
SEC0412 – Firepower 7.0 AnyConnect VPN Custom Attributes (Part 1)


Custom Attributes

Features that use custom attributes

Dynamic split tunneling based on DNS domain name
Traditional split tunneling is static: the networks to include or exclude are defined as IP addresses in an ACL. If a website hosted on AWS or Azure, whose IP addresses change, must be reached over the tunnel, the admin would have to update the split-tunnel ACL every time the website's IP addresses change. This is not a feasible solution.

The solution is dynamic split tunneling (DST), which matches on the DNS domain name instead of the IP address.

We will create both an include and an exclude DST object for Webex.

The DST exclude object will be used in the group policy where all traffic is tunneled (tunnel-all), so that Webex traffic bypasses the tunnel.

I don't think we need to add a wildcard asterisk on this domain name.

The DST include object will be used in the group policy where only enterprise traffic is tunneled (split include) and we want the Webex app to reach the enterprise over the tunnel, so that the firewalls can perform additional inspection on Webex traffic (if there is a compliance requirement).

For deferred client updates, once the update prompt times out the default action is taken.
A default action of defer means the client keeps running its current version and is not updated.

You can also define a minimum version under the defer action, so a client must be running at least this version in order to defer or delay the update; this prevents clients from staying on a version that is too old.
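As an added example (not from the original notes), this is the ASA-style CLI that the two group policies described above and the deferred-update settings render to once the custom attributes are pushed to the FTD; on FMC 7.0 the same objects are created under Objects > Object Management > VPN > AnyConnect Custom Attribute and attached in the group policy. The policy, ACL and attribute-data names, the Webex domain list, the minimum version and the timeout value are all assumed placeholders.

```text
! Declare each custom attribute type once (global webvpn context)
webvpn
 anyconnect-custom-attr dynamic-split-exclude-domains description Domains resolved at connect time and kept OFF the tunnel
 anyconnect-custom-attr dynamic-split-include-domains description Domains resolved at connect time and forced INTO the tunnel
 anyconnect-custom-attr DeferredUpdateAllowed description Let users postpone the client upgrade
 anyconnect-custom-attr DeferredUpdateMinimumVersion description Oldest client version that may defer
 anyconnect-custom-attr DeferredUpdateDismissTimeout description Seconds before the default action fires
 anyconnect-custom-attr DeferredUpdateDismissResponse description Action taken when the prompt times out

! Attribute values (assumed names; domain list is a placeholder, plain domain names, no wildcard)
anyconnect-custom-data dynamic-split-exclude-domains webex_excl webex.com,ciscospark.com
anyconnect-custom-data dynamic-split-include-domains webex_incl webex.com,ciscospark.com
anyconnect-custom-data DeferredUpdateAllowed defer_allowed true
anyconnect-custom-data DeferredUpdateMinimumVersion defer_min_ver 4.9.00086
anyconnect-custom-data DeferredUpdateDismissTimeout defer_timeout 150
anyconnect-custom-data DeferredUpdateDismissResponse defer_default defer

! Tunnel-all policy: everything goes over the VPN, so Webex is dynamically EXCLUDED
group-policy GP_FULL_TUNNEL attributes
 split-tunnel-policy tunnelall
 anyconnect-custom dynamic-split-exclude-domains value webex_excl
 anyconnect-custom DeferredUpdateAllowed value defer_allowed
 anyconnect-custom DeferredUpdateMinimumVersion value defer_min_ver
 anyconnect-custom DeferredUpdateDismissTimeout value defer_timeout
 anyconnect-custom DeferredUpdateDismissResponse value defer_default

! Split-include policy: only the enterprise ACL is tunneled, so Webex is dynamically INCLUDED
! (keeps Webex traffic on the tunnel so the firewall can inspect it)
group-policy GP_SPLIT_INCLUDE attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL_ENTERPRISE_SPLIT
 anyconnect-custom dynamic-split-include-domains value webex_incl
 anyconnect-custom DeferredUpdateAllowed value defer_allowed
 anyconnect-custom DeferredUpdateMinimumVersion value defer_min_ver
 anyconnect-custom DeferredUpdateDismissTimeout value defer_timeout
 anyconnect-custom DeferredUpdateDismissResponse value defer_default
```

Check the pushed result with `show running-config webvpn` and `show running-config group-policy GP_FULL_TUNNEL` on the FTD CLI, and on the client under Statistics > Route Details, where the resolved Webex addresses should appear as dynamic tunnel exclusions (tunnel-all policy) or inclusions (split-include policy) rather than in the static secured/non-secured route lists.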
