06-20-2023 06:14 AM
We have Cisco FTD 2110s that are managed with FMC and we are trying to figure out how to block access to our remote access VPN by IP. We already have a geolocation block for Access Control in FMC. But, are we still not able to do geo-ip-based restrictions for the control plane traffic?
06-20-2023 06:32 AM
@Umer Khan unfortunately geo-block to the FTD is not possible at present. You can either use a traditional control-plane ACL (guide), configure a device in front of the FTD to block based on Geolocation or DUO 2FA provides that ability.
06-20-2023 06:35 AM - edited 06-20-2023 06:36 AM
FTD (any management type) does not currently have a feature to restrict remote access VPN by Geolocation. The current recommendation from Cisco is to combine your VPN with an MFA solution like Cisco Duo where you can restrict by Geolocation. (Microsoft Authenticator can also do as do most MFA solutions.)
12-30-2023 04:51 PM
I will request this feature for the next beta release.
01-02-2024 07:50 AM
@bcoverstone FYI there is already an enhancement request filed for this feature: https://bst.cisco.com/bugsearch/bug/CSCvs65322
02-08-2024 10:41 AM
Submitted 4 years ago....
02-08-2024 11:27 AM
Enhancement requests are sometimes never filled. It's customers who buy the equipment being vocal that bumps the priority to something that ends up being in the shipping product.
That said, Cisco was saying just this week at Cisco Live EMEA that they hope to ship this feature in FMC/FTD 7.7, due out in late 2024. There will be no 7.5, so 7.6 will be the next major release, around June/July this year.
02-09-2024 07:55 AM
This would be a step forward, but not a panacea for global companies. Their firewalls will still be susceptible to trivial DoS attacks as shown in this post: https://community.cisco.com/t5/vpn/preventing-dos-attacks-to-webvpn-service-is-that-possible/m-p/5008162
It's interesting that Cisco PSIRT doesn't care at all. Probably waiting for another major outbreak...
05-09-2024 06:27 AM - edited 05-09-2024 06:59 AM
That's exciting news! Do you have any additional info on this? I can't find any video sessions or announcements on this, so I'm watching the Cisco Live events on YouTube to see if they make a mention of it there. I'd love to hear more about this, as I'm sure most Firepower admins are as well.
Thanks Marvin!
05-09-2024 07:44 AM
@dpeldo22 it was mentioned verbally at CL EMEA in February 2024. Cisco rarely publishes roadmaps publicly, so we just have to wait and see if it indeed appears in version 7.7. For now, 7.6 is still in early beta testing, so it will be several months until the 7.7 beta even kicks off and, at best, late 2024 until it ships.
10-18-2024 01:22 PM
How sad and absurd this is. Cheaper solutions like Sophos and FortiGate have it...
12-12-2024 08:28 AM
I'd dare to say, this is the most anticipated update, years in the making. Cisco, please focus more on security and basics, than flashy features and AI.
01-03-2025 07:54 AM
This needs to be addressed. We had 14.1 million failed logins to our VPN in the last 30 days. Without being able to rate limit, we have attackers knocking on our door constantly. Once they grab a user's ID they are locking them out of our AD network. Our only fix is to rename user AD accounts.
01-03-2025 07:58 AM
@davidburke841 you can now use Threat Detection. If the number of consecutive connection attempts meets the configured threshold within this period, the attacker's IPv4 address is shunned. https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/222383-configure-threat-detection-for-remote-ac.html
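To show what the threshold-within-a-period logic described above actually does, here is an added example (not Cisco's code and not from this thread) that replays the same idea over constructed ASA/FTD-style 113005 "authentication Rejected" syslog lines: it counts failures per source IP in a sliding window and reports which IPs would cross a shun threshold, plus how many distinct usernames each one tried. The log lines, hostnames and addresses are invented samples, and the function is a hypothetical re-implementation for log review, not the FTD feature itself.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines modelled on the ASA/FTD 113005 "AAA user authentication
# Rejected" message; hostnames, users and addresses are invented, not real captures.
SAMPLE_LOG = [
    "Jan 03 2025 07:30:01 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 203.0.113.7",
    "Jan 03 2025 07:30:03 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = asmith : user IP = 203.0.113.7",
    "Jan 03 2025 07:30:04 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 203.0.113.7",
    "Jan 03 2025 07:30:10 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 198.51.100.9",
    "Jan 03 2025 07:31:00 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = carol : user IP = 192.0.2.5",
    "Jan 03 2025 07:31:40 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = carol : user IP = 192.0.2.5",
    "Jan 03 2025 07:32:30 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = carol : user IP = 192.0.2.5",
    "Jan 03 2025 07:45:00 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 198.51.100.9",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-113005: .*?"
    r"user = (?P<user>\S+) : user IP = (?P<ip>\d+\.\d+\.\d+\.\d+)$"
)


def parse_rejects(lines):
    """Yield (timestamp, source_ip, username) for every 113005 rejection line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), m["ip"], m["user"]


def shun_candidates(lines, threshold=3, window_seconds=60):
    """Return {ip: distinct_users_tried} for source IPs that reach `threshold`
    failures inside any sliding window of `window_seconds`. This mirrors the
    threshold/period idea of FTD RAVPN threat detection (hypothetical rewrite).
    The distinct-user count separates a password spray from one user's typos."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> usernames attempted from that ip
    flagged = {}
    for ts, ip, user in sorted(parse_rejects(lines)):
        window = recent[ip]
        window.append(ts)
        users[ip].add(user)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop failures that aged out of the period
        if len(window) >= threshold:
            flagged[ip] = len(users[ip])
    return flagged
```

With the defaults only 203.0.113.7 is flagged (three failures in four seconds against three different users); 192.0.2.5 spreads its attempts wider than the 60-second window and 198.51.100.9 never reaches three, so neither would be shunned.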
01-03-2025 08:11 AM
"Authentication failures via SAML are not supported yet."
I got all excited, only to have my hopes dashed....