05-21-2021 12:37 PM
I am running a couple of Cisco FTD 2110 managed with FMC and am looking for the best way to block access to our remote access VPN by IP. From doing some reading it looks like the best (and only?) way to do this is via a control plane ACL deployed via Flex Config. I saw another post that showed how this could be accomplished via geo but I am unsure on that syntax. I'm hoping someone could provide what syntax is used or point me towards some documentation for this?
Thank you!
03-02-2024 06:47 PM
02-23-2024 07:07 AM
I 100% agree with this assessment. And I do have to play whack a mole. every day I'm looking at VPN attempts and failues, doing an IP Lookup and then adding an IP (or large subnets) to my ip blacklist. The fact that there is so much security intelligence (like the Cisco-Intelligence-feed that is updated regularly) that can be applied to the passing traffic. We should be able to leverage a database or feed at the control plane level. I've actually considered installing an edge router that has that type of functionality, but then why do I need a NGFW??
02-25-2024 03:25 AM
Blocking to-the-box connections by geo IP (CSCvs65322) is not enough. FTD and ASA should also support:
- "set connection per-client-max" and "set connection per-client-embryonic-max" in MPF for to-the-box connections
- connection rate-limiting in MPF for both to-the-box and through-the-box connections
- connection rate-limiting for to-the-box connections in ASA resource manager in multiple mode ("limit-resource" system CLI)
- user-configurable TLS/JA3 filtering for to-the-box TCP/443 traffic
- pre-defined TLS/JA3 filters for AnyConnect on all supported operating systems
- multicore support for VPN control-plane on high-end platforms
- adaptive call admission control for IKEv2 and TLS which takes box load into consideration rather than just the number of tunnels under negotiation (TLS currently doesn't have any call admission control)
- much more efficient IKEv2 control plane which doesn't fail under stress
- diagnostic capabilities
Until then ASA/FTD configured as RA VPN hub should always be protected by some other specialized perimeter device capable of session rate-limiting and TLS/JA3 filtering.
03-23-2024 12:46 PM
So here's what I have done to mitigate the whack a mole issue.
I installed 2 OPNSense firewalls as my edge routers to the internet. They have next gen ability to use GEO IP and IP Lists like ET and FIREHOL. Then I setup rules to block traffic based on those lists. I've also created a report in Firepower to give me AAA authentication errors so I can tell how many hits I'm taking and if those IP addresses aren't on a list, then i can add them manually at the edge.
06-19-2024 06:02 PM
Can you do deploy an OPNSense firewall in front of the FTD in transparent/non-routed mode?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide