Question
auto-block repeated VPN login failures?
This seems to be something which should be related to the FortiOS VPN services, even if it might be implemented by the IPS capability. I say this because it would be the FortiGate protecting itself, not functioning as a gateway security appliance to protect something else. Sometimes I see login failure patterns like this:

Message meets Alert condition date=2013-11-28 time=11:21:07 devname=FG100D.......... devid=FG100D.......... logid=0101037128 type=event subtype=vpn level=error msg="progress IPsec phase 1" action=negotiate remip=62.168.132.35 locip=62.xx.xx.xx remport=2152 locport=500 outintf="ISP-Colt" cookies="de77ecd5bbe71ce6/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" vpntunnel="N/A" status=failure init=remote mode=main dir=inbound stage=1 role=responder result=ERROR
Message meets Alert condition date=2013-11-28 time=11:21:07 devname=FG100D.......... devid=FG100D.......... logid=0101037124 type=event subtype=vpn level=error msg="IPsec phase 1 error" action=negotiate remip=62.168.132.35 locip=62.xx.xx.xx remport=2152 locport=500 outintf="ISP-Colt" cookies="de77ecd5bbe71ce6/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" vpntunnel="N/A" status=negotiate_error error_reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE"
Message meets Alert condition date=2013-11-28 time=11:21:03 devname=FG100D.......... devid=FG100D.......... logid=0101037128 type=event subtype=vpn level=error msg="progress IPsec phase 1" action=negotiate remip=62.168.132.35 locip=62.xx.xx.xx remport=2152 locport=500 outintf="ISP-Colt" cookies="de77ecd5bbe71ce6/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" vpntunnel="N/A" status=failure init=remote mode=main dir=inbound stage=1 role=responder result=ERROR
Message meets Alert condition date=2013-11-28 time=11:21:03 devname=FG100D.......... devid=FG100D.......... logid=0101037124 type=event subtype=vpn level=error msg="IPsec phase 1 error" action=negotiate remip=62.168.132.35 locip=62.xx.xx.xx remport=2152 locport=500 outintf="ISP-Colt" cookies="de77ecd5bbe71ce6/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" vpntunnel="N/A" status=negotiate_error error_reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE"
Message meets Alert condition date=2013-11-28 time=11:21:00 devname=FG100D.......... devid=FG100D.......... logid=0101037128 type=event subtype=vpn level=error msg="progress IPsec phase 1" action=negotiate remip=62.168.132.35 locip=62.xx.xx.xx remport=2152 locport=500 outintf="ISP-Colt" cookies="de77ecd5bbe71ce6/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" vpntunnel="N/A" status=failure init=remote mode=main dir=inbound stage=1 role=responder result=ERROR
Message meets Alert condition date=2013-11-28 time=11:21:00 devname=FG100D.......... devid=FG100D.......... logid=0101037124 type=event subtype=vpn level=error msg="IPsec phase 1 error" action=negotiate remip=62.168.132.35 locip=62.xx.xx.xx remport=2152 locport=500 outintf="ISP-Colt" cookies="de77ecd5bbe71ce6/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" vpntunnel="N/A" status=negotiate_error error_reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE"
Message meets Alert condition date=2013-11-28 time=11:21:00 devname=FG100D.......... devid=FG100D.......... logid=0101037128 type=event subtype=vpn level=error msg="progress IPsec phase 1" action=negotiate remip=62.168.132.35 locip=62.xx.xx.xx remport=2152 locport=500 outintf="ISP-Colt" cookies="de77ecd5bbe71ce6/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" vpntunnel="N/A" status=failure init=remote mode=main dir=inbound stage=1 role=responder result=ERROR
Message meets Alert condition date=2013-11-28 time=11:21:00 devname=FG100D.......... devid=FG100D.......... logid=0101037124 type=event subtype=vpn level=error msg="IPsec phase 1 error" action=negotiate remip=62.168.132.35 locip=62.xx.xx.xx remport=2152 locport=500 outintf="ISP-Colt" cookies="de77ecd5bbe71ce6/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" vpntunnel="N/A" status=negotiate_error error_reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE"

Does FortiOS (I'm running 5.0.4) do any kind of automatic blocking of a client IP address which repeatedly fails to log in to a FortiOS VPN service over a short period of time? If it doesn't do so by default, then is there a straightforward way to tell FortiOS to do so? It seems like an obvious thing in a soup-to-nuts UTM security appliance like FortiGate. thanks,
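An added example, not part of the question and not FortiOS code: a small Python detector that parses the key=value event format quoted above and reports remote peers whose IPsec phase 1 negotiations keep failing, which is the input an admin would feed into a quarantine or address-group update. The sample log lines, the 60-second window and the threshold of three are constructed assumptions, and the peer addresses are documentation placeholders.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample alerts in the FortiOS key=value format from the question:
# one peer failing phase 1 every few seconds, a second peer failing once.
SAMPLE_LOG = """\
date=2013-11-28 time=11:21:00 devname=FG100D devid=FG100D logid=0101037124 type=event subtype=vpn level=error msg="IPsec phase 1 error" action=negotiate remip=192.0.2.35 locip=198.51.100.1 remport=2152 locport=500 status=negotiate_error error_reason="peer SA proposal not match local policy"
date=2013-11-28 time=11:21:00 devname=FG100D devid=FG100D logid=0101037128 type=event subtype=vpn level=error msg="progress IPsec phase 1" action=negotiate remip=192.0.2.35 locip=198.51.100.1 remport=2152 locport=500 status=failure init=remote mode=main dir=inbound stage=1 role=responder result=ERROR
date=2013-11-28 time=11:21:03 devname=FG100D devid=FG100D logid=0101037124 type=event subtype=vpn level=error msg="IPsec phase 1 error" action=negotiate remip=192.0.2.35 locip=198.51.100.1 remport=2152 locport=500 status=negotiate_error error_reason="peer SA proposal not match local policy"
date=2013-11-28 time=11:21:07 devname=FG100D devid=FG100D logid=0101037124 type=event subtype=vpn level=error msg="IPsec phase 1 error" action=negotiate remip=192.0.2.35 locip=198.51.100.1 remport=2152 locport=500 status=negotiate_error error_reason="peer SA proposal not match local policy"
date=2013-11-28 time=11:21:09 devname=FG100D devid=FG100D logid=0101037124 type=event subtype=vpn level=error msg="IPsec phase 1 error" action=negotiate remip=203.0.113.7 locip=198.51.100.1 remport=500 locport=500 status=negotiate_error error_reason="peer SA proposal not match local policy"
date=2013-11-28 time=11:23:30 devname=FG100D devid=FG100D logid=0101037124 type=event subtype=vpn level=error msg="IPsec phase 1 error" action=negotiate remip=192.0.2.35 locip=198.51.100.1 remport=2152 locport=500 status=negotiate_error error_reason="peer SA proposal not match local policy"
"""

# FortiOS fields are key=value; values containing spaces are wrapped in double quotes.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PHASE1_ERROR_LOGID = "0101037124"   # the "IPsec phase 1 error" record in the question

def parse_line(line):
    """Return one log record as a dict, handling both quoted and bare values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def failing_peers(log_text, threshold=3, window=timedelta(seconds=60)):
    """Map remip -> time at which it reached `threshold` phase 1 errors within `window`.

    Only logid 0101037124 is counted: every failed negotiation also emits a
    0101037128 "progress" record, so counting both would double each attempt.
    Assumes records arrive in chronological order, as they do in the quoted log.
    """
    recent = defaultdict(deque)   # remip -> timestamps of errors still inside the window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("logid") != PHASE1_ERROR_LOGID or "remip" not in rec:
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        q = recent[rec["remip"]]
        q.append(ts)
        while ts - q[0] > window:   # expire errors that fell out of the window
            q.popleft()
        if len(q) >= threshold and rec["remip"] not in flagged:
            flagged[rec["remip"]] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in failing_peers(SAMPLE_LOG).items():
        print(f"{ip} hit the threshold at {when:%H:%M:%S}: candidate for a temporary block")
```

Only 192.0.2.35 is reported (at 11:21:07); the single failure from 203.0.113.7 and the later isolated one at 11:23:30 stay below the threshold, which keeps a mis-configured peer from being blocked on one bad proposal.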