02-26-2025 08:32 AM
Hi All
I would like to implement some "posture" checking on our FTD firewall managed in cdFMC. I want to ensure all remote access VPN clients have some sort of antivirus running on their PCs, etc.
On the ASA this could be done with hostscan.
What are the requirements for doing these checks? Do I need ISE? What licences would I need? And can AnyConnect handle this? Cheers
02-26-2025 08:37 AM
@carl_townshend you can use Dynamic Access Policies (DAP) on the FTD; you do not require ISE. You require Secure Client/AnyConnect licenses and the relevant module installed.
The threat defense must have one of the AnyConnect licenses that supports remote access VPN:
Secure Client Premier
Secure Client Advantage
Secure Client VPN Only
The management center must have export-controlled features enabled.
02-26-2025 09:20 AM
I would add that posture checking using DAP leverages the "Secure Firewall Posture" hidden module of Secure Client. So make sure your policy is set to install that module, as it is responsible for querying the endpoint and replying to the FTD regarding the various posture conditions you have configured.
02-26-2025 11:00 AM
Hi Marvin
We already use the dynamic access policies; I'm looking to enable some kind of checking on the client for antivirus.
Do I need ISE for this, or is it something I can do without ISE and just from the FTD?
If so, where are these settings?
Cheers
02-26-2025 03:14 PM
Personally I would use ISE instead of DAP when doing posture assessments. That being said, you could look into matching on registry keys when looking for Anti-Virus on the host machine.
02-27-2025 05:04 AM
Hi All
So I have got it working to a point: I have the Secure Firewall Posture module installed and have created a DAP policy.
What I want to do is create a policy so that if you don't have "ANY" antivirus installed, you get kicked off. I cannot see any options to do this.
How would I achieve this with a DAP policy on the FTD please?
02-27-2025 08:05 AM
I don't believe you can use DAP to check for "ANY" AV (or AntiMalware, as they call it). The OPSWAT telemetry reports which product(s) are installed, but the DAP logic cannot check for that.
03-03-2025 08:07 AM
Hi All
What is the point of the posture assessment on the firewall if we cannot check if something "doesn't" exist?
As an example, I would like to ensure that when any third party connects to us they have some kind of antivirus installed, and if it finds none, then they are terminated. Is this not possible?
If so, then am I correct in saying that with posture you are looking for a specific thing that exists or doesn't exist? This means that if I connect a computer with no AV, it would simply let me connect, as I didn't meet the policy above? This sounds counterintuitive.
How does everyone else tackle this issue?
What kind of things are best when dealing with untrusted third parties connecting to our VPN?
Many thanks