yadsingh
New Member
April 27, 2024
Question

Understanding sslvpn logs


We have recently been experiencing a high number of DoS attacks on our sslvpn. I am sure that they are using web mode to try and brute force us. However, I am unable to point that out using ssl-login-fail messages, as when I tried failing authentication on purpose using my ssl vpn client, it showed tunnel type: web.

Is there any way I can tell, looking at historical logs, whether the sslvpn user has been using a web-based browser to brute force or an sslvpn client?

3 replies

ozkanaltas
Valued Contributor III
April 27, 2024

Hello @yadsingh ,

 

You can search "Tunnel Type : ssl-web" in logs. 

 


 

P.S. 

 

Sorry for the misdirection.

 

Fortigate writes the same logs for both tries. 

 

In this case, if you don't use a web portal, you can close the portal. That way, you can learn where the tries are coming from.

hbac
Staff
April 27, 2024

Hi @yadsingh,

 

I'm afraid you will see the same logs for web mode and client mode. However, most of the brute force attacks are automated using web mode. You can follow these articles to completely disable web mode:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-disable-SSL-VPN-Web-Mode-or-Tunnel-Mode-in/ta-p/217990

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-prevent-the-SSL-VPN-web-login-portal-from/ta-p/215905

 

Regards, 

dbu
Staff
April 27, 2024

Another way to understand more from the live situation is to run the debugs below:

diag debug app fnbamd -1
diag debug app sslvpn -1
diag console timestamp enable
diag debug enable
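
Since the replies note that the same ssl-login-fail log is written for web mode and client mode, one way to triage historical logs is to group failures by source address instead of tunnel type. The following is an added example, not part of the original thread and not Fortinet code; the key=value field names (date, time, action, tunneltype, remip, user) and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a FortiGate-style key=value layout (assumed
# field names; not real logs). Every failure shows tunneltype="ssl-web".
SAMPLE_LOG = """\
date=2024-04-27 time=10:00:01 action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.10 user="admin"
date=2024-04-27 time=10:00:05 action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.10 user="test"
date=2024-04-27 time=09:15:00 action="ssl-login-fail" tunneltype="ssl-web" remip=198.51.100.7 user="jsmith"
date=2024-04-27 time=10:00:09 action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.10 user="vpn"
date=2024-04-27 time=10:00:20 action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.10 user="root"
date=2024-04-27 time=09:25:00 action="ssl-login-fail" tunneltype="ssl-web" remip=198.51.100.7 user="jsmith"
date=2024-04-27 time=09:25:30 action="tunnel-up" tunneltype="ssl-tunnel" remip=198.51.100.7 user="jsmith"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
REQUIRED = {"date", "time", "remip"}

def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def failed_login_bursts(text, threshold=3, window=timedelta(minutes=1)):
    """Return sources with >= threshold ssl-login-fail events in any window."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec.get("action") != "ssl-login-fail" or not REQUIRED <= rec.keys():
            continue  # skip other events and malformed lines
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        events[rec["remip"]].append((ts, rec.get("user", "")))
    flagged = {}
    for ip, hits in events.items():
        hits.sort()  # log lines may arrive out of order
        start = best = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            best = max(best, end - start + 1)
        if best >= threshold:
            users = sorted({u for _, u in hits})
            flagged[ip] = {"max_in_window": best, "users": users}
    return flagged

if __name__ == "__main__":
    for ip, info in failed_login_bursts(SAMPLE_LOG).items():
        print(ip, info)
```

A source that cycles through many usernames in a short window stands out here even though the tunnel type field is identical on every line.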