HTTP Access

You can enable the HTTPS server to provide a health check mechanism for a cloud load balancer, for example, for the threat defense virtual on AWS using an Application Load Balancer.

Other uses for HTTPs on the threat defense are not supported; for example, the threat defense does not have a web interface for configuration in this management mode.

This configuration only applies to data interfaces, including any you have configured as management-only. It does not apply to the dedicated Management interface. The Management interface is separate from the other interfaces on the device. It is used to set up and register the device to the management center. It has a separate IP address and static routing.

To use HTTPS, you do not need an access rule allowing the host IP address. You only need to configure HTTPS access according to this section.

You can only use HTTPS to a reachable interface; if your HTTPS host is located on the outside interface, you can only initiate a management connection directly to the outside interface.

Before you begin

  • You cannot configure both HTTPS and AnyConnect VPN module of Cisco Secure Client on the same interface for the same TCP port. For example, if you configure remote access SSL VPN on the outside interface, you cannot also open the outside interface for HTTPS connections on port 443. If you must configure both features on the same interface, use different ports. For example, open HTTPS on port 4443.

  • You need network objects that define the hosts or networks you will allow to make HTTPS connections to the device. You can add objects as part of the procedure, but if you want to use object groups to identify a group of IP addresses, ensure that the groups needed in the rules already exist. Select Objects > Object Management to configure objects.

    Note

    You cannot use the system-provided any network object group. Instead, use any-ipv4 or any-ipv6.

Procedure

Step 1

Choose Devices > Platform Settings and create or edit the threat defense policy.

Step 2

Select HTTP Access.

Step 3

Check the Enable HTTP Server check box to enable the HTTP server.

Step 4

(Optional) Change the HTTP port. The default is 443.

Step 5

Identify the interfaces and IP addresses that allow HTTP connections.

Use this table to limit which interfaces will accept HTTP connections, and the IP addresses of the clients who are allowed to make those connections. You can use network addresses rather than individual IP addresses.

  1. Click Add to add a new rule, or click Edit to edit an existing rule.

  2. Configure the rule properties:

    • IP Address—The network object or group that identifies the hosts or networks you are allowing to make HTTP connections. Choose an object from the drop-down menu, or click + to add a new network object.

    • Available Zones/Interfaces—Add the zones that contain the interfaces to which you will allow HTTP connections. For interfaces not in a zone, you can type the interface name into the field below the Selected Zones/Interfaces list and click Add. These rules will be applied to a device only if the device includes the selected interfaces or zones.

  3. Click OK.

Step 6

Click Save.

You can now go to Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them.