
FTD Remote Access VPN Restriction

Hello, everyone. We have implemented AnyConnect RA VPN on an FTD device. However, now I want to restrict which source global IP addresses I can connect from. I know in ASA it can be done with a control-plane ACL, but in FTD I do not see any place to configure it.

29 Replies

Even though control-plane ACLs are technically supported with Flexconfig, it is not currently supported (as of 6.6) to do geoblocking of RA VPN that way.

A TAC engineer confirmed this with me just today. There is a (currently unpublished) enhancement bug ID for this: CSCvs65322 ENH | Geo-location based AnyConnect Client connections

 

Nowadays the major things FTD is missing in terms of remote access and tunneling are the following (in my opinion):
- Lack of geographical restrictions for remote access tunnel groups (should be per tunnel group; it makes no sense to do it for the whole firewall interface) and anonymizers
- Lack of SAML authentication support for remote access
- Lack of VTI tunnel interfaces -> this is really a major drawback for hybrid cloud connectivity

@giovanni.augusto #2 and #3 should be coming in Firepower 6.7 this fall.

For #1 I agree - be sure to contact your Cisco account manager and mention ENH bugID CSCvs65322 !

Any update in version 6.7?

 

So I was talking to TAC today. The workaround works, but it doesn't scale well: I have to block a country in Asia, and that country has 13K IP subnets. Yes, we can import a .csv with 13k objects, each line being one network, but how do we group those 13k objects into one object-group to apply it to the extended ACL?

 

That won't work.
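One thing that helps with the 13K-subnet problem described above is collapsing the country's prefix list before importing it into FMC: adjacent and overlapping subnets merge into fewer, larger prefixes, so there are fewer objects to import and group. This is an added example, not code from the thread or from Cisco; the CSV contents are constructed, and the ASA-syntax object-group output is only there to show the result (object names are placeholders).

```python
# Added example: collapse a one-network-per-line block list into the minimal
# set of CIDR prefixes, then render it in ASA/FTD object-group syntax.
import ipaddress

# Constructed sample, mimicking the imported .csv (one network or host per line).
SAMPLE_CSV = """\
203.0.113.0/25
203.0.113.128/25
198.51.100.0/24
198.51.100.0/26
192.0.2.0/24
192.0.2.10
"""

def parse_networks(text):
    """Parse one network (or bare host) per line; skip blanks and '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # strict=False tolerates host bits set in the prefix (e.g. 10.1.2.3/24)
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def collapse(nets):
    """Merge adjacent/overlapping prefixes (two /25s -> one /24, a /26 inside a /24 -> the /24).
    IPv4 and IPv6 are collapsed separately because collapse_addresses rejects mixed versions."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))

def object_group_lines(name, nets):
    """Render an ASA-syntax 'object-group network' block (name is a placeholder)."""
    lines = [f"object-group network {name}"]
    for n in nets:
        if n.prefixlen == n.max_prefixlen:
            lines.append(f" network-object host {n.network_address}")
        else:
            lines.append(f" network-object {n.network_address} {n.netmask}")
    return lines

if __name__ == "__main__":
    raw = parse_networks(SAMPLE_CSV)
    merged = collapse(raw)
    print(f"{len(raw)} input prefixes -> {len(merged)} after collapsing")
    print("\n".join(object_group_lines("BLOCK-COUNTRY-X", merged)))
```

On the constructed sample the six input lines collapse to three /24s; on a real country list the reduction depends on how fragmented the allocations are.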

steve121
Level 1

Any links on what you actually put in the flexconfig?

My scenario is remote access is getting brute force attacked and failing on the auth but we want to block that traffic by geo so it doesn't get that far.

I have the same problem. If I configure an object and ACL in FMC and try to write a FlexConfig like

access-group <acl-name> in interface <interface-name> control-plane

it doesn't work, because the FTD doesn't have the ACL and the object. In FlexConfig I cannot write an ACL.

Does anybody have an idea or a config example of how I can do it?

 

Regards,

You need to create an ACL first in the FMC ... let's say controlplaneacl

 

Then the flexconfig command is (use nameif of the interface instead of the word nameif in the command):

 

access-group $controlplaneacl in interface nameif control-plane

 

So example:

 

access-group $controlplaneacl in interface WAN control-plane

@jovalo your suggested approach worked fine. I plan to writeup a more detailed how-to for this since the question comes up more and more often lately.

For now, here's my result...

Behavior without control-plane ACL:

[Screenshot: Before Flexconfig]

> show running-config access-group
access-group CSM_FW_ACL_ global
> 

Behavior after adding flexconfig with control-plane ACL blocking my PC’s address:

[Screenshot: After flexconfig]

Note the presence of the access-group command applied to the interface and the hit count in the access-list itself:

> show running-config access-group
access-group ACL-Control_Plane-Test in interface Outside-Home control-plane
access-group CSM_FW_ACL_ global
> 
> show access-list ACL-Control_Plane-Test
access-list ACL-Control_Plane-Test; 2 elements; name hash: 0xab9a61e4
access-list ACL-Control_Plane-Test line 1 extended deny object-group ProxySG_ExtendedACL_8589937617 object Spectre-DHCP any (hitcnt=8) 0x29d27b31 
  access-list ACL-Control_Plane-Test line 1 extended deny ip host 192.168.0.165 any (hitcnt=8) 0x1f6ec140 
access-list ACL-Control_Plane-Test line 2 extended permit object-group ProxySG_ExtendedACL_8589937621 any4 any (hitcnt=0) 0x175edbeb 
  access-list ACL-Control_Plane-Test line 2 extended permit ip any4 any (hitcnt=0) 0x08985061 
>
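The two outputs above are exactly what to verify after pushing the FlexConfig: the access-group line bound to the interface's control plane, and a non-zero hitcnt on the deny ACE. As an added example (not code from the thread or from Cisco), here is a small parser for those two outputs; the sample text is the output shown in this post, pasted in as a constant.

```python
# Added example: verify from FTD CLI output that a control-plane ACL is bound
# to the interface and that its deny ACEs are actually being hit.
import re

# Sample output as shown in this thread (constant embedded for an offline run).
RUNNING_CONFIG = """\
access-group ACL-Control_Plane-Test in interface Outside-Home control-plane
access-group CSM_FW_ACL_ global
"""
SHOW_ACCESS_LIST = """\
access-list ACL-Control_Plane-Test; 2 elements; name hash: 0xab9a61e4
access-list ACL-Control_Plane-Test line 1 extended deny object-group ProxySG_ExtendedACL_8589937617 object Spectre-DHCP any (hitcnt=8) 0x29d27b31
  access-list ACL-Control_Plane-Test line 1 extended deny ip host 192.168.0.165 any (hitcnt=8) 0x1f6ec140
access-list ACL-Control_Plane-Test line 2 extended permit object-group ProxySG_ExtendedACL_8589937621 any4 any (hitcnt=0) 0x175edbeb
  access-list ACL-Control_Plane-Test line 2 extended permit ip any4 any (hitcnt=0) 0x08985061
"""

# One ACE line: '[indent]access-list NAME line N extended permit|deny RULE (hitcnt=H) 0x...'
ACE_RE = re.compile(
    r"^\s*access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<rule>.+?) \(hitcnt=(?P<hits>\d+)\)")

def control_plane_binding(running_config, acl, nameif):
    """True if 'access-group ACL in interface NAMEIF control-plane' is present."""
    want = f"access-group {acl} in interface {nameif} control-plane"
    return any(line.strip() == want for line in running_config.splitlines())

def expanded_aces(show_output, acl):
    """Return (line, action, rule, hits) for each fully expanded ACE of the ACL.
    Lines whose rule starts with object/object-group are parents; the indented
    expansions that follow them carry the concrete addresses, so only those count."""
    aces = []
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if not m or m["acl"] != acl:
            continue
        if m["rule"].split()[0] in ("object", "object-group"):
            continue
        aces.append((int(m["line"]), m["action"], m["rule"], int(m["hits"])))
    return aces

def deny_hits(show_output, acl):
    """Total hit count across the ACL's deny ACEs (0 means nothing is being blocked yet)."""
    return sum(h for _, action, _, h in expanded_aces(show_output, acl) if action == "deny")

if __name__ == "__main__":
    acl, nameif = "ACL-Control_Plane-Test", "Outside-Home"
    print("bound to control-plane:", control_plane_binding(RUNNING_CONFIG, acl, nameif))
    for ace in expanded_aces(SHOW_ACCESS_LIST, acl):
        print(ace)
    print("deny hits:", deny_hits(SHOW_ACCESS_LIST, acl))
```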

 

Funny, but I see the error that the ACL doesn't exist.

Don't forget in the FlexConfig Object to add the object by:

 

Insert --> Insert Policy Object --> Extended ACL object --> choose a name like controlplaneacl --> select the acl

 

Then that name (in this case controlplaneacl) can be used as an object with the $, so an example of the flexconfig line is:

 

access-group $controlplaneacl in interface WAN control-plane

 

I posted a more complete how-to in this other thread:

https://community.cisco.com/t5/network-security/block-access-to-remote-access-vpn-by-ip-address/m-p/4406832

In coming days I plan to write it all up in a comprehensive white paper for posting on the community.

Marvin Rhoads
Hall of Fame

@steve121 we cannot currently use geolocation to restrict AnyConnect access.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs65322/?rfs=iqvred
