im new on this community, i hope is the correct section.
i have 2 firepower 2110 in HA, and all works fine(VPN, ha, NAT, acl etc etc), im trying to create or to configure a whitelist ip on the management interface, i wanna enable the access only to the firepower manager to the ssh and http port. Is that possible?
im talking about the interface in charge to comunicate with the firepower manager not the diagnostic interface.
I have also tryeed to configure a new policy on Devcice > platform setting but nothing, ssh and http/s is always open
The platform settings you tried only affect https and ssh access via DATA interfaces.
For restricting access to the MANAGEMENT interface, this is one of the few things we configure from the FTD cli directly. Use the commands:
configure https-access-list address_list configure ssh-access-list address_list
You can find further details here:
i have already tryed to configure this, but i receive that erro in both cases:
Changes to https access list can only be made when local manager is active.
Correct. https access on the management interfaces is only applicable when the device is locally managed (i.e., via Firepower Device Manager or FDM).
We can verify that there is no https listener by checking netstat from expert mode.
Here is an FTD Virtual appliance that is managed via Firepower Management Center (FMC):
admin@vftd-new:~$ netstat -a | grep http admin@vftd-new:~$ netstat -a | grep ssh tcp 0 0 *:ssh *:* LISTEN tcp 0 52 vftd-new.ccielab.mr:ssh JumpServer.cciela:54374 ESTABLISHED tcp6 0 0 [::]:ssh [::]:* LISTEN admin@vftd-new:~$
Here is an ASA 5506 running FTD that is locally managed:
admin@ftd-5506:~$ netstat -a | grep http tcp 0 0 localhost:http-alt *:* LISTEN tcp 0 0 *:https *:* LISTEN tcp 1966 0 ftd-5506:60897 ec2-34-250-161-68:https CLOSE_WAIT tcp 0 0 ftd-5506:56312 ec2-3-213-3-169.c:https TIME_WAIT tcp 0 0 ftd-5506:56311 ec2-3-213-3-169.c:https TIME_WAIT tcp6 0 0 [::]:https [::]:* LISTEN admin@ftd-5506:~$ netstat -a | grep ssh tcp 0 0 *:ssh *:* LISTEN tcp 0 64 ftd-5506:ssh 192.168.0.165:13540 ESTABLISHED tcp6 0 0 [::]:ssh [::]:* LISTEN admin@ftd-5506:~$
The device should not be listening on https (tcp/443) for the management interface unless you have configured local management.
No listener = no need to restrict access.
yeps, so the question is: if i configure the remote manager via Cisco Firepower management Cernter i think i can't use the local manager right? if yes i cant disable the http server
If you are using FMC then there is no http listener active on the device. FMC communicates with the device using TLS over tcp/8305 bidirectionally (FMC initiates policy updates and device initiates eventing).
If you are using FDM (local manager) then you cannot disable the http(s) server as FDM uses https as its means of communicating with the device. The GUI is displayed in a browser delivered via https and configuration changes are sent via the device API over https. You can restrict what address(es) are allowed to access the https server using the command mentioned earlier in this thread.
You are required to choose one method or the other - FMC or "local management". (Local management can be FDM or CDO (Cisco Defense Orchestrator) the cloud-based option.) Choosing one disables the other.