Cisco FTD VPN access / Geolocation block for Control Plane

Umer Khan
Level 1

We have Cisco FTD 2110s that are managed with FMC and we are trying to figure out how to block access to our remote access VPN by IP. We already have a geolocation block for Access Control in FMC. But, are we still not able to do geo-ip-based restrictions for the control plane traffic?

9 Replies

@Umer Khan unfortunately geo-block to the FTD is not possible at present. You can either use a traditional control-plane ACL (guide), configure a device in front of the FTD to block based on geolocation, or Duo 2FA provides that ability.
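
As an added illustration of the control-plane ACL option mentioned above (this is not configuration posted in the thread and not a Cisco document), the CLI below is the shape of what FMC deploys to an FTD when an Extended ACL object is bound to an interface with the control-plane keyword. The point it makes: Access Control Policy rules, including geolocation rules, only evaluate transit traffic, while connections that terminate on the firewall itself (Secure Client/AnyConnect over TCP and UDP 443, IKEv2 on UDP 500 and 4500) are to-the-box traffic and never hit those rules, which is why a separate control-plane ACL is needed. Assumptions: the outside interface is named outside, the blocked range is the RFC 5737 documentation prefix 203.0.113.0/24 standing in for a real source range, and the ACL name CP-ACL is arbitrary. On FMC-managed FTD the access-group line is not exposed in the GUI and has to be pushed with a FlexConfig object; the ACL itself can be built as an Objects > Access List > Extended object so FMC owns it.

```text
! Added example, not from the thread. Names and the 203.0.113.0/24 range are assumptions.
! To-the-box (control-plane) ACL: deny the RA VPN ports from the unwanted source range,
! then permit everything else. An ACL has an implicit deny at the end, so without the
! final permit ALL traffic destined to the FTD itself on this interface would be dropped.
access-list CP-ACL extended deny tcp 203.0.113.0 255.255.255.0 any eq 443
access-list CP-ACL extended deny udp 203.0.113.0 255.255.255.0 any eq 443
access-list CP-ACL extended deny udp 203.0.113.0 255.255.255.0 any eq isakmp
access-list CP-ACL extended deny udp 203.0.113.0 255.255.255.0 any eq 4500
access-list CP-ACL extended permit ip any any
!
! The control-plane keyword is what distinguishes this from a normal interface ACL:
! it matches only traffic addressed to the FTD, not transit traffic. Deployed via FlexConfig.
access-group CP-ACL in interface outside control-plane
```

Two practical caveats. First, this is a static IP-range block, not geolocation: to approximate a country block you would have to translate a geo-IP feed into prefixes and refresh the object as the feed changes, which is exactly the gap the enhancement request later in the thread is about. Second, a wrong deny here can also cut off any management or VPN session that terminates on that interface, so verify hit counts with `show access-list CP-ACL` from a still-permitted source before tightening the rules further.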

Marvin Rhoads
Hall of Fame

FTD (any management type) does not currently have a feature to restrict remote access VPN by Geolocation. The current recommendation from Cisco is to combine your VPN with an MFA solution like Cisco Duo where you can restrict by Geolocation. (Microsoft Authenticator can also do this, as can most MFA solutions.)

bcoverstone
Level 1

I will request this feature for the next beta release.

@bcoverstone FYI there is already an enhancement request filed for this feature: https://bst.cisco.com/bugsearch/bug/CSCvs65322

Submitted 4 years ago...

Enhancement requests are sometimes never filled. It's customers who buy the equipment being vocal that bumps the priority to something that ends up being in the shipping product.

That said, Cisco was saying just this week at Cisco Live EMEA that they hope to ship this feature in FMC/FTD 7.7, due out in late 2024. There will be no 7.5, so 7.6 will be the next major release, around June/July this year.

This would be a step forward, but not a panacea for global companies. Their firewalls will still be susceptible to trivial DoS attacks as shown in this post: https://community.cisco.com/t5/vpn/preventing-dos-attacks-to-webvpn-service-is-that-possible/m-p/5008162

It's interesting that Cisco PSIRT doesn't care at all. Probably waiting for another major outbreak...


That's exciting news! Do you have any additional info on this? I can't find any video sessions or announcements on this, so I'm watching the Cisco Live events on youtube to see if they make a mention of it there. I'd love to hear more about this, as I'm sure most Firepower admins are as well.

Thanks Marvin!

@dpeldo22 it was mentioned verbally at CL EMEA in February 2024. Cisco rarely publishes roadmaps publicly, so we just have to wait and see if it indeed appears in version 7.7. For now, 7.6 is still in early beta testing, so it will be several months until the 7.7 beta even kicks off and - at best - late 2024 until it ships.
