FortiGate
svkamleshkumar
Article Id 334036
Description

This article describes blocking SSL VPN failed login attempts using an ISDB address object.

This method requires changing the SSL VPN configuration and applies when the requirement is to block IP addresses belonging to specific ISDB objects that frequently fail to authenticate with the SSL VPN service.

Scope

FortiGate v7.2.0 and later.

Solution

Alternatively, to block IP addresses using automation stitches, follow the guides below:

Technical Tip: How to permanently block SSL VPN failed logins using an Automation Stitch

Technical Tip: Enhance SSL VPN Security by blocking offenders IP addresses using FortiAnalyzer Event...


To address multiple and continuous failed SSL VPN login attempts from a set of IP addresses that belong to a specific ISDB object, follow the steps below:

Step 1: Identify a list of IP addresses for failed login attempts and associate the IP addresses with ISDB objects.


Note down a few key remote IP addresses associated with failed VPN login attempts that are suspected as malicious.

  • Navigate to Policy & Objects -> Internet Service Database -> IP address Lookup tool.
  • Use this tool repeatedly for the noted IP addresses to identify a common ISDB address object.

In conclusion, this step identifies the ISDB object associated with multiple failed SSL VPN login attempts. In this case, the lookup showed that most of the attempts came from the 'ColoCrossing-ColoCrossing.Hosting.Service' and 'Hosting-Bulletproof.Hosting' objects.

Note:

If FortiGate does not display a specific ISDB entry for most of the IP addresses, it indicates that these IPs are not part of any specific ISDB object and the subsequent steps outlined in this document will not be applicable.

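The triage in Step 1 can be done from the VPN event logs before touching the GUI. The following Python script is an added example and not part of the original article: it counts 'ssl-login-fail' events per remote IP from FortiGate VPN event logs and groups the repeat offenders by ISDB object. The log lines are constructed samples in the FortiGate key=value format using RFC 5737 documentation ranges, and the ISDB_SAMPLE table is a hypothetical stand-in for the IP address lookup tool (real ISDB objects contain many more ranges); everything else is the Python standard library.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of FortiGate VPN event logs (key=value format as the unit
# writes them). 203.0.113.17 and 198.51.100.9 fail repeatedly, 203.0.113.40
# fails twice, and 192.0.2.77 is a legitimate user who mistyped once and then
# connected (the "tunnel-up" line must not be counted as a failure).
SAMPLE_LOGS = """\
date=2024-08-17 time=10:00:01 type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.17 user="admin" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2024-08-17 time=10:00:09 type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.17 user="test" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2024-08-17 time=10:00:15 type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=198.51.100.9 user="root" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2024-08-17 time=10:00:21 type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.17 user="guest" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2024-08-17 time=10:01:02 type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=192.0.2.77 user="jsmith" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2024-08-17 time=10:01:10 type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=198.51.100.9 user="admin" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2024-08-17 time=10:01:30 type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" remip=192.0.2.77 user="jsmith" msg="SSL tunnel established"
date=2024-08-17 time=10:02:05 type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=198.51.100.9 user="support" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2024-08-17 time=10:02:40 type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.40 user="admin" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2024-08-17 time=10:02:48 type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.40 user="admin" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line):
    """Split one FortiGate key=value log line into a dict with quotes stripped."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def failed_logins_by_ip(lines):
    """Count SSL VPN login failures per remote IP; other VPN events are ignored."""
    counts = Counter()
    for line in lines:
        fields = parse_log_line(line)
        if (fields.get("subtype") == "vpn"
                and fields.get("action") == "ssl-login-fail"
                and "remip" in fields):
            counts[fields["remip"]] += 1
    return counts


# Hypothetical ISDB ranges (constructed for this example). On the FortiGate the
# IP address lookup tool under Policy & Objects -> Internet Service Database
# returns the object name for each IP; this table mimics that answer offline.
ISDB_SAMPLE = {
    "Hosting-Bulletproof.Hosting": [ip_network("203.0.113.0/25")],
    "ColoCrossing-ColoCrossing.Hosting.Service": [ip_network("198.51.100.0/24")],
}


def isdb_lookup(ip):
    """Return the ISDB object containing `ip`, or None when no object matches."""
    addr = ip_address(ip)
    for name, networks in ISDB_SAMPLE.items():
        if any(addr in net for net in networks):
            return name
    return None


def fails_per_isdb(counts):
    """Total failures per ISDB object; the None key collects IPs outside any object."""
    totals = Counter()
    for ip, fails in counts.items():
        totals[isdb_lookup(ip)] += fails
    return dict(totals)


def repeat_offenders(counts, threshold=3):
    """IPs with at least `threshold` failures, grouped by ISDB object."""
    grouped = defaultdict(dict)
    for ip, fails in counts.items():
        if fails >= threshold:
            grouped[isdb_lookup(ip)][ip] = fails
    return dict(grouped)


if __name__ == "__main__":
    counts = failed_logins_by_ip(SAMPLE_LOGS.splitlines())
    for ip, fails in counts.most_common():
        print(f"{ip:16} {fails:3} failures  ISDB: {isdb_lookup(ip)}")
    print("Per ISDB object:", fails_per_isdb(counts))
    print("Repeat offenders:", repeat_offenders(counts))
```

The threshold keeps a single mistyped password from a legitimate user (192.0.2.77 above) out of the block list, and the per-object totals are the number the article's conclusion rests on: if most failures fall under the None key, the IPs are not covered by an ISDB object and the ISDB-negate policy will not help.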
Step 2: Use the ISDB object in a firewall policy.

In the source address field of the policy that allows SSL VPN traffic, select the ISDB objects and enable source negate, so that the policy matches every source except those objects.

Step 2.1: Configure the FortiGate SSL VPN to listen on a loopback interface.

Configure a loopback interface with a /32 IP address that is not in use (10.254.1.1/32 in this scenario).

Step 2.2: Listen for SSL VPN on the loopback interface instead of the WAN interface. Change this setting under VPN -> SSL-VPN Settings.

Step 2.3: Create a virtual IP address object that maps to the loopback interface. Set up the 'SSL VPN VIP' as follows:

  • '50.50.50.50' is the public IP of the WAN1 interface, on which SSL VPN connections arrive in this scenario, with an external port of '10443'.
  • '10.254.1.1' is the IP address of the loopback interface.

Step 2.4: Create a firewall policy from the WAN interface to the loopback interface, using the VIP for the SSL VPN port. The GUI method to configure the firewall policy is as follows:

  • To make the 'Negate' option for source and destination addresses available in firewall policies, go to System -> Feature Visibility and enable 'Policy Advanced Options'.
  • In the policy, set the incoming interface to the WAN interface, the outgoing interface to the loopback interface, the destination to 'SSL VPN VIP', the service to the SSL VPN port, and the source to the ISDB objects with 'Negate' enabled.

Any further attempts from IP addresses belonging to these ISDB objects will be blocked by the firewall policy, and the VPN event logs will reflect this as a reduction in failed SSL VPN login attempts.

Note:

Additional restrictions on SSL VPN login attempts based on geographical IP address objects can also be configured in combination with this method. Follow the steps in the link below:

Technical Tip: Restricting SSL VPN connectivity from certain countries using firewall geography addr...

FortiGate does not have a feature to block traffic based on ISP name; for example, it is not possible to block a particular ISP's IP ranges by specifying the ISP name. However, the ISP's IP ranges can be obtained and placed in an address object, which is then specified in a local-in policy.

To create a local-in-policy:

  • Create an address group for malicious IPs.

  1. Go to Policy & Objects -> Address -> Create New.
  2. Add the IP address that has been identified for repeated failed login attempts.
  3. Alternatively, create an address group for easier management.

  • Configure a local-in policy to block the addresses.

  1. Go to Network -> Interfaces and note the interface where SSL VPN is listening (e.g. wan1).
  2. Run the following CLI commands to block the addresses:

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Malicious IP Group"
        set dstaddr "all"
        set service "SSLVPN_PORT"
        set schedule "always"
        set action deny
        set status enable
    next
end

Replace "Malicious IP Group" with the address group created above (or the ISDB object), and "SSLVPN_PORT" with the service object that matches the port the SSL VPN listens on (for example TCP/443, or a custom service for the port 10443 used in this scenario). A deny local-in policy drops the packets before the SSL VPN service ever receives the connection, so the blocked addresses no longer generate failed login events.
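Once the offending IPs and ISDB objects are known, the configuration above is repetitive to type by hand. The following Python renderer is an added example, not code from the original article or from Fortinet: it emits the FortiOS CLI for the address objects and address group, the deny local-in policy shown above, and the Step 2.4 accept policy with the ISDB objects negated as source. The object names "Malicious IP Group", "SSLVPN_PORT", "SSL VPN VIP" and the interface "wan1" follow the article; the "blk_" name prefix, the loopback interface name "lo_sslvpn" and the sample IPs are constructed, and the internet-service-src, internet-service-src-name and internet-service-src-negate option names are taken from my reading of the FortiOS 7.x firewall policy CLI, not from the article.

```python
from ipaddress import ip_address


def fortios_quote(name):
    """Quote a FortiOS object name; names must not contain double quotes."""
    if '"' in name:
        raise ValueError("double quotes are not allowed in FortiOS object names")
    return f'"{name}"'


def render_address_group(ips, group_name="Malicious IP Group"):
    """config firewall address (one /32 per IP) plus an addrgrp holding them all."""
    if not ips:
        raise ValueError("an address group needs at least one member")
    names, lines = [], ["config firewall address"]
    for ip in ips:
        # ip_address() raises ValueError on malformed input; the /32 mask below
        # is IPv4 only, so refuse IPv6 explicitly instead of emitting bad config.
        if ip_address(ip).version != 4:
            raise ValueError(f"IPv4 only in this example: {ip}")
        name = f"blk_{ip}"                  # constructed naming scheme
        names.append(name)
        lines += [f"    edit {fortios_quote(name)}",
                  f"        set subnet {ip} 255.255.255.255",
                  "    next"]
    lines += ["end",
              "config firewall addrgrp",
              f"    edit {fortios_quote(group_name)}",
              "        set member " + " ".join(fortios_quote(n) for n in names),
              "    next",
              "end"]
    return "\n".join(lines)


def render_local_in_policy(policy_id, intf, srcaddr, service, dstaddr="all"):
    """The deny local-in policy from the article, parameterised."""
    return "\n".join([
        "config firewall local-in-policy",
        f"    edit {policy_id}",
        f"        set intf {fortios_quote(intf)}",
        f"        set srcaddr {fortios_quote(srcaddr)}",
        f"        set dstaddr {fortios_quote(dstaddr)}",
        f"        set service {fortios_quote(service)}",
        '        set schedule "always"',
        "        set action deny",
        "        set status enable",
        "    next",
        "end",
    ])


def render_sslvpn_allow_policy(policy_id, wan_intf, loopback_intf, vip_name,
                               service, isdb_objects):
    """Step 2.4: accept WAN -> loopback traffic to the SSL VPN VIP from every
    source except the given ISDB objects (internet-service-src with negate).
    The internet-service-src-* option names are an assumption from FortiOS 7.x."""
    if not isdb_objects:
        # Negating an empty list would match all sources and defeat the purpose.
        raise ValueError("at least one ISDB object is required")
    return "\n".join([
        "config firewall policy",
        f"    edit {policy_id}",
        '        set name "SSLVPN-in-minus-ISDB"',
        f"        set srcintf {fortios_quote(wan_intf)}",
        f"        set dstintf {fortios_quote(loopback_intf)}",
        "        set action accept",
        "        set internet-service-src enable",
        "        set internet-service-src-name "
        + " ".join(fortios_quote(o) for o in isdb_objects),
        "        set internet-service-src-negate enable",
        f"        set dstaddr {fortios_quote(vip_name)}",
        '        set schedule "always"',
        f"        set service {fortios_quote(service)}",
        "    next",
        "end",
    ])


if __name__ == "__main__":
    offenders = ["203.0.113.17", "198.51.100.9"]          # constructed sample IPs
    print(render_address_group(offenders))
    print(render_local_in_policy(1, "wan1", "Malicious IP Group", "SSLVPN_PORT"))
    print(render_sslvpn_allow_policy(10, "wan1", "lo_sslvpn", "SSL VPN VIP", "SSLVPN_PORT",
                                     ["ColoCrossing-ColoCrossing.Hosting.Service",
                                      "Hosting-Bulletproof.Hosting"]))
```

Paste the rendered text into the CLI in the order printed: address objects and the group must exist before the local-in policy references them, and the VIP and loopback interface from Steps 2.1 to 2.3 must exist before the accept policy is created.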