Remote Access VPN Features

The following section describes the features of Firepower Threat Defense remote access VPN:

  • SSL and IPsec-IKEv2 remote access using the Cisco AnyConnect Secure Mobility Client.

  • Support for all address-family combinations, such as IPv6 traffic carried over an IPv4 tunnel.

  • Configuration support on both CDO and FDM, with device-specific overrides.

  • Support for both Cisco Defense Orchestrator and FTD HA environments.

  • Support for multiple interfaces and multiple AAA servers.

  • Rapid Threat Containment support using RADIUS Change of Authorization (CoA), also known as RADIUS dynamic authorization.

  • Support for DTLS v1.2 protocol with Cisco AnyConnect Secure Mobility Client version 4.7 or higher.

  • Support for AnyConnect client modules that provide additional security services for RA VPN connections.

  • VPN load balancing.

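Rapid Threat Containment relies on the RADIUS dynamic authorization exchange of RFC 5176: an external server (for example, a policy engine reacting to a threat event) sends a Disconnect-Request or CoA-Request to the VPN gateway, and the gateway validates the packet before tearing down or re-authorizing the session. The following is an added example, not code from the original page or from Cisco; it models the packet construction and the gateway-side authenticator check with the Python standard library. Attribute codes, the Error-Cause value 503 (Session Context Not Found), and the authenticator formulas are taken from the RFCs; the session table, the shared secret and the session ID are constructed sample data, and the handler is a simplified model rather than FTD's implementation.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes
DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42
COA_REQUEST = 43
COA_ACK = 44
COA_NAK = 45

# Attribute types used here (RFC 2865 / RFC 2866 / RFC 5176)
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_SESSION_ID = 44
ATTR_ERROR_CAUSE = 101
ERROR_SESSION_CONTEXT_NOT_FOUND = 503

HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs (Type, Length, Value)."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Parse RADIUS TLVs, rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        atype, alen = struct.unpack("!BB", data[i:i + 2])
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def build_request(code, identifier, attrs, secret):
    """Build a Disconnect-Request or CoA-Request.

    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    """
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    auth = hashlib.md5(hdr + b"\x00" * 16 + body + secret).digest()
    return hdr + auth + body


def verify_request(packet, secret):
    """Gateway-side check: recompute the Request Authenticator with the shared secret."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_response(code, request, attrs, secret):
    """ACK/NAK carry the request's Identifier; the authenticator binds them to the request.

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    """
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, request[1], HEADER_LEN + len(body))
    auth = hashlib.md5(hdr + request[4:20] + body + secret).digest()
    return hdr + auth + body


def handle_disconnect(packet, secret, active_sessions):
    """Simplified model of the gateway handling a Disconnect-Request.

    active_sessions maps Acct-Session-Id -> username (constructed sample data).
    Returns (response_packet_or_None, updated_sessions).
    """
    if not verify_request(packet, secret):
        return None, active_sessions  # RFC 5176: silently discard on bad authenticator
    attrs = dict(decode_attrs(packet[HEADER_LEN:]))
    session_id = attrs.get(ATTR_ACCT_SESSION_ID)
    if session_id in active_sessions:
        remaining = {k: v for k, v in active_sessions.items() if k != session_id}
        return build_response(DISCONNECT_ACK, packet, [], secret), remaining
    nak_attrs = [(ATTR_ERROR_CAUSE, struct.pack("!I", ERROR_SESSION_CONTEXT_NOT_FOUND))]
    return build_response(DISCONNECT_NAK, packet, nak_attrs, secret), active_sessions
```

The security-relevant point is that the only thing protecting a gateway from an unsolicited Disconnect-Request is the shared secret folded into the MD5 authenticator, so the CoA secret deserves the same handling as the authentication secret, and the dynamic authorization port should only be reachable from the authorized RADIUS server.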
AAA

  • Server authentication using self-signed or CA-signed identity certificates.

  • AAA username- and password-based remote authentication using a RADIUS, LDAP, or Active Directory (AD) server.

  • RADIUS group and user authorization attributes, and RADIUS accounting.

  • Double authentication support using an additional AAA server for secondary authentication.

  • NGFW Access Control integration using VPN Identity.

  • LDAP or AD authorization attributes configured through the Cisco Defense Orchestrator web interface.

  • Support for single sign-on using SAML 2.0.

  • Support for multiple identity provider trustpoints with Microsoft Azure, where several applications can share the same Entity ID but each uses a unique identity certificate.

VPN Tunneling

  • Address assignment

  • Split tunneling

  • Split DNS

  • Client Firewall ACLs

  • Session Timeouts for maximum connect and idle time

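Split tunneling decides which destinations leave the client through the VPN, and split DNS decides which queries go to the VPN-assigned resolvers; the two have to agree, or queries for internal names leak to the local resolver or are sent to a VPN DNS server that is not itself reachable through the tunnel. The following is an added example, not code from the original page or from Cisco; it models the client-side decision in Python for the three tunneling modes (assumed names: tunnel_all, include, exclude), uses label-aware domain matching, and includes an audit that flags a VPN DNS server outside the tunneled networks. The networks, domains and addresses are constructed sample data, and the policy class is a simplified model, not AnyConnect's or FTD's implementation.

```python
import ipaddress


def _networks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _in_any(ip, nets):
    return any(ip in n for n in nets)


def domain_matches(qname, domain):
    """Label-aware suffix match: 'host.corp.example.com' matches 'corp.example.com',
    but 'evilcorp.example.com' does not."""
    q = qname.rstrip(".").lower()
    d = domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)


class SplitTunnelPolicy:
    """Simplified model of a per-group tunneling policy (assumed field names).

    mode: 'tunnel_all' -> all traffic goes through the VPN
          'include'    -> only the listed networks go through the VPN
          'exclude'    -> the listed networks bypass the VPN, everything else is tunneled
    split_dns_domains: names resolved through the VPN-assigned DNS servers;
                       empty means the DNS decision follows the route to those servers
    """

    def __init__(self, mode, networks=(), split_dns_domains=(), vpn_dns_servers=()):
        if mode not in ("tunnel_all", "include", "exclude"):
            raise ValueError("unknown split-tunnel mode: %r" % mode)
        self.mode = mode
        self.networks = _networks(networks)
        self.split_dns_domains = list(split_dns_domains)
        self.vpn_dns_servers = [ipaddress.ip_address(a) for a in vpn_dns_servers]

    def tunnels(self, dst):
        """True if traffic to dst is sent through the VPN tunnel."""
        ip = ipaddress.ip_address(dst)
        if self.mode == "tunnel_all":
            return True
        listed = _in_any(ip, self.networks)
        return listed if self.mode == "include" else not listed

    def resolver_for(self, qname):
        """'vpn' if the query goes to the VPN-assigned resolvers over the tunnel, else 'local'."""
        if self.mode == "tunnel_all":
            return "vpn"
        if self.split_dns_domains:
            hit = any(domain_matches(qname, d) for d in self.split_dns_domains)
            return "vpn" if hit else "local"
        # No split DNS: queries reach the VPN resolvers only if their addresses are tunneled.
        reachable = self.vpn_dns_servers and all(self.tunnels(s) for s in self.vpn_dns_servers)
        return "vpn" if reachable else "local"

    def audit(self):
        """Return configuration findings a practitioner would want to see before deployment."""
        findings = []
        for server in self.vpn_dns_servers:
            if not self.tunnels(server):
                findings.append("VPN DNS server %s is not covered by the tunnel; "
                                "split-DNS queries to it would leave in the clear" % server)
        if self.mode == "include" and not self.networks:
            findings.append("split-include with an empty network list tunnels nothing")
        if self.mode != "tunnel_all" and not self.split_dns_domains and not self.vpn_dns_servers:
            findings.append("no split-DNS domains and no VPN DNS servers: internal names "
                            "will be resolved by the local resolver")
        return findings


def example_policies():
    """Constructed sample policies: a correct split-include group and a leaky one."""
    good = SplitTunnelPolicy("include",
                             networks=["10.0.0.0/8", "192.168.100.0/24"],
                             split_dns_domains=["corp.example.com"],
                             vpn_dns_servers=["10.1.1.53"])
    leaky = SplitTunnelPolicy("include",
                              networks=["10.0.0.0/8"],
                              split_dns_domains=["corp.example.com"],
                              vpn_dns_servers=["172.16.0.53"])
    return good, leaky
```

The exclude mode is the one to scrutinize in threat modeling: anything not on the exclude list is tunneled, so a local-LAN exclusion such as 192.168.0.0/16 also exposes the client to whatever untrusted network it happens to be on, which is why the Client Firewall ACLs listed above are usually paired with it.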
Monitoring

  • A VPN dashboard widget that shows VPN users by characteristics such as session duration and client application.

  • Remote access VPN events that include authentication information such as the username and the client OS platform.

  • Tunnel statistics available using the FTD Unified CLI.