Fortiben1
Explorer II
November 28, 2024
Question

SSL VPN failed login

  • 4 replies
  • 2632 views

Hey People!

I would like to raise a concern; I have only a little knowledge of the firewall role. It is regarding the SSL failed logins. Our client wants to block the IP addresses of the unknown and random credentials found in the VPN event logs. We already blocked those IPs using a deny policy (for example, we already added 80.94.95.x), but upon checking the VPN event logs they still appear in the logs. Am I doing it wrong? Or is it not possible to block the IPs using a local policy? Is it possible to minimize this load of logs? Our client said they have already disabled the SSL VPN because they are using IPsec.


[Images: 1233333.png, 555.png]

The first image is the firewall object.

The second is from the VPN event logs.

Thank you (Version 7.2.8)

4 replies

AEK
SuperUser
November 28, 2024

Hi Ben

Your client made the right choice to use IPsec, because SSL VPN is not recommended anymore, for security reasons.

Regarding your requirement to block the IP addresses, I think it is not efficient to do as you described, but a more efficient way is to set a block period after 3 attempts, and to restrict VPN access with GeoIP. You may for example allow your country only.

AEK
Fortiben1 (Author)
Explorer II
November 28, 2024

Hi sir AEK,

Thank you for your answer :). I will recommend restricting VPN access with GeoIP. I just can't validate the GeoIP restriction right now because I have a limited view of the firewall.
But why is the IP still showing in the logs even though we already made a deny policy?

calink
Staff
November 28, 2024

You can set up an automation stitch. See the following article for more details:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-permanently-block-SSL-VPN-failed-logins/ta-p/287171 

Fortiben1 (Author)
Explorer II
November 28, 2024

Thank you Sir calink!
I will check on this and might recommend it :)

sjoshi
Staff
November 28, 2024

Hi,

You can set up a local-in policy and block those IP ranges.

https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/363127/local-in-policy

Thanks, Salon
Fortiben1 (Author)
Explorer II
November 28, 2024

Hi Sir,

Thank you for this insight. I will recommend this also, and will add the malicious IP addresses from the SSL failed logins.

Renante_Era
Staff
November 28, 2024

You can create a group, then block that group via local-in-policy. You can automate the entry of IP address/32 in that group using an automation stitch as shown below. However, I don't recommend that since it might lead to false positives -- what I mean is that a legit user might not be able to log in, which means that you need to manually remove the legit user's public IP address from that group.
How to automatically block the malicious ... - Fortinet Community
Screenshot 2024-11-28 164400.png
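
The manual form of the group-plus-local-in-policy approach from the replies above, as an added example that is not taken from any post in this thread or from the linked Fortinet articles. The object names, the interface `wan1`, the policy ID and the address `203.0.113.10` (a documentation-range placeholder) are assumptions; the automation stitch that would populate the group is not shown.

```fortios
# Added example. Names, interface, policy ID and address are placeholders.

# One /32 address object per source IP taken from the failed-login events.
config firewall address
    edit "sslvpn-fail-203.0.113.10"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# Group that the local-in policy references. Blocking or unblocking a
# source later only means editing the member list of this group.
config firewall addrgrp
    edit "SSLVPN_Failed_Login_Block"
        set member "sslvpn-fail-203.0.113.10"
    next
end

# Local-in policies filter traffic addressed to the FortiGate itself.
# "edit 1" assumes no local-in policy with ID 1 exists yet.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "SSLVPN_Failed_Login_Block"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action deny
        set status enable
    next
end
```

If a legitimate user's public IP ends up in the group, removing that member from `SSLVPN_Failed_Login_Block` restores access without touching the policy.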