
Connections to 3389 port

Hi,

I've configured destination NAT on Sophos UTM9 on public interface IP:3389->Local_ip:3389

In firewall live logging i see entries like this

Occasionally someone is sending SYN request and nothing more (this is what live log shows)

By the way, netstat shows: TCP Local_ip:3389 xx-xxx-33-158:54592 ESTABLISHED

and after a second this ESTABLISHED is gone.

I've tried telnet from outside with one PC and the established connection lasts long enough, so is this some kind of scan?


Is this harmful?



  • If you are allowing RDP from the internet, the best approach is probably to configure an RDP gateway and put UTM WAF in front. Other posts in this forum suggest that this is possible, although I have not yet implemented this configuration myself.

    As an interim measure, take a look at ts_block, written by Evan Anderson, available for free from github. It blocks IP addresses that have too many login failures, or that try to log into specific accounts, such as administrator. Undocumented restriction: On the newer operating systems, you need to use the old login method for ts_block to work. The tool is fed from event log entries, and Microsoft does not log the IP address when a login failure occurs using the new, "more secure", login method. The entire solution is one customizable script and some documentation. Very elegant and very effective.

    None of this will prevent the port scans in your original question, but if you are being scanned, you are probably also getting password-guessing break-in attempts.

  • Please do NOT use RDP over a public internet connection. If you need to access it, then use a VPN or look at RDP gateway like told above.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • If you absolutely must use port forwarding, at the very least change the default RDP port to something else. Preferably something 5 digits long.

    https://support.microsoft.com/en-us/help/306759/how-to-change-the-listening-port-for-remote-desktop

    Are you using a Windows PC to connect to the remote desktop? If so, why not use UTM's L2TP/IPSEC VPN server? It's relatively easy to configure both on the UTM and Windows. The latter has built-in support for this type of VPN so no additional software is needed. I used the certificate encryption option rather than PSK (PreShared Key). PSK is easier yet as you just define a passphrase (lengthy and cryptic) rather than import a certificate. A side benefit is you can have access to other devices on your network directly. Firewall rules will need to be established.

    www.sophos.com/.../asg_8_remote_access_via_l2tp_geng.pdf

  • What is RDP gateway? I have not seen it in the configuration on my UTM9.

  • A Remote Desktop Gateway Server enables users to connect to remote computers on a corporate network from any external computer. The RD Gateway uses the Remote Desktop Protocol & the HTTPS Protocol to create a secure encrypted connection.

    It is not a UTM product, but a product available in Microsoft Server operating systems.

    If you cannot use that, then for security it's much better to configure a VPN connection from your clients and then make the RDP machine(s) available to the VPN users and not publicly to the internet.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Why is the connection shown as ESTABLISHED then?

  • Unknown said:

    Why is the connection shown as ESTABLISHED then?


    That has nothing to do with UTM or anything; it's just that anything (most likely someone or something on the internet) is trying to access open machines and since your local machine is actively accepting connections on 3389 anything that will try to make a connection will also establish a tcp connection.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Ok, but why are the ESTABLISHED connections only 1 second long?

  • Doug answered that, Almis.  This is someone scanning for IPs with open 3389 ports.  They are creating a database of such IPs and will likely sell that information to the Russian mafia or the Chinese military.  If you don't take one of the suggestions above, you can count on bad guys coming at you with automated password-guessing tools.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
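The one-second ESTABLISHED entries described in the replies above (a SYN, an accepted connection, then an immediate close) can be picked out of the UTM packet-filter log to count how many distinct sources are probing the forwarded port. The script below is an added example, not code from the thread or from Sophos; the log lines are constructed and only loosely modelled on the UTM key="value" format, and the two-second threshold is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines loosely modelled on the Sophos UTM packetfilter
# log format (key="value" pairs); not captures from the poster's system.
SAMPLE_LOG = """\
2019:03:01-10:12:01 utm ulogd[2345]: id="2001" sub="packetfilter" action="accept" srcip="203.0.113.158" dstip="192.0.2.10" proto="6" srcport="54592" dstport="3389" tcpflags="SYN"
2019:03:01-10:12:02 utm ulogd[2345]: id="2001" sub="packetfilter" action="accept" srcip="203.0.113.158" dstip="192.0.2.10" proto="6" srcport="54592" dstport="3389" tcpflags="RST"
2019:03:01-10:15:00 utm ulogd[2345]: id="2001" sub="packetfilter" action="accept" srcip="192.0.2.55" dstip="192.0.2.10" proto="6" srcport="50001" dstport="3389" tcpflags="SYN"
2019:03:01-10:40:12 utm ulogd[2345]: id="2001" sub="packetfilter" action="accept" srcip="192.0.2.55" dstip="192.0.2.10" proto="6" srcport="50001" dstport="3389" tcpflags="FIN"
2019:03:01-11:02:30 utm ulogd[2345]: id="2001" sub="packetfilter" action="accept" srcip="198.51.100.7" dstip="192.0.2.10" proto="6" srcport="41000" dstport="3389" tcpflags="SYN"
2019:03:01-11:02:30 utm ulogd[2345]: id="2001" sub="packetfilter" action="accept" srcip="198.51.100.7" dstip="192.0.2.10" proto="6" srcport="41000" dstport="3389" tcpflags="FIN"
"""

TS_RE = re.compile(r"^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})")
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Return {'ts': datetime, <key>: <value>, ...} for one log line, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(line))
    rec["ts"] = datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S")
    return rec

def find_rdp_probes(log_text, rdp_port="3389", max_seconds=2.0):
    """Flows to rdp_port that open (SYN) and close (FIN/RST) within max_seconds.
    Returns {srcip: [duration_seconds, ...]}; long-lived sessions are excluded."""
    opened = {}                     # (srcip, srcport) -> SYN timestamp
    probes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("proto") != "6" or rec.get("dstport") != rdp_port:
            continue
        flow = (rec["srcip"], rec["srcport"])
        flags = rec.get("tcpflags", "")
        if flags == "SYN":
            opened[flow] = rec["ts"]
        elif flags in ("FIN", "RST") and flow in opened:
            age = (rec["ts"] - opened.pop(flow)).total_seconds()
            if age <= max_seconds:
                probes[rec["srcip"]].append(age)
    return dict(probes)

if __name__ == "__main__":
    for ip, ages in find_rdp_probes(SAMPLE_LOG).items():
        print(f"{ip}: {len(ages)} short-lived RDP connection(s), max {max(ages):.0f}s")
```

The genuine session from 192.0.2.55 (25 minutes long) is not reported; the two sources that connect and drop within a second are, which is the pattern the thread identifies as scanning.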