FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 224096

This article how to process when there is brute force attack on SSL-VPN login attempts with random users/unknown users and how to protect from SSL-VPN brute-force logins.

Attacker is trying to use dynamic IP address and random admin user account to login via SSL-VPN.

Scope FortiGate.

In this situation, process as below:


1) Use strong passwords for all accounts:

This includes password rules like in this example:


- Passwords must have a minimum length of 12 characters.

- Passwords must contain numbers.

- Passwords must contain special characters.

- Passwords must contain upper '-' and lowercase letters.

- Passwords must have an age below 8 weeks.


2) Implement Two-factor authentication for all accounts:

Two-factor authentication prevents an attacker from being able to log in to an account only with a username and password.

With the third factor, the attacker needs access to additional information like the smartphone (in case of push token) or a 6-digit number (in case of mobile or hardware Tokens).


Related document:


3) Ensure, that admin users have no access to the SSL-VPN portal.

It is recommended to differentiate user accounts that are allowed to access VPN solutions and administrative accounts that are only allowed to access the administrative interfaces. 


4) Change the listening Port for the SSL-VPN portal.

Using another port is an easy but effective measurement if an attacker is only probing the default port of an application.

Do not forget to change the port on all VPN clients too. Otherwise, the connection will break.


Related document:


5) Limit the count of failed login attempts until the user is banned.

There is a KB article regarding the implementation of a login limit for SSL-VPN:


6) Restrict the source IP address area.

If users only need access to the SSL-VPN portal from a specific source address or range, it is possible to limit the allowed source addresses to those addresses nd  also restrict users based on country or geography addresses.


There is a KB article that explains everything (note the last part too):