Hello, everyone. We have implemented Anyconnect RA VPN on FTD device. However now i want to restrict from which source global IP Addresses i can connect to. I now in ASA it can be done by control-plane ACL but in FTD i do not see any place to configure it.
No, It didnot work as i expected. Because ACP and Prefilter Policies are for passthrough traffic. I needed ACL for control plane that i implemented using flexconfig. I denied only my phones global IP into FTD`s vpn webpage and permitted any any. But this way noone could open that webpage
I see. I have also seen that access-group command is not supported by Flex so that means i would not be able to apply access-list to-the-box. It is disappointing. I think i have to change my NGFW to another vendor.
Even on ASAs, that's a very uncommonly used feature. I have worked on hundreds of customer ASAs and never seen it used.
What's your use case (business requirement) making it critical for you?
The director of security department requires it from me so that only IP addresses from my country can connect to out RA VPN. Actually i have opened TAC case. We have worked together with an engineer, deployed control-plane ACL by Flex but with no result. This issue is already a bug case and waiting response from devolopers whether it is bug or control-plane acl is not yet supported on FTD
Please share the details once you get update from TAC. As i am also in a very similar situation now that one of my customer required the exact thing. They wan to allow only RA-VPN to be accessed from some specific country IP's.
You can check the case status via this link: CSCvn78593. As TAC advised me not to wait a quick action for this problem. Whether this is bug or not supported in FTD, it may take really long time to be added. My advise to you put another ASA for only RA VPN behind FTD devices and cut traffic with basic ACL or Prefilter. Thanks in advance!
Even though control-plane ACLs are technically supported with Flexconfig, it is not currently supported (as of 6.6) to do geoblocking of RA VPN that way.
A TAC engineer confirmed this with me just today. There is an (currently unpublished) enhancement bugID for this: CSCvs65322 ENH | Geo-location based AnyConnect Client connections