02-26-2024 08:13 AM - edited 02-26-2024 08:13 AM
Firepower 1010 locally managed
Failed login attempts are logged as 'user = *****'
I need to be able to see those attempted user names like ASA would do.
How can I do that?
03-09-2024 07:56 PM - edited 03-09-2024 08:09 PM
Sure, so let's first agree that the command we're creating in FlexConfig is either
no logging hide username
or
no loggin hide username
Correct? Based on what's been said here. I want you to know also that this command DOES work on ASA and I have also deployed it on FP 2100 and 4100 devices successfully.
OK so on my 1010 FDM managed
I go to the top menu Device > Advanced Configuration
FlexConfig > FlexConfig Objects
I click the + to create a new object.
I named it no-hide-user
In the template box I put "no logging hide username" without the quotes of course.
Or "no loggin hide username"
Click OK and it puts a red box around the template area saying that the command is invalid syntax
If I do "no log hide username" it will save that. I was trying any rendition of the verbiage.
Go to FlexConfig Policy, use the + to add the new object to the existing policy
Save and deploy
The deploy fails because anything after the word log in that context is invalid input.
By the way, I am CCNP VPN, currently studying to sit for the Firepower specialty exam. I built, deployed and manage a larger Firepower environment with 14 mixed devices including ASA with Firepower services. This is not my first experience nor am I new to Firepower.
I will say I have not done a lot of FlexConfig but I certainly understand how it works now.
However, having said that, the 1010 I have at home is a bit of a different animal, somewhat like the 5505 was back in the day. Definitely NOT the same as the larger devices, so I'm wondering if this command is not valid on the 1010.
05-02-2024 03:53 PM
I have this same problem. We are migrating to FMC managed firepower but I have two sites still running locally managed FDM. I can't find any variation of the "no hide logging username" in the FlexConfig object that will not get rejected. In FMC I had to use "no loggin hide username". It appears our firewalls are being targeted by brute force VPN logins. Trying to identify which accts they are trying. On FMC I ended up deploying a control plane acl to block the IPs. Not sure I'll be able to do that yet on FDM.
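For triaging the brute-force VPN logins described above, here is an added example (not code from any poster in this thread) that tallies rejected logins per source IP and counts how many events still have the username masked. The log lines are constructed, and the message layout, `LINE_RE`, `summarize` and the threshold are assumptions to adapt to what your device actually emits.

```python
import re
from collections import defaultdict

# Constructed sample lines. The message layout is an assumption modelled on
# ASA/FTD AAA reject syslogs; adjust LINE_RE to match your own device output.
SAMPLE_LOG = """\
May 02 15:40:01 fw1 : %FTD-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = ***** : user IP = 203.0.113.10
May 02 15:40:03 fw1 : %FTD-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = ***** : user IP = 203.0.113.10
May 02 15:40:05 fw1 : %FTD-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = ***** : user IP = 203.0.113.10
May 02 15:41:00 fw2 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 198.51.100.7
May 02 15:41:02 fw2 : %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = test : user IP = 198.51.100.7
May 02 15:41:04 fw2 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 198.51.100.7
May 02 15:41:06 fw2 : %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = vpnuser : user IP = 198.51.100.7
May 02 15:42:00 fw2 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jsmith : user IP = 192.0.2.44
May 02 15:43:00 fw2 : unrelated message (constructed)
"""

# Pull the username field and the source IP out of a rejected-login line.
LINE_RE = re.compile(
    r"authentication Rejected\s*:.*?user = (?P<user>\S+)\s*:\s*"
    r"user IP = (?P<ip>[0-9a-fA-F.:]+)"
)

def summarize(log_text, threshold=3):
    """Return (flagged, masked): source IPs with >= threshold rejects, and
    the number of reject events whose username was hidden as asterisks."""
    attempts = defaultdict(int)
    users = defaultdict(set)
    masked = 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a rejected-login event
        ip, user = m["ip"], m["user"]
        attempts[ip] += 1
        if set(user) == {"*"}:
            masked += 1  # username hidden; only the source IP is usable
        else:
            users[ip].add(user)
    flagged = {ip: {"attempts": n, "users": sorted(users[ip])}
               for ip, n in attempts.items() if n >= threshold}
    return flagged, masked

if __name__ == "__main__":
    flagged, masked = summarize(SAMPLE_LOG)
    for ip, info in sorted(flagged.items()):
        print(ip, info["attempts"], info["users"] or "(usernames masked)")
    print("events with masked username:", masked)
```

Even while usernames remain masked, the per-IP counts give a list of sources to feed into a control-plane ACL.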