Description:
This article describes how to build an Automation Stitch that monitors failed SSL VPN logins and adds the associated remote IP addresses to a permanent block list.
Scope: FortiGate, SSL VPN.
Solution:
The FortiGate already has tools (enabled by default) that allow it to block a given source IP address if it fails to log in to the SSL VPN successfully within a configurable time window. For more information on these tools/timers, see the following KB article: Technical Tip: SSL VPN timers explanation and SSL-VPN Login Attempt Limit (aka 'Lockout').
The above timers will only block a given offending source IP for a temporary period, after which the offending IP address may attempt to log in again (and possibly re-trigger the lockout). To make a permanent block list (i.e., an offender is put on the list and must be manually removed), it is possible to use an Automation Stitch that monitors for SSL VPN log events and auto-updates an Address Group list with a list of blocked addresses.
Warning: Following the implementation below, a user's IP address will get blocked from SSLVPN access after a single failed attempt to log in to SSL VPN.
This method results in permanent bans for a given source IP address unless an admin manually intervenes. Monitor the number of firewall address objects on the FortiGate and make sure it does not exceed the maximum value of the firewall.address table. More information on the maximum values per FortiGate model and FortiOS version can be found in the Maximum Values Table.
Alternative Approaches:
Step 1: Create an Address Group: To do this in the GUI:
To do this in the CLI:
config firewall addrgrp
    edit VPN_Failed_Login
end
Step 2: Creating the Automation Stitch (Stitch, Trigger, and Action).
In the same Automation Stitch, select Add Action, then select Create, followed by selecting the CLI Script action. Specify the name ('BAN-SSLVPN-IP' is used in this example), then enter the following in the Script section:
config firewall address
    edit SSLVPN-Block-%%log.remip%%
        set color 6
        set subnet %%log.remip%%/32
end
config firewall addrgrp
    edit VPN_Failed_Login
        append member SSLVPN-Block-%%log.remip%%
end
Note 1: The above script, when paired with the FortiOS Event Log action, extracts the logged remote IP address and creates an Address Object for it, followed by adding the Address object to the Address Group. Blocked IP addresses are added as individual firewall address objects and then grouped into the address group.
Note 2: The maximum number of members in an address group depends on the FortiOS version and the model. In the example below, the maximum value for the firewall.addrgrp:member table is 600: once the FortiGate has recorded more than 600 failed SSL VPN logins, the stitch still creates the address object, but it can no longer be added to the address group. A workaround, an additional automation stitch that creates new address groups on a schedule, is described at the end of this document.
To check the table size, see the Maximum Values Table.
Specify an Administrator profile of a super_admin (or another profile that has permission to create and modify Address objects/groups), then select OK, followed by Apply (to set the Action in the Stitch) and OK (to finalize the configuration for the Automation Stitch). If using a custom accprofile, make sure to add 'fwgrp read-write' to the list of allowed permissions.
Note regarding VDOMs: If the FortiGate has multi-VDOM enabled then the script needs to also specify the VDOM that the Address Group and SSL VPN are located in. In that case, add the following to the top of the script:
config vdom
    edit <vdom>
[rest of the script follows]
Example CLI config: 'set script' has a somewhat unusual output where the body of the script does not follow the typical indenting scheme of the FortiOS CLI.
config system automation-action
    edit 'BAN-SSLVPN-IP'
        set action-type cli-script
        set script "config vdom
edit root    <----- Adjust the VDOM name according to the SSL VPN VDOM configuration, for example, root.
config firewall address
edit SSLVPN-Block-%%log.remip%%
set color 6
set subnet %%log.remip%%/32
end
config firewall addrgrp
edit VPN_Failed_Login
append member SSLVPN-Block-%%log.remip%%
end"
        set accprofile "super_admin"
    next
end
A complete Automation Stitch will look like this:
Note: As this solution will add all IPs that generate a failed login event to the IP address group that is blocked, legitimate users who accidentally enter the wrong password will also be added to this group. To automatically remove their IP address if they have a successful login after a failed login within a pre-defined window of time, a second stitch will be triggered to remove their IP address from the blocked IP address group. Critically, the delay set for the blocking stitch must match the delay for the unblocking stitch.
config system automation-trigger
    edit 'SSL_Login_Success'
        set event-type event-log
    next
end

config system automation-action
    edit 'Remove-SSLVPN-IP'
        set action-type cli-script
        set script 'config firewall addrgrp
edit VPN_Failed_Login    <----- This must be the same group name where malicious IPs are added. See 'Step 3' above.
unselect member SSLVPN-Block-%%log.remip%%    <----- This must be the same address name syntax. See 'Step 3' above.
end
config firewall address
delete SSLVPN-Block-%%log.remip%%    <----- This must be the same address name syntax. See 'Step 3' above.
end'
        set accprofile 'super_admin'
    next
end

config system automation-stitch
    edit 'SSL_VPN_Login_Unblock'
        set trigger 'SSL_Login_Success'
        config actions
            edit 1
                set action 'Remove-SSLVPN-IP'
            next
        end
    next
end
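As an added example (not part of the Fortinet article, and not FortiOS code), the following Python script models what the block and unblock stitches above do when an event log arrives: it parses constructed key=value log lines, expands %%log.remip%% in the article's two CLI scripts exactly as the stitch does, and applies the result to an in-memory model of the firewall address and addrgrp tables. The model enforces the addrgrp member cap from Note 2 (the address object is still created, but the append to the group fails once the cap is reached), refuses a remip that is not a plain IP address before it is spliced into CLI text, and keys the success event on a constructed action value because the article gives no log ID for it. The log lines, the FortiGateModel class and its 600-member default are assumptions of this example.

```python
import ipaddress
import re

# Constructed FortiOS-style event log lines (values invented for this example;
# only logid 39426 for the failed-login event comes from the article).
SAMPLE_FAIL_LOG = (
    'date=2025-01-15 time=10:42:07 logid="0039426" type="event" subtype="vpn" '
    'action="ssl-login-fail" remip=203.0.113.45 user="alice" msg="SSL user failed to logged in"'
)
# The article gives no logid for the success event, so this example keys on a
# constructed action value instead (placeholder logid).
SAMPLE_SUCCESS_LOG = (
    'date=2025-01-15 time=10:43:10 logid="PLACEHOLDER-SUCCESS-LOGID" type="event" '
    'subtype="vpn" action="ssl-login" remip=203.0.113.45 user="alice" msg="SSL user logged in"'
)

# CLI scripts as given in the article for the BAN-SSLVPN-IP and Remove-SSLVPN-IP actions.
BAN_SCRIPT = """config firewall address
edit SSLVPN-Block-%%log.remip%%
set color 6
set subnet %%log.remip%%/32
end
config firewall addrgrp
edit VPN_Failed_Login
append member SSLVPN-Block-%%log.remip%%
end"""
UNBLOCK_SCRIPT = """config firewall addrgrp
edit VPN_Failed_Login
unselect member SSLVPN-Block-%%log.remip%%
end
config firewall address
delete SSLVPN-Block-%%log.remip%%
end"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log(line):
    """key=value fields of one log line; quoted and bare values are both handled."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def render(script, fields):
    """Expand %%log.<field>%% tokens the way the stitch does before running the script."""
    return re.sub(r"%%log\.(\w+)%%", lambda m: fields[m.group(1)], script)

class FortiGateModel:
    """Tiny in-memory stand-in for the firewall address / addrgrp tables (assumption)."""

    def __init__(self, addrgrp_max=600):
        self.addrgrp_max = addrgrp_max            # firewall.addrgrp:member table limit
        self.addresses = {}                       # address name -> settings
        self.addrgrps = {"VPN_Failed_Login": []}  # group name -> member list

    def run_script(self, script):
        """Interpret the CLI subset the two scripts use; returns a list of errors."""
        errors, table, obj = [], None, None
        for raw in script.splitlines():
            p = raw.split()
            if not p:
                continue
            if p[0] == "config":
                table, obj = " ".join(p[1:]), None
            elif p[0] == "edit":
                obj = p[1]
                if table == "firewall address":
                    self.addresses.setdefault(obj, {})
                else:
                    self.addrgrps.setdefault(obj, [])
            elif p[0] == "set" and table == "firewall address":
                self.addresses[obj][p[1]] = " ".join(p[2:])
            elif p[0] == "append" and p[1] == "member":
                members = self.addrgrps[obj]
                if p[2] not in self.addresses:
                    errors.append(f"{obj}: member {p[2]} does not exist")
                elif len(members) >= self.addrgrp_max:   # Note 2: object exists, group is full
                    errors.append(f"{obj}: member table full ({self.addrgrp_max}), {p[2]} not added")
                elif p[2] not in members:
                    members.append(p[2])
            elif p[0] == "unselect" and p[1] == "member":
                if p[2] in self.addrgrps[obj]:
                    self.addrgrps[obj].remove(p[2])
            elif p[0] == "delete" and table == "firewall address":
                if any(p[1] in m for m in self.addrgrps.values()):
                    errors.append(f"{p[1]}: still referenced by a group, not deleted")
                else:
                    self.addresses.pop(p[1], None)
            elif p[0] == "end":
                table, obj = None, None
        return errors

def handle_event(fgt, line):
    """Dispatch one log line to the ban or unblock script, as the two stitches would."""
    fields = parse_log(line)
    ipaddress.ip_address(fields["remip"])    # refuse anything that is not a plain IP
    if fields.get("logid", "").lstrip("0") == "39426":
        return fgt.run_script(render(BAN_SCRIPT, fields))
    if fields.get("action") == "ssl-login":  # constructed success marker, see above
        return fgt.run_script(render(UNBLOCK_SCRIPT, fields))
    return []

def is_blocked(fgt, ip):
    return f"SSLVPN-Block-{ip}" in fgt.addrgrps["VPN_Failed_Login"]

def fill_group(n, addrgrp_max):
    """Feed n failed logins from distinct constructed IPs; returns (objects, members, errors)."""
    fgt = FortiGateModel(addrgrp_max)
    errors = []
    for i in range(n):
        errors += handle_event(fgt, SAMPLE_FAIL_LOG.replace("203.0.113.45", f"198.51.100.{i + 1}"))
    return len(fgt.addresses), len(fgt.addrgrps["VPN_Failed_Login"]), errors
```

Running handle_event with SAMPLE_FAIL_LOG blocks 203.0.113.45, and the matching success line removes the group member and deletes the object again; fill_group(3, 2) shows the Note 2 failure mode, three address objects but only two group members and one error for the third append.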
Use the Address Group (e.g. 'VPN_Failed_Login' in the earlier examples) to block incoming SSL VPN connections. There are two methods available to do this:
Method 1: Set source-address and source-address-negate in SSL VPN settings.
This method sets the Address Group in the SSL VPN settings for the source-address filter, then it pairs with the set source-address-negate enable config option. This results in the SSL VPN allowing all incoming Source IP addresses except for those in the Address Group:
config vpn ssl settings
    set source-address 'VPN_Failed_Login'
    set source-address-negate enable
end
Make sure to add an initial dummy address to the 'VPN_Failed_Login' address group, as the source-address filter will not work if the group has zero entries.
Method 2: Create a Deny Local-In Policy with the Address Group in the Source Address field.
This method results in the creation of a local-in policy (which filters incoming traffic destined for the FortiGate itself) that denies traffic sourced from the specified Address Group. This can be useful if more flexible rules are needed compared to Method 1 (i.e., blocking/allowing SSL VPN traffic using multiple different sets of addresses):
config firewall local-in-policy
    edit 1
        set intf <SSL_VPN_Listening_interface>    <-- The source-interface under SSL VPN settings.
        set srcaddr "VPN_Failed_Login"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
    next
end
The Result: This stitch will add the user's source IP to the blocked Address Group after the first connection failure, so if that connection is legitimate, then it may be necessary to manually remove the entry from the Address Group so that the user can connect again. See the following KB article to remove a legitimate remote IP from the blocked address group: Troubleshooting Tip: How to remove an IP from the SSL VPN 'block failed SSLVPN login autostitch'
Adding Additional Address Groups Automatically: Given that Address Groups are limited to 600 members, it may be necessary to have additional Address Groups created if a large blocklist is being maintained. One option is to create a third automation stitch, which handles the automatic creation of Address Groups every week.
This stitch will keep running until it is disabled (either manually or using another automation stitch with a schedule) and the frequency can be changed as needed. When required, a manual run of the automation stitch can be executed by right-clicking on this automation stitch in the FortiGate GUI and selecting 'Test Automation Stitch'.
If there are multiple WAN interfaces and hence multiple local-in policies, ensure that the automation action includes a modification to the required local-in policies. Make sure to correct the local-in-policy ID as needed per the configuration on the FortiGate, and if VDOMs are enabled, then modify the scripts accordingly (see 'Note regarding VDOMs' above).
config system automation-trigger
    edit 'weekly'
        set trigger-type scheduled
        set trigger-frequency weekly
        set trigger-weekday sunday
        set trigger-hour 2
        set trigger-minute 55
    next
end
config system automation-action
    edit 'update_addrgrp'
        set action-type cli-script
        set script "config firewall addrgrp
edit VPN_Failed_Login_%%date%%
set color 6
next
end"
        set accprofile "super_admin"
    next
end
In VDOM mode, the above script becomes:
config system automation-action
config system automation-stitch
    edit "update addrgrp"
        set trigger "weekly"
        config actions
            edit 1
                set action "update_addrgrp"
                set required enable
            next
        end
    next
end
CLI reference (only if there is no VDOM in the configuration):
config firewall addrgrp
    edit VPN_Failed_Login
end

config system automation-action
    edit "BAN-SSLVPN-IP"
        set action-type cli-script
        set script "config firewall address
edit SSLVPN-Block-%%log.remip%%
set color 6
set subnet %%log.remip%%/32
end
config firewall addrgrp
edit VPN_Failed_Login
append member SSLVPN-Block-%%log.remip%%
end"
        set accprofile "super_admin"
    next
end

config system automation-trigger
    edit "SSL_Login_Fail"
        set event-type event-log
        set logid 39426
    next
end

config system automation-stitch
    edit "SSL_VPN_Login_Block"
        set trigger "SSL_Login_Fail"
        config actions
            edit 1
                set action "BAN-SSLVPN-IP"
                set required enable
            next
        end
    next
end

config firewall local-in-policy
    edit 4    <----- Choose the right local-in-policy number if other local-in policies are present.
        set intf "wan1"    <----- Choose the right interface.
        set srcaddr "VPN_Failed_Login"
        set srcaddr-negate disable
        set dstaddr "all"
        set dstaddr-negate disable
        set action deny
        set service "ALL"
        set service-negate disable
        set schedule "always"
        set status enable
    next
end
When configuring SSL VPN ban actions, ensure the correct local-in-policy index is used, as well as the correct WAN interface if there is more than one.
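To check that the pieces of the CLI reference actually fit together (the stitch points at an existing trigger and action, the CLI-script action has an accprofile and targets the block group, and the group is enforced by a deny local-in policy or by source-address-negate), here is an added Python checker that is not part of the Fortinet article. It parses a constructed config excerpt modelled on the reference above (the object names, logid 39426, wan1 and policy id 4 are the article's; the excerpt, the parser and the check function are assumptions of this example) and reports inconsistencies. The parser understands only the config/edit/set/next/end grammar used here, including a multi-line quoted 'set script' value.

```python
import shlex

# Constructed FortiOS config excerpt modelled on the article's CLI reference.
SAMPLE_CONFIG = '''
config firewall addrgrp
    edit "VPN_Failed_Login"
    next
end
config system automation-action
    edit "BAN-SSLVPN-IP"
        set action-type cli-script
        set script "config firewall addrgrp
edit VPN_Failed_Login
append member SSLVPN-Block-%%log.remip%%
end"
        set accprofile "super_admin"
    next
end
config system automation-trigger
    edit "SSL_Login_Fail"
        set event-type event-log
        set logid 39426
    next
end
config system automation-stitch
    edit "SSL_VPN_Login_Block"
        set trigger "SSL_Login_Fail"
        config actions
            edit 1
                set action "BAN-SSLVPN-IP"
            next
        end
    next
end
config firewall local-in-policy
    edit 4
        set intf "wan1"
        set srcaddr "VPN_Failed_Login"
        set action deny
        set status enable
    next
end
'''

def logical_lines(text):
    """Split on newlines outside double quotes, so a multi-line 'set script' stays one command."""
    buf, quoted = [], False
    for ch in text:
        quoted ^= ch == '"'
        if ch == "\n" and not quoted:
            yield "".join(buf)
            buf = []
        else:
            buf.append(ch)
    yield "".join(buf)

def parse_config(text):
    """Nested dicts: table -> entry -> settings; sub-tables (config actions) nest the same way."""
    root = {}
    stack = [root]
    for line in logical_lines(text):
        toks = shlex.split(line)
        if not toks:
            continue
        cmd, args = toks[0], toks[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root

def as_list(v):
    return v if isinstance(v, list) else [v]

def check_ban_setup(cfg, group="VPN_Failed_Login"):
    """Findings about the block-list wiring; an empty list means it is consistent."""
    findings = []
    if group not in cfg.get("firewall addrgrp", {}):
        findings.append(f"address group {group} does not exist")
    actions = cfg.get("system automation-action", {})
    triggers = cfg.get("system automation-trigger", {})
    for name, stitch in cfg.get("system automation-stitch", {}).items():
        if stitch.get("trigger") not in triggers:
            findings.append(f"stitch {name}: trigger {stitch.get('trigger')!r} not found")
        for entry in stitch.get("actions", {}).values():
            act = actions.get(entry.get("action"))
            if act is None:
                findings.append(f"stitch {name}: action {entry.get('action')!r} not found")
            elif act.get("action-type") == "cli-script":
                if "accprofile" not in act:
                    findings.append(f"action {entry['action']}: no accprofile, script cannot run")
                if group not in act.get("script", ""):
                    findings.append(f"action {entry['action']}: script does not touch {group}")
    enforced = False   # the group only bites if something denies traffic from it
    for pid, pol in cfg.get("firewall local-in-policy", {}).items():
        if group in as_list(pol.get("srcaddr")):
            if pol.get("action") == "deny" and pol.get("status", "enable") == "enable":
                enforced = True
            else:
                findings.append(f"local-in-policy {pid}: references {group} but does not deny")
    ssl = cfg.get("vpn ssl settings", {})
    if group in as_list(ssl.get("source-address")) and ssl.get("source-address-negate") == "enable":
        enforced = True
    if not enforced:
        findings.append(f"{group} is not enforced by a deny local-in policy or source-address-negate")
    return findings
```

check_ban_setup(parse_config(SAMPLE_CONFIG)) returns an empty list for the excerpt as written; changing the local-in policy action to accept, or dropping the accprofile line from the action, produces a finding for each, which is the kind of drift to look for after editing the policy index or interface on a multi-WAN unit.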
Note: Starting from v7.6.3, SSL VPN tunnel mode is not available, and SSL VPN web mode will be called 'Agentless VPN': SSL VPN tunnel mode replaced with IPsec VPN
Migrate SSL VPN to IPsec VPN: SSL VPN full tunnel for remote user
Related documents:
SSL VPN security best practices
Restrict unauthorized access on the SSL VPN service
Restricting SSL VPN connectivity from certain countries using firewall geography addresses
How to block SSL VPN Connection from a certain source IP Address
Technical Tip: How to receive an alert email when SSL VPN user login successfully
Technical Tip: Configure an automation stitch to get an email alert for SSL VPN login failures
Technical Tip: How to limit SSL VPN login attempts and block duration
Copyright 2025 Fortinet, Inc. All Rights Reserved.