10-16-2024 02:52 AM
Hi,
We are facing attacks from Russia, most likely brute-force. We have received information and confirmed that the attacks come from several IP addresses, mainly these three:
We have added these IP addresses to the block list, but after applying the block, it doesn't seem to work. Maybe we misconfigured something, or there is an issue with Cisco. Could you help us, please? We would really appreciate it.
PS. We are also wondering if it would be possible to disable WebVPN and keep only the Cisco AnyConnect VPN application running without WebVPN (https://xxx.xxx.xxx.xxx). Is that possible?
Cisco Firepower 1140 Firewall Device Manager
Software: 7.2.0-82
VDB: 357.0
Intrusion Rule Update: 20220816-1056
10-16-2024 02:56 AM
@kacper1 what are you attempting to block traffic to? If you are attempting to block traffic "to" the Firewall for VPNs, then you need a control plane ACL. Example:- https://integratingit.wordpress.com/2021/06/26/ftd-control-plane-acl/
The Access Control Policy on the FTD blocks traffic "through" the firewall.
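The "to the box" versus "through the box" distinction above is the crux of the thread, so here is what a control-plane ACL looks like when pushed to the FTD with FlexConfig. This is an added illustration, not configuration from the original post or from the linked article: the ACL name, the interface name `outside`, and the RFC 5737 source addresses are constructed placeholders (the thread does not list the three real addresses), and the ACL is shown in the ASA-style CLI that FlexConfig on FTD accepts.

```cisco
! Deny the known brute-force sources before they reach the VPN/WebVPN
! listener on the firewall itself. Addresses below are placeholders.
access-list cp-deny-vpn extended deny ip host 203.0.113.10 any
access-list cp-deny-vpn extended deny ip host 203.0.113.11 any
access-list cp-deny-vpn extended deny ip 198.51.100.0 255.255.255.0 any
! Mandatory: without an explicit permit, the implicit deny at the end of
! the ACL blocks every legitimate VPN client and management session too.
access-list cp-deny-vpn extended permit ip any any
! The "control-plane" keyword is what makes this apply to traffic
! destined to the firewall rather than traffic transiting it.
access-group cp-deny-vpn in interface outside control-plane
```

In FDM this goes into a FlexConfig object that is then added to the FlexConfig policy and deployed; the interface keyword must be the interface's logical name (the nameif), not the physical port. After deployment, `show running-config access-group` confirms the control-plane binding and `show access-list cp-deny-vpn` shows per-entry hit counts, which is the quickest way to verify that the deny lines are actually matching the offending sources before and after a change.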
10-16-2024 03:24 AM
Hi,
I added an attachment with a screenshot, but it seems it was not added. I apologize for that; I’m attaching it here again.
I want to block access to WebVPN (WWW) for users from Russia. We noticed that someone knows the IP address of our WebVPN and has launched a brute-force attack trying to log into our VPN/AD. I will also add a screenshot from AD (event).
10-16-2024 03:27 AM
@kacper1 so as mentioned traffic "to" the FTD will not be blocked by the ACP rules.
Either use a control-plane ACL (or bear in mind @Aref Alsouqi's comment) or filter those networks from a device in front of the FTD, the router or another firewall.
10-16-2024 03:35 AM
One thing you can do which is not going to resolve this issue but it would make those malicious activities a little bit harder (until the actors find out the new port) is to change the default port of the WebVPN services to another port. A better option (if you don't want to go with the control plane ACLs) would be to authenticate the VPN users with certificates. That way there will be no username and password prompt at all. Alternatively you can enrol MFA which will ensure that any password brute force attack won't be successful.
10-16-2024 03:18 AM
As @Rob Ingram mentioned, the firewall will block the transit traffic but not the traffic destined to itself. The exception for that would be using the control plane ACLs, which I honestly don't recommend because they might have some impact on the firewall CPU and they are not straightforward to configure, but they are a supported feature if you wish to explore them.
On the other hand you can leverage the Geolocation feature which still applies to the transit traffic, not to the traffic destined to the firewall itself. Take a look please at this post of mine that shows you how to set it up:
Using the Firepower geolocation | Blue Network Security (bluenetsec.com)
To shut down the WebVPN portal I think you would need to use FlexConfig on the FTD to do so, not sure if any of the latest FTD versions would support doing so from the UI. Take a look at this post please:
Shutting down the WebVPN Portal on FTD with FlexConfig (linkedin.com)
10-16-2024 03:53 AM
Thank you for the quick response.
From what we understood from your messages and the provided links, we don't have FTD or FMC, only FDM (Firewall Device Manager), which looks a bit different. We will try to disable the WebVPN portal using FlexConfig, if that works. If not, we will consider changing the VPN port from 443 to another one, although that will be a bigger operation. We will think about it.
10-16-2024 03:59 AM
No worries. The FTD could be managed locally by FDM which is the one you have, or it could also be managed centrally by FMC (Firewall Management Center). FMC is usually used when you have multiple firewalls and you want to manage all of them from the same management tool. FDM is the equivalent of the legacy ASDM.