ITHRBruce
New Member
November 1, 2019
Question

Viewing incoming IP addresses

  • November 1, 2019
  • 2 replies
  • 10105 views

I have a Fortigate 100E.

We have a Windows Remote Desktop Server that allows users to externally connect via RDP. The server has a mapped external IP address via NAT.

Just occasionally, we see a denied request for access in the security logs. How can I check the Fortigate to see what IP addresses are accessing the firewall? If I can identify them then I can block these from trying to access our server.

Thank you.

    2 replies

    abelio
    SuperUser
    November 1, 2019

    Hello

    ITHRBruce wrote:

    I have a Fortigate 100E.

     We have a Windows Remote Desktop Server that allows users to externally connect via RDP.

    Not a good practice; try to have your users establish VPN tunnels to your 100E and, once authenticated, RDP to the Windows server. SSLVPN is really straightforward to implement.

    The server has a mapped external IP address via NAT.

    Just occasionally, we see a denied request for access in the security logs. How can I check the Fortigate to see what IP addresses are accessing the firewall? If I can identify them then I can block these from trying to access our server.

    If you cannot see the original IP in your logs, you're probably NATing your external (all) -> internal (VIP) firewall policy. That is a configuration error; please fix it quickly, because if so, your server is at risk.

    Try to implement VPN tunnels in order to replace this approach.


    fernandezm_FTNT
    Staff
    November 2, 2019

    I too agree in NEVER opening up RDP to the outside world. If you cannot help it, then I would suggest locking it down by 'source' IP. Also ensure you have an IPS profile assigned to the policy. In the IPS Profile, you can set the action for certain signature(s) to "quarantine", which will quarantine the offending IP address for a period of time that you select.

    As for seeing the IP addresses that are hitting the Firewall or a VIP, I would suggest taking a look at either FortiAnalyzer, FortiCloud (there are two flavors: free, which stores logs for 7 days, and paid, which will store them for 1 year), or Syslog (e.g. Kiwi Syslog, Syslog-NG, etc.).

    In addition to this, ensure that the Windows RDP server and the Fortigate are using the same time source (e.g. NTP), which the Fortigate CAN provide to the rest of the internal network(s) under the 'Settings' tab. This will ensure that when you look at the logs in Windows (e.g. a login failure) you can cross-reference it on the FortiAnalyzer/FortiCloud/Syslog. You also need to make sure your logging is set to 'All Sessions', not just 'Security Events'. The former gives you ALL connections, while the latter will ONLY log traffic that has been blocked. Assuming you are allowing RDP traffic as you stated, unless you have 'All Sessions' you would NEVER see the IP addresses.

    Hope this helps.
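
The two replies above make the same practical point from two sides: abelio notes that a source-NATed external-to-VIP policy hides the real client address from the server, and fernandezm_FTNT notes that only 'All Sessions' logging plus a shared NTP clock lets you tie a Windows logon failure back to the firewall's traffic log. The script below is an added example, not code from either poster or from Fortinet. It parses constructed log lines in the FortiGate key=value traffic-log layout (the field names srcip, dstip, dstport, action and transip are assumed to match the usual FortiOS forward-traffic log), counts which source addresses reached the RDP port, shows what disappears when only denied traffic is logged, and correlates constructed Windows Event ID 4625 records, which only see the firewall's internal address, with the firewall's accepted sessions by timestamp.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in the FortiGate key=value traffic-log layout.
# Field names follow the common FortiOS forward-traffic log and are an
# assumption here; transip is the source-NATed address the server sees.
FORTIGATE_LOGS = """\
date=2019-11-01 time=09:12:01 type="traffic" subtype="forward" srcip=203.0.113.25 dstip=198.51.100.10 dstport=3389 transip=10.0.0.1 action="accept" policyid=7
date=2019-11-01 time=09:12:04 type="traffic" subtype="forward" srcip=203.0.113.25 dstip=198.51.100.10 dstport=3389 transip=10.0.0.1 action="accept" policyid=7
date=2019-11-01 time=09:13:40 type="traffic" subtype="forward" srcip=192.0.2.77 dstip=198.51.100.10 dstport=3389 action="deny" policyid=0
date=2019-11-01 time=09:15:10 type="traffic" subtype="forward" srcip=198.51.100.200 dstip=198.51.100.10 dstport=443 transip=10.0.0.1 action="accept" policyid=9
"""

# Constructed Windows Security log entries (Event ID 4625, failed logon) as
# (timestamp, "Source Network Address"). Because the policy applies source
# NAT, the server records the FortiGate's internal address, not the client.
WINDOWS_4625 = [
    ("2019-11-01 09:12:05", "10.0.0.1"),
    ("2019-11-01 09:40:00", "10.0.0.1"),
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortigate_line(line):
    """Turn one key=value log line into a dict with surrounding quotes removed."""
    return {key: value.strip('"') for key, value in KV.findall(line)}


def parse_fortigate_log(text):
    """Parse every non-empty line and attach a datetime built from date/time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_fortigate_line(line)
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def rdp_sources(text, rdp_port="3389", actions=("accept", "deny")):
    """Count source IPs that reached the RDP port, limited to the given actions.

    Calling this with actions=("deny",) mimics logging only blocked traffic:
    the accepted logons, which are the ones that matter for RDP, vanish.
    """
    counts = Counter()
    for rec in parse_fortigate_log(text):
        if rec.get("dstport") == rdp_port and rec.get("action") in actions:
            counts[rec["srcip"]] += 1
    return counts


def correlate_failures(text, windows_events, window_seconds=5, rdp_port="3389"):
    """For each Windows 4625 event, list the real client IPs the firewall
    accepted to the RDP port within +/- window_seconds of the event.

    This only works when both devices share an NTP time source; with clock
    drift larger than the window the sessions simply fail to line up.
    """
    accepted = [r for r in parse_fortigate_log(text)
                if r.get("dstport") == rdp_port and r.get("action") == "accept"]
    window = timedelta(seconds=window_seconds)
    results = []
    for ts_text, seen_ip in windows_events:
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        candidates = sorted({r["srcip"] for r in accepted if abs(r["ts"] - ts) <= window})
        results.append((ts_text, seen_ip, candidates))
    return results


if __name__ == "__main__":
    print("RDP sources (all sessions):", rdp_sources(FORTIGATE_LOGS))
    print("RDP sources (denied only): ", rdp_sources(FORTIGATE_LOGS, actions=("deny",)))
    for ts, seen, real in correlate_failures(FORTIGATE_LOGS, WINDOWS_4625):
        print(f"{ts}: server saw {seen}; firewall accepted from {real or 'no match'}")
```

With the constructed data, the all-sessions view lists both 203.0.113.25 and 192.0.2.77, the denied-only view lists just 192.0.2.77, and the first 4625 event resolves to 203.0.113.25 while the second has no firewall session nearby. Once the real addresses are known, they can be placed in an address group referenced by a deny policy or handled by the IPS quarantine action mentioned above.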

    ITHRBruce (Author)
    New Member
    November 4, 2019

    Thank you for this, I will check the logging and NTP settings. This is all very useful, I appreciate the time you took to put it together for me.