ANNOUNCEMENT - The community will be down for maintenace this Thursday August 13 from 12:00 AM PT to 02:00 AM PT. As a precaution save your work.
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

2202
Views
15
Helpful
6
Replies
Highlighted
Beginner

FTD Management Access Restriction does not work for Management interface

I have been investigating how to restrict administrative access to FTD firewalls. Our corporate policy requires that we:

1) Enable SSH with Radius Authentication

2) Restrict IP address which can connect to the firewall.

When you install FTD on a ASA firewall the Management interface of the ASA is used by firepower module. This is the interface which is used for the FMC to connect to the firewall. Once the device is managed by an FMC the management interface is not available in the list of interfaces available on the device.

 

Below given is the document which explains how to enable radius authentication for ssh access to the FTD firewall. 

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200701-Configuration-of-Management-access-to-FT.html

 

However, the problem here is you can only enable and lock down access to interfaces which are available in the FMC. The management interface is not available in the configuration for modification. This means, I can use an in-line interface for SSH but I have no way of securing the access to the Management Interface itself. I opened a TAC case for this and they said there is no way to lock down the Management interface with radius authentication and you will have to use a local account to log in.

 

I am still not convinced. I think there should be SOME way to lock access to the management interface on the device itself. It would be pretty lame for a next generation security product not to have that feature. 

 

Has anyone had much experience around this issue ?

 

6 REPLIES 6
Highlighted
VIP Advisor

Re: FTD Management Access Restriction does not work for Management interface

NGFW is not so next generation as it appears and this is not configurable AFAIK.

Please remember to rate useful posts, by clicking on the stars below.

Highlighted
VIP Advisor

Re: FTD Management Access Restriction does not work for Management interface

To restrict access to the FMC go to System > Configuration > Access List and enter the desired IPs or subnets that are to access the FMC.

 

To configure ssh access  on the FTD CLI log in to the CLI and issue the command configure ssh-access-list 192.168.1.0/24 if you want to allow access from the 192.168.1.0/24 network.  Keep in mind that you should also include the FMC IP or subnet in this list as this interface is used to register the FTD to FMC.

 

To configure access restriction on FXOS, log in to FXOS GUI and go to Platform Settings > Access List.

 

By default there are no access restrictions to any of these.

When doing this I suggest that you have physical access to the devices incase you lose connectivity, then you can console into the devices.

--
Please remember to select a correct answer and rate helpful posts
Highlighted
Beginner
Beginner

Re: FTD Management Access Restriction does not work for Management interface

it only allow me to enter one ACL at the cli when i use the command and if I try to enter antoher acl it overwrite the existing? 

 

Please can someone help how to enter multiple acl using cli command configure ssh-acl ? 

Everyone's tags (1)
Highlighted
VIP Advisor

Re: FTD Management Access Restriction does not work for Management interface

I suggest that you open a new post as this is a very old post and we do not have a detailed description of your problem.  So please open a new post and be as detailed as possible when you describe the issue you are facing.

--
Please remember to select a correct answer and rate helpful posts
Highlighted
Beginner
Beginner

Re: FTD Management Access Restriction does not work for Management interface

well asked very simple question related to above post anyway will open the new ticket.

Everyone's tags (1)
Highlighted

Re: FTD Management Access Restriction does not work for Management interface

Please use comma without space between the objects. Please refer attached screenshot. Conifure-ssh-ftd.PNG