Wildcard or variables in Access Policies on FTD

neroshake
Level 1

Hello,

 

Is there any way to implement wildcard masks or variables in IP addresses in FTD? For example, I need to create a policy to deny traffic from a particular host to IP addresses ending in .121 in all our branches (there are 70 branches with subnets like 192.168.10.0/24, 192.168.11.0/24, 192.168.13.0/24, etc.). Can I accomplish this by creating a single rule? The option of creating 70 network objects is also not convenient.

 

Thank you!

 


5 Replies

Hi,

Yes, you can apply a wildcard mask to filter specific hosts from different networks. For example,
if you have 192.168.11.0/24, 192.168.13.0/24, 192.168.14.0/24, ..., and you choose to allow only one host in each network (192.168.x.121), run the following command:

access-list 1 permit 192.168.0.121 0.0.255.0

What this basically does is match 192.168 and 121, but not the 3rd octet.

Please rate it if you find it helpful : )

HTH,
Meheretab
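The reply above uses an IOS/ASA-style wildcard (inverse) mask. The following is an added example, not code from the thread or from Cisco, showing how such a wildcard matches, why `0.0.255.0` has no CIDR equivalent (which is what the later replies call a non-contiguous netmask), and which hosts it would actually cover compared with an explicit per-branch list. The three sample subnets are constructed from the question; the remaining branch subnets are not on the page and are assumed to follow the same pattern.

```python
"""Added example: wildcard-mask semantics for '192.168.0.121 0.0.255.0'."""
import ipaddress


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """Inverse-mask semantics: a 1 bit in the wildcard means 'don't care',
    every 0 bit must equal the corresponding bit of the base address."""
    care_bits = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(address) ^ _to_int(base)) & care_bits == 0


def wildcard_is_contiguous(wildcard: str) -> bool:
    """True if the wildcard is the inverse of a CIDR netmask (binary 1...10...0),
    i.e. the match could be expressed as a single network object. 0.0.255.0 is not."""
    mask = ~_to_int(wildcard) & 0xFFFFFFFF
    # A 1...10...0 mask plus its lowest set bit overflows exactly to 2**32.
    return mask == 0 or mask + (mask & -mask) == 1 << 32


def wildcard_host_count(wildcard: str) -> int:
    """Number of distinct addresses a wildcard matches: 2 ** (don't-care bits)."""
    return 1 << bin(_to_int(wildcard)).count("1")


def matching_hosts(subnets, base: str, wildcard: str):
    """Hosts inside the given branch subnets that the wildcard would match."""
    return [
        str(host)
        for cidr in subnets
        for host in ipaddress.IPv4Network(cidr).hosts()
        if wildcard_match(str(host), base, wildcard)
    ]


# Constructed sample: three of the seventy branch subnets from the question (assumed).
BRANCH_SUBNETS = ["192.168.10.0/24", "192.168.11.0/24", "192.168.13.0/24"]

if __name__ == "__main__":
    print(matching_hosts(BRANCH_SUBNETS, "192.168.0.121", "0.0.255.0"))
    print("contiguous:", wildcard_is_contiguous("0.0.255.0"),
          "addresses matched:", wildcard_host_count("0.0.255.0"))
```

Two caveats worth keeping in mind if you do have a platform that accepts the wildcard: it matches 192.168.0.121 through 192.168.255.121, all 256 possible third octets, not only the 70 branch subnets, so the explicit host list the later replies recommend is actually the tighter rule; and an IOS standard ACL (`access-list 1 ...`) matches on source address only, whereas the question is about the destination.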

Thank you, meheretabm!

 

My deployment is an HA pair of two FTDs managed by FMC. Where should I enter those ACLs, and how do I connect them with Access Policies?

 

Thanks.

The earlier respondent was thinking about ASA and/or router ACLs. Unfortunately FTD does not currently have 100% feature parity with ASA - even in something as basic as ACLs.

 

An FTD / FMC standard or extended access-list entry does not currently (as of 6.2.2) permit non-contiguous netmasks such as you would have to use here to specify all of the .121 hosts with a single object.

 

You can't even work around it by using FlexConfig, as the access-list command is blacklisted in FlexConfig.

 

I believe the only method is to create all of the individual /32 entries as network objects and then combine them into a group which you can then use in your policies.

Jesper Erbs2 (Accepted Solution)
Level 1

Hello Neroshake,

Wildcards are not currently supported in the Firepower Threat Defense or the ASA.

I would create a group and add them individually to the group - Thereby you save time by not having to create 70 network object. See the example below:

[screenshot: Udklip.PNG]

Or use scripting and REST API, but that will take longer than the above if you have no experience with it. :)
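The accepted answer's workaround is one /32 host object per branch collected into a network group, optionally via scripting and the REST API. The following is an added example, not code from the thread or from Cisco, that builds those payloads and pushes them with the FMC REST API (`auth/generatetoken`, `object/hosts`, `object/networkgroups`). The FMC hostname, credentials, object names and the three sample subnets are assumptions; the remaining branch subnets are not on the page. Run against a lab FMC first, and add the resulting group to your access rule and deploy as usual.

```python
"""Added example: create per-branch .121 host objects and a network group on FMC."""
import base64
import ipaddress
import json
import os
import ssl
import urllib.request

# Constructed sample: three of the seventy branch subnets from the question (assumed).
BRANCH_SUBNETS = ["192.168.10.0/24", "192.168.11.0/24", "192.168.13.0/24"]


def branch_host_objects(subnets, last_octet, prefix="branch-host"):
    """One FMC Host object payload per branch subnet, addressing <subnet>.<last_octet>."""
    objects = []
    for cidr in subnets:
        net = ipaddress.IPv4Network(cidr, strict=True)
        addr = net.network_address + last_octet
        # Refuse addresses that fall outside the subnet or on its broadcast address.
        if addr not in net or addr == net.broadcast_address:
            raise ValueError(f"{addr} is not a usable host address in {cidr}")
        objects.append({"name": f"{prefix}-{addr}", "type": "Host", "value": str(addr)})
    return objects


def network_group_payload(name, host_ids):
    """FMC NetworkGroup payload referencing already-created Host objects by UUID."""
    return {
        "name": name,
        "type": "NetworkGroup",
        "objects": [{"type": "Host", "id": host_id} for host_id in host_ids],
    }


class FmcClient:
    """Minimal FMC REST client using only the standard library. TLS is verified
    against the system trust store; install the FMC certificate rather than
    disabling verification."""

    def __init__(self, host, username, password):
        self.base = f"https://{host}"
        self.ctx = ssl.create_default_context()
        self.token = None
        self.domain = None
        self._basic = base64.b64encode(f"{username}:{password}".encode()).decode()

    def login(self):
        req = urllib.request.Request(
            f"{self.base}/api/fmc_platform/v1/auth/generatetoken",
            method="POST",
            headers={"Authorization": f"Basic {self._basic}"},
        )
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            self.token = resp.headers["X-auth-access-token"]
            self.domain = resp.headers["DOMAIN_UUID"]

    def post(self, path, payload):
        url = f"{self.base}/api/fmc_config/v1/domain/{self.domain}/{path}"
        req = urllib.request.Request(
            url,
            data=json.dumps(payload).encode(),
            method="POST",
            headers={"X-auth-access-token": self.token, "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.load(resp)


def create_branch_group(client, group_name, subnets, last_octet):
    """Create every host object, then the group that references them; returns the group."""
    host_ids = [client.post("object/hosts", obj)["id"]
                for obj in branch_host_objects(subnets, last_octet)]
    return client.post("object/networkgroups", network_group_payload(group_name, host_ids))


if __name__ == "__main__":
    # Credentials come from the environment (FMC_HOST, FMC_USER, FMC_PASS are assumed names).
    fmc = FmcClient(os.environ["FMC_HOST"], os.environ["FMC_USER"], os.environ["FMC_PASS"])
    fmc.login()
    group = create_branch_group(fmc, "branch-dot121-hosts", BRANCH_SUBNETS, 121)
    print(json.dumps(group, indent=2))
```

The host objects are created first because the group references them by the `id` FMC returns; if a later call fails you are left with some hosts and no group, so re-running with the same names will collide on the existing objects. Note that `object/hosts` accepts one object per POST on older FMC releases; check the API Explorer on your FMC (https://fmc/api/api-explorer) for the bulk option and the exact schema of your version.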