Cisco Added the Remote Access “sysopt permit-vpn” GUI command in Firepower/FTD 6.3 code

Here is what the documentation tells you about VPN traffic in 6.3. It’s an interesting read. Pay attention to the part I bolded:

Quote From 6.3 Release notes:

Changed default behavior for VPN traffic handling in the access control policy (sysopt connection permit-vpn).

The default behavior for how VPN traffic is handled by the access control policy has changed. Starting in 6.3, the default is that all VPN traffic will be processed by the access control policy. This allows you to apply advanced inspections, including URL filtering, intrusion protection, and file policies, to VPN traffic. You must configure access control rules to allow VPN traffic. Alternatively, you can use FlexConfig to configure the sysopt connection permit-vpn command, which tells the system to bypass the access control policy (and any advanced inspections) for VPN-terminated traffic.

So, if you go and configure the Remote Access VPN through the GUI, you will see this screen now available. I had to look at it a couple of times to make sure I was clear on what I was seeing.

The flexconfig option for this command was available in 6.2.3 and works in 6.3 also, but the release notes don’t mention the GUI option.
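For reference, here is what the two states described in the release notes look like as ASA-style configuration lines, as an added illustration that is not from the post or from Cisco's documentation. The FlexConfig object body is the single command the release notes name; the "no" form is shown only for contrast with the 6.3 default, and the "show" command at the end is an assumption about what is available on your FTD CLI for verifying which state is deployed.

```cisco
! Added example, not from the post or the Cisco 6.3 release notes.

! FlexConfig object body that restores the pre-6.3 behaviour: VPN-terminated
! traffic bypasses the access control policy, so URL filtering, intrusion and
! file policies never see the decrypted VPN traffic.
sysopt connection permit-vpn

! Equivalent of the 6.3 default (nothing to deploy; shown for contrast):
! VPN traffic is processed by the access control policy, so you must have
! access control rules that explicitly allow it.
no sysopt connection permit-vpn

! Verification after deployment (assumption: the ASA-style running-config
! view is available on your FTD CLI). If "sysopt connection permit-vpn"
! appears, VPN traffic is bypassing the access control policy.
show running-config sysopt
```

The practical trade-off is the one the release notes spell out: the GUI checkbox (or the FlexConfig object) is convenient, but whichever way it is enabled it removes the advanced inspections from VPN-terminated traffic, so it is worth confirming on the box which state you actually have after each deploy.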

Hey, either way, we finally got our sysopt permit-vpn command with an easy to remember GUI click!
