Stable FTD released version and fixed brute force attack

Da ICS16 (Level 1)

Dear Team,

We are looking for a stable FTD version we can upgrade to that fixes the vulnerability, ensures we are covered against attacks such as VPN brute force, and prevents AD account lockout even if the attacker knows a legitimate AD user.

Kindly share recommendations / good practices to resolve it.

Best Regards,

Accepted Solution (Rob Ingram)

@Da ICS16 the threat detection feature for remote access VPN services helps prevent Denial of Service (DoS) attacks and is supported in the following releases.

These threat detection features are supported in the Cisco Secure Firewall Threat Defense versions listed next:

  • 7.0 version train: supported from 7.0.6.3 and newer versions within this specific train.
  • 7.2 version train: supported from 7.2.9 and newer versions within this specific train.
  • 7.4 version train: supported from 7.4.2.1 and newer versions within this specific train.
  • 7.6 version train: supported from 7.6.0 and any newer versions.

7.4.2 is the current Cisco gold star version.

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/222383-configure-threat-detection-for-remote-ac.html

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221806-password-spray-attacks-impacting-custome.html
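What the threat detection feature above buys you for the AD lockout concern in the question, as an added Python model (not Cisco's code and not from this thread): it replays constructed login attempts written in the layout of the %ASA-6-113005 reject message, shuns a source after N failures inside a hold-down window, and reports which accounts would still cross an assumed AD lockout threshold. The message layout, the threshold/hold-down/shun values, the addresses and user names, and the AD lockout threshold of 5 are all assumptions of this example, not the feature's defaults.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (assumed %ASA-6-113005 field layout). Each reject line stands
# for one password guess sent to the headend; the 113004 success line is ignored.
# One source hammers jsmith, tries mjones, and comes back later; the real mjones
# mistypes once from a different address.
SAMPLE_LINES = """\
Jan 10 2025 09:00:01 ftd-01 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.10.0.5 : user = jsmith : user IP = 203.0.113.7
Jan 10 2025 09:00:04 ftd-01 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.10.0.5 : user = jsmith : user IP = 203.0.113.7
Jan 10 2025 09:00:07 ftd-01 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.10.0.5 : user = jsmith : user IP = 203.0.113.7
Jan 10 2025 09:00:10 ftd-01 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.10.0.5 : user = jsmith : user IP = 203.0.113.7
Jan 10 2025 09:00:13 ftd-01 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.10.0.5 : user = jsmith : user IP = 203.0.113.7
Jan 10 2025 09:00:16 ftd-01 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.10.0.5 : user = jsmith : user IP = 203.0.113.7
Jan 10 2025 09:00:19 ftd-01 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.10.0.5 : user = mjones : user IP = 203.0.113.7
Jan 10 2025 09:05:00 ftd-01 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.10.0.5 : user = mjones : user IP = 198.51.100.20
Jan 10 2025 09:05:30 ftd-01 %ASA-6-113004: AAA user authentication Successful : server = 10.10.0.5 : user = mjones
Jan 10 2025 09:30:00 ftd-01 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.10.0.5 : user = jsmith : user IP = 203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-113005: "
    r"AAA user authentication Rejected : reason = .+? : server = \S+ : "
    r"user = (?P<user>\S+) : user IP = (?P<ip>\S+)\s*$"
)


def parse(line):
    """Return {'ts', 'user', 'ip'} for a 113005 reject line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "user": m["user"], "ip": m["ip"]}


class Headend:
    """`threshold` rejects from one IP within `hold_down` => that IP is shunned for
    `shun_for`. threshold=0 disables detection (every guess reaches the AAA server)."""

    def __init__(self, threshold, hold_down, shun_for):
        self.threshold, self.hold_down, self.shun_for = threshold, hold_down, shun_for
        self.recent = defaultdict(deque)   # ip -> timestamps of rejects inside hold_down
        self.shun_until = {}               # ip -> when the shun lapses (assumed model)
        self.aaa_failures = Counter()      # user -> rejects that actually reached AAA

    def attempt(self, ev):
        ip, ts = ev["ip"], ev["ts"]
        if ts < self.shun_until.get(ip, datetime.min):
            return "dropped"               # never forwarded: AD's bad-password count stays put
        self.aaa_failures[ev["user"]] += 1  # the guess reached AAA and was rejected there
        if not self.threshold:
            return "forwarded"
        window = self.recent[ip]
        window.append(ts)
        while ts - window[0] > self.hold_down:   # slide the hold-down window
            window.popleft()
        if len(window) >= self.threshold:
            self.shun_until[ip] = ts + self.shun_for
            window.clear()
            return "shunned"
        return "forwarded"


def evaluate(lines, threshold, hold_down_min=10, shun_min=60, ad_lockout=5):
    """Replay the attempts; report what reached AD and who would be locked out.
    ad_lockout mirrors an AD account-lockout-threshold policy (assumed value)."""
    h = Headend(threshold, timedelta(minutes=hold_down_min), timedelta(minutes=shun_min))
    outcomes = Counter()
    for ev in filter(None, map(parse, lines.splitlines())):
        outcomes[h.attempt(ev)] += 1
    return {
        "outcomes": dict(outcomes),
        "aaa_failures": dict(h.aaa_failures),
        "locked_out": sorted(u for u, n in h.aaa_failures.items() if n >= ad_lockout),
        "shunned": sorted(h.shun_until),
    }


if __name__ == "__main__":
    for threshold in (0, 3):
        print(f"threshold={threshold}:", evaluate(SAMPLE_LINES, threshold))
```

With detection off, jsmith takes seven rejects at the directory and is locked out; with a threshold of three the attacking source is shunned after its third guess, jsmith sees only three rejects and stays under the assumed lockout threshold of five. The per-source threshold therefore has to sit below the directory's own lockout threshold to do what the question asks, and a spray that rotates source addresses per guess never trips a per-source counter at all, which is why the sinkhole workaround Marvin describes in this thread is used alongside it.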

 


Hello @Rob Ingram, thanks for the helpful comment.

Hello @Rob Ingram

Cisco TAC also recommended upgrading to the current Cisco gold star version. Did you test it and resolve the VPN brute-force case? Thanks,

Marvin Rhoads (Hall of Fame)

I have found that changing your VPN login URL to a non-default value (e.g., vpn.company.com/corp instead of simply vpn.company.com) and sending the defaultWebVPN profile to a non-existent AAA server is the best protection against these attacks.

Hello @Marvin Rhoads

Thanks for the comment. Is it the workaround solution? Could you share a doc/URL for me to review?

Best Regards,

@Da ICS16 it's this solution:

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221806-password-spray-attacks-impacting-custome.html#toc-hId-1334521269

Basically, valid users' profiles point to a non-published group-url. They use your legitimate authentication method. Non-legitimate users that try to go to the default profile are directed either to use certificates (which they won't have) or to a "sinkhole" (invalid) AAA server which will never authenticate them (nor affect any legitimate users' accounts).
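The sinkhole/group-url layout described above, turned into an added audit script (not from the original post and not Cisco's tooling): it parses a constructed ASA-style running-config excerpt and flags default connection profiles that still authenticate against the live directory, plus real profiles that are published through an enabled group-alias instead of being reachable only by an unpublished group-url. The ASA syntax, the AD-LDAP and SINKHOLE server-group names, vpn.company.com/corp and the rule that the default profiles must not share an AAA server group with a real profile are assumptions of this example; on FTD these lines are generated from the FMC connection-profile settings rather than typed.

```python
import re
from collections import defaultdict

DEFAULT_GROUPS = {"DefaultWEBVPNGroup", "DefaultRAGroup"}

# Constructed excerpt in ASA syntax (assumption): the default profiles still
# authenticate against the same directory the real profile uses, and the real
# profile is published through a group-alias.
WEAK_CONFIG = """\
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.10.0.5
aaa-server SINKHOLE protocol radius
aaa-server SINKHOLE (inside) host 192.0.2.254
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group AD-LDAP
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group AD-LDAP
tunnel-group CORP-RA general-attributes
 authentication-server-group AD-LDAP
tunnel-group CORP-RA webvpn-attributes
 group-alias corp enable
 group-url https://vpn.company.com/corp enable
"""

# Same box after the change: the defaults go to a sinkhole group whose host
# (192.0.2.254, assumed) never answers; the real profile has no alias.
HARDENED_CONFIG = """\
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.10.0.5
aaa-server SINKHOLE protocol radius
aaa-server SINKHOLE (inside) host 192.0.2.254
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group SINKHOLE
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group SINKHOLE
tunnel-group CORP-RA general-attributes
 authentication-server-group AD-LDAP
tunnel-group CORP-RA webvpn-attributes
 group-url https://vpn.company.com/corp enable
"""

SECTION_RE = re.compile(r"tunnel-group (\S+) (general-attributes|webvpn-attributes)")
AAA_RE = re.compile(r"authentication-server-group (?:\(\S+\) )?(\S+)")


def parse_profiles(text):
    """Per tunnel-group: AAA server group, cert-only flag, group-urls, aliases."""
    profiles = defaultdict(lambda: {"aaa": None, "cert_only": False, "urls": [], "aliases": []})
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):          # top-level command: maybe a new section
            m = SECTION_RE.match(raw)
            current = profiles[m.group(1)] if m else None
            continue
        if current is None:                   # sub-command of something we don't track
            continue
        cmd = raw.strip()
        if m := AAA_RE.match(cmd):
            current["aaa"] = m.group(1)
        elif m := re.match(r"group-url (\S+) enable", cmd):
            current["urls"].append(m.group(1))
        elif m := re.match(r"group-alias (\S+) enable", cmd):
            current["aliases"].append(m.group(1))
        elif cmd == "authentication certificate":   # cert-only: no password prompt at all
            current["cert_only"] = True
    return profiles


def audit(text):
    """Findings against the layout: defaults must not reach the live directory,
    real profiles must be unpublished (no enabled alias) and reachable by group-url."""
    profiles = parse_profiles(text)
    live = {p["aaa"] for n, p in profiles.items() if n not in DEFAULT_GROUPS and p["aaa"]}
    findings = []
    for name, p in profiles.items():
        if name in DEFAULT_GROUPS:
            if p["cert_only"]:
                continue
            if p["aaa"] is None:
                findings.append(f"{name}: no authentication-server-group, falls back to LOCAL; point it at a sinkhole AAA server or require certificates")
            elif p["aaa"] in live:
                findings.append(f"{name}: authentication-server-group {p['aaa']} is the directory the real profiles use; sprays against the default profile reach it")
        else:
            if p["aliases"]:
                findings.append(f"{name}: group-alias {', '.join(p['aliases'])} enabled; the profile is published, select it by unpublished group-url only")
            if p["aaa"] and not p["urls"]:
                findings.append(f"{name}: uses AAA but has no group-url; legitimate users cannot reach it without a published alias")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["ok"])
```

Run against a real `show running-config` export the script reports every default profile that still hands passwords to the directory and every real profile that is discoverable by alias; an empty result is the state Marvin describes, where an attacker who only knows the hostname lands on a profile that can never succeed and never touches an AD account.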
