Configure Threat Detection for Remote Access VPN Services on Secure Firewall Threat Defense

Available Languages

Download Options

  • PDF     (324.6 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (372.2 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (303.2 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:October 25, 2024
Document ID:222383

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the process of configuring threat detection for Remote Access VPN services on Cisco Secure Firewall Threat Defense (FTD).

    Prerequisites

    Cisco recommends you to have knowledge of these topics:

    • Cisco Secure Firewall Threat Defense (FTD).
    • Cisco Secure Firewall Management Center (FMC).
    • Remote Access VPN (RAVPN) on FTD.

    Requirements

    These threat detection features are supported in the Cisco Secure Firewall Threat Defense versions listed next:

    • 7.0 version train-> supported from7.0.6.3 and newer versions within this specific train.
    • 7.2 version train-> supported from7.2.9 and newer version within this specific train.
    • 7.4 version train-> supported from7.4.2.1 and newer version within this specific train.
    • 7.6 version train-> supported from7.6.0 and any newer versions.

    Note: These features are currently not supported in version trains 7.1 or 7.3.

    Components Used

    The information described in this document is based on these hardware and software versions:

    • Cisco Secure Firewall Threat Defense Virtual version 7.0.6.3.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    Threat detection features for remote access VPN services help prevent Denial of Service (DoS) attacks from IPv4 addresses by automatically blocking the host (IP address) that exceeds the configured thresholds to prevent further attempts until you manually remove the shun of the IP address. There are separate services available for the next types of attack:

    • Repeated failed authentication attempts to remote access VPN services (brute-force username/password scanning attacks).
    • Client initiation attacks, where the attacker starts but does not complete the connection attempts to a remote access VPN headend repeated times from a single host.
    • Connection attempts to invalid remote access VPN services. That is, when attackers try to connect to specific built-in tunnel groups intended solely for the internal functioning of the device. Legitimate endpoints should never attempt to connect to these tunnel groups.

    These attacks, even when unsuccessful in their attempt to gain access, can consume computational resources and prevent valid users from connecting to the remote access VPN services.

    When you enable these services, the Secure Firewall automatically shuns the host (IP address) that exceeds the configured thresholds, to prevent further attempts until you manually remove the shun of the IP address.

    Note: All the threat detection services for remote access VPN are disabled by default.

    Configure

    Note: The configuration of these features on Secure Firewall Threat Defense is currently supported only via FlexConfig.

    1. Log in to the Secure Firewall Management Center.

    2. In order to configure the FlexConfig Object, navigate to Objects > Object Management > FlexConfig > FlexConfig Object, then click Add FlexConfig Object.

    FlexConfig Object Menu

    3. Once the Add FlexConfig Object window is opened, add the required configuration to enable the threat-detection features for Remote Access VPN:

    • FlexConfig Object Name: enable-threat-detection-ravpn
    • FlexConfig Object description: Enable Threat Detection for Remote Access VPN services.
    • Deployment: Everytime
    • Type: Append.
    • Text box: add the "threat detection service" commands based on the available features described next.

    Note: You can enable the 3 available threat-detection features for Remote Access VPN using the same FlexConfig object, or you can create one FlexConfig object individually for each feature to be enabled.

    Feature 1: Threat Detection for Attempts to Connect to Internal-Only (Invalid) VPN Services

    In order to enable this service, add the threat-detection service invalid-vpn-access command in the FlexConfig object text box.

    Feature 2: Threat Detection for Remote Access VPN Client Initiation Attacks

    In order to enable this service, add the threat-detection service remote-access-client-initiations hold-down <minutes> threshold <count> command in the FlexConfig object text box, where:

    • hold-down <minutes> defines the period after the last initiation attempt during which consecutive connection attempts are counted. If the number of consecutive connection attempts meets the configured threshold within this period, the attacker's IPv4 address is shunned. You can set this period between 1 and 1440 minutes.
    • threshold <count> is the number of connection attempts required within the hold-down period to trigger a shun. You can set the threshold between 5 and 100.

    For example, if the hold-down period is 10 minutes and the threshold is 20, the IPv4 address is automatically shunned if there are 20 consecutive connection attempts within any 10-minute span.

    Note: When setting the hold-down and threshold values, take NAT usage into account. If you use PAT, which allows many requests from the same IP address, consider higher values. This ensures valid users have enough time to connect. For instance, in a hotel, numerous users can attempt to connect in a short period.

    Feature 3: Threat Detection for Remote Access VPN Authentication Failures

    In order to enable this service, add the threat-detection service remote-access-authentication hold-down<minutes> threshold <count> command in the FlexConfig object text box, where:

    • hold-down <minutes> defines the period after the last failed attempt during which consecutive failures are counted. If the number of consecutive authentication failures meets the configured threshold within this period, the attacker's IPv4 address is shunned. You can set this period between 1 and 1440 minutes.
    • threshold <count> is the number of failed authentication attempts required within the hold-down period to trigger a shun. You can set the threshold between 1 and 100.

    For example, if the hold-down period is 10 minutes and the threshold is 20, the IPv4 address is automatically shunned if there are 20 consecutive authentication failures within any 10-minute span.

