Thursday, 17 July 2025

hardening anyconnect ssl on cisco secure firewall 7.7

Hardening

https://www.cisco.com/c/en/us/support/docs/security/secure-client/221880-implement-hardening-measures-for-secure.html


Service access object (geo block anyconnect):

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/222810-configure-geolocation-based-policies-for.html


Auto shun (flex config)

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/222383-configure-threat-detection-for-remote-ac.html#toc-hId--1375473333



threat-detection service remote-access-authentication hold-down 15 threshold 5

hold-down - the period (in minutes) after the last failed attempt during which further failures from the same source keep being counted; a longer gap between failures starts the count again

threshold - the number of failed authentications within that window that triggers the shun; with the values above, 5 failures from one source, each within 15 minutes of the previous one, shun that source IP



Show commands:

show threat-detection service remote-access-authentication

show threat-detection service remote-access-client-initiations

show threat-detection service invalid-vpn-access


Logs locations in FMC:

Some of these paths change depending on the FMC version and which interface layout is in use

Cog (top right) > monitoring > syslog

Monitoring → VPN → Remote Access (anyconnect)

Analysis → Connections → Events (won't show auth success/failure here)

Health → Events (shows cpu/memory issues)

There is a unified event view as well (Analysis → Unified Events)


Log level

FMC GUI → Devices → Platform Settings

Syslog > Logging Setup


Syslog messages:

%ASA-6-113004: AAA user authentication Successful : server = <server> : user = <user>

%ASA-6-113005: AAA user authentication Rejected : reason = <reason> : server = <server> : user = <user> : user IP = <ip>

%ASA-4-722051: Group <group> User <user> IP <ip> IPv4 Address <assigned ip> ... assigned to session (client connected)

%ASA-4-113019: Group = <group>, Username = <user>, IP = <ip>, Session disconnected. Session Type: ..., Duration: ..., Reason: <reason>



***

Enable Access Control Logging for VPN User Traffic

On the access control rule that allows AnyConnect in, enable Log at Beginning of Connection / Log at End of Connection and send the events to FMC (this still won't show login attempts, only the traffic of sessions that already authenticated)



search message *x.x.x.x*
</gre_replace>
<gr_replace lines="85-107" cat="clarify" orig="Ok so">
OK, so lessons learned there:

You won't see anything in Analysis > Connections > Events (it doesn't show rejected SSL attempts, only successful HTTPS and other connections)

SAML (staff profile) rejection was not showing in the logs. I will ask Cisco about this; maybe it's a different event ID, or Duo doesn't send anything back to the firewall when SAML fails. He could see it in the Duo logs so was happy enough there.

AAA/RADIUS (contractors profile) was where we saw the issues coming in.

We needed to enable informational level logging under Devices > Platform Settings. (We hit a bug there: it didn't set the first time, not sure what happened. I watched him set it, so watch out for that.)

Once we had informational we could see some stuff under the Cog > Monitoring > Syslog.

Filter "message" for *x.x.x.x* where x.x.x.x is the IP you are looking for

We saw SSL denied for the German IP based on the geoblock.

We saw username ***** denied from my UK IP.

The username was hidden in the logs.

Added FlexConfig "no loggin hide username". Cisco said you have to leave off the "g"; "loggin" is not a typo.

Shun settings were 20 failed logins in 10 mins. He said he had to set it that high because users were actually typing their password wrong 10 times, so that is something he will have to live with. Attackers can still try from the approved IPs for 20 attempts and then get shunned, but at that point they can change IP address and try again.



Ok so lessons learned there:

You won't see anything in analysis > connections > events (doesn't show ssl rejected stuff, only successful https etc connections)

SAML (staff profile) rejection was not showing in the logs. I will ask cisco about this maybe it's a different event ID or Duo doesn't send anytning back to the firewall when SAML fails. He could see it in Duo logs so was happy enough there.

AAA/radius (contractors profile) was where we saw the issues coming in.

We needed to enable informational level logging under devices > platform settings. (we hit a bug there it didn't set first time not sure what happened, I watched him set it so watch out for that)

Once we had informational we could see some stuff under the cog > monitor > syslog.

Filter "message" for *x.x.x.x* where x.x.x.x is the IP you are looking for

We saw ssl denied for the German IP based on geoblock

We saw username ***** denied from my UK IP

The username was hidden in the logs

Added flex config "no loggin hide username" cisco said you have to leave off the "g" loggin is not a typo

Shun settings were 20 failed logins in 10 mins, he said he had to set it high because users were actually typing password wrong 10 times so that is something he will have to live with. Attackers can still try from the approved IPs for 20 tries then get shun'd but at this stage they can change IP address and try again
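As an added example that is not part of the original notes or of Cisco's tooling, the Python below replays constructed syslog lines in the formats listed above (113005 rejects, a 113004 success and a 611102 vpnc-class failure) through the hold-down/threshold rule of the threat-detection command, and then tallies failures per username across source IPs, which is the view the per-IP shun in the settings above does not give you. The log lines are constructed, the message text after each ID is approximated, and the shun logic is modelled on the documented description (a per-source counter that keeps incrementing while each failure lands within hold-down minutes of the previous one), not taken from Cisco code.

```python
"""
Added example (not from the original notes or from Cisco): replay constructed
ASA/FTD syslog lines through the hold-down/threshold rule of
'threat-detection service remote-access-authentication' and tally failed
logins per username across source IPs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not captured from a real device: a fast brute force
# from one IP (alice), a slow one that only accumulates if the hold-down is long
# enough (bob), a spray across two IPs (carol), one success and one 611102.
SAMPLE_LOG = """\
Jul 17 2025 09:00:00 ftd01 %FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = bob : user IP = 198.51.100.7
Jul 17 2025 09:00:01 ftd01 %FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = alice : user IP = 203.0.113.10
Jul 17 2025 09:01:05 ftd01 %FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = alice : user IP = 203.0.113.10
Jul 17 2025 09:02:10 ftd01 %FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = alice : user IP = 203.0.113.10
Jul 17 2025 09:03:12 ftd01 %FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = alice : user IP = 203.0.113.10
Jul 17 2025 09:04:20 ftd01 %FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = alice : user IP = 203.0.113.10
Jul 17 2025 09:05:00 ftd01 %FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = carol : user IP = 192.0.2.1
Jul 17 2025 09:06:00 ftd01 %FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = carol : user IP = 192.0.2.1
Jul 17 2025 09:07:00 ftd01 %FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = carol : user IP = 192.0.2.2
Jul 17 2025 09:08:00 ftd01 %FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = carol : user IP = 192.0.2.2
Jul 17 2025 09:11:00 ftd01 %FTD-6-113004: AAA user authentication Successful : server = 10.1.1.5 : user = dave : user IP = 203.0.113.50
Jul 17 2025 09:12:00 ftd01 %FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = bob : user IP = 198.51.100.7
Jul 17 2025 09:15:00 ftd01 %FTD-6-611102: User authentication failed: IP = 192.0.2.9, Uname: erin
Jul 17 2025 09:24:00 ftd01 %FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = bob : user IP = 198.51.100.7
Jul 17 2025 09:36:00 ftd01 %FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = bob : user IP = 198.51.100.7
Jul 17 2025 09:48:00 ftd01 %FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = bob : user IP = 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ "
    r"%(?:ASA|FTD)-\d-(?P<msgid>\d{6}): (?P<body>.*)$"
)
USER_RE = re.compile(r"(?:username|user|uname)\s*[=:]\s*(?P<user>[^\s,:]+)", re.I)
IP_RE = re.compile(r"(?:user ip|ip)\s*=\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})", re.I)


def parse_line(line):
    """Return {ts, msgid, user, ip} for one syslog line, or None if it is not
    an ASA/FTD-style message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    u, i = USER_RE.search(body), IP_RE.search(body)
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
        "msgid": m.group("msgid"),
        "user": u.group("user") if u else None,
        "ip": i.group("ip") if i else None,
    }


def parse_log(text):
    """Parse every line and return the events in time order."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])


def simulate_shun(events, hold_down_min=15, threshold=5):
    """Return {source_ip: time_of_shun}. A per-source counter keeps growing
    while each new failure lands within hold_down_min of the previous one; a
    longer gap restarts it. Assumptions: only 113005 AAA rejects count, and a
    shunned source stays shunned for the rest of the replay."""
    hold_down = timedelta(minutes=hold_down_min)
    count, last_fail, shunned = {}, {}, {}
    for ev in events:
        ip = ev["ip"]
        if ev["msgid"] != "113005" or ip is None or ip in shunned:
            continue
        if ip in last_fail and ev["ts"] - last_fail[ip] <= hold_down:
            count[ip] += 1
        else:
            count[ip] = 1
        last_fail[ip] = ev["ts"]
        if count[ip] >= threshold:
            shunned[ip] = ev["ts"]
    return shunned


def failures_per_user(events):
    """Return {user: (failed_attempts, distinct_source_ips)}: a spray that
    stays under the per-IP threshold still shows up here."""
    tally = defaultdict(lambda: [0, set()])
    for ev in events:
        if ev["msgid"] == "113005" and ev["user"]:
            tally[ev["user"]][0] += 1
            tally[ev["user"]][1].add(ev["ip"])
    return {u: (n, len(ips)) for u, (n, ips) in tally.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hd in (15, 10):
        print(f"hold-down {hd} threshold 5 ->", simulate_shun(evs, hd, 5))
    print("failures per user (count, distinct IPs):", failures_per_user(evs))
```

With hold-down 15 both alice's fast burst and bob's one-attempt-every-12-minutes pattern get shunned; with hold-down 10 bob never accumulates because each gap resets the counter. carol never trips the per-IP threshold at all, but the per-user tally shows 4 failures from 2 sources, which is the kind of thing to alert on from the syslog feed (or the SIEM) rather than rely on the shun alone.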


*** SAML

SAML failed logins won't show in the FMC log in the same way. Best to review these in the SAML provider's dashboard/logs (Duo, Azure, etc.). Those logs can be forwarded from there to a central SIEM; Duo has a tool called Duo Log Sync for this.

Filter to include class "vpnc", which outputs logs like:

%FTD-6-611102: User authentication failed: IP = IP address, Uname: user


Comments:

  1. This comment has been removed by the author.

  2. To improve security, hardening AnyConnect SSL on Cisco Secure Firewall 7.7 includes using strong ciphers, disabling SSLv3, and enabling certificate-based authentication. Also, review how to use Koalaeddon for relevant access control setups.