topic Re: FTD 6.3 Posture support in Network Security

FTD 6.3 Posture support

dfinibg6 — Fri, 21 Feb 2020 17:06:49 GMT

Hi Community,

Cisco released note for FTD 6.3 has not officially included posture in this version, would this create an issue with future support assuming we successfully implement posture?

Regards,

Re: FTD 6.3 Posture support

Francesco Molino — Tue, 07 May 2019 04:33:43 GMT

Hi

Even if it's not supported, this doesn't mean it can't work. Like you said you have it working.
If you have any issues, you won't get any support and in a production environment it could be a big issue.

Now, we don't know when this feature will be there (even in 6.4 i believe it's not supported). If Cisco implement this feature in a different way it works in asa today, you'll probably have your actual config failing and you'll impact all users but again, this is an assumption. You're kind of gambling by deploying this feature without any support and if you make this call you are aware that potentially you can face some impacting issues.

Re: FTD 6.3 Posture support

Marvin Rhoads — Tue, 07 May 2019 08:46:22 GMT

The RADIUS + Change of Authorization (CoA) feature support in FTD 6.4 includes using ISE (as a RADIUS server) to assess posture and then send a CoA to FTD as a result of the posture assessment.

See @hslai 's posting here:

https://community.cisco.com/t5/firepower/ftd-remote-access-vpn-with-ise-posture/m-p/3848834

Re: FTD 6.3 Posture support

rick505d3 — Fri, 10 May 2019 02:14:39 GMT

Hi Marvin,

Is that also true for the support for AnyConnect ISE posture in Firepower 6.4? The release notes for 6.3 and 6.4 doesn't state this explicitly, and the config guides for 6.3 and 6.4 are identical on support for ise posture

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/firepower_threat_defense_remote_access_vpns.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/firepower_threat_defense_remote_access_vpns.html

Unsupported Features of AnyConnect

The only supported VPN client is the Cisco AnyConnect Secure Mobility Client. No other clients or native VPNs are supported. Clientless VPN is not supported for VPN connectivity; it is only used to deploy the AnyConnect client using a web browser.

The following AnyConnect features are not supported when connecting to an FTD secure gateway:

Secure Mobility, Network Access Management, and all other AnyConnect modules and their profiles beyond the core VPN capabilities and the VPN client profile.
Posture variants such as Hostscan and Endpoint Posture Assessment, and any Dynamic Access Policies based on the client posture.

Regards,

Rick.

Re: FTD 6.3 Posture support

Francesco Molino — Fri, 10 May 2019 02:55:47 GMT

When doing posture, the assessment is done between the client and ise over anyconnect.
Between ftd and ise, you need coa, communication with ise and url redirect. The first 2 I'm sure these are working fine but for the last one (url redirect), not tested yet and not sure if that works.
Maybe @marvin has tested this last capability.

Re: FTD 6.3 Posture support

Peter Koltl — Tue, 24 Nov 2020 13:34:13 GMT

Can the PostureRedirectSGT be replaced to a final SGT by means of CoA ?