tanr
New Member
September 27, 2016
Question

Automatically Quarantine IPs that Attempt to Telnet etc. from WAN?


Hi All,

FortiGate 300D v5.4.1, seeing lots of attempts to telnet, ssh, etc. into WAN-facing interfaces.

Can anybody recommend a good way to automatically quarantine IPs that attempt telnet, ssh, or similar to our WAN-facing interfaces?

I'd like to both quiet the logs and make any brute force attempts less likely - there is no admin access on these interfaces, but even so.

In a similar vein, is there a good way to blackhole these connections? Not sure how to do that for a particular service like telnet to the WAN interface.

1 reply

emnoc
New Member
September 28, 2016

I would not waste my time with that, you need to trust your firewall. If you have no admin-services enabled on the untrusted-internet WAN interface, why care if someone is wasting their time with a telnet or ssh probe?

tanr (Author)
New Member
September 28, 2016

Good point. I'm not worried about the telnet attempts getting in, really.

I would like to figure out how to quiet or consolidate the thousands of logs generated, though.

For now I'm just adding -service=TELNET,SSH,PING,HTTPS to most of my FortiAnalyzer log views of (external) policy violations.

Mehdi
New Member
September 28, 2016

Hi tanr,

Can you post a pic of your logs? Are those logs in the Anomaly log?