Is FTD’s control plane wide open?

guacamoley (Level 1)

I was looking into setting up BGP on an FTD and was wondering where to allow TCP/179, and then I realized there is nowhere to even add this as an access entry. Same goes for VPN. Is this not wildly insecure?

Accepted Solution

https://integratingit.wordpress.com/2021/06/26/ftd-control-plane-acl/

In FTD, using control-plane is done via FlexConfig.

Check the link. I also will check new versions of FDM and FMC if there is an option to add it directly.

Thanks 

MHM


5 Replies


@guacamoley you can use the control-plane ACL functionality to restrict access "to" the FTD, such as BGP; currently you must use FlexConfig to configure this.

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221531-configure-control-plane-access-control-p.html


As @Rob Ingram and @MHM Cisco World mentioned, you can use "access-group <name> in int outside control-plane" to control who can access TCP/179. Obviously, it is practically impossible to do the same for TCP/443, although technically control-plane ACLs do work for TCP/443 too. This means that TCP/443 is wide open and the firewall doesn't have protection for TCP/443.

Also, if you, for example, try to rate-limit TCP/443 messages to protect the device from DoS, you'd find that none of the ASA features work:

- "class-map type management" doesn't allow you to limit connections or embryonic connections per-host in the corresponding policy-map
- "class" and "member" constructs do not limit to-the-box connections in multiple context mode (on ASA), hence "limit-resource rate" doesn't work either (this tool is unavailable on FTD as it doesn't support multiple mode)
- MPF is not capable of connection rate-limiting at all.

HTH
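A concrete control-plane ACL of the kind the replies above describe, as an added example (not configuration from the original thread, from Cisco's documentation, or from the linked blog post). It is written in FTD/ASA CLI syntax as it would be pasted into a FlexConfig object; the interface name `outside`, the ACL name `CP-ACL`, and the addresses 203.0.113.1 (the FTD's outside address) and 203.0.113.10 (the BGP peer) are constructed placeholders. It goes slightly beyond the BGP case by also permitting the VPN control traffic the original question mentions, since that is to-the-box traffic too.

```text
! Constructed example: to-the-box ACL bound to the outside interface.
! Only the designated BGP peer may reach TCP/179 on the firewall's own address.
access-list CP-ACL extended permit tcp host 203.0.113.10 host 203.0.113.1 eq 179
! IKE, IKE NAT-T and ESP terminate on the firewall, so once a control-plane
! ACL is applied they must be permitted explicitly or VPN negotiation stops.
access-list CP-ACL extended permit udp any host 203.0.113.1 eq 500
access-list CP-ACL extended permit udp any host 203.0.113.1 eq 4500
access-list CP-ACL extended permit esp any host 203.0.113.1
! Explicit final deny that mirrors the implicit deny but logs the hits, so
! unexpected to-the-box attempts are visible in syslog. Add a TCP/443 permit
! here only if SSL remote-access VPN or management is served on this interface.
access-list CP-ACL extended deny ip any host 203.0.113.1 log
! Bind for to-the-box traffic only; transit traffic is still governed by the
! normal access control policy and is not affected by this ACL.
access-group CP-ACL in interface outside control-plane
```

In FMC these lines would go into a FlexConfig object (type Append, deployed every time) assigned to the device in a FlexConfig policy; after deployment, `show access-list CP-ACL` on the FTD CLI shows per-line hit counts, which is the quickest way to confirm that the peer's BGP session matches the permit line and that the final deny is catching everything else. Note that the ACL protects only the interface address it names; if BGP peers on other interfaces, each interface needs its own control-plane ACL.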


Doesn't the FTD have its own DDOS protection with the Network Analysis Policy? 

@guacamoley the NAP is for traffic "through" the FTD not "to".
