/July this year.

Re: Cisco FTD VPN access / Geolocation block for Control Plane

tvotna — Fri, 09 Feb 2024 15:55:27 GMT

This would be a step forward, but not a panacea for global companies. Their firewalls will still be susceptible to trivial DoS attacks as shown in this post: https://community.cisco.com/t5/vpn/preventing-dos-attacks-to-webvpn-service-is-that-possible/m-p/5008162

It's interesting that Cisco PSIRT doesn't care at all. Probably waiting for another major outbreak...

Re: Cisco FTD VPN access / Geolocation block for Control Plane

dpeldo22 — Thu, 09 May 2024 13:59:48 GMT

That's exciting news! Do you have any additional info on this? I can't find any video sessions or announcements on this, so I'm watching the Cisco Live events on youtube to see if they make a mention of it there. I'd love to hear more about this, as I'm sure most Firepower admins are as well.

Thanks Marvin!

Re: Cisco FTD VPN access / Geolocation block for Control Plane

Marvin Rhoads — Thu, 09 May 2024 14:44:03 GMT

@dpeldo22 it was mentioned verbally at CL EMEA in February 2024. Cisco rarely published roadmaps publicly, so we just have to wait and see if it indeed appears in version 7.7. For now, 7.6 is still in early beta testing so it will be several months until the 7.7 beta even kicks off and - at best - late 2024 until it ships.

Re: Cisco FTD VPN access / Geolocation block for Control Plane

julius.vazgys — Fri, 18 Oct 2024 20:22:35 GMT

How it is sad and absurd. Cheaper solutions like sophos , fortigate has it ...

Re: Cisco FTD VPN access / Geolocation block for Control Plane

Jordan1212 — Thu, 12 Dec 2024 16:28:05 GMT

I'd dare to say, this is the most anticipated update, years in the making. Cisco, please focus more on security and basics, than flashy features and AI.

Re: Cisco FTD VPN access / Geolocation block for Control Plane

davidburke841 — Fri, 03 Jan 2025 15:54:58 GMT

This needs to be addressed. We had 14.1 million failed logins to our VPN in the last 30 days. Without being able to rate limit, we have attackers knocking on our door constantly. Once they grab a user's ID they are locking them out of our AD network. Our only fix is to rename user AD accounts.

Re: Cisco FTD VPN access / Geolocation block for Control Plane

Rob Ingram — Fri, 03 Jan 2025 15:58:19 GMT

@davidburke841 you can now use Threat Detection. If the number of consecutive connection attempts meets the configured threshold within this period, the attacker's IPv4 address is shunned. https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/222383-configure-threat-detection-for-remote-ac.html

Re: Cisco FTD VPN access / Geolocation block for Control Plane

Marvin Rhoads — Fri, 03 Jan 2025 16:08:19 GMT

@davidburke841 have you implemented the hardening recommendations described here: https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221806-password-spray-attacks-impacting-custome.html#toc-hId-2028751869 ?

Those are available now across multiple releases.

7.7 will be adding the geolocation blocking feature for RA VPN. We currently expect it around February this year.

Re: Cisco FTD VPN access / Geolocation block for Control Plane

davidburke841 — Fri, 03 Jan 2025 16:06:57 GMT

@Rob Ingram Thanks Rob! Looks like I need to do a .X upgrade to get this feature. I noticed that 7.6 wasn't recommended yet so I assumed 7.7 was a ways out.

Re: Cisco FTD VPN access / Geolocation block for Control Plane

dpeldo22 — Fri, 03 Jan 2025 16:50:17 GMT

The best way we figured out how to remedy this was to create URL aliases for your Remote Access vpn profiles. We've worked out a pretty seamless process where we create a new alias, then change the url alias for our vpn profiles once a year by changing the Anyconnect Client Profile xml file that the clients download. We leave the old alias in place for a week or two, and then delete it. We're changing the URL just to make sure old employees or vendors aren't able to try to get in if they don't have the URL, so it works pretty good.

We had the same problem as you and it was taking a lot of manpower to stay ahead of password sprays, so this was the next best thing since we didn't want to put another firewall in line.

Edit: Also, we changed the RA port from 443 to a new one. So our alias looks something like https://remoteaccess.somedomain.com:5593/random30CharacterString
Once that url is in the xml file and users authenticate once, the client will point to the new url for all subsequent connections.

Re: Cisco FTD VPN access / Geolocation block for Control Plane

Damon Smith — Fri, 03 Jan 2025 16:11:48 GMT

"Authentication failures via SAML are not supported yet."

I got all excited, only to have my hopes dashed....

Re: Cisco FTD VPN access / Geolocation block for Control Plane

dpeldo22 — Fri, 03 Jan 2025 16:13:49 GMT

Remember though, Shunning isn't necessarily a permanent block. Do a bit of reading on shunning first before you decide to do an upgrade from the recommended ftd version.

Re: Cisco FTD VPN access / Geolocation block for Control Plane

bcoverstone — Tue, 07 Jan 2025 23:53:36 GMT

We're not supposed to talk about fight club, but I might be able to confirm geo fencing for VPN access in 7.7 is cool. I might also be able to confirm that this version is hypothetically legit in a number of other areas.