Technical Tip: Automation script to BAN Brute Force attacker IP for SSL VPN

The below image represents the elements required for this configuration:

• Navigate to Security Fabric -> Automation and select Create New under 'Stitch'.
• Proceed to configure  the "Trigger" element as per below,

• Do take note of the Field Filter where it has been specified to use the 'User' parameter and the Value will be 'admin'.
• The meaning of the above is that when FortiGate sees a brute force attacker trying to log in with the username: admin then this automation stitch will be triggered
• In order to know the most used user name that the attacker uses for the Brute Force attack the SSL VPN logs should be monitored continuously and create an automation stitch for that user.
• Though it allows to addition of the same field filter multiple times with different values for example: user: cooper and user: admin, in real it will not work because the stitch will only be triggered when there is a complete match meaning the log entry should have both user: admin and user: cooper in it and this will not be seen anywhere in the logs.

Example for the above:

Configure the Action element in the stitch as per below and the ACTION here will be a CLI Script:

The command to place the attacker IP in the Banned list would be as per below:

diagnose user banned-ip add src4 %%remip%% 0 admin

• This means blocking the source IP using the username 'admin'.
• Once there is a VPN log entry for SSL VPN login failure and if the parameter user: admin is seen then that specific source IP will be placed under the banned IP list.

To verify the Banned IP list:

diag user banned-ip list

Note: For versions 7.0.x and below the commands are as per below:

diag user quarantine list

diagnose user quarantine add src4 %%remip%% 0 admin

Related article: