06-26-2024 01:05 AM - edited 06-26-2024 01:05 AM
Hi,
We're using ASA and have some object-groups that contain hundreds to thousands of IP ranges, for example AS networks, public IP ranges of cloud providers, customers, or networks where the bots attacking our AnyConnect VPN peers originate. For example:
object-group network VPN_Blacklist
network-object 91.108.241.0 255.255.255.0
network-object 62.122.184.0 255.255.255.0
network-object 94.156.8.0 255.255.255.0
network-object 94.156.64.0 255.255.248.0
network-object 152.89.198.0 255.255.255.0
network-object 194.26.135.0 255.255.255.0
network-object 185.216.70.0 255.255.255.0
network-object 81.181.254.0 255.255.255.0
network-object 216.151.183.0 255.255.255.0
network-object 216.131.116.0 255.255.254.0
network-object 216.131.80.0 255.255.254.0
network-object 216.151.180.0 255.255.255.0
network-object 216.131.112.0 255.255.255.0
network-object 216.131.78.0 255.255.254.0
...
I'm currently playing around with an FMC/FTD 7.2 test setup to check if FTD is a reasonable successor of our ASA firewalls. I noticed that on FTD, object-groups just containing networks are no longer possible. For each network an object must be created, and then the object can be added to an object-group. Even with importing objects via CSV it is still overkill to do that for every IP range that is used only once in an object-group.
Is there a better method than this? How could one handle such a requirement in FTD, for example allow only outbound Teams traffic to the Microsoft cloud, or block traffic from bad sites to AnyConnect VPN peers? Do you generally only use FTD in transparent mode in front of ASA, or replace ASA on the internet edge?
Regards,
Bernd
06-26-2024 01:25 AM
In regard to blocking AnyConnect connections, on the FTD/ASA you can only (currently) block traffic to the FTD/ASA itself using a control-plane ACL with network objects. You cannot use Geolocation objects; if you want that functionality you'd have to place an FTD in front of the RAVPN headend device.
Have you seen these Cisco guides to harden RAVPN:-
For outbound access, in the Access Control rules to cloud destinations (Teams, Outlook etc) you could use applications rather than network objects.
06-26-2024 01:38 AM
Use a control-plane ACL: permit the public IPs allowed to access via AnyConnect and deny all others. That is better than denying all these prefixes and allowing a few.
MHM
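An added example, not code from any post in this thread: a small Python script covering both the bulk-object problem in the question and the control-plane ACL the replies describe. It parses ASA "object-group network" stanzas like the one above, normalises each member to CIDR, collapses adjacent and nested prefixes (so fewer FTD objects have to be created), and then emits CSV rows for bulk object import plus deny entries for a to-the-box ACL. The CSV column layout and the object naming scheme are assumptions, not an FMC format; adapt them to the import template your FMC version accepts. The sample group is constructed from a trimmed copy of the post with two overlapping entries added to show the collapsing.

```python
"""Added example (not from the thread): normalise an ASA object-group into
collapsed CIDR prefixes and emit bulk-import CSV rows and control-plane ACEs."""
import csv
import io
import ipaddress
import re

# Constructed sample: a trimmed copy of the group from the question, plus two
# entries (the second /23 and the host) that overlap prefixes already listed.
ASA_CONFIG = """\
object-group network VPN_Blacklist
 network-object 91.108.241.0 255.255.255.0
 network-object 62.122.184.0 255.255.255.0
 network-object 94.156.8.0 255.255.255.0
 network-object 94.156.64.0 255.255.248.0
 network-object 216.131.116.0 255.255.254.0
 network-object 216.131.118.0 255.255.254.0
 network-object 216.131.112.0 255.255.255.0
 network-object host 216.131.112.5
"""

GROUP_RE = re.compile(r"^object-group network (\S+)")
MEMBER_RE = re.compile(r"^\s*network-object (?:host (\S+)|(\S+) (\S+))\s*$")


def parse_object_groups(config):
    """Return {group_name: [ip_network, ...]} from ASA 'object-group network' stanzas."""
    groups, current = {}, None
    for line in config.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
            groups.setdefault(current, [])
            continue
        m = MEMBER_RE.match(line)
        if m and current is not None:
            host, addr, mask = m.groups()
            # ipaddress accepts a dotted netmask after the slash
            spec = f"{host}/32" if host else f"{addr}/{mask}"
            groups[current].append(ipaddress.ip_network(spec, strict=False))
    return groups


def collapse(networks):
    """Merge adjacent prefixes and drop ones nested inside a larger prefix."""
    return list(ipaddress.collapse_addresses(networks))


def to_csv(group_name, networks):
    """CSV rows for bulk object creation. Column layout and naming are assumptions."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["name", "type", "value", "group"])
    for net in networks:
        if net.prefixlen == net.max_prefixlen:
            obj_type, value = "Host", str(net.network_address)
        else:
            obj_type, value = "Network", str(net)
        name = f"{group_name}_{net.network_address}_{net.prefixlen}"
        writer.writerow([name, obj_type, value, group_name])
    return buf.getvalue()


def to_control_plane_acl(acl_name, networks):
    """Deny ACEs for a to-the-box (control-plane) ACL, one per collapsed prefix."""
    return [
        f"access-list {acl_name} extended deny ip "
        f"{net.network_address} {net.netmask} any"
        for net in networks
    ]


def is_listed(networks, address):
    """True if an address falls inside any prefix; useful when checking a VPN log entry."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


if __name__ == "__main__":
    members = parse_object_groups(ASA_CONFIG)["VPN_Blacklist"]
    prefixes = collapse(members)
    print(f"{len(members)} members collapsed to {len(prefixes)} prefixes")
    print(to_csv("VPN_Blacklist", prefixes))
    print("\n".join(to_control_plane_acl("VPN_CP_BLOCK", prefixes)))
```

On the sample, eight members collapse to six prefixes: the two /23s become one /22 and the host disappears into its /24. The generated entries are deny lines only; as with any ASA ACL the list ends in an implicit deny, so a trailing permit for the peers that should still reach the headend has to be added before the ACL is applied to the outside interface as a control-plane ACL.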
06-26-2024 04:03 AM
About AnyConnect: As we have "Work from Anywhere" and since Covid mostly work remotely, the number of good networks is currently larger than the number of networks where botnets originate. These usually come from hosting datacenters with infected servers or from Russia. The chances that our employees spend their holidays in a datacenter in a foreign country are way smaller than the chances that they spend them in a hotel.
I have to look at Application rules.
The knowledge/learning gap between ASA and FTD is as big as from ASA to any other firewall vendor.
06-26-2024 04:08 AM
Cisco published a doc about this issue this year.
Take a look.
MHM