FTD SSL/VPN and NGFW

elliot_adlerson
Level 1

Hello folks,

I want to migrate my edge firewall from Cisco to FortiGate, and I want to apply the following:

- Allowing and denying users in the global ACP based on the user defined in the user section of the ACP.

- Applying malware and intrusion (NGFW feature) policies to the SSL VPN users.

As you can note, this is not a fancy setup I want, and I have already done it with my Fortinet firewall, but it seems like it is not working in Cisco as far as I noticed.

Please note that I don't want to bypass VPN traffic from the global Access Control policy because I don't want to lose NGFW features! Meaning I don't want to allow users based on the filter list on the SSL VPN group policy, which is shown in the picture from the document below:

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/fdm/fptd-fdm-config-guide-700/fptd-fdm-ravpn.html


So kindly let me know if you have had this setup before and how to do this in the best approach.

Thanks for your support.

Regards,

5 Replies

@elliot_adlerson what are you using to manage the FTD, local management with FDM or centrally via FMC/cdFMC?

You are correct, if you want the NGFW functionality don't bypass VPN traffic.

You will need to set up authentication, either RADIUS or LDAP, to permit the users. Then configure the required rules in the Access Control policy; if you require malware/IPS etc., you will obviously require the relevant licenses installed and the policies configured correctly.

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215532-configure-remote-access-vpn-on-ftd-manag.html


@Rob Ingram Thanks for your answer.

As an answer to your question, I am using FMC and also MFA from Duo by integrating with AD and Cisco ISE.

And I have created the ACP in which I defined user1 in the user section.

But it seems like user1 does not hit the rule, and when I remove the users from the user section it works properly, since all users in the SSL VPN network addresses will be allowed. This issue happens only when I define my AD user through a realm configured on FMC.

The TAC engineer stated that they allow and deny based on user only in the filter list in the SSL VPN group policy, and they don't use these users in the ACP.

So I am wondering if anyone has allowed or denied users with the ACP approach.

Also, I have attached the design I am seeking.


Thanks.

Regards,


@elliot_adlerson hard to tell from your screenshot why the users are not matching the rule. I assume the AD realm is set up correctly and you've imported the AD groups? Are the bindings present on the FTD?

You need to use the ACP to define rules based on users/groups; you would not be able to apply rules based on AD users/groups via any other method, i.e. the VPN filter.

Using the ACP to permit/deny RAVPN traffic is the recommended method.

@Rob Ingram, believe it or not, the issue was on the ACP: you should not use the SSL VPN range in the source network and the user at the same time.


I tested with an ACP that only defined the user and left the source network empty, then it worked!

So that was the issue at that time, and now it has been solved.

@elliot_adlerson glad it's working. However, you should be able to use a network object that represents the VPN IP address pool in the Access Control rule, assuming that the authenticated user has received an IP address from that network. If not, then traffic would not match that rule.
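As an added illustration (not code from this thread or from Cisco), the following Python models how an Access Control rule that sets both a source network and a user condition is evaluated: every condition on the rule is ANDed, and the user condition can only match when the FTD holds a user-to-IP binding for the connecting address, which is why a missing binding makes the traffic fall through to the default action. The pool, user and binding values are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    action: str                                       # "allow" or "block"
    src_networks: list = field(default_factory=list)  # CIDR strings; empty means any
    users: list = field(default_factory=list)         # realm user names; empty means any


# Constructed user-to-IP bindings, standing in for what the FTD learns from the
# realm / identity source once the RAVPN user has authenticated (hypothetical).
IDENTITY_BINDINGS = {"10.10.50.7": "user1"}

# Constructed VPN address pool and a rule that sets BOTH conditions.
VPN_POOL = "10.10.50.0/24"
POLICY = [Rule("vpn-user1", "allow", [VPN_POOL], ["user1"])]


def rule_matches(rule, src_ip, bindings):
    """All conditions set on the rule must hold (they are ANDed)."""
    ip = ipaddress.ip_address(src_ip)
    if rule.src_networks and not any(
        ip in ipaddress.ip_network(net) for net in rule.src_networks
    ):
        return False  # source not in any listed network (e.g. not from the pool)
    if rule.users:
        # A user condition needs a binding for this IP; no binding, no match.
        return bindings.get(src_ip) in rule.users
    return True


def evaluate(policy, src_ip, bindings, default="block"):
    """First-match ACP evaluation; unmatched traffic gets the default action."""
    for rule in policy:
        if rule_matches(rule, src_ip, bindings):
            return rule.name, rule.action
    return "default", default


if __name__ == "__main__":
    # Pool address with a binding present: both conditions hold.
    print(evaluate(POLICY, "10.10.50.7", IDENTITY_BINDINGS))
    # Same address but the FTD has no binding: user condition cannot match.
    print(evaluate(POLICY, "10.10.50.7", {}))
    # Dropping the user condition matches every pool address, as observed.
    print(evaluate([Rule("vpn-any", "allow", [VPN_POOL])], "10.10.50.7", {}))
```

Checking the identity bindings on the FTD is therefore the first thing to verify when a rule with a user condition is not hit while the same rule without it is.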
