FortiGate
Article Id 411328
Description This article describes how to make an Automation stitch that monitors and adds remote IP addresses associated with failed IPsec logins to a permanent block list.
Scope FortiGate, IPsec.
Solution

There are scenarios where a bad actor attempts to brute-force an IPsec VPN over the default IKE ports (UDP 500 and UDP 4500). The FortiGate and the IKE protocol have their own protections against a bad actor attempting to connect or perform a brute-force attack. However, the failed attempts generate a large volume of logs, which can produce false positives when troubleshooting an IPsec communication issue, or otherwise delay proper troubleshooting.

Important Note:

This guide blocks on the first failed attempt: if a user fails to log in once because of wrong credentials, the public IP that user connected from is permanently blocked until a FortiGate administrator manually goes to the address group and deletes the entry with that public IP.

Step 1: Create an Address Group:

To do this in the GUI:

  • Navigate to Policy & Objects -> Addresses, then select Create New -> Address Group.

  • Set a Name for the new Address Group object. As a reference and example, the Address Group will be named 'IPsec_Failed_Login'. After that, select OK.

Step 2: Creating the Automation Stitch (Stitch, Trigger, and Action).

  • Navigate to Security Fabric -> Automation -> Stitch, then select Create New.

  • Specify a name for the new Automation Stitch. In this example, 'IPsec_VPN_Block' will be used as the name of the Automation Stitch.

  • Next, select Add Trigger, then select the Create button in the top-right of the slide-out menu. Select FortiOS Event Log.

  • Specify a name (in this example, 'IPsec_error'), then select the Event field and add the 'IPsec ESP', 'IPsec phase 1 error', and 'Negotiate IPsec Phase 1' log entries (the IDs should be 37131, 37124, and 37121).

  • Select OK to complete the Trigger creation, then select the new Trigger and select Apply.

  • In the same Automation Stitch, select Add Action, then select Create, followed by selecting the CLI Script action.

Specify a name (in this example, 'IPsec_error'), then enter the following in the Script section:

config firewall address
    edit IPsec-Block-%%log.remip%%
        set color 10
        set subnet %%log.remip%%/32
    next
end

config firewall addrgrp
    edit IPsec_Failed_Login
        append member IPsec-Block-%%log.remip%%
    next
end

Specify an Administrator profile of a super_admin, then select OK, followed by Apply (to set the Action in the Stitch) and OK (to finalize the configuration for the Automation Stitch). 

Note: As this solution adds every IP that generates a failed login event to the blocked address group, legitimate users who accidentally enter the wrong password will also be added to this group. The administrator will need to manually remove those IPs from the address group created earlier before the users can reconnect.
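To see offline what the Trigger and Action above do together, the following added Python example (not part of the article or of FortiOS) filters FortiOS event log lines on the three event IDs and expands the %%log.remip%% macro into the CLI Script the way the stitch does. The log lines and the 0101099999 logid are constructed samples, not output from a real device.

```python
import re
from typing import Dict, Iterable, List

# Event IDs the article's Trigger matches (the last five digits of the FortiOS logid).
TRIGGER_LOGIDS = {"37121", "37124", "37131"}

# Constructed sample FortiOS event log lines (RFC 5737 test addresses, not a real device).
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:00:01 logid="0101037124" subtype="vpn" remip=203.0.113.7 locip=198.51.100.1 remport=500 msg="IPsec phase 1 error"',
    'date=2024-05-01 time=10:00:02 logid="0101037124" subtype="vpn" remip=203.0.113.7 locip=198.51.100.1 remport=500 msg="IPsec phase 1 error"',
    'date=2024-05-01 time=10:00:03 logid="0101037131" subtype="vpn" remip=203.0.113.9 locip=198.51.100.1 remport=4500 msg="IPsec ESP"',
    # Constructed non-trigger event (made-up logid); the stitch must ignore it.
    'date=2024-05-01 time=10:00:04 logid="0101099999" subtype="vpn" remip=203.0.113.50 locip=198.51.100.1 msg="unrelated event"',
]

# The CLI Script action from the article; %%log.remip%% is the stitch's log-field macro.
STITCH_SCRIPT = """config firewall address
    edit IPsec-Block-%%log.remip%%
        set color 10
        set subnet %%log.remip%%/32
    next
end
config firewall addrgrp
    edit IPsec_Failed_Login
        append member IPsec-Block-%%log.remip%%
    next
end
"""

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log(line: str) -> Dict[str, str]:
    """Split a FortiOS key=value log line into a dict, stripping quotes from quoted values."""
    return {key: quoted or unquoted for key, quoted, unquoted in _KV.findall(line)}

def failed_ike_peers(lines: Iterable[str]) -> List[str]:
    """Unique remip values, in first-seen order, for lines whose logid is a trigger event."""
    peers: List[str] = []
    for line in lines:
        fields = parse_log(line)
        if fields.get("logid", "")[-5:] in TRIGGER_LOGIDS:
            remip = fields.get("remip")
            if remip and remip not in peers:  # one entry per peer, like the address object
                peers.append(remip)
    return peers

def render_stitch_script(remip: str) -> str:
    """Expand %%log.remip%% as the Automation Stitch does before running the CLI Script action."""
    return STITCH_SCRIPT.replace("%%log.remip%%", remip)
```

Running failed_ike_peers over the samples yields the two peers that would end up in 'IPsec_Failed_Login'; the repeated line for 203.0.113.7 shows why a single wrong password is enough to be blocked.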

As a final step to block those IPs, create a Local-In Policy that uses the Address Group created earlier (in this example, the 'IPsec_Failed_Login' address group) in the Source Address field.

The Local-in policy should look like this (replace 'port1' with the interface on which the IPsec VPN terminates):

config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "IPsec_Failed_Login"
        set dstaddr "all"
        set service "IKE"
        set schedule "always"
        set action deny
    next
end

Note: Referencing the service 'IKE' is important because it contains UDP/500 and UDP/4500, the default ports. If these ports need to be customized, create another service (or service group) with the TCP or UDP ports used for the IPsec VPN and reference it in the policy instead.

After these configurations, the address group will be populated automatically with the public IPs of the devices attempting to brute-force the IPsec VPN access.