Configuring Management Access
Management access refers to the ability to log into the Firepower Threat Defense device for configuration and monitoring purposes. You can configure the following items:
- AAA to identify the identity source to use for authenticating user access. You can use the local user database or an external AAA server. For more information about administrative user management, see Managing FDM and FTD User Access.
- Access control to the management interface and to data interfaces. There are separate access lists for these interfaces. You can decide which IP addresses are allowed for HTTPS (used for the FDM) and SSH (used for the CLI). See Configuring the Management Access List.
- Management Web Server certificate, which users must accept to connect to the FDM. By uploading a certificate your web browsers already trust, you can avoid users being asked to trust an unknown certificate. See Configuring the FTD Web Server Certificate.
Configuring the Management Access List
By default, you can reach the device's FDM web or CLI interfaces on the management address from any IP address. System access is protected by username/password only. However, you can configure an access list to allow connections only from specific IP addresses or subnets, which provides another level of protection.
You can also open data interfaces to allow FDM or SSH connections to the CLI. You can then manage the device without using the management address. For example, you could allow management access to the outside interface, so that you can configure the device remotely. The username/password protects against unwanted connections. By default, HTTPS management access to data interfaces is enabled on the inside interface but disabled on the outside interface. For the Firepower 1010, which has a default “inside” bridge group, this means that you can make FDM connections through any data interface within the bridge group to the bridge group IP address (default is 192.168.1.1). You can open a management connection only on the interface through which you enter the device.
Caution: If you constrain access to specific addresses, you can easily lock yourself out of the system. If you delete access for the IP address that you are currently using, and there is no entry for “any” address, you will lose access to the system when you deploy the policy. Be very careful if you decide to configure the access list.
Before you begin
You cannot configure both the FDM access (HTTPS access) and remote access SSL VPN on the same interface for the same TCP port. For example, if you configure remote access SSL VPN on the outside interface, you cannot also open the outside interface for HTTPS connections on port 443. Because you cannot configure the port used by these features in the FDM, you cannot configure both features on the same interface.
Procedure
Step 1: Click Device, then click the link. If you are already on the System Settings page, simply click Management Access in the table of contents. You can also configure AAA on this page to allow management access for users defined in an external AAA server. For details, see Managing FDM and FTD User Access.
Step 2: To create rules for the management address:
Step 3: To create rules for data interfaces:
Configuring the FTD Web Server Certificate
When you log into the web interface, the system uses a digital certificate to secure communications using HTTPS. The default certificate is not trusted by your browser, so you are shown an Untrusted Authority warning and asked whether you want to trust the certificate. Although users can save the certificate to the Trusted Root Certificate store, you can instead upload a new certificate that browsers are already configured to trust.
Procedure
Step 1: Click Device, then click the link. If you are already on the System Settings page, simply click Management Access in the table of contents.
Step 2: Click the Management Web Server tab.
Step 3: In Web Server Certificate, select the internal certificate to use for securing HTTPS connections to the FDM. If you have not uploaded or created the certificate, click the Create New Internal Certificate link at the bottom of the list and create it now. The default is the pre-defined DefaultWebserverCertificate object.
Step 4: If the certificate is not self-signed, add all intermediate and root certificates in the full trust chain to the Trusted Chain list. You can add up to 10 certificates in the chain. Click + to add each intermediate certificate, and finally, the root certificate. When you click Save (and then Proceed on the dialog that warns you that the web server will restart), if a certificate is missing, you will get an error message with the common name of the next certificate in the chain that is missing. You will also get an error if you add a certificate that is not in the chain. Examine these messages carefully to identify the certificate you need to add or remove. You can upload the certificates from here by clicking Create New Trusted CA Certificate after clicking +.
Step 5: Click Save. The change is applied immediately, and the system restarts the web server. You do not need to deploy the configuration. Wait a few minutes to allow the restart to finish, then refresh your browser.
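Step 4 describes two chain errors: the common name of the next missing certificate, and a certificate that is not part of the chain. The following added example (not FDM code and not a real X.509 parser) models certificates as (subject CN, issuer CN) pairs, with a self-signed root having subject equal to issuer, and reproduces those two checks plus the 10-certificate limit so a Trusted Chain list can be sanity-checked before the web server restart.

```python
"""Check a Trusted Chain list before saving it on the Management Web Server tab.

Added example, not FDM code or a real X.509 parser: certificates are
modelled as (subject CN, issuer CN) pairs, a self-signed root having
subject == issuer. Call it only for a non-self-signed web server cert."""

MAX_CHAIN = 10  # limit stated for the Trusted Chain list


def check_trust_chain(server_issuer_cn, trusted_chain):
    """trusted_chain: list of (subject_cn, issuer_cn) in the order added with +.
    Returns (ok, message); the message names the certificate to add or remove."""
    if len(trusted_chain) > MAX_CHAIN:
        return False, f"too many certificates: {len(trusted_chain)} > {MAX_CHAIN}"
    issuer_of = {subject: issuer for subject, issuer in trusted_chain}
    needed, used = server_issuer_cn, set()
    while needed not in used:            # stop if the chain loops back on itself
        if needed not in issuer_of:
            return False, f"missing certificate in chain: {needed}"
        used.add(needed)
        if issuer_of[needed] == needed:  # self-signed root reached
            break
        needed = issuer_of[needed]
    else:
        return False, f"chain loops at: {needed}"
    extra = [s for s, _ in trusted_chain if s not in used]
    if extra:
        return False, f"certificate not in chain: {extra[0]}"
    return True, "chain complete"


if __name__ == "__main__":
    # Constructed chain for a web server certificate issued by an intermediate CA.
    chain = [("Example Intermediate CA", "Example Root CA"),
             ("Example Root CA", "Example Root CA")]
    print(check_trust_chain("Example Intermediate CA", chain))       # complete
    print(check_trust_chain("Example Intermediate CA", chain[:1]))   # root missing
```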