FortiGate
Article Id 333869
Description

This article describes how to remove IP addresses from the SSL VPN blocklist after they were added because of multiple failed login attempts. When an SSL VPN user exceeds 'login-attempt-limit', FortiGate temporarily places the user's source IP address in the SSL VPN blocklist for the number of seconds specified by 'login-block-time' under 'config vpn ssl setting', as shown below.

config vpn ssl setting
    set login-attempt-limit 2     <-- Default.
    set login-block-time 60       <-- Default.
end

In this example, the SSL VPN user will be locked out for 60 seconds if that user enters the wrong credentials twice.

FortiClient will show this error message: 'SSLVPN connection is down: Too many bad login attempts. Please try again in a few minutes.' and the debug output on the FortiGate will show the following messages:

[2811:root:4d]fsv_blocklist_check:65 locked: rowid=1,host=192.168.10.2
[2811:root:4d]req: /remote/logincheck

Scope
FortiOS 7.2.6 and above, 7.4.1 and above, 7.6.x.
Solution

The 'diagnose vpn ssl blocklist' command lists, counts, or removes IP addresses in the SSL VPN blocklist:

diagnose vpn ssl blocklist ?
list     List SSL-VPN blocklist
count    Print counts of SSL-VPN blocklist
del      Del SSL-VPN blocklist

The output of 'diagnose vpn ssl blocklist list' shows one IP address (192.168.10.2) in the blocklist.

(Screenshot: list.png)

To view the blocked IP address in the FortiGate GUI, add the 'Top Failed Authentication' monitor to the Dashboard.

(Screenshot: Failed auth -1.PNG)

Once the monitor is added, it shows the failed login attempts on the firewall. The Login type column identifies the type of login attempt being made; to see only the SSL VPN failures, filter the Login type column by typing 'SSL-VPN'. This monitor only displays the failed attempts; the blocked user must be unblocked from the CLI.

(Screenshot: Failed auth -2.PNG)

To remove 192.168.10.2 from the blocklist, run the following command:

diagnose vpn ssl blocklist del 192.168.10.2

(Screenshot: del.png)

After running the command, 192.168.10.2 is no longer in the blocklist.
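As an added example that is not part of the original article, the following Python script parses the fsv_blocklist_check 'locked' lines shown in the Description from a constructed debug sample, counts how often each blocked host hit the blocklist, and generates the 'diagnose vpn ssl blocklist del' command only for hosts an operator has confirmed as legitimate, leaving any other blocked host for review. The sample lines, the second host 10.0.0.7 and the known_good list are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample of FortiGate SSL VPN debug output (not captured from a
# real device). fsv_blocklist_check emits a 'locked' line each time a source
# IP that is currently in the SSL VPN blocklist tries to log in again.
SAMPLE_DEBUG = """\
[2811:root:4d]fsv_blocklist_check:65 locked: rowid=1,host=192.168.10.2
[2811:root:4d]req: /remote/logincheck
[2811:root:4e]fsv_blocklist_check:65 locked: rowid=1,host=192.168.10.2
[2811:root:4e]req: /remote/logincheck
[2811:root:4f]fsv_blocklist_check:65 locked: rowid=2,host=10.0.0.7
[2811:root:4f]req: /remote/logincheck
"""

# Captures the blocklist row id and the blocked host from a 'locked' line.
LOCKED_RE = re.compile(
    r"fsv_blocklist_check:\d+ locked: rowid=(?P<rowid>\d+),host=(?P<host>[0-9a-fA-F.:]+)"
)


def blocked_hosts(debug_text):
    """Return {host: number of 'locked' lines} for every blocked host seen."""
    hits = Counter()
    for line in debug_text.splitlines():
        m = LOCKED_RE.search(line)
        if m:
            hits[m.group("host")] += 1
    return dict(hits)


def unblock_commands(debug_text, known_good):
    """Build 'diagnose vpn ssl blocklist del <ip>' commands only for hosts an
    operator has confirmed as legitimate (known_good). Blocked hosts not on
    that list stay blocked and are returned separately for investigation,
    since a lockout can also be the trace of a password-guessing attempt."""
    hits = blocked_hosts(debug_text)
    commands = [f"diagnose vpn ssl blocklist del {h}" for h in sorted(hits) if h in known_good]
    suspicious = sorted(h for h in hits if h not in known_good)
    return commands, suspicious


if __name__ == "__main__":
    cmds, review = unblock_commands(SAMPLE_DEBUG, known_good={"192.168.10.2"})
    print("\n".join(cmds))
    print("still blocked, review before unblocking:", review)
```

The generated commands are meant to be reviewed and pasted into the FortiGate CLI by an operator, not executed automatically.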

Related articles:

Technical Tip: How to limit SSL VPN login attempts and block duration