I have been investigating how to restrict administrative access to FTD firewalls. Our corporate policy requires that we:
1) Enable SSH with Radius Authentication
2) Restrict IP address which can connect to the firewall.
When you install FTD on a ASA firewall the Management interface of the ASA is used by firepower module. This is the interface which is used for the FMC to connect to the firewall. Once the device is managed by an FMC the management interface is not available in the list of interfaces available on the device.
Below given is the document which explains how to enable radius authentication for ssh access to the FTD firewall.
However, the problem here is you can only enable and lock down access to interfaces which are available in the FMC. The management interface is not available in the configuration for modification. This means, I can use an in-line interface for SSH but I have no way of securing the access to the Management Interface itself. I opened a TAC case for this and they said there is no way to lock down the Management interface with radius authentication and you will have to use a local account to log in.
I am still not convinced. I think there should be SOME way to lock access to the management interface on the device itself. It would be pretty lame for a next generation security product not to have that feature.
Has anyone had much experience around this issue ?
NGFW is not so next generation as it appears and this is not configurable AFAIK.
To restrict access to the FMC go to System > Configuration > Access List and enter the desired IPs or subnets that are to access the FMC.
To configure ssh access on the FTD CLI log in to the CLI and issue the command configure ssh-access-list 192.168.1.0/24 if you want to allow access from the 192.168.1.0/24 network. Keep in mind that you should also include the FMC IP or subnet in this list as this interface is used to register the FTD to FMC.
To configure access restriction on FXOS, log in to FXOS GUI and go to Platform Settings > Access List.
By default there are no access restrictions to any of these.
When doing this I suggest that you have physical access to the devices incase you lose connectivity, then you can console into the devices.
it only allow me to enter one ACL at the cli when i use the command and if I try to enter antoher acl it overwrite the existing?
Please can someone help how to enter multiple acl using cli command configure ssh-acl ?
I suggest that you open a new post as this is a very old post and we do not have a detailed description of your problem. So please open a new post and be as detailed as possible when you describe the issue you are facing.
well asked very simple question related to above post anyway will open the new ticket.
Please use comma without space between the objects. Please refer attached screenshot.