Posture checking on Cisco Firepower

carl_townshend · ‎02-26-2025

Hi All

I would like to implement some "posture" checking on our FTD firewall managed in cdFMC, I want to ensure all remote access vpn clients have some sort of AntiVirus running on there pc's etc.

On the ASA this could be done with hostscan.

What are the requirements for doing these checks? do I need ISE? what licences would I need? and can anyconnect handle this? cheers

Rob Ingram · ‎02-26-2025

@carl_townshend you can use Dynamic Acces Policies (DAP) on the FTD, you do not require ISE. You require Secure Client/AnyConnect licenses and the relevant module installed.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/cluster/ftd_dap_usecases.html

Licensing for Dynamic Access Policies

The threat defense must have one of the AnyConnect licenses that supports remote access VPN:

Secure Client Premier
Secure Client Advantage
Secure Client VPN Only

The management center must have export-controlled features enabled.

Marvin Rhoads · ‎02-26-2025

I would add that posture checking using DAP leverages the "Secure Firewall Posture" hidden module of Secure Client. So make sure your policy is set to install that module as it is responsible for querying the endpoint and replying the the FTD regarding the various posture conditions your have configured.

carl_townshend · ‎02-26-2025

Hi Marvin

we already use the dynamic access policies, I’m looking to enable some kind of checking on the client for antivirus.

do I need ISE for this or is it something I can do without ISE and just from the FTD?

if so, where are these settings?

cheers

Marius Gunnerud · ‎02-26-2025

Personally I would use ISE instead of DAP when doing posture assessments. That being said, you could look into matching on registry keys when looking for Anti-Virus on the host machine.

--
Please remember to select a correct answer and rate helpful posts

carl_townshend · ‎02-27-2025

Hi All

So I have got it working to a point, I have the secure posture module installed and have created a DAP policy.

What I want to do is create a policy so that if you dont have "ANY" Antivirus installed, you get kicked off, I cannot see any options to do this.

How would I achieve this with a DAP policy on the FTD please?

Marvin Rhoads · ‎02-27-2025

I don't believe you can use DAP to check for "ANY" AV (or AntiMalware as they call it). The OWASP telemetry reports which product(s) are installed but the DAP logic cannot check for that.

carl_townshend · ‎03-03-2025

Hi All
What is the point of the posture assessment on the firewall if we can not check if something "doesn't" exist?
As an example, I would like to ensure that when any third party connects to us they have some kind of antivirus installed and if it finds none, then they are terminated. Is this not possible?

If so then am I correct in saying that with posture, you are looking for a specific thing that exists or doesnt exist? this means that If I connect a computer with no AV, it would simply let me connect as I didnt meet the policy above? this sounds counter intuative.

How does everyone else tackle this issue?

What kind of things are best when dealing with untrusted third parties connecting to our VPN?

Many thanks