Configuring Management Access
Management access refers to the ability to log into the threat defense device for configuration and monitoring purposes. You can configure the following items:
- AAA to identify the identity source to use for authenticating user access. You can use the local user database or an external AAA server. For more information about administrative user management, see Managing Device Manager and Threat Defense User Access.
- Access control to the management interface and to data interfaces. There are separate access lists for these interfaces. You can decide which IP addresses are allowed for HTTPS (used for the device manager) and SSH (used for CLI). See Configuring the Management Access List.
- Management Web Server certificate, which users must accept to connect to the device manager. By uploading a certificate your web browsers already trust, you can avoid users being asked to trust an unknown certificate. See Configuring the Threat Defense Web Server Certificate.
Configuring the Management Access List
By default, you can reach the device's device manager web or CLI interfaces on the management address from any IP address. System access is protected by username/password only. However, you can configure an access list to allow connections only from specific IP addresses or subnets, to provide another level of protection.
You can also open data interfaces to allow the device manager or SSH connections to the CLI. You can then manage the device without using the management address. For example, you could allow management access to the outside interface, so that you can configure the device remotely. The username/password protects against unwanted connections. By default, HTTPS management access to data interfaces is enabled on the inside interface but it is disabled on the outside interface. For the Firepower 1010 or Secure Firewall 1210/1220 that has a default “inside” bridge group, this means that you can make the device manager connections through any data interface within the bridge group to the bridge group IP address (default is 192.168.95.1). You can open a management connection only on the interface through which you enter the device.
Caution: If you constrain access to specific addresses, you can easily lock yourself out of the system. If you delete access for the IP address that you are currently using, and there is no entry for “any” address, you will lose access to the system when you deploy the policy. Be very careful if you decide to configure the access list.
Before you begin
You cannot configure both the device manager access (HTTPS access) and remote access SSL VPN on the same interface for the same TCP port. For example, if you configure remote access SSL VPN on the outside interface, you cannot also open the outside interface for HTTPS connections on port 443. If you configure both features on the same interface, ensure that you change the HTTPS port for at least one of these services to avoid a conflict.
Procedure
Step 1: Click Device, then click the link. If you are already on the System Settings page, simply click Management Access in the table of contents. You can also configure AAA on this page to allow management access for users defined in an external AAA server. For details, see Managing Device Manager and Threat Defense User Access.
Step 2: To create rules for the management address:
Step 3: To create rules for data interfaces:
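The two pitfalls this section calls out, locking yourself out by removing your own address from the access list, and putting HTTPS management access and remote access VPN on the same interface and TCP port, are both easy to check before you deploy. The following is an added example, not Cisco code and not the device's own data model: it evaluates a planned configuration (a constructed sample dictionary whose layout is a hypothetical one chosen here) against the administrator's current source address and reports any finding that should stop the deployment.

```python
import ipaddress

# Constructed sample of a planned management-access configuration, modelled on
# the items this page describes: per-interface allow lists for HTTPS (device
# manager) and SSH (CLI), one HTTPS port shared by all data interfaces, and an
# optional remote access VPN port on an interface. The dictionary layout is a
# hypothetical one chosen for this example, not the device's own data model.
PLANNED_CONFIG = {
    "management": {
        "https": ["10.10.0.0/24"],
        "ssh": ["10.10.0.5"],
    },
    "data": {
        "https_port": 443,
        "interfaces": {
            "inside": {"https": ["any"], "ssh": ["any"]},
            "outside": {"https": ["203.0.113.0/24"], "ssh": [], "ravpn_port": 443},
        },
    },
}


def source_allowed(source_ip, entries):
    """True if source_ip matches any access-list entry ("any", a host, or a subnet)."""
    ip = ipaddress.ip_address(source_ip)
    for entry in entries:
        if entry == "any":
            return True
        # strict=False accepts a host address with a prefix, e.g. "10.10.0.5/24"
        if ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def lockout_findings(config, admin_ip, admin_interface, protocol):
    """Report whether the administrator's current session survives deployment.

    admin_interface is "management" or the name of a data interface; protocol
    is "https" or "ssh". This mirrors the caution above: if your own address
    is not permitted and there is no "any" entry, you lose access on deploy.
    """
    if admin_interface == "management":
        entries = config["management"][protocol]
    else:
        entries = config["data"]["interfaces"][admin_interface][protocol]
    if source_allowed(admin_ip, entries):
        return []
    return [f"lockout: {admin_ip} is not permitted for {protocol} on {admin_interface}"]


def port_conflict_findings(config):
    """Flag data interfaces where HTTPS management access and RA VPN share a port."""
    https_port = config["data"]["https_port"]
    findings = []
    for name, iface in config["data"]["interfaces"].items():
        # Only an interface that is open for HTTPS management can conflict.
        if iface.get("https") and iface.get("ravpn_port") == https_port:
            findings.append(
                f"port conflict: HTTPS management access and remote access VPN "
                f"both use TCP/{https_port} on {name}"
            )
    return findings


def validate(config, admin_ip, admin_interface, protocol="https"):
    """Collect every finding; an empty list means the plan is safe to deploy."""
    return lockout_findings(config, admin_ip, admin_interface, protocol) + port_conflict_findings(config)


if __name__ == "__main__":
    # An administrator connected from 10.10.0.77 over HTTPS on the management address.
    for finding in validate(PLANNED_CONFIG, "10.10.0.77", "management"):
        print(finding)
```

Run against the sample, the admin's address passes the HTTPS check on the management interface, but the outside interface is reported because the shared HTTPS data port and the RA VPN port are both 443; changing the HTTPS data port (as described in the next section) clears that finding.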
Configuring the HTTPS Port for Management Access on Data Interfaces
By default, accessing the device for management purposes, either for the device manager or the threat defense API, goes through port TCP/443. You can change the management access port for data interfaces.
If you change the port, users must include the custom port on the URL to access the system. For example, if the data interface is ftd.example.com, and you change the port to 4443, then users must modify the URL to https://ftd.example.com:4443.
All data interfaces will use the same port. You cannot configure different ports per interface.
Note: You cannot change the management access port for the management interface. The management interface always uses port 443.
Procedure
Step 1: Click Device, then click the link. If you are already on the System Settings page, simply click Management Access in the table of contents.
Step 2: Click the Data Interfaces tab.
Step 3: Click the HTTPS Data Port number.
Step 4: In the Data Interfaces Setting dialog box, change the HTTPS Data Port to the one you want to use. You cannot specify the following numbers:
Step 5: Click OK.
Configuring the Threat Defense Web Server Certificate
When you log into the web interface, the system uses a digital certificate to secure communications using HTTPS. The default certificate is not trusted by your browser, so you are shown an Untrusted Authority warning and asked whether you want to trust the certificate. Although users can save the certificate to the Trusted Root Certificate store, you can instead upload a new certificate that browsers are already configured to trust.
Procedure
Step 1: Click Device, then click the link. If you are already on the System Settings page, simply click Management Access in the table of contents.
Step 2: Click the Management Web Server tab.
Step 3: In Web Server Certificate, select the internal certificate to use for securing HTTPS connections to the device manager. If you have not uploaded or created the certificate, click the Create New Internal Certificate link at the bottom of the list and create it now. The default is the pre-defined DefaultWebserverCertificate object.
Step 4: If the certificate is not self-signed, add all intermediate and root certificates in the full trust chain to the Trusted Chain list. You can add up to 10 certificates in the chain. Click + to add each intermediate certificate, and finally, the root certificate. When you click Save (and then Proceed on the dialog that warns you that the web server will restart), if a certificate is missing, you will get an error message with the common name of the next certificate in the chain that is missing. You will also get an error if you add a certificate that is not in the chain. Examine these messages carefully to identify the certificate you need to add or remove. You can upload the certificates from here by clicking Create New Trusted CA Certificate after clicking +.
Step 5: Click Save. The change is applied immediately, and the system restarts the web server. You do not need to deploy the configuration. Wait a few minutes to allow the restart to finish, then refresh your browser.
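Step 4 describes two upload errors, the common name of the next missing certificate and a certificate that does not belong to the chain, plus the required order (each intermediate, then the root) and the limit of 10 certificates. The following added example, which is not Cisco code, reproduces those checks so you can verify a chain before uploading it. It assumes a deliberately simplified certificate model in which only the subject and issuer common names are known; real validation also checks signatures, validity periods and CA constraints, which this example does not attempt. The PKI names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CertInfo:
    """Simplified certificate: only the names needed to link a chain (assumption)."""
    subject_cn: str
    issuer_cn: str

    def is_self_signed(self):
        return self.subject_cn == self.issuer_cn


# Constructed sample PKI: server certificate <- issuing CA <- root CA,
# plus a CA from an unrelated hierarchy to exercise the "not in chain" error.
ROOT = CertInfo("Example Root CA", "Example Root CA")
ISSUING = CertInfo("Example Issuing CA", "Example Root CA")
SERVER = CertInfo("ftd.example.com", "Example Issuing CA")
UNRELATED = CertInfo("Other Corp CA", "Other Corp CA")

MAX_CHAIN = 10  # the page's limit on certificates in the Trusted Chain list


def _walk(server_cert, trusted):
    """Follow issuer links from the server certificate towards a self-signed root.

    Returns (path, missing): path is the list of CA certificates actually used,
    intermediates first and root last; missing is the CN of the first issuer
    that could not be found (None if the walk reached a root).
    """
    by_subject = {c.subject_cn: c for c in trusted}
    path, seen = [], set()
    current = server_cert
    while not current.is_self_signed():
        nxt = by_subject.get(current.issuer_cn)
        if nxt is None:
            return path, current.issuer_cn
        if nxt.subject_cn in seen:  # defensive: supplied certificates form a loop
            return path, f"{current.issuer_cn} (issuer loop)"
        seen.add(nxt.subject_cn)
        path.append(nxt)
        current = nxt
    return path, None


def chain_problems(server_cert, trusted):
    """The errors the upload would raise: next missing CN, extra certs, over the limit."""
    problems = []
    if len(trusted) > MAX_CHAIN:
        problems.append(f"too many certificates: {len(trusted)} (limit {MAX_CHAIN})")
    path, missing = _walk(server_cert, trusted)
    if missing is not None:
        # As on the device, report the next certificate that is missing.
        problems.append(f"missing certificate in chain: {missing}")
        return problems
    # Only once the chain is complete can a leftover certificate be called extraneous.
    used = {c.subject_cn for c in path}
    for c in trusted:
        if c.subject_cn not in used:
            problems.append(f"certificate not in chain: {c.subject_cn}")
    return problems


def upload_order(server_cert, trusted):
    """Subject CNs in the order Step 4 asks for: each intermediate, then the root."""
    path, missing = _walk(server_cert, trusted)
    if missing is not None:
        raise ValueError(f"cannot order an incomplete chain; missing {missing}")
    return [c.subject_cn for c in path]


if __name__ == "__main__":
    print("complete chain:", chain_problems(SERVER, [ROOT, ISSUING]))
    print("root only:", chain_problems(SERVER, [ROOT]))
    print("with a stray CA:", chain_problems(SERVER, [ISSUING, ROOT, UNRELATED]))
    print("upload in this order:", upload_order(SERVER, [ROOT, ISSUING]))
```

A self-signed server certificate needs no Trusted Chain entries at all, so any certificate supplied alongside one is reported as not in the chain, which matches the page's instruction to add the chain only when the certificate is not self-signed.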