With any FTD remote access VPN you should be aware of the current guidelines and restrictions, since there is not yet feature parity with the ASA-based solution.
You cannot currently restrict device types allowed on a remote access VPN using FTD alone (with either local management or FMC).
Client certificate authentication is configured under your VPN connection profile AAA tab as shown below:
In my Firepower service on a 5525-X I don't see any hits for Security Intelligence on any traffic. How can I trace where things are missing for Security Intelligence?
Check that you have selected some networks and/or URLs in your applied Access Control Policy's Security Intelligence settings, and that you have logging activated for the blacklisted objects.
It should look similar to what I show on my lab server as follows:
My settings are the same as yours, but still the same result: no events for Security Intelligence.
I suggest creating an entry in a test_blacklist URL list like the one shown in my example - just some target domain that's seldom used that you can test with.
With that in place, browse to the target domain and see if it's blocked. If it is, you should see a SI event. If not, please share the connection record.
To my knowledge Firepower does not use Telnet. When creating a session to the sfr module and running netstat -an, I see the sensor listening on port 23:
sfr$ netstat -an
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
Can anyone tell me why this sensor is listening on tcp port 23 and if this can be turned off?
This seems to be the default behavior.
It only appears to be listening at the Linux OS level. If you try to open a telnet connection it will be refused. That's because they're blocking the incoming traffic with iptables.
The only accepted traffic is icmp (ping, restricted to the required icmp message types), tcp/22 (ssh) and tcp/8305 (management port used by FMC).
See the following listing for confirmation:
admin@firepower:/etc/sysconfig$ more iptables
# Generated by iptables-save v1.4.20 on Tue Sep 15 15:06:41 2015
*mangle
:PREROUTING ACCEPT [98319:30342283]
:INPUT ACCEPT [98342:30344874]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4427:1360521]
:POSTROUTING ACCEPT [4446:1362033]
COMMIT
# Completed on Tue Sep 15 15:06:41 2015
# Generated by iptables-save v1.4.20 on Tue Sep 15 15:06:41 2015
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1921:895829]
:DUMP - [0:0]
:STATEFUL - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i cplane -j ACCEPT
#start ICMP INPUT BLOCK
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
#stop ICMP INPUT BLOCK
#start SSL SSH SNMP PORTS INPUT BLOCK
-A INPUT -i eth0 -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
#stop SSL SSH SNMP PORTS INPUT BLOCK
#start ESTREAMER PORT INPUT BLOCK
#stop ESTREAMER PORT INPUT BLOCK
#start MANAGEMENT PORT INPUT BLOCK
-A INPUT -i eth0 -m state --state NEW -p tcp -m tcp --dport 8305 -j ACCEPT
#stop MANAGEMENT PORT INPUT BLOCK
-A INPUT -j STATEFUL
-A OUTPUT -o lo -j ACCEPT
-A DUMP -j DROP
#start MANAGEMENT PORT STATEFUL BLOCK
-A STATEFUL -i eth0 -m state --state NEW -j DROP
-A STATEFUL -i eth0 -p tcp -m tcp --dport 3306 -j DROP
#stop MANAGEMENT PORT STATEFUL BLOCK
-A STATEFUL -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
-A STATEFUL -j DUMP
COMMIT
# Completed on Tue Sep 15 15:06:41 2015
admin@firepower:/etc/sysconfig$
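To confirm the reasoning in the reply above (a socket in LISTEN state is not reachable when the INPUT chain never accepts the connection), here is a small Python rule walker, added as an example and not part of the thread or of Cisco's tooling. It parses the *filter table of an iptables-save listing and evaluates a packet through the INPUT chain, following jumps into user chains and falling back to the chain policy. The sample listing is copied from the sensor output quoted above, trimmed to the *filter table; the matcher is an assumption-level simplification that only understands -i, -p, --dport, --icmp-type and --state, which is all this listing uses.

```python
"""Walk an iptables-save *filter table to see which inbound packets the
INPUT chain accepts.  Added example; simplified matcher (-i, -p, --dport,
--icmp-type, --state only)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Copied from the thread's /etc/sysconfig/iptables output, *filter table only.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1921:895829]
:DUMP - [0:0]
:STATEFUL - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i cplane -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -p tcp -m tcp --dport 8305 -j ACCEPT
-A INPUT -j STATEFUL
-A OUTPUT -o lo -j ACCEPT
-A DUMP -j DROP
-A STATEFUL -i eth0 -m state --state NEW -j DROP
-A STATEFUL -i eth0 -p tcp -m tcp --dport 3306 -j DROP
-A STATEFUL -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
-A STATEFUL -j DUMP
COMMIT
"""


@dataclass
class Rule:
    chain: str
    target: str
    iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None
    states: Optional[Set[str]] = None


@dataclass
class Packet:
    iface: str
    proto: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None
    state: str = "NEW"


def parse_rule(line: str) -> Rule:
    """Turn one '-A CHAIN ... -j TARGET' line into a Rule (unknown flags ignored)."""
    toks = line.split()

    def opt(flag: str) -> Optional[str]:
        return toks[toks.index(flag) + 1] if flag in toks else None

    dport, states = opt("--dport"), opt("--state")
    return Rule(chain=toks[1], target=opt("-j") or "", iface=opt("-i"), proto=opt("-p"),
                dport=int(dport) if dport else None, icmp_type=opt("--icmp-type"),
                states=set(states.split(",")) if states else None)


def parse_filter(text: str) -> Tuple[Dict[str, str], List[Rule]]:
    """Return (chain policies, rules) for the *filter table; '-' marks a user chain."""
    policies: Dict[str, str] = {}
    rules: List[Rule] = []
    in_filter = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "*filter":
            in_filter = True
        elif not in_filter or line.startswith("#"):
            continue
        elif line == "COMMIT":
            break
        elif line.startswith(":"):
            name, policy = line.split()[:2]
            policies[name[1:]] = policy
        elif line.startswith("-A "):
            rules.append(parse_rule(line))
    return policies, rules


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every criterion present on the rule must match the packet."""
    return ((rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.icmp_type is None or rule.icmp_type == pkt.icmp_type)
            and (rule.states is None or pkt.state in rule.states))


def verdict(policies: Dict[str, str], rules: List[Rule], pkt: Packet,
            chain: str = "INPUT") -> Optional[str]:
    """Walk a chain: first terminal target wins; user chains may fall through."""
    for rule in (r for r in rules if r.chain == chain):
        if not matches(rule, pkt):
            continue
        if rule.target in ("ACCEPT", "DROP", "REJECT"):
            return rule.target
        sub = verdict(policies, rules, pkt, rule.target)  # jump into user chain
        if sub is not None:
            return sub
    policy = policies.get(chain, "-")
    return None if policy == "-" else policy  # built-in chain: apply policy


def inbound_verdict(text: str, iface: str, proto: str, dport: Optional[int] = None,
                    icmp_type: Optional[str] = None, state: str = "NEW") -> Optional[str]:
    policies, rules = parse_filter(text)
    return verdict(policies, rules, Packet(iface, proto, dport, icmp_type, state))


if __name__ == "__main__":
    for desc, kw in [("tcp/23 on eth0", dict(proto="tcp", dport=23)),
                     ("tcp/22 on eth0", dict(proto="tcp", dport=22)),
                     ("icmp echo-request on eth0", dict(proto="icmp", icmp_type="8")),
                     ("icmp timestamp on eth0", dict(proto="icmp", icmp_type="13"))]:
        print(f"{desc}: {inbound_verdict(SAMPLE_IPTABLES_SAVE, 'eth0', **kw)}")
    print("tcp/23 on lo:", inbound_verdict(SAMPLE_IPTABLES_SAVE, "lo", "tcp", 23))
```

Running it shows the behaviour described in the reply: a new tcp/23 connection arriving on eth0 falls through every ACCEPT in INPUT, jumps to STATEFUL and is dropped by the first rule there, while the same port is accepted on lo, so the LISTEN entry in netstat is only reachable locally. The same walk is a quick way to audit any future change to that file: if a rule is added that accepts something beyond icmp, tcp/22 and tcp/8305 on eth0, the verdicts change.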