    Note: When setting the hold-down and threshold values, take NAT usage into account. If you use PAT, which allows many requests from the same IP address, consider higher values. This ensures valid users have enough time to connect. For instance, in a hotel, numerous users can attempt to connect in a short period.

    Note: Authentication failures via SAML are not supported yet. 

    This example configuration enables the three available threat detection services for remote access VPN with a hold-down period of 10 minutes and a threshold of 20 for client initiation and failed authentication attempts. Configure the hold-down and threshold values according to your environment requirements.

    This example uses a single FlexConfig object to enable the 3 available features.

    threat-detection service invalid-vpn-access
    threat-detection service remote-access-client-initiations hold-down 10 threshold 20
    threat-detection service remote-access-authentication hold-down 10 threshold 20

    New FlexConfig ObjectNew FlexConfig Object

    4. Save the FlexConfig Object.

    5. Navigate to Devices > FlexConfig and select the FlexConfig Policy assigned to your Secure Firewall.

    6. From the available FlexConfig Objects displayed on the left pane, select the FlexConfig object you configured in step 3, click ">", and save the changes.

    FlexConfig Object Assignment

    7. Deploy the changes and verify.

    Deployment

    Verify

    In order to display statistics for threat detection RAVPN services, log in to the CLI of the FTD and run the show threat-detection service [service] [entries|details] command. Where the service can be: remote-access-authentication, remote-access-client-initiations, or invalid-vpn-access.

    You can limit the view further by adding these parameters:

    • entries — Display only the entries being tracked by the threat detection service. For example, the IP addresses that have had failed authentication attempts.
    • details — Display both service details and service entries.

    Run the show threat-detection service command to display statistics of all the threat detection services that are enabled.

    ciscoftd# show threat-detection service
    Service: invalid-vpn-access
    State     : Enabled
    Hold-down : 1 minutes
    Threshold : 1
    Stats:
        failed      :          0
        blocking    :          0
        recording   :          0
        unsupported :          0
        disabled    :          0
    Total entries: 0
Service: remote-access-authentication
    State     : Enabled
    Hold-down : 10 minutes
    Threshold : 20
    Stats:
        failed      :          0
        blocking    :          1
        recording   :          4
        unsupported :          0
        disabled    :          0
    Total entries: 2
Name: remote-access-client-initiations
    State     : Enabled
    Hold-down : 10 minutes
    Threshold : 20
    Stats:
        failed      :          0
        blocking    :          0
        recording   :          0
        unsupported :          0
        disabled    :          0
    Total entries: 0

    In order to view more details of potential attackers that are being tracked for the remote-access-authentication service, run the show threat-detection service <service> entries command.

    ciscoftd# show threat-detection service remote-access-authentication entries
    Service: remote-access-authentication
    Total entries: 2

Idx Source              Interface            Count          Age        Hold-down
--- ------------------- -------------------- -------------- ---------- ---------
  1 192.168.100.101/ 32              outside              1        721         0
  2 192.168.100.102/ 32              outside              2        486       114
Total number of IPv4 entries: 2

NOTE: Age is in seconds since last reported. Hold-down is in seconds remaining.

    In order to view the general statistics and details of a specific threat detection remote access VPN service run the show threat-detection service <service> details command.

    ciscoftd# show threat-detection service remote-access-authentication details
    Service: remote-access-authentication
    State     : Enabled
    Hold-down : 10 minutes
    Threshold : 20
    Stats:
        failed      :          0
        blocking    :          1
        recording   :          4
        unsupported :          0
        disabled    :          0
     Total entries: 2

Idx Source              Interface            Count          Age        Hold-down
--- ------------------- -------------------- -------------- ---------- ---------
  1 192.168.100.101/ 32              outside              1        721         0
  2 192.168.100.102/ 32              outside              2        486       114
Total number of IPv4 entries: 2

NOTE: Age is in seconds since last reported. Hold-down is in seconds remaining.

    Note: The entries display only the IP addresses being tracked by the threat-detection service. If an IP address has met the conditions to be shunned, the blocking count increases and the IP address is no longer displayed as an entry.

    Additionally, you can monitor shuns applied by the VPN services, and remove shuns for a single IP address or all the IP addresses with the next commands:

    • show shun [ip_address]

    Shows shunned hosts, including those shunned automatically by threat detection for VPN services, or manually using the shun command. You can optionally limit the view to a specified IP address.

    • no shun ip_address [interface if_name]

    Removes the shun from the specified IP address only. You can optionally specify the interface name for the shun, if the address is shunned on more than one interface and you want to leave the shun in place on some interfaces.

    • clear shun

    Removes the shun from all IP addresses and all interfaces.

    Note: IP addresses shunned by threat detection for VPN services do not appear in the show threat-detection shun command, which applies to scanning threat detection only.

    In order to read all the details for each command output and available syslog messages related to the threat detection services for remote access VPN, please refer to the Command Reference document.

    Related Information

    Revision History

    Revision Publish Date Comments
    2.0
    25-Oct-2024
    Updated Background Information for further clarity.
    1.0
    12-Sep-2024
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Angel Ortiz Jimenez
      Security Technical Leader

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products