Description |
This article describes how to make an Automation stitch that monitors and adds remote IP addresses associated with failed SSL VPN logins to a permanent block list. |
Scope | FortiGate, SSL VPN. |
Solution |
The FortiGate does already have tools (enabled by default) that allow it to block a given source IP address if it fails to login to the SSL-VPN successfully within a configurable time window. For more information on these tools/timers, see the following KB article: Technical Tip: SSL VPN timers explanation and SSL-VPN Login Attempt Limit (aka 'Lockout').
With that being said, the above timers will only block a given offending source IP for a temporary period of time, after which the offending IP address may attempt to log in again (and possibly re-trigger the lockout). To make a permanent block list (i.e. an offender is put on the list and must be manually removed), you can use an Automation Stitch that monitors for SSL-VPN log events and auto-updates an Address Group list with a list of blocked addresses.
Warning: This method will result in permanent bans for a given Source IP address unless an admin manually intervenes. It is recommended to adjust the SSL-VPN lockout settings so that normal users are not likely to be caught in this permanent ban (e.g. increase login-attempt-limit so that it takes more failed attempts before a ban is triggered).
Creating an Address Group for Blocked Source IP Addresses
To do this in the GUI:
To do this in the CLI:
config firewall addrgrp edit VPN_Failed_Login end
Creating the Automation Stitch (Part 1: Stitch and Trigger).
Creating the Automation Stitch (Part 2: Action and finish Stitch).
5. In the same Automation Stitch, select Add Action, then select Create, followed by selecting CLI Script. 6. Specify the name ('BAN-SSLVPN-IP' is used in this example), then enter the following in the Script section:
config firewall address edit SSLVPN-Block-%%log.remip%% set color 6 set subnet %%log.remip%%/32 end
config firewall addrgrp edit VPN_Failed_Login append member %%log.remip%% end
Note: The above script, when paired with the FortiOS Event Log action, extracts the logged remote IP address and creates an Address Object for it, followed by adding the Address object to the Address Group.
7. Specify an Administrator profile of super_admin (or another profile that has permission to create and modify Address objects/groups), then select OK, followed by Apply (to set the Action in the Stitch) and OK (to finalize the configuration for the Automation Stitch).
Note: If the FortiGate has multi-VDOM enabled then the script needs to also specify the VDOM that the Address Group and SSL-VPN are located in. In that case, add the following to the top of the script:
config vdom edit <vdom> [rest of the script follows]
A complete Automation Stitch will look like this:
Use the Address Group to block incoming SSL-VPN connections (two methods available):
Method 1: Set source-address and source-address-negate in SSL-VPN settings.
This method sets the Address Group in the SSL-VPN settings for the source-address filter, then it pairs with set source-address-negate enable config option. This results in the SSL-VPN matching all incoming Source IP addresses that are not in the Address Group:
config vpn ssl settings set source-address "SSLVPN-Block-Group" set source-address-negate enable end
Method 2: Create a Deny Local-In Policy with the Address Group in the Source Address field.
This method results in the creation of a local-in policy (which filters incoming traffic destined for the FortiGate itself) that denies traffic sourced from the specified Address Group. This can be useful if more flexible rules are needed compared to Method 1 (i.e. blocking/allowing SSL-VPN traffic using multiple different sets of addresses):
config firewall local-in-policy edit 1 set intf <SSL VPN Listening interface> <----- The source-interface under SSL VPN settings. next end
The Result: When a potential attacker fails to log in multiple times (with the failure count based on login-attempt-limit), a log entry will be generated. This triggers the Automation Stitch, resulting in an Address Object being created for the individual remote IP associated with the failed login.
|
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.