I have a scenario where my FTDs are only reachable for management by the FMC over the Internet. The FTDs are running HA, so data interface access isn't an option. I assume data in transit is properly encrypted, but how do I secure access to the FTD management interface? I have yet to find an ACL option for the actual management interface. I'm thinking about using black-hole routing, but it seems kind of cheap.
I would put management in a different VLAN and do NAT on the Internet router from a public to a private IP. If you know the FMC public IP, I would then restrict it with an ACL to allow only the FMC IP to contact the FTD.
That is, if you do not have the option to deploy a LAN and your only option is to communicate from the external Internet.
Thank you for the answer. As I don't have any control over our Internet router, I'd like to look into the ACL option. How is that done?
If the Internet router does not do NAT, then how will an external connection be established to the FTD? That fails, since management is an RFC 1918 address (that was my impression). Or do you have a public IP configured on management?
Ah, I might have forgotten that piece of information. My management interfaces have public IPs.
I found the CLI settings ssh-access-list and https-access-list, which seem to do the trick for SSH access, but what about SNMP?
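For readers arriving at this thread, here is what the two FTD CLI commands mentioned in the last post look like in practice. This is an added example, not configuration posted by any participant; the addresses 203.0.113.10 and 203.0.113.11 are placeholders (documentation range) standing in for the public IPs of the FMC and of an administrator jump host, and the prompt is the FTD's own CLI, not a Linux shell.

```text
> configure ssh-access-list 203.0.113.10/32,203.0.113.11/32
> configure https-access-list 203.0.113.10/32,203.0.113.11/32
```

Two practical notes. First, the list is given as comma-separated network/prefix entries in a single command, so put every source you need (including the host you are typing from) into the same command before you apply it; an access list that omits your own address locks you out of SSH on a management-only box, leaving the serial console as the way back in. Second, these two lists govern only SSH and the HTTPS service on the management interface; the FMC-to-FTD management channel (sftunnel on TCP 8305) is a separate service and is not filtered by them, so the FMC keeps working whether or not its address appears in these lists. SNMP on the management interface is not covered by either list; it is configured through the FMC platform-settings policy, where the configured SNMP hosts are the only managers the FTD will answer.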