nprakash
Staff
Article Id 314443
Description

This article describes how to leverage FortiAnalyzer event handlers and FortiGate automation capabilities to block remote IP addresses that are probing the SSL VPN via authentication attempts.

Scope

FortiGate v7.0.X, v7.2.X, v7.4.X and FortiAnalyzer v7.4.X.

Solution

Topology:

12.jpg
Prerequisites:

  • FortiAnalyzer logging must be enabled on the FortiGate.
  • Connectivity between FortiGate and FortiAnalyzer must be up, as shown below.


1.jpg

 

  • The options 'Allow access to FortiGate REST API' and 'Verify FortiAnalyzer certificate' must be enabled, as shown below. FortiAnalyzer only sends the event notification, using a REST API call inside the OFTP tunnel, to the FortiGate that generated the log.

KB-Edit.png

Configure an Event Handler in FortiAnalyzer to detect multiple failed SSL VPN attempts from an IP address:

  • Navigate to Incident & Events -> Handlers -> Basic Handlers and select 'Create New'.


2.jpg

 

  • Configure an Event Handler as shown below:

3.jpg

4.jpg

In this example, the event handler activates upon detection of a VPN event log, indicating the 'ssl-login-fail' action, with events grouped by Remote IP (i.e., the initiating IP address for SSL VPN connections). It specifically triggers when there are two SSL VPN failed login attempts from an IP address within a one-minute timeframe. Make sure to enable the option 'Automation Stitch'.


Configuring an Automation Stitch on FortiGate:

  • Create a new Automation Trigger for the FortiAnalyzer Event Handler:

5.jpg

6.jpg

 

  • Configure a FortiAnalyzer Event Handler Trigger as shown below (FortiGate will display the Event Handlers configured in FortiAnalyzer):

 

7.jpg

  • Configure a CLI Script. Navigate to Security Fabric -> Automation -> Action, then select 'Create New' -> CLI Script:

1-kb.jpg

  • If the firewall has VDOM enabled, use the following CLI script:

Automation_stitch.png

 

Configure an Automation Stitch with the previously created components:

  • Navigate to Security Fabric -> Automation -> Stitch and select 'Create New'.


9.jpg

 


Create a Local-In Policy to block SSL VPN attempts as shown below:

11.jpg

If there are any local-in policies already configured, make sure to move this policy to the top of the list using the command 'move <policy_id> before <policy_id>' (example: move 2 before 1).
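As an added example (not code from this article, and not the CLI script shown in the screenshots above), the following Python script reproduces the event handler's detection rule over constructed FortiGate VPN event log lines: it keeps only subtype=vpn events with action=ssl-login-fail, groups them by remip, and flags any remote IP with two failures inside a 60-second window. It then renders the kind of FortiOS CLI a stitch action could run to add the offending IP to an address group referenced by the local-in policy. The address object and group names, the /32 object layout and the use of config vdom on VDOM-enabled units are assumptions for this example; in the real stitch the IP comes from the FortiAnalyzer event rather than from a hard-coded list.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample FortiGate VPN event log lines (not taken from the article).
# Real entries carry many more fields; only the ones this example reads are kept.
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:00:05 type="event" subtype="vpn" action="ssl-login-fail" '
    'remip=203.0.113.10 user="alice" reason="sslvpn_login_permission_denied"',
    'date=2024-05-01 time=10:00:40 type="event" subtype="vpn" action="ssl-login-fail" '
    'remip=203.0.113.10 user="bob" reason="sslvpn_login_permission_denied"',
    'date=2024-05-01 time=10:00:50 type="event" subtype="vpn" action="ssl-login-fail" '
    'remip=198.51.100.7 user="carol" reason="sslvpn_login_permission_denied"',
    'date=2024-05-01 time=10:03:00 type="event" subtype="vpn" action="ssl-login-fail" '
    'remip=198.51.100.7 user="carol" reason="sslvpn_login_permission_denied"',
    'date=2024-05-01 time=10:03:10 type="event" subtype="vpn" action="tunnel-up" '
    'remip=192.0.2.55 user="dave"',
]

# key=value pairs; values are either "quoted" or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_log(line):
    """Parse one FortiGate key=value log line into a dict of string fields."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def find_offending_ips(lines, threshold=2, window_seconds=60):
    """Mirror the handler rule: ssl-login-fail events grouped by remip,
    threshold failures from one IP inside the window. Returns sorted IPs."""
    events = defaultdict(list)
    for line in lines:
        f = parse_log(line)
        if f.get("subtype") != "vpn" or f.get("action") != "ssl-login-fail":
            continue
        if "remip" not in f or "date" not in f or "time" not in f:
            continue
        ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        events[f["remip"]].append(ts)

    offenders = []
    for ip, stamps in events.items():
        stamps.sort()
        # Sliding window: any run of `threshold` consecutive failures whose
        # first and last timestamps are at most `window_seconds` apart.
        for i in range(len(stamps) - threshold + 1):
            span = (stamps[i + threshold - 1] - stamps[i]).total_seconds()
            if span <= window_seconds:
                offenders.append(ip)
                break
    return sorted(offenders)


def render_block_script(ip, addrgrp="SSLVPN_BLOCKLIST", vdom=None):
    """Render FortiOS CLI that creates a /32 address object for `ip` and appends
    it to the address group the local-in policy denies. Object and group names
    are assumptions for this example, not the article's script."""
    name = "blocked_" + ip.replace(".", "_")
    out = []
    if vdom:                      # VDOM-enabled unit: enter the VDOM first
        out += ["config vdom", f"edit {vdom}"]
    out += [
        "config firewall address",
        f"edit {name}",
        f"set subnet {ip} 255.255.255.255",
        "next",
        "end",
        "config firewall addrgrp",
        f"edit {addrgrp}",
        f"append member {name}",
        "next",
        "end",
    ]
    if vdom:
        out.append("end")
    return "\n".join(out)


if __name__ == "__main__":
    for ip in find_offending_ips(SAMPLE_LOGS):
        print(f"# {ip} exceeded the failed-login threshold")
        print(render_block_script(ip, vdom="root"))
```

Run against the constructed lines, only 203.0.113.10 trips the two-failures-in-60-seconds rule; 198.51.100.7 has two failures 130 seconds apart and is ignored, which is the behaviour to expect from the handler as configured in the article, and the tunnel-up event is skipped because its action is not ssl-login-fail.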