cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2278
Views
0
Helpful
7
Replies

managmente-diagnostic interface on firepower 2110

Musement
Level 1
Level 1

HI all,

 

im new on this community, i hope is the correct section.

i have 2 firepower 2110 in HA, and all works fine(VPN, ha, NAT, acl etc etc), im trying to create or to configure a whitelist ip on the management interface, i wanna enable the access only to the firepower manager to the ssh and http port. Is that possible?
im talking about the interface in charge to comunicate with the firepower manager not the diagnostic interface.
I have also tryeed to configure a new policy on Devcice > platform setting but nothing, ssh and http/s is always open

any tips?

 

Thank you

7 Replies 7

Marvin Rhoads
Hall of Fame
Hall of Fame

The platform settings you tried only affect https and ssh access via DATA interfaces.

For restricting access to the MANAGEMENT interface, this is one of the few things we configure from the FTD cli directly. Use the commands:

configure https-access-list address_list
configure ssh-access-list address_list

You can find further details here:

https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/c_3.html#wp4200953591

https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/c_3.html#wp4200953591

i have already tryed to configure this, but i receive that erro in both cases:

Changes to https access list can only be made when local manager is active.

Correct. https access on the management interfaces is only applicable when the device is locally managed (i.e., via Firepower Device Manager or FDM).

We can verify that there is no https listener by checking netstat from expert mode. 

Here is an FTD Virtual appliance that is managed via Firepower Management Center (FMC):

 

admin@vftd-new:~$ netstat -a | grep http
admin@vftd-new:~$ netstat -a | grep ssh 
tcp        0      0 *:ssh                   *:*                     LISTEN     
tcp        0     52 vftd-new.ccielab.mr:ssh JumpServer.cciela:54374 ESTABLISHED
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
admin@vftd-new:~$

Here is an ASA 5506 running FTD that is locally managed:

admin@ftd-5506:~$ netstat -a | grep http
tcp        0      0 localhost:http-alt      *:*                     LISTEN     
tcp        0      0 *:https                 *:*                     LISTEN     
tcp     1966      0 ftd-5506:60897          ec2-34-250-161-68:https CLOSE_WAIT 
tcp        0      0 ftd-5506:56312          ec2-3-213-3-169.c:https TIME_WAIT  
tcp        0      0 ftd-5506:56311          ec2-3-213-3-169.c:https TIME_WAIT  
tcp6       0      0 [::]:https              [::]:*                  LISTEN     
admin@ftd-5506:~$ netstat -a | grep ssh 
tcp        0      0 *:ssh                   *:*                     LISTEN     
tcp        0     64 ftd-5506:ssh            192.168.0.165:13540     ESTABLISHED
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
admin@ftd-5506:~$

ok now with a little trick i have restricted the access to the ssh but for the https i have the same problem

The device should not be listening on https (tcp/443) for the management interface unless you have configured local management.

No listener = no need to restrict access.

yeps, so the question is:  if i configure the remote manager via Cisco Firepower management Cernter i think i can't use the local manager right? if yes i cant disable the http server

 

If you are using FMC then there is no http listener active on the device. FMC communicates with the device using TLS over tcp/8305 bidirectionally (FMC initiates policy updates and device initiates eventing).

If you are using FDM (local manager) then you cannot disable the http(s) server as FDM uses https as its means of communicating with the device. The GUI is displayed in a browser delivered via https and configuration changes are sent via the device API over https. You can restrict what address(es) are allowed to access the https server using the command mentioned earlier in this thread.

You are required to choose one method or the other - FMC or "local management". (Local management can be FDM or CDO (Cisco Defense Orchestrator) the cloud-based option.) Choosing one disables the other.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: