A Firepower Threat Defense device is a Next Generation Firewall (NGFW) that provides secure gateway capabilities similar to the Secure Firewall ASA.
Firepower Threat Defense devices support Remote Access VPN (RA VPN) using the AnyConnect Secure Mobility Client only; no other client and no clientless VPN access is supported. Tunnel establishment and connectivity use IPsec IKEv2 or SSL. IKEv1 is not supported when connecting to a Secure Firewall Threat Defense device.
On Windows, macOS, and Linux, AnyConnect is configured on the Firepower Threat Defense headend and deployed upon connectivity, giving remote users the benefits of an SSL or IKEv2 IPsec VPN client without the need to install and configure client software themselves. If a client is already installed, the Firepower Threat Defense headend examines the revision of the client when the user authenticates and upgrades the client as necessary.
Without a previously installed client, remote users browse to the IP address of an interface configured to download and install the AnyConnect client. The Firepower Threat Defense headend downloads and installs the client that matches the operating system of the remote computer and establishes a secure connection.
The AnyConnect apps for Apple iOS and Android devices are installed from the platform app store. They require only minimal configuration to establish connectivity to the Firepower Threat Defense headend. As with other headend devices and environments, the alternative deployment methods described in this chapter can also be used to distribute the AnyConnect software.
Currently, only the AnyConnect core VPN module and the AnyConnect VPN Profile can be configured on the Firepower Threat Defense and distributed to endpoints. The Remote Access VPN Policy wizard in the Secure Firewall Management Center sets up these basic VPN capabilities quickly.
Guidelines and Limitations for AnyConnect and Firepower Threat Defense
- The only supported VPN client is the AnyConnect Secure Mobility Client. No other clients or native VPNs are supported. Clientless VPN is not supported as its own entity; it is used only to deploy the AnyConnect client.
- Using AnyConnect with Firepower Threat Defense requires AnyConnect 4.0 or later and Secure Firewall Management Center 6.2.1 or later.
- The Secure Firewall Management Center has no built-in AnyConnect Profile Editor; you must create the VPN profiles independently. The VPN Profile and the AnyConnect VPN package are added as File Objects in the Secure Firewall Management Center and become part of the RA VPN configuration.
- Secure Mobility, Network Access Manager, and all other AnyConnect modules and their profiles beyond the core VPN capabilities are not currently supported.
- VPN load balancing is not supported.
- Browser Proxy is not supported.
- All posture variants (HostScan, Endpoint Posture Assessment, and ISE) and Dynamic Access Policies based on client posture are not supported.
- The Firepower Threat Defense device does not configure or deploy the files necessary to customize or localize AnyConnect.
- Features that require AnyConnect custom attributes are not supported on Firepower Threat Defense, such as Deferred Upgrade on desktop clients and Per-App VPN on mobile clients.
- Authentication cannot be performed locally on the Firepower Threat Defense headend; therefore, locally configured users are not available for remote connections, and the Firepower Threat Defense cannot act as a Certificate Authority. The following authentication features are also not supported:
  - Secondary or double authentication
  - Single sign-on using SAML 2.0
  - TACACS, Kerberos (KCD authentication), and RSA SDI
  - LDAP authorization (LDAP attribute map)
  - RADIUS CoA
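Because the Management Center has no Profile Editor, the VPN Profile you upload as a File Object has to be authored outside it. The following Python is an added example, not Cisco's code and not part of this chapter: it writes the minimal AnyConnect VPN profile XML for a single Threat Defense headend, reads an existing profile back to list its headend entries, and rejects a PrimaryProtocol value other than the SSL and IPsec (IKEv2) tunnels a Threat Defense headend can terminate. The element names and namespace follow the AnyConnect client profile XML; the host names and addresses are constructed placeholders.

```python
"""Build and inspect a minimal AnyConnect VPN profile for a Threat Defense headend.

Added example, not Cisco code. Element names and the namespace follow the
AnyConnect client profile XML; host names and addresses are constructed
placeholders. Only the core VPN profile is supported on Firepower Threat
Defense, so nothing beyond ClientInitialization and ServerList is emitted.
"""
import xml.etree.ElementTree as ET

NS = "http://schemas.xmlsoap.org/encoding/"
# Threat Defense terminates only SSL or IKEv2/IPsec tunnels. In the profile,
# the PrimaryProtocol element takes the literal values "SSL" or "IPsec"
# (IPsec here means IKEv2; IKEv1 cannot be expressed in the profile at all).
SUPPORTED_PROTOCOLS = ("SSL", "IPsec")


def _tag(name):
    """Namespace-qualify a profile element name for ElementTree."""
    return f"{{{NS}}}{name}"


def build_profile(host_name, host_address, primary_protocol="IPsec"):
    """Return profile XML text with one HostEntry pointing at the headend."""
    if primary_protocol not in SUPPORTED_PROTOCOLS:
        raise ValueError(
            f"PrimaryProtocol {primary_protocol!r} is not one of {SUPPORTED_PROTOCOLS}"
        )
    ET.register_namespace("", NS)  # emit xmlns="..." rather than ns0: prefixes
    root = ET.Element(_tag("AnyConnectProfile"))
    init = ET.SubElement(root, _tag("ClientInitialization"))
    # AutoUpdate lets the headend push a newer client at connect time, which is
    # the upgrade-on-authentication behaviour described above; locking it with
    # UserControllable="false" stops users from switching it off.
    ET.SubElement(init, _tag("AutoUpdate"), UserControllable="false").text = "true"
    servers = ET.SubElement(root, _tag("ServerList"))
    entry = ET.SubElement(servers, _tag("HostEntry"))
    ET.SubElement(entry, _tag("HostName")).text = host_name
    ET.SubElement(entry, _tag("HostAddress")).text = host_address
    ET.SubElement(entry, _tag("PrimaryProtocol")).text = primary_protocol
    if hasattr(ET, "indent"):  # pretty-print on Python 3.9+
        ET.indent(root)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def list_hosts(profile_xml):
    """Parse a profile and return (HostName, HostAddress, PrimaryProtocol) tuples.

    A HostEntry without a PrimaryProtocol element is reported as SSL, the
    client's default when the element is omitted.
    """
    root = ET.fromstring(profile_xml)
    hosts = []
    for entry in root.iterfind(f"{_tag('ServerList')}/{_tag('HostEntry')}"):
        name = (entry.findtext(_tag("HostName")) or "").strip()
        addr = (entry.findtext(_tag("HostAddress")) or "").strip()
        # PrimaryProtocol may carry child elements; findtext returns the
        # leading text ("IPsec\n  "), so strip the whitespace.
        proto = (entry.findtext(_tag("PrimaryProtocol")) or "SSL").strip()
        hosts.append((name, addr, proto))
    return hosts


def check_profile(profile_xml):
    """Return problems that would make the profile unusable against Threat Defense."""
    problems = []
    hosts = list_hosts(profile_xml)
    if not hosts:
        problems.append("ServerList has no HostEntry; users would have to type the headend address")
    for name, addr, proto in hosts:
        if not addr:
            problems.append(f"HostEntry {name!r} has no HostAddress")
        if proto not in SUPPORTED_PROTOCOLS:
            problems.append(f"HostEntry {name!r} uses PrimaryProtocol {proto!r}, not SSL or IPsec")
    return problems


if __name__ == "__main__":
    xml_text = build_profile("Corporate FTD", "vpn.example.net", "IPsec")
    print(xml_text)
    print(list_hosts(xml_text), check_profile(xml_text))
```

Save the printed XML as the VPN Profile File Object and pair it with the AnyConnect package File Object in the RA VPN configuration. The check is deliberately narrow: it only enforces the constraints stated in this chapter (a reachable headend entry and an SSL or IKEv2 tunnel) and does not validate the full profile schema, which the desktop Profile Editor does against AnyConnectProfile.xsd.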
For details on configuring and deploying AnyConnect on a Firepower Threat Defense, see the Firepower Threat Defense Remote Access VPN chapter in the appropriate release of the Firepower Management Center Configuration Guide, Release 6.2.1 or later.