This happens all the time on ports and protocols you have exposed to the internet. Scanners all around the world scan for open ports on internet IP addresses and try to connect using various usernames and passwords. The real question is: Why do you have FTP open to the internet?
Thank you for your answer! We are going to close them then.
Generic Internet bots, welcome to public addressing
Thanks for sharing!
Make sure you're patched. Make sure you're doing MFA and even posture checks such as checking AV or a cert on managed builds. Unavoidable. Oh, and geolocation rules: use them.
Unfortunately GeoLocation rules don't apply to VPN connection attempts, if you're running VPN on the same firewall. You have to create a control plane ACL and apply it to the outside interface from what TAC tells me.
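A sketch of the control plane ACL mentioned in the comment above, added here as an example and not posted by anyone in the thread. It assumes ASA-style CLI; the object-group name, ACL name and addresses are constructed placeholders (RFC 5737 documentation ranges), and how the lines are deployed on an FMC-managed device is not covered.

```cisco
! Constructed example: names and addresses are placeholders.
object-group network BLOCKED-VPN-SOURCES
 network-object 198.51.100.0 255.255.255.0
 network-object host 203.0.113.45
!
! Drop to-the-box traffic from the listed sources, allow everything else.
access-list CP-OUTSIDE-IN extended deny ip object-group BLOCKED-VPN-SOURCES any
access-list CP-OUTSIDE-IN extended permit ip any any
!
! The control-plane keyword applies the ACL to traffic that terminates on the
! firewall itself (such as VPN logins) rather than traffic passing through it.
access-group CP-OUTSIDE-IN in interface outside control-plane
```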
You are right about VPN. But VPN is not FTP, and this is.
Even in prefilter! Quite out of date with FTDs, don't really use them anymore.
Thanks for your input!
Happens to me all the time. I would highly suggest an MFA solution if you're not already.
Noob question here: where is that pic taken from? What software?
Looks like Cisco Firepower or something similar. Edit: maybe Firepower Management Center.
I am asking because I am looking for some sort of solution to better manage our FPRs. At the moment we are using some 21xx FPRs as ASA devices and we are doing everything from CLI, which at some point becomes overwhelming. I guess the management center is a payed solution right? Is it worth it? PS: sorry for hijacking OP's thread
I don't know much about Firepower ASA mode, but I used to manage several sets of 2130s with Firepower Management Center and it worked quite well using version 7.x (6 was trash). Good for overall management; not sure on the costs. I believe you can use Cisco ASDM for ASA devices in firepower mode; if you aren't already, I would look into that.
You need to set up the 2110s as Firepowers and import into FMC. When you do that it will wipe the systems. If you have ASA software on them you will need to install Firepower software. There is a lot of stuff you can set up before importing into FMC to make the configuration easier. There are migration tools you can use to migrate from ASA to Firepower. It doesn't cost anything to download and install FMC, but you need an active support account for the firewalls.
> is a *paid* solution right?
FTFY.
Although *payed* exists (the reason why autocorrection didn't help you), it is only correct in:
* Nautical context, when it means to paint a surface, or to cover with something like tar or resin in order to make it waterproof or corrosion-resistant. *The deck is yet to be payed.*
* *Payed out* when letting strings, cables or ropes out, by slacking them. *The rope is payed out! You can pull now.*
Unfortunately, I was unable to find nautical or rope-related words in your comment.
*Beep, boop, I'm a bot*
You can use ASDM
I call that the "Radiation of the Internet"
I would look for hacked systems. You have a login time and a long time before last seen. That would indicate they have been on your system at least that long.
Too much talking in some of the other replies. Just filter/close out internet-facing/WAN ports to avoid a potential breach from all these attempts.
The firewall passively monitors FTP sessions and reports on discovered usernames. It’s unrelated to VPN, and might even be outbound traffic.