Created on 08-16-2023 11:42 PM Edited on 08-16-2023 11:48 PM By Anthony_E
Description | This article describes a suspected VPN breach: the legitimate user did not try to log in with FortiClient or access the SSL VPN web portal, yet 'SSL VPN login fail' alert logs such as the one below are still generated for that username. Note that the source address in the log (remip) is an external IP, not the user's own client.
Message meets Alert condition
The following critical firewall event was detected: SSL VPN login fail.
date=2022-12-29 time=09:36:07 devname=FG100E_TAKEMOTO devid=FG100E4Q17015334 eventtime=1672286767552373161 tz="+0530" logid="0101039426" type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" tunnelid=0 remip=185.66.15.47 user="Userl" group="N/A" dst_host="N/A" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in" |
Scope | FortiGate. |
Solution |
In the GUI, at the bottom of the Authentication/Portal Mapping table on the 'SSL-VPN Settings' page, there is an entry for 'All Other Users/Groups'. Use it to deny SSL VPN access to every user or group that is not explicitly mapped to a portal: create a portal with tunnel mode, web mode and FortiClient download all disabled, then set it as the default portal so that anything not matched by an explicit mapping lands on it. The equivalent CLI configuration is:
config vpn ssl web portal
    edit "no-access"
        set tunnel-mode disable
        set ipv6-tunnel-mode disable
        set web-mode disable
        set allow-user-access ping
        set limit-user-logins enable
        set forticlient-download disable
    next
end

config vpn ssl settings
    set default-portal "no-access"
end
Listening on a non-default port (the 'set port' option under 'config vpn ssl settings') is an easy but effective measure when an attacker only probes the default port of the application; it does not stop a scanner that enumerates all ports, so treat it as a complement to the portal restriction above, not a replacement. Do not forget to change the port on all VPN clients as well, otherwise their connections will break.
Other methods to restrict SSL VPN connectivity:
|
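To triage alerts like the one quoted in the Description at scale, the following added example (not part of the Fortinet article and not FortiOS code) parses FortiGate key=value event logs, keeps only 'ssl-login-fail' events, groups them per source IP and flags untrusted sources that spray several usernames or exceed an attempt budget. The trusted networks, the attempt threshold and every log line except the first are constructed assumptions for the demonstration.

```python
"""Triage FortiGate 'SSL VPN login fail' events (added example, not from the article)."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# One key=value token; quoted values may contain spaces (msg="SSL user failed to logged in").
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Assumed networks from which legitimate SSL VPN clients connect (not from the article).
TRUSTED_NETWORKS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

# The alert line shown in the article's Description.
PAGE_LINE = (
    'date=2022-12-29 time=09:36:07 devname=FG100E_TAKEMOTO devid=FG100E4Q17015334 '
    'eventtime=1672286767552373161 tz="+0530" logid="0101039426" type="event" subtype="vpn" '
    'level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" '
    'tunneltype="ssl-web" tunnelid=0 remip=185.66.15.47 user="Userl" group="N/A" '
    'dst_host="N/A" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"'
)


def _constructed_failure(time, remip, user):
    """Build a constructed (made-up) login-failure line in the same format as PAGE_LINE."""
    return (
        f'date=2022-12-29 time={time} devname=FG100E_TAKEMOTO devid=FG100E4Q17015334 '
        f'tz="+0530" type="event" subtype="vpn" level="alert" vd="root" '
        f'logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" tunnelid=0 '
        f'remip={remip} user="{user}" group="N/A" dst_host="N/A" '
        f'reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"'
    )


# Constructed sample: one external source spraying three usernames, one internal
# single failure, one external single failure, and one non-failure event to be ignored.
SAMPLE_LOGS = [
    PAGE_LINE,
    _constructed_failure("09:36:12", "185.66.15.47", "admin"),
    _constructed_failure("09:36:19", "185.66.15.47", "test"),
    _constructed_failure("09:36:25", "185.66.15.47", "Userl"),
    _constructed_failure("10:02:41", "192.168.1.50", "alice"),
    _constructed_failure("10:15:03", "203.0.113.7", "bob"),
    'date=2022-12-29 time=10:03:02 type="event" subtype="vpn" level="information" vd="root" '
    'logdesc="SSL VPN tunnel up" action="tunnel-up" remip=192.168.1.50 user="alice"',
]


def parse_fortigate_log(line):
    """Return the key=value log line as a dict, with surrounding quotes removed."""
    record = {}
    for key, raw in _KV_RE.findall(line):
        record[key] = raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw
    return record


def is_sslvpn_login_failure(record):
    """True for the event/vpn records FortiGate emits when an SSL VPN login fails."""
    return (record.get("type") == "event" and record.get("subtype") == "vpn"
            and record.get("action") == "ssl-login-fail")


def is_trusted_source(remip):
    """Whether the source address lies inside one of the assumed trusted networks."""
    try:
        addr = ip_address(remip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def summarize_failures(lines):
    """Group failed SSL VPN logins by source IP: attempts, usernames tried, reasons, trust."""
    summary = defaultdict(lambda: {"count": 0, "users": set(), "reasons": set(), "trusted": False})
    for line in lines:
        record = parse_fortigate_log(line)
        if not is_sslvpn_login_failure(record):
            continue
        src = record.get("remip", "?")
        entry = summary[src]
        entry["count"] += 1
        entry["users"].add(record.get("user", ""))
        entry["reasons"].add(record.get("reason", ""))
        entry["trusted"] = is_trusted_source(src)
    return dict(summary)


def suspicious_sources(summary, max_attempts=3):
    """Untrusted sources that spray more than one username or exceed the attempt budget."""
    return sorted(src for src, e in summary.items()
                  if not e["trusted"] and (len(e["users"]) > 1 or e["count"] >= max_attempts))


if __name__ == "__main__":
    result = summarize_failures(SAMPLE_LOGS)
    for src in suspicious_sources(result):
        e = result[src]
        print(f"{src}: {e['count']} failures, users={sorted(e['users'])}, reasons={sorted(e['reasons'])}")
```

In the sample, the external address spraying 'Userl', 'admin' and 'test' is reported while the single internal failure and the single external failure are not; feeding the real syslog export in place of SAMPLE_LOGS gives a quick list of sources to block on the WAN interface.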