FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
parthpatel
Staff
Article Id 331998
Description: This article describes how to set up an automation stitch that blocks invalid login attempts on an IPsec dialup tunnel.
Scope: FortiGate.
Solution

To block invalid login attempts on an IPsec dialup tunnel, first check the VPN event logs for entries with result = XAUTH failure:

[Image: Dialup-KB1.PNG]

If there are multiple XAUTH failure events from unknown IP addresses, an automation stitch can be configured to block further attempts from those addresses.

1. Create an address group to store the blacklisted IPs: go to Policy & Objects -> Addresses and create a new address group.

To configure this in the CLI, run the following:

config firewall addrgrp
    edit "VPN_Failed_Login"
    next
end

 

2. Create the automation trigger: go to Security Fabric -> Automation -> Trigger -> Create new.

To ensure the correct event is matched, use field filters to narrow the trigger to XAUTH failures only, as 'Negotiate IPsec phase 1' (the event log selected here, log ID 37121) is a generic event that is generated in several other scenarios.

[Image: 1.png]

To configure this in the CLI, run the following:

config system automation-trigger
    edit "ipsec_xauth_failure"
        set event-type event-log
        set logid 37121
        config fields
            edit 1
                set name "result"
                set value "XAUTH authentication failed"
            next
        end
    next
end

 

3. Create the automation action: go to Security Fabric -> Automation -> Action -> Create new and select CLI script.

Set up the action with the following CLI script, which creates an address object for the remote IP and appends it to the blacklist group (%%log.remip%% is replaced by the remote IP taken from the triggering log entry).

[Image: 2.png]

To configure this in the CLI:

config system automation-action
    edit "Block remote IP"
        set action-type cli-script
        set script "config firewall address
            edit IP-Block-%%log.remip%%
                set color 6
                set subnet %%log.remip%%/32
            next
        end
        config firewall addrgrp
            edit VPN_Failed_Login
                append member IP-Block-%%log.remip%%
            next
        end"
        set accprofile "super_admin"
    next
end

Note:

If the FortiGate has multiple VDOMs enabled, the script also needs to enter the VDOM in which the address group and the IPsec tunnel are located.

 

4. Create the automation stitch: go to Security Fabric -> Automation -> Stitch -> Create new, then select the trigger and action created in the previous steps.

[Image: 3.png]

To configure this in the CLI:

config system automation-stitch
    edit "Block IPsec malicious IP"
        set trigger "ipsec_xauth_failure"
        config actions
            edit 1
                set action "Block remote IP"
                set required enable
            next
        end
    next
end

 

5. Create the local-in policy.

The local-in policy (which filters incoming traffic destined for the FortiGate itself) denies IKE traffic sourced from the address group:

config firewall local-in-policy
    edit 1
        set intf <wan listening interface>    <----- The interface under the IPsec VPN settings.
        set srcaddr "VPN_Failed_Login"
        set srcaddr-negate disable
        set dstaddr "all"
        set dstaddr-negate disable
        set action deny
        set service "IKE"
        set service-negate disable
        set schedule "always"
        set status enable
    next
end

 

Note:

If the connection is from a legitimate user who entered the wrong password, the user's IP will need to be manually removed from the group in order to allow them to reconnect.
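The logic the stitch automates, as an added Python example that is not part of this article and not FortiOS code: it parses FortiOS-style key=value event lines (the sample lines are constructed, not real captures), applies the same test as the trigger above (log ID 37121 with result "XAUTH authentication failed"), expands %%log.remip%% into the article's action script after checking that the value is a single IP address, and counts failures per remote IP so a threshold can be applied before blocking. The threshold is a refinement the article's per-event stitch does not have; it is one way to reduce the false positive described in the note above. The unblock script for the manual-removal case uses the FortiOS unselect and delete commands. Field names other than logid, remip and result in the sample lines are assumptions.

```python
import ipaddress
import shlex
from collections import Counter

# Trigger condition from the article: event log 37121 whose result field is the XAUTH failure string.
TRIGGER_LOGID = "37121"
XAUTH_FAILED = "XAUTH authentication failed"

# The article's action script, with %%log.remip%% kept as the stitch placeholder.
BLOCK_SCRIPT = """config firewall address
    edit IP-Block-%%log.remip%%
        set color 6
        set subnet %%log.remip%%/32
    next
end
config firewall addrgrp
    edit VPN_Failed_Login
        append member IP-Block-%%log.remip%%
    next
end"""

# Reverse of the action, for the manual-removal case in the article's closing note.
UNBLOCK_SCRIPT = """config firewall addrgrp
    edit VPN_Failed_Login
        unselect member IP-Block-%%log.remip%%
    next
end
config firewall address
    delete IP-Block-%%log.remip%%
end"""

# Constructed sample lines in FortiOS key=value style (not real captures). Only logid,
# remip and result are fields the article relies on; the other field names are assumed.
SAMPLE_LOGS = [
    'date=2024-05-01 time=09:00:01 logid="0101037121" type="event" subtype="vpn" level="error" '
    'action="negotiate" remip=203.0.113.5 locip=198.51.100.1 outintf="wan1" xauthuser="alice" '
    'msg="IPsec phase 1 error" result="XAUTH authentication failed"',
    'date=2024-05-01 time=09:00:07 logid="0101037121" type="event" subtype="vpn" level="error" '
    'action="negotiate" remip=203.0.113.5 locip=198.51.100.1 outintf="wan1" xauthuser="alice" '
    'msg="IPsec phase 1 error" result="XAUTH authentication failed"',
    'date=2024-05-01 time=09:01:15 logid="0101037121" type="event" subtype="vpn" level="error" '
    'action="negotiate" remip=198.51.100.7 locip=198.51.100.1 outintf="wan1" xauthuser="bob" '
    'msg="IPsec phase 1 error" result="XAUTH authentication failed"',
    'date=2024-05-01 time=09:02:30 logid="0101037121" type="event" subtype="vpn" level="error" '
    'action="negotiate" remip=203.0.113.5 locip=198.51.100.1 outintf="wan1" xauthuser="root" '
    'msg="IPsec phase 1 error" result="XAUTH authentication failed"',
    # Same log ID but a successful negotiation: the result filter must exclude it.
    'date=2024-05-01 time=09:05:00 logid="0101037121" type="event" subtype="vpn" level="notice" '
    'action="negotiate" remip=203.0.113.5 locip=198.51.100.1 outintf="wan1" xauthuser="alice" '
    'msg="progress IPsec phase 1" result="success"',
    # XAUTH failure text on a different log ID: the logid filter must exclude it.
    'date=2024-05-01 time=09:06:00 logid="0101037131" type="event" subtype="vpn" level="error" '
    'action="negotiate" remip=192.0.2.9 locip=198.51.100.1 outintf="wan1" xauthuser="eve" '
    'msg="IPsec phase 2 error" result="XAUTH authentication failed"',
]


def parse_fortios_log(line):
    """Split a key=value log line into a dict; shlex strips the double quotes around values."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def matches_trigger(log):
    """Same test the automation trigger applies: event 37121 (the last five digits of the
    ten-digit FortiOS logid) and a result field equal to the XAUTH failure string."""
    return log.get("logid", "").endswith(TRIGGER_LOGID) and log.get("result") == XAUTH_FAILED


def expand(script, remip):
    """Substitute %%log.remip%% the way the stitch does, but only after confirming the value
    is a single IP address, so a malformed field cannot yield a bad object name or subnet."""
    ipaddress.ip_address(remip)  # raises ValueError for anything that is not an IP address
    return script.replace("%%log.remip%%", remip)


def select_offenders(lines, threshold=3):
    """Count trigger-matching failures per remote IP and return those at or above threshold."""
    counts = Counter()
    for line in lines:
        log = parse_fortios_log(line)
        if matches_trigger(log) and "remip" in log:
            counts[log["remip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in select_offenders(SAMPLE_LOGS).items():
        print(f"# {ip}: {n} XAUTH failures, block script:")
        print(expand(BLOCK_SCRIPT, ip))
```

With the constructed lines and a threshold of 3, only 203.0.113.5 is selected; the single failure from 198.51.100.7 (the "legitimate user with a typo" case from the note) is not blocked, whereas the article's stitch would block it on the first event.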