Description
This article describes how to block login attempts to SSL VPN originating from TOR nodes, anonymous VPNs, or known malicious servers by using Internet Service objects as the source in a local-in policy.
Scope
FortiGate v7.4.4+
Solution
As of FortiOS 7.4.4, Internet Service objects can be used as the source in a local-in policy.
Check the port being used for SSL VPN. In the web GUI, go to VPN -> SSL-VPN Settings -> Connection Settings and check the value of the 'Listen on Port' field. On the CLI, this can be found with the following command:
show full vpn ssl settings | grep port
Configure a custom service for SSL VPN. In the web GUI, this can be configured under Policy & Objects -> Services -> Create New. Configure the TCP and UDP port used by SSL VPN. In this example, port 10443 is used.
On the CLI:
config firewall service custom
    edit "SSLVPN"
        set tcp-portrange 10443
        set udp-portrange 10443
    next
end
For more about configuring a custom service, see Configuring a 'Custom Service' in FortiOS.
Identify the listening interface for SSL VPN. In the web GUI, go to VPN -> SSL-VPN Settings -> Connection Settings and check the interface in the 'Listen on Interface(s)' field. On the CLI, this can be found with the following command:
show full vpn ssl settings | grep interface
Configure an address object for the IP address of the listening interface. In the web GUI, this can be configured under Policy & Objects -> Addresses -> Create New. In this example, the interface is port1 and the IP address is 10.9.10.250/32.
On the CLI:
config firewall address
    edit "port1-addr"
        set associated-interface "port1"
        set subnet 10.9.10.250 255.255.255.255
    next
end
For more about creating firewall address objects, see Address objects.
The local-in policy can only be configured on the CLI. 'internet-service-src' must be enabled before the 'internet-service-src-name' setting becomes available; this is where Internet Service objects are defined as the source of the traffic. To block TOR nodes, anonymous VPN connections, and malicious servers, the 'Tor-Relay.Node', 'Tor-Exit.Node', 'VPN-Anonymous.VPN', and 'Malicious-Malicious.Server' Internet Service objects are used.
Two local-in policies need to be configured. The default action of a local-in policy is 'deny', so the second policy must have its action explicitly set to 'accept'. The first policy blocks traffic whose source address matches the Internet Service objects 'Tor-Relay.Node', 'Tor-Exit.Node', 'VPN-Anonymous.VPN', and 'Malicious-Malicious.Server'. The second policy allows all other traffic to the SSL VPN port. Local-in policies are evaluated in order, so the deny policy must come first.
config firewall local-in-policy
    edit 1
        set intf "port1"                     <- Listening interface for SSL VPN.
        set dstaddr "port1-addr"             <- Firewall address object configured for the IP of the listening interface.
        set internet-service-src enable      <- Must be enabled to configure 'internet-service-src-name'.
        set internet-service-src-name "Tor-Relay.Node" "Tor-Exit.Node" "VPN-Anonymous.VPN" "Malicious-Malicious.Server"
        set service "SSLVPN"                 <- Custom service object configured for the SSL VPN port.
        set schedule "always"
    next
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "port1-addr"
        set action accept
        set service "SSLVPN"
        set schedule "always"
    next
end
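The two-policy layout above is only effective when the ISDB-sourced deny entry lists all four objects and is ordered before the catch-all accept. The following Python audit script is an added example (not Fortinet's code or part of the original article): it parses a 'config firewall local-in-policy' block exported from the CLI and reports ordering or coverage gaps. The sample configuration inside it is constructed to mirror the article, and the script relies on the documented default that a local-in policy without 'set action' denies.

```python
"""Audit a FortiOS 'config firewall local-in-policy' block (added example, not from
the article): the ISDB-sourced deny must precede the catch-all accept for SSL VPN."""
import re

REQUIRED_ISDB = {"Tor-Relay.Node", "Tor-Exit.Node",
                 "VPN-Anonymous.VPN", "Malicious-Malicious.Server"}
# Constructed sample mirroring the article's two-policy layout (not a real capture).
SAMPLE = """config firewall local-in-policy
    edit 1
        set dstaddr "port1-addr"
        set internet-service-src enable
        set internet-service-src-name "Tor-Relay.Node" "Tor-Exit.Node" "VPN-Anonymous.VPN" "Malicious-Malicious.Server"
        set service "SSLVPN"
    next
    edit 2
        set srcaddr "all"
        set dstaddr "port1-addr"
        set action accept
        set service "SSLVPN"
    next"""

def parse_local_in(text):
    """Policies in evaluation order; a missing 'action' means deny (local-in default)."""
    policies = []
    for pid, body in re.findall(r"edit (\d+)\n(.*?)\n\s*next", text, re.S):
        pol = {"id": int(pid)}
        for key, val in re.findall(r"set (\S+) (.+)", body):
            pol[key] = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', val)]
        pol["action"] = pol.get("action", ["deny"])[0]
        policies.append(pol)
    return policies

def audit_ssl_vpn_block(text, service="SSLVPN"):
    """Return findings; an empty list means the two-policy layout is sound."""
    findings, deny_idx, accept_idx = [], None, None
    pols = [p for p in parse_local_in(text) if service in p.get("service", [])]
    for i, p in enumerate(pols):
        if p.get("internet-service-src") == ["enable"] and p["action"] == "deny":
            for name in sorted(REQUIRED_ISDB - set(p.get("internet-service-src-name", []))):
                findings.append(f"policy {p['id']}: missing ISDB source {name}")
            deny_idx = i if deny_idx is None else deny_idx
        elif p["action"] == "accept" and p.get("srcaddr") == ["all"]:
            accept_idx = i if accept_idx is None else accept_idx
    if deny_idx is None:
        findings.append("no ISDB-sourced deny policy for the SSL VPN service")
    if accept_idx is None:
        findings.append("no catch-all accept policy: all other SSL VPN logins are dropped")
    elif deny_idx is not None and accept_idx < deny_idx:
        findings.append("accept policy precedes the deny policy, so the block never matches")
    return findings
```

Run it against the output of 'show firewall local-in-policy' on the FortiGate; an empty result means the deny entry covers all four ISDB objects and sits ahead of the accept.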
This can be combined with geo-blocking as well. For instructions on how to use geography addresses to restrict SSL VPN, see Restricting SSL VPN connectivity from certain countries using firewall geography addresses.
For more information about the Internet Services used in this article, see the following ISDB references on FortiGuard Labs:
https://www.fortiguard.com/encyclopedia/isdb/2818243
https://www.fortiguard.com/encyclopedia/isdb/2818238
Copyright 2025 Fortinet, Inc. All Rights Reserved.