sam653
Explorer
October 16, 2024
Solved

SSLVPN failed user login attempts constantly being seen

  • October 16, 2024
  • 5 replies
  • 2777 views

Hello,

I am seeing constant alerts on my FortiGate under sslvpn events: "sslvpn login failed".

This is not coming from the authorized users. Is there anything that can be done about it?

Thanks


5 replies

sprashant
Staff
Answer
October 16, 2024

Hello @sam653

You can refer to the following resource:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-SSL-VPN-best-practices-guide/ta-p/331260

This will walk you through the steps to strengthen the SSL VPN.

hjhajj
Staff
October 16, 2024

Hello @sam653 

In addition to the document given above, kindly also refer to the following document, which explains how to secure and limit an SSL VPN unknown user login:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-secure-and-limit-an-SSL-VPN-unknown-user/ta-p/224096

Thanks and Regards,
Harmandeep Kaur Jhajj

 

Sgagan
Staff
October 16, 2024

Greetings @sam653 

You can also configure an automation stitch in order to permanently block failed login attempts:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-permanently-block-SSL-VPN-failed-logins/ta-p/287171

vbandha
Staff
October 17, 2024

Hello @sam653

One other option to block these attempts is via a local-in policy.

With a local-in policy, the attempt is blocked before any processing is done by FortiGate, so this will not generate any logs.

Here is an article with more information on this:

https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/363127/local-in-policies

You can use a geolocation address object in the source if the attempts are coming from specific countries:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-by-country-or-geolocation/ta-p/196741

Regards,

Varun
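
A way to size up the failures before choosing between the per-source block and a local-in policy suggested in this thread, as an added example that is not part of any poster's reply or Fortinet's own code: it tallies failed SSL VPN logins per source address from exported event logs. The field names (`action`, `remip`, `user`), the `ssl-login-fail` value and the thresholds are assumptions; check them against your own log export.

```python
import re
from collections import defaultdict

# Constructed sample lines in key=value event-log style (not real traffic).
SAMPLE_LOG = '''\
date=2024-10-16 time=09:01:12 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="admin" reason="sslvpn_login_unknown_user"
date=2024-10-16 time=09:01:15 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="test" reason="sslvpn_login_unknown_user"
date=2024-10-16 time=09:01:19 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="vpn user" reason="sslvpn_login_unknown_user"
date=2024-10-16 time=09:03:40 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.23 user="jsmith" reason="sslvpn_login_permission_denied"
date=2024-10-16 time=09:04:02 type="event" subtype="vpn" action="tunnel-up" remip=198.51.100.23 user="jsmith"
date=2024-10-16 time=09:05:55 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="admin" reason="sslvpn_login_unknown_user"
'''

# key=value pairs; a value is either "quoted" (may contain spaces) or a bare token.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return the fields of one key=value log line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PAIR.finditer(line)}


def failed_logins_by_source(log_text):
    """Map source IP -> {"count": failures, "users": usernames tried}."""
    stats = defaultdict(lambda: {"count": 0, "users": set()})
    for line in log_text.splitlines():
        fields = parse_line(line)
        # Assumed field/value names; successful logins and other events are skipped.
        if fields.get("action") != "ssl-login-fail" or "remip" not in fields:
            continue
        entry = stats[fields["remip"]]
        entry["count"] += 1
        entry["users"].add(fields.get("user", ""))
    return dict(stats)


def block_candidates(log_text, min_failures=3, min_users=2):
    """Sources that failed repeatedly AND tried several usernames, which
    separates guessing from one legitimate user mistyping a password.
    Both thresholds are illustrative and should be tuned."""
    stats = failed_logins_by_source(log_text)
    return sorted(ip for ip, s in stats.items()
                  if s["count"] >= min_failures and len(s["users"]) >= min_users)


if __name__ == "__main__":
    for ip, s in failed_logins_by_source(SAMPLE_LOG).items():
        print(ip, s["count"], sorted(s["users"]))
    print("block candidates:", block_candidates(SAMPLE_LOG))
```

Run it on logs collected before a local-in policy is in place, since, as the reply above notes, attempts dropped there no longer produce these events.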

FortiArt
Staff
October 17, 2024

Try to use ZTNA rather than SSL VPN, as this is more secure, as per:

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/194961/basic-ztna-configuration

Hope this helps.