I would like to share a success story/configuration after struggling for months against VPN attacks putting high load on our ISE, 2FA and AD servers and trying 100K+ credentials in 15 minutes from different IP addresses.
We are running an ASA image (also possible on FTD, link below) on FTD1150 hardware where there is no option to block geolocation or use security intelligence etc.
So we first started to protect the assets by creating a control-plane ACL and adding the IPs there manually; however, there were so many that we couldn’t keep up.
Yesterday I got the info that in our version there is a new threat detection feature that can shun the IPs automatically targeting the VPN service. I checked the ISE logs to get the correct thresholds and timers and settled with 10 min hold-down and 10 failures as a threshold below (1 min 5 failures would cause false positives).
It worked so magically that the hourly 500K failures dropped to 170 overnight!
Be aware the shuns won’t be cleared automatically; you can use the event manager applet below or clear them all manually with the clear shun command.
Clear shun IP is also an option.
Requirements for ASA image:
9.16 version train → supported from 9.16(4)67 and newer versions within this specific train.
9.18 version train → supported from 9.18(4)40 and newer versions within this specific train.
9.20 version train → supported from 9.20(3) and newer versions within this specific train.
9.22 version train → supported from 9.22(1.1) and any newer versions.
Configuration we used:
! Threat Detection for Attempts to Connect to Internal-Only (Invalid) VPN Services
threat-detection service invalid-vpn-access
! Threat Detection for Remote Access VPN Authentication Failures
threat-detection service remote-access-authentication hold-down 10 threshold 10
! Threat Detection for Remote Access VPN Client Initiation Attacks
threat-detection service remote-access-client-initiations hold-down 10 threshold 20
! Optional: to clear the shuns automatically every 7 days (you can of course do this manually)
event manager applet Clear_Shun_Weekly
 description Clear shunned IPs every 7 days
 event none
 event timer watchdog time 604800
 action 1 cli command "clear shun"
 output none
Saw this in the partner EMEA TAC Security workshop earlier this week as well, very useful.
Also, geoblocking for “to the box” traffic (VPN) on Firepower will be coming around Q2 in 2025 according to the plans, probably in 7.7 as the first release. Most likely only in FMC though.
Just upgraded to 7.4.2.1 FTD and enabled this via flexconfig. Anyone having issues with it shunning properly on ftd? It doesn’t seem to be shunning for us.
This is exactly what I’ve been looking for. We have the same scenario. Multiple VPN attempts on our FTD and ISE is full of failed logins. I’ve been manually adding IPs (when I can keep up) to a control plane ACL. I’ve been asking for another FTD to sit behind our primary just for VPN but no luck yet, so this looks like a great alternative for now. Much appreciated. I know what I’m doing Monday!
Does anyone know if it is possible to whitelist a specific IP-address from the threat-detection service?
Some of our users use VPN from the inside of the network. Their traffic is source translated to an address on the same DMZ as the ASA which is causing false positives.
Enabled this a few minutes ago and already have over 1085 entries. Hopefully this decreases our AD account lockouts originating from the RA-VPN SSL page…
This setup works perfectly! Glad to make some blackhat’s bot get an error. However, there’s an issue during large legit meetings. When attendees connect to the VPN using their laptops over the conference room Wi-Fi, the Wi-Fi IP gets shunned. I’m adjusting holddown/threshold. Is there a way to trust or whitelist an IP to prevent this issue?
This document is a good mix too. Certificate auth is the way to go. Have had a customer who was having issues for months, and this has solved 100% of their lockout issues.
I upgraded my FTD firewalls over the weekend and it appears to be working. Can someone please explain the disabled portion when I do a: Show threat-detection service remote-access-authentication details:
This is what mine states at the moment.
show threat-detection service remote-access-authentication details
Yeah this will be also available as you said, cisco confirmed it to us as well. However we would like to stay on asa image for our vpn headend. Rock solid.
A workaround could be to query the shun for the NAT address with a script and delete it if found, using these commands:
show shun [ip_address]
no shun ip_address
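One way to script that workaround, as an added example that is not from this thread: parse the output of show shun, keep only entries whose source falls inside a list of trusted hosts or prefixes (the internal users' DMZ NAT address, a conference-room Wi-Fi egress range), and emit the matching no shun commands. The sample show shun output and the trusted addresses are constructed for the example, and the exact column layout of show shun is an assumption, so adjust the regex to what your device prints.

```python
import ipaddress
import re

# Constructed sample output of "show shun"; the line layout is an assumption
# made for this example, not captured from a real ASA.
SAMPLE_SHOW_SHUN = """\
shun (outside) 203.0.113.10 0.0.0.0 0 0 0
shun (outside) 198.51.100.7 0.0.0.0 0 0 0
shun (dmz) 192.0.2.25 0.0.0.0 0 0 0
shun (outside) 198.51.100.200 0.0.0.0 0 0 0
"""

# Sources that must never stay shunned (hypothetical values): the DMZ NAT
# address used by internal VPN users and a conference-room Wi-Fi egress range.
TRUSTED_SOURCES = ["192.0.2.25", "198.51.100.192/26"]

# The first IPv4 address after "shun (ifname)" is the shunned source.
SHUN_LINE = re.compile(
    r"^shun\s+\((?P<intf>[^)]+)\)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_shun_entries(show_shun_output):
    """Return [(interface, source_ip)] for every shun line in the output."""
    entries = []
    for line in show_shun_output.splitlines():
        m = SHUN_LINE.match(line.strip())
        if m:
            entries.append((m.group("intf"), m.group("src")))
    return entries


def is_trusted(ip, trusted):
    """True when ip falls inside any trusted host address or CIDR prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(t, strict=False) for t in trusted)


def shun_cleanup_commands(show_shun_output, trusted=TRUSTED_SOURCES):
    """Build the 'no shun' commands that release only trusted sources."""
    return [f"no shun {src}"
            for _, src in parse_shun_entries(show_shun_output)
            if is_trusted(src, trusted)]


if __name__ == "__main__":
    for cmd in shun_cleanup_commands(SAMPLE_SHOW_SHUN):
        print(cmd)
```

The generated commands still have to be pushed to the firewall (for example over SSH from a scheduled job); keep the trusted list short and specific, since every entry is a source the VPN threat detection will no longer block.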