FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ekrishnan
Staff
Staff
Article Id 347334
Description This article explains the configuration for the automation script to BAN the brute force attacker's IP. 
Scope FortiGate, SSL VPN.
Solution

The below image represents the elements required for this configuration:

 

image.png

 

  • Navigate to Security Fabric -> Automation and select Create New under 'Stitch'.
  • Proceed to configure the 'Trigger' element as per below:

 

image.png

 

  • Do take note of the Field Filter where it has been specified to use the 'User' parameter and the Value will be 'admin'.
  • The meaning of the above is that when FortiGate sees a brute force attacker trying to log in with the username: admin then this automation stitch will be triggered.
  • In order to know the most used user name that the attacker uses for the Brute Force attack the SSL VPN logs should be monitored continuously and create an automation stitch for that user.
  • Though it allows to addition of the same field filter multiple times with different values for example: 'user: cooper' and 'user: admin', in real it will not work because the stitch will only be triggered when there is a complete match meaning the log entry should have both 'user: admin' and 'user: cooper' in it and this will not be seen anywhere in the logs.

 

Example for the above:


image.png

 

Configure the Action element in the stitch as per below and the ACTION here will be a CLI Script:

 

image.png

 

The command to place the attacker IP in the Banned list would be as per below:

 

diagnose user banned-ip add src4 %%remip%% 0 admin

 

  • This means blocking the source IP using the username 'admin'.
  • Once there is a VPN log entry for SSL VPN login failure and if the parameter user: admin is seen then that specific source IP will be placed under the banned IP list.
 

image.png

 

To verify the Banned IP list:

 

diag user banned-ip list

 

image.png

 

Note: For versions 7.0.x and below the commands are as per below:

 

diag user quarantine list

diagnose user quarantine add src4 %%remip%% 0 admin

 

This will not work if the intended objective is to prevent a specific IP from restricting authentication attempts on SSL VPN. Banned IP will only work when traffic is passing through FortiGate, real forwarding traffic. Logging in on SSL VPN is local-in traffic, traffic directed to FortiGate.

 

Related article:

Technical Tip: Retain permanent IP bans and quarantines after rebooting FortiGate