This article describes how to leverage FortiAnalyzer event handlers and FortiGate automation capabilities to block remote IP addresses that are probing the SSL VPN via authentication attempts.
Scope
FortiGate v7.0.X, v7.2.X, v7.4.X and FortiAnalyzer v7.4.X.
Solution
Topology:
Prerequisites:
Configure an Event Handler in FortiAnalyzer to detect multiple failed SSL VPN attempts from an IP address:
In this example, the event handler activates upon detection of a VPN event log, indicating the 'ssl-login-fail' action, with events grouped by Remote IP (i.e., the initiating IP address for SSL VPN connections). It specifically triggers when there are two SSL VPN failed login attempts from an IP address within a one-minute timeframe. Make sure to enable the option 'Automation Stitch'.
Configuring an Automation Stitch on FortiGate:
Configure an Automation Stitch with the previously created components:
Create a Local-In Policy to block SSL VPN attempts as shown below:
If there are any local-in policies already configured, make sure to move this policy to the top of the list using the command 'move <policy_id> before <policy_id>' (example: move 2 before 1).
Note:
The address group has a limit of 600 IPs; once it is full, the group needs to be manually swapped with a new group. If the attack persists at a higher volume, further measures need to be taken.
Maximum Values Table
If needed, another automation stitch can be configured to add a new Address group weekly and to use that for adding new block entries (example below).
This stitch will keep running until it is disabled (it can be disabled at a set date in the future with a third automation stitch).
The frequency can be changed as needed. When required, a manual run of the automation stitch can be executed by right-clicking the automation stitch in the FortiGate GUI and selecting 'Test Automation Stitch'.
If there are multiple WAN interfaces and hence multiple local-in policies, ensure that the automation action includes a modification to the required local-in policies. Make sure to correct the local-in-policy ID as needed per the configuration on the FortiGate.
If the FortiGate is VDOM enabled, ensure to modify the automation-action CLI scripts accordingly.
config system automation-stitch
    edit "update addrgrp"
        set trigger "weekly"
        config actions
            edit 1
                set action "update_addrgrp"
                set required enable
            next
        end
    next
end
config system automation-trigger
    edit "weekly"
        set trigger-type scheduled
        set trigger-frequency weekly
        set trigger-weekday sunday
        set trigger-hour 2
        set trigger-minute 55
    next
end
config system automation-action
    edit "update_addrgrp"
        set action-type cli-script
        set script "config firewall addrgrp
edit VPN_Failed_Login_%%date%%
set color 6
end
config firewall local-in-policy
edit 1
append srcaddr VPN_Failed_Login_%%date%%
end
config system automation-action
edit "BAN-SSLVPN-IP"
set action-type cli-script
set script "end
config firewall address
edit SSLVPN-Block-%%log.srcip%%
set color 6
set subnet %%log.srcip%%/32
end
config firewall addrgrp
edit VPN_Failed_Login_%%date%%
append member SSLVPN-Block-%%log.srcip%%
end"
set accprofile "super_admin"
next
end"
        set accprofile "super_admin"
    next
end
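As an added example (not code from the article or from Fortinet), the following Python script replays the event-handler rule from the Solution over constructed log lines (two 'ssl-login-fail' events from the same remote IP within one minute), renders the CLI that the BAN-SSLVPN-IP action would run for each offender, and goes one step beyond the weekly swap by starting a new address group when the 600-member limit is reached. The sample log lines, the field layout and the rendered group name are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MAX_GROUP_MEMBERS = 600  # address-group limit noted in the article

# Constructed sample SSL VPN event log lines (not captured from a real device).
SAMPLE_LOGS = [
    'date=2025-01-10 time=08:00:01 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="admin"',
    'date=2025-01-10 time=08:00:20 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="root"',
    'date=2025-01-10 time=08:00:25 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="test"',
    'date=2025-01-10 time=08:02:00 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="test"',
    'date=2025-01-10 time=08:02:30 type="event" subtype="vpn" action="tunnel-up" remip=192.0.2.5 user="alice"',
]

def parse_log(line):
    """Split a key=value FortiGate log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def find_offenders(lines, threshold=2, window_s=60):
    """Mirror the event handler rule: group ssl-login-fail events by remip and
    flag an IP once `threshold` failures fall inside a `window_s` sliding window."""
    recent, offenders = defaultdict(deque), []
    for line in lines:
        ev = parse_log(line)
        if ev.get("subtype") != "vpn" or ev.get("action") != "ssl-login-fail":
            continue
        ts = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
        q = recent[ev["remip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # expire events outside the window
            q.popleft()
        if len(q) >= threshold and ev["remip"] not in offenders:
            offenders.append(ev["remip"])
    return offenders

def ban_script(ip, group):
    """Render the CLI the BAN-SSLVPN-IP action runs for one offending IP."""
    return (f"config firewall address\n    edit SSLVPN-Block-{ip}\n        set subnet {ip}/32\n    end\n"
            f"config firewall addrgrp\n    edit {group}\n        append member SSLVPN-Block-{ip}\n    end")

def plan_bans(ips, group="VPN_Failed_Login_2025-01-10", capacity=MAX_GROUP_MEMBERS):
    """Pair each IP with a target group, starting a numbered sibling group when the
    member limit is hit (assumed group name stands in for VPN_Failed_Login_%%date%%)."""
    plan = []
    for i, ip in enumerate(ips):
        g = group if i < capacity else f"{group}_{i // capacity}"
        plan.append((g, ban_script(ip, g)))
    return plan
```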
The IP addresses currently blocked on the FortiGate can be checked as follows:
Copyright 2025 Fortinet, Inc. All Rights Reserved.