Configure HTTP access

You can enable the HTTPS server on the Firewall Threat Defense to provide a health check mechanism for a cloud load balancer, for example, for the Firewall Threat Defense Virtual on AWS using an Application Load Balancer.

Use the HTTPS server only for the health check use described here. You cannot configure the Firewall Threat Defense through a web interface in this management mode.

This feature is supported only on data interfaces, including data interfaces that you set as management-only. It is not supported on the dedicated Management interface. The Management interface is separate from the other interfaces on the device: it has its own IP address and static routing, and it is used to set up and register the device with the Cloud-Delivered Firewall Management Center.

To allow HTTPS connections to the device, configure the HTTP server as described in this section. You do not need an access control rule that allows the client host IP address.

HTTPS can only be used on an interface that the client can reach. For example, if the client can reach the device only through the outside interface, initiate the connection to the outside interface directly.

Before you begin

  • If you enable both HTTPS and the AnyConnect VPN module of Cisco Secure Client on the same interface, configure them on different TCP ports, because both use TCP port 443 by default. For example, change the HTTPS port to 4443.

  • Create the network objects or object groups that define the hosts or networks allowed to make HTTPS connections. You can also add objects while performing this procedure. Select Objects to configure objects.

    Note

    Use the any-ipv4 or any-ipv6 network object group instead of the system-provided any object.

Procedure


Step 1

Choose Devices > Platform Settings and create or edit the Firewall Threat Defense policy.

Step 2

Select HTTP Access.

Step 3

Check the Enable HTTP Server check box to enable the HTTP server.

Step 4

(Optional) Change the HTTP port. The default is 443.

Step 5

Identify the interfaces and client IP addresses from which HTTP connections are allowed.

Use this table to restrict HTTP connections to specific interfaces and client IP addresses. You can specify networks instead of individual IP addresses.

  1. Click Add to add a new rule, or click Edit to edit an existing rule.

  2. Configure the rule properties:

    • IP Address—The network object or group that identifies the hosts or networks you are allowing to make HTTP connections. Choose an object from the drop-down menu, or click + to add a new network object.

    • Available Zones/Interfaces—Add the zones that contain the interfaces on which you want to allow HTTP connections. For interfaces that are not in a zone, type the interface name into the field below the Selected Zones/Interfaces list, and then click Add. A rule is applied to a device only if that device includes the selected interfaces or zones.

  3. Click OK.

Step 6

Click Save.

You can now go to Deploy > Deploy and deploy the policy to assigned devices. The changes are not active until you deploy them.


After you deploy, the device accepts HTTPS connections on the specified interfaces from the specified client IP addresses, for example from the load balancer's health check probes.
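The following is an added example, not part of this guide or of the Cisco product, that models the two checks a practitioner would want to run before deploying the policy above: whether the chosen HTTPS port collides with the AnyConnect VPN module on a shared interface, and which client addresses each interface-bound rule in the HTTP Access table actually admits. The rules, interface names, subnets and the load balancer health check source ranges are constructed sample data. The to_cli function renders the rules as ASA-style `http` lines; that these match what the device shows in `show running-config http` after deployment is an assumption, included only to help review the intended result.

```python
from ipaddress import ip_address, ip_network

# Constructed sample planning data (not from a real deployment).
HTTPS_PORT = 4443           # changed from the default 443 to avoid AnyConnect
ANYCONNECT_PORT = 443       # AnyConnect VPN module listens on TCP 443 by default
ANYCONNECT_INTERFACES = {"outside"}

# One entry per row of the HTTP Access table:
# (network object name, member networks as CIDR strings, interface or zone name)
HTTPS_RULES = [
    ("alb-healthcheck-subnets", ["10.0.1.0/24", "10.0.2.0/24"], "outside"),
    ("mgmt-jumphost", ["10.10.10.5/32"], "inside"),
]


def check_port_conflict(https_port, anyconnect_port, https_interfaces, anyconnect_interfaces):
    """Return the interfaces on which HTTPS and AnyConnect would share one TCP port."""
    if https_port != anyconnect_port:
        return set()
    return set(https_interfaces) & set(anyconnect_interfaces)


def validate_objects(rules):
    """Return rule names that use the system-provided 'any' object.

    The note in this section says to use any-ipv4 or any-ipv6 instead."""
    return [name for name, _cidrs, _ifc in rules if name == "any"]


def client_allowed(rules, client_ip, interface):
    """True if client_ip arriving on interface matches a rule bound to that interface.

    Rules are interface-specific: a host allowed on 'outside' is not allowed on
    'inside' unless a separate rule exists for 'inside'."""
    addr = ip_address(client_ip)
    for _name, cidrs, ifc in rules:
        if ifc != interface:
            continue
        if any(addr in ip_network(cidr) for cidr in cidrs):
            return True
    return False


def to_cli(rules, port):
    """Render the planned rules as ASA-style 'http' commands for review.

    Assumption: the deployed policy appears in this form in
    'show running-config http' on the device."""
    lines = [f"http server enable {port}"]
    for _name, cidrs, ifc in rules:
        for cidr in cidrs:
            net = ip_network(cidr)
            if net.version == 4:
                lines.append(f"http {net.network_address} {net.netmask} {ifc}")
            else:
                lines.append(f"http {net.with_prefixlen} {ifc}")
    return lines


if __name__ == "__main__":
    https_ifcs = {ifc for _n, _c, ifc in HTTPS_RULES}
    clash = check_port_conflict(HTTPS_PORT, ANYCONNECT_PORT, https_ifcs, ANYCONNECT_INTERFACES)
    print("port conflict on:", sorted(clash) or "none")
    print("rules using 'any':", validate_objects(HTTPS_RULES) or "none")
    # Constructed probes: an ALB health checker, the same host on the wrong
    # interface, and an arbitrary internet address.
    for ip, ifc in [("10.0.1.17", "outside"), ("10.0.1.17", "inside"), ("203.0.113.9", "outside")]:
        print(f"{ip} on {ifc}: {'allowed' if client_allowed(HTTPS_RULES, ip, ifc) else 'denied'}")
    print("\n".join(to_cli(HTTPS_RULES, HTTPS_PORT)))
```

Run the script against your own table before clicking Deploy; if check_port_conflict returns a non-empty set, change the HTTPS port as described under Before you begin, and if validate_objects returns any names, replace that object with any-ipv4 or any-ipv6.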