Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3261
Views
5
Helpful
5
Replies

Management interface access

Go to solution
Isaiah
Level 1
Level 1

‎04-03-2017 11:03 AM - edited ‎03-12-2019 02:10 AM

I have a pair of Firepower 4110s.  Is there any way to restrict what IP addresses are even able to connect to the Chassis management interface SSH, HTTPS, and SNMP interfaces?  And same for the CLI on the FTD logical device management interface?

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎04-04-2017 04:11 AM

FX-OS 2.1 added lockdown features as part of FIPS/CC (Common Criteria) certification.

See the Configuration guide here:

http://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos211/web-config/b_GUI_ConfigGuide_FXOS_211/security_certifications_compliance.html#id_30486

Similar settings for the FTD logical devices are done from your FMC, under a platform settings policy, as described here:

http://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/platform_settings_for_firepower_threat_defense.html#task_2133E7672043462081102935A3042AB3

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎04-04-2017 04:11 AM

FX-OS 2.1 added lockdown features as part of FIPS/CC (Common Criteria) certification.

See the Configuration guide here:

http://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos211/web-config/b_GUI_ConfigGuide_FXOS_211/security_certifications_compliance.html#id_30486

Similar settings for the FTD logical devices are done from your FMC, under a platform settings policy, as described here:

http://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/platform_settings_for_firepower_threat_defense.html#task_2133E7672043462081102935A3042AB3

0 Helpful

Go to solution
Isaiah
Level 1
Level 1
In response to Marvin Rhoads

‎04-04-2017 08:50 AM

Ah, yes, thank you, it looks like the software version is the answer for the FX-OS chassis management interface. 

However, it seems like the platform settings policy restrictions apply only to the virtual diagnostic interface or the inband data interfaces, and not to the virtual management interface.  Anything is able to establish SSH connections to the FTD management interface, regardless of what is configured in the platform policy.  This is what I am trying to lock down.

From the config guide, this is the problem:

The physical management interface is shared between the Diagnostic logical interface and the Management logical interface; this configuration applies only to the Diagnostic logical interface, if used. The Management logical interface is separate from the other interfaces on the device. It is used to set up and register the device to the Firepower Management Center. It has a separate IP address and static routing.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Isaiah

‎04-04-2017 08:56 AM

Hmm I don't have one handy to verify on, but the FTD Management interface access restriction by source IP for both HTTPS and SSH should be a policy enforced by the platform settings.

If that's not working for you, I'd check with a TAC case whether it's setup and deployed properly or if there's a bug identified on this new feature.

The FMC Configuration Guide clearly indicates it's a feature:

Step 4   Identify the interfaces and IP addresses that allow SSH connections.

Use this table to limit which interfaces will accept SSH connections, and the IP addresses of the clients who are allowed to make those connections. You can use network addresses rather than individual IP addresses.

  1. Click Add to add a new rule, or click the Edit icon to edit an existing rule.
  2. Configure the rule properties:

    • IP Address—The network object that identifies the hosts or networks you are allowing to make SSH connections. Choose an object from the drop-down menu, or add a new network object by clicking the + button.

    • Security Zones—Add the zones that contain the interfaces to which you will allow SSH connections. For interfaces not in a zone, you can type the interface name into the field below the Selected Security Zone list and click Add. These rules will be applied to a device only if the device includes the selected interfaces or zones.

  3. Click OK.
0 Helpful

Go to solution
Isaiah
Level 1
Level 1
In response to Marvin Rhoads

‎04-10-2017 09:04 AM

Just an update that TAC confirmed that at this time there is no way to create access controls on the FTD management interface.  The diagnostic interface only is the one that the platform settings policy applies to.

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Isaiah

‎04-10-2017 07:09 PM

isaiahgrothe  ,

That's good to know. Thanks for the update.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card