Showing results for 
Search instead for 
Did you mean: 


FTD Remote Access VPN Restriction

Hello, everyone. We have implemented Anyconnect RA VPN on FTD device. However now i want to restrict from which source global IP Addresses i can connect to. I now in ASA it can be done by control-plane ACL but in FTD i do not see any place to configure it. 

Abheesh Kumar
Rising star


Try to create a deny rule in pre-filter policy with the source IP you would like to restrict.




No, It didnot work as i expected. Because ACP and Prefilter Policies are for passthrough traffic. I needed ACL for control plane that i implemented using flexconfig. I denied only my phones global IP into FTD`s vpn webpage and permitted any any. But this way noone could open that webpage

As far as I know, control plane type ACL is not currently offered as a feature on FTD.

I see. I have also seen that access-group command is not supported by Flex so that means i would not be able to apply access-list to-the-box. It is disappointing. I think i have to change my NGFW to another vendor.

Even on ASAs, that's a very uncommonly used feature. I have worked on hundreds of customer ASAs and never seen it used.


What's your use case (business requirement) making it critical for you?

The director of security department requires it from me so that only IP addresses from my country can connect to out RA VPN. Actually i have opened TAC case. We have worked together with an engineer, deployed control-plane ACL by Flex but with no result. This issue is already a bug case and waiting response from devolopers whether it is bug or control-plane acl is not yet supported on FTD

Hi Orkhan,
Please share the details once you get update from TAC. As i am also in a very similar situation now that one of my customer required the exact thing. They wan to allow only RA-VPN to be accessed from some specific country IP's.


Hello Abheesh, 

You can check the case status via this link: CSCvn78593. As TAC advised me not to wait a quick action for this problem. Whether this is bug or not supported in FTD, it may take really long time to be added. My advise to you put another ASA for only RA VPN behind FTD devices and cut traffic with basic ACL or Prefilter.  Thanks in advance!

Hi Orkhan,
Thank you for sharing the details.

If you put your RA-dedicated ASA inside on the FTD device then you can use Geoblocking in your ACP rule.

It seems to be fixed now... since and later. And for the 6.3 since


I was also waiting for this.





Is it fixed in version 6.6. ?

Yes if it was already fixed in later releases of 6.2 and 6.3 then I suppose it will also work with 6.6 with flexconfig.

Marvin Rhoads
VIP Community Legend

Even though control-plane ACLs are technically supported with Flexconfig, it is not currently supported (as of 6.6) to do geoblocking of RA VPN that way.

A TAC engineer confirmed this with me just today. There is an (currently unpublished) enhancement bugID for this: CSCvs65322 ENH | Geo-location based AnyConnect Client connections

Recognize Your Peers
Content for Community-Ad