FortiGate
nprakash (Staff)
Article Id 314443
Description

This article describes how to leverage FortiAnalyzer event handlers and FortiGate automation capabilities to block remote IP addresses that are probing the SSL VPN via authentication attempts.
Scope

FortiGate v7.0.X, v7.2.X, v7.4.X and FortiAnalyzer v7.4.X.
Solution

Topology:

[Figure 12.jpg: topology diagram]

Prerequisites:

  • FortiAnalyzer logging must be enabled on the FortiGate.
  • Connectivity between FortiGate and FortiAnalyzer must be up, as shown below.

[Figure 1.jpg: FortiAnalyzer logging status on the FortiGate]

  • The options 'Allow access to FortiGate REST API' and 'Verify FortiAnalyzer Certificate' must be enabled, as shown below. FortiAnalyzer only sends the event notification, as a REST API call inside the OFTP tunnel, to the FortiGate that generated the log.

[Figure KB-Edit.png: FortiAnalyzer settings with 'Allow access to FortiGate REST API' and 'Verify FortiAnalyzer Certificate' enabled]

Configure an Event Handler in FortiAnalyzer to detect multiple failed SSL VPN attempts from an IP address:

  • Navigate to Incident & Events -> Handlers -> Basic Handlers and select 'Create New'.

[Figure 2.jpg: creating a new basic event handler]

  • Configure the Event Handler as shown below:

[Figure 3.jpg: event handler settings]

[Figure 4.jpg: event handler rule settings]

In this example, the event handler fires on a VPN event log whose action is 'ssl-login-fail', with events grouped by Remote IP (the source IP address of the SSL VPN connection attempt). It triggers when two failed SSL VPN logins from the same IP address occur within a one-minute timeframe. Make sure the 'Automation Stitch' option is enabled on the handler.
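As an added illustration (not part of the article and not Fortinet code), the Python script below applies the same rule the event handler implements, two 'ssl-login-fail' VPN events from one remote IP within one minute, to a handful of constructed FortiGate-style log lines. The field names used (subtype, action, remip, date, time) follow the key="value" layout of FortiGate event logs; the sample lines, addresses, users and timestamps are constructed for the example and assume the lines arrive in chronological order. Running it offline is a quick way to sanity-check the threshold and window before relying on the handler.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed FortiGate-style VPN event log lines (key="value" format); not from a real device.
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:00:05 type="event" subtype="vpn" level="alert" action="ssl-login-fail" '
    'remip="203.0.113.10" user="alice" reason="sslvpn_login_permission_denied"',
    'date=2024-05-01 time=10:00:20 type="event" subtype="vpn" level="information" action="ssl-login" '
    'remip="192.0.2.9" user="bob" reason="N/A"',
    'date=2024-05-01 time=10:00:40 type="event" subtype="vpn" level="alert" action="ssl-login-fail" '
    'remip="203.0.113.10" user="bob" reason="sslvpn_login_permission_denied"',
    'date=2024-05-01 time=10:01:00 type="event" subtype="vpn" level="alert" action="ssl-login-fail" '
    'remip="198.51.100.7" user="root" reason="sslvpn_login_permission_denied"',
    'date=2024-05-01 time=10:01:10 type="event" subtype="system" level="notice" action="login" '
    'remip="198.51.100.7" user="admin" status="failed"',
    'date=2024-05-01 time=10:03:30 type="event" subtype="vpn" level="alert" action="ssl-login-fail" '
    'remip="198.51.100.7" user="test" reason="sslvpn_login_permission_denied"',
]

FAIL_ACTION = "ssl-login-fail"   # the action the article's event handler matches on
THRESHOLD = 2                    # failed logins from one IP ...
WINDOW = timedelta(minutes=1)    # ... within this timeframe

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(line):
    """Split one FortiGate-style log line into a dict of fields."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def find_offenders(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {remip: timestamp} for each IP whose ssl-login-fail count inside the
    sliding window reaches the threshold, keyed to the event that tripped it.
    Assumes the lines are in chronological order, as a log stream would be."""
    recent = defaultdict(deque)   # per-IP timestamps of recent failures
    triggered = {}
    for line in lines:
        f = parse_log(line)
        # Only SSL VPN login failures count; successful logins and other subtypes are ignored.
        if f.get("subtype") != "vpn" or f.get("action") != FAIL_ACTION or "remip" not in f:
            continue
        ts = datetime.strptime(f"{f['date']} {f['time']}", "%Y-%m-%d %H:%M:%S")
        ip = f["remip"]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in triggered:
            triggered[ip] = ts
    return triggered


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOGS).items():
        print(f"{when:%Y-%m-%d %H:%M:%S}  {ip}  -> would be added to the block group")
```

With the constructed input only 203.0.113.10 trips the rule: its two failures are 35 seconds apart, whereas the two failures from 198.51.100.7 are 150 seconds apart and the system-login line is not a VPN event. Lowering the threshold to 1 shows how much noisier the rule becomes.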


Configuring an Automation Stitch on FortiGate:

  • Create a new Automation Trigger for the FortiAnalyzer Event Handler:

[Figure 5.jpg: creating the automation trigger]

[Figure 6.jpg: selecting the trigger type]

  • Configure a FortiAnalyzer Event Handler Trigger as shown below (FortiGate lists the Event Handlers configured on FortiAnalyzer):

[Figure 7.jpg: FortiAnalyzer Event Handler trigger settings]

  • Configure a CLI Script action. Navigate to Security Fabric -> Automation -> Action, then select 'Create New' -> CLI Script:

[Figure 1-kb.jpg: CLI Script action]

  • If the firewall has VDOMs enabled, use the following CLI script:

[Figure Automation_stitch.png: CLI script for a VDOM-enabled FortiGate]

Configure an Automation Stitch with the previously created trigger and action:

  • Navigate to Security Fabric -> Automation -> Stitch and select 'Create New'.

[Figure 9.jpg: automation stitch settings]

Create a Local-In Policy to block SSL VPN attempts, as shown below:

[Figure 11.jpg: local-in policy settings]

If any local-in policies are already configured, move this policy to the top of the list with the command 'move <policy_id> before <policy_id>' (for example, move 2 before 1).

Note:

The address group has a limit of 600 IPs (see the Maximum Values Table). Once the group is full, it must be swapped manually for a new group. If the attack is more persistent, further measures need to be taken.

If needed, another automation stitch can be configured to create a new address group weekly and to use that group for new block entries (example below).

This stitch keeps running until it is disabled (it can be disabled at a set date in the future with a third automation stitch).

The frequency can be changed as needed. When required, the automation stitch can be run manually by right-clicking it in the FortiGate GUI and selecting 'Test Automation Stitch'.

If there are multiple WAN interfaces and hence multiple local-in policies, ensure that the automation action modifies every required local-in policy. Correct the local-in-policy ID as needed to match the configuration on the FortiGate.

If the FortiGate has VDOMs enabled, modify the automation-action CLI scripts accordingly.

config system automation-stitch
    edit "update addrgrp"
        set trigger "weekly"
        config actions
            edit 1
                set action "update_addrgrp"
                set required enable
            next
        end
    next
end

config system automation-trigger
    edit "weekly"
        set trigger-type scheduled
        set trigger-frequency weekly
        set trigger-weekday sunday
        set trigger-hour 2
        set trigger-minute 55
    next
end

The 'update_addrgrp' script creates the dated address group, adds it to local-in policy 1 and then rewrites the 'BAN-SSLVPN-IP' action so that new block entries are appended to the new group. Because that rewrite is itself a quoted CLI script nested inside the outer script, its double quotes are escaped with a backslash:

config system automation-action
    edit "update_addrgrp"
        set action-type cli-script
        set script "config firewall addrgrp
edit VPN_Failed_Login_%%date%%
set color 6
end
config firewall local-in-policy
edit 1
append srcaddr VPN_Failed_Login_%%date%%
end
config system automation-action
edit \"BAN-SSLVPN-IP\"
set action-type cli-script
set script \"config firewall address
edit SSLVPN-Block-%%log.srcip%%
set color 6
set subnet %%log.srcip%%/32
end
config firewall addrgrp
edit VPN_Failed_Login_%%date%%
append member SSLVPN-Block-%%log.srcip%%
end\"
set accprofile \"super_admin\"
next
end"
        set accprofile "super_admin"
    next
end
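As an added example (not part of the article and not FortiOS code), the Python below renders the 'BAN-SSLVPN-IP' script body from the article with the %%log.srcip%% and %%date%% placeholders substituted, refuses any value that is not a single IPv4 host before it can reach a config line, and plans which dated address group each new block entry goes into so that no group exceeds the 600-member limit noted above. It goes slightly beyond the article by handling the group rollover in code rather than by hand: the suffix scheme VPN_Failed_Login_<date>-2, -3, ... and the MAX_GROUP_MEMBERS constant are assumptions for this example, so check the Maximum Values Table for the real limit on your model.

```python
import ipaddress
import re

# Limit quoted in the article; confirm against the Maximum Values Table for the model in use.
MAX_GROUP_MEMBERS = 600

# Script body of the article's BAN-SSLVPN-IP action, with the stitch variables left as placeholders.
BAN_SCRIPT_TEMPLATE = (
    "config firewall address\n"
    "edit SSLVPN-Block-%%log.srcip%%\n"
    "set color 6\n"
    "set subnet %%log.srcip%%/32\n"
    "end\n"
    "config firewall addrgrp\n"
    "edit VPN_Failed_Login_%%date%%\n"
    "append member SSLVPN-Block-%%log.srcip%%\n"
    "end"
)

VAR_RE = re.compile(r"%%([A-Za-z0-9_.]+)%%")


def render(template, variables):
    """Substitute %%name%% placeholders. An unknown name raises, so a half-rendered
    script with a literal %%...%% left inside is never produced."""
    def substitute(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"unresolved stitch variable: {name}")
        return variables[name]
    return VAR_RE.sub(substitute, template)


def build_ban_script(srcip, group_suffix):
    """Render the block script for one offending IP into the group VPN_Failed_Login_<group_suffix>."""
    # Only a validated single IPv4 address may be written into a config line.
    addr = ipaddress.ip_address(srcip)          # raises ValueError for anything that is not an address
    if addr.version != 4:
        raise ValueError("IPv4 only; the template writes a /32 subnet")
    return render(BAN_SCRIPT_TEMPLATE, {"log.srcip": str(addr), "date": group_suffix})


def assign_groups(existing_counts, new_ips, date, max_members=MAX_GROUP_MEMBERS):
    """Hand out new block entries to dated groups, opening VPN_Failed_Login_<date>-2, -3, ...
    (assumed naming) when a group is full. existing_counts maps group name -> current member
    count. Returns {ip: (group_name, rendered_script)}; duplicate IPs in new_ips are collapsed."""
    counts = dict(existing_counts)
    plan = {}
    for ip in sorted(set(new_ips), key=ipaddress.ip_address):
        suffix, n = date, 1
        while counts.get(f"VPN_Failed_Login_{suffix}", 0) >= max_members:
            n += 1
            suffix = f"{date}-{n}"
        group = f"VPN_Failed_Login_{suffix}"
        counts[group] = counts.get(group, 0) + 1
        plan[ip] = (group, build_ban_script(ip, suffix))
    return plan


if __name__ == "__main__":
    # Constructed state: today's group already holds 599 entries, two new offenders arrive.
    current = {"VPN_Failed_Login_20240501": 599}
    for ip, (group, script) in assign_groups(current, ["203.0.113.10", "198.51.100.7"], "20240501").items():
        print(f"# {ip} -> {group}\n{script}\n")
```

The rendered text is what the stitch would push through the CLI; keeping the validation in front of the template matters because %%log.srcip%% is copied straight from a log field into an object name and a subnet.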

 

To check which IP addresses are currently blocked on the FortiGate:

  • Navigate to Policy & Objects -> Addresses -> Address Group -> VPN_Failed_Login.

[Figure Failed_login.PNG: members of the VPN_Failed_Login address group]