FortiGate
nevan
Staff
Article Id 328485
Description This article describes how to use an IOC feed as an external resource in FortiGate to restrict random users on the internet from logging in to SSL VPN.
Scope FortiOS, FortiGate.
Solution
The SSL VPN in FortiGate lets remote, internet-connected users reach a private network over the VPN. In most cases, if the default portal configuration for web-based access (for example the public IP, web port, etc.) is left unchanged, random, unexpected users without valid access rights will be seen trying to log in from the internet.
This event can be checked from the SSL VPN event log with the message 'SSL user failed to logged in'. 

To reduce these login attempts and restrict such users, an IOC setup can be used in which a server maintains a list of the suspicious or invalid source IP addresses, and that list is consumed as an external resource in FortiGate. The IPs learned from the IOC feed are added to the resource database in FortiOS and can be used in restriction rules. Here is the procedure to configure the external resource.
 
CLI:
 
config system external-resource
    edit "<ext-resource-name>"
        set type address
        set username "LEN"
        set password ENC ****
        set resource "http://x.x.x.x:80/"
        set source-ip x.x.x.x
    next
end

The resource list then has to be negated in the SSL VPN settings, so that only source addresses that do not match the list are allowed to connect.

config vpn ssl setting
    set source-address "<ext-resource-name>"
    set source-address-negate enable <--
end

Alternatively, the same restriction can be applied with a local-in policy as follows; with no action set, the policy's default action, deny, is enforced.
 
config firewall local-in-policy
    edit 1
        set intf "ssl.root"
        set srcaddr "<ext-resource-name>" <--
        set dstaddr "<add>"
        set service "10443"
        set schedule "always"
    next
end
 
Note: It is always recommended to change the default listening port for the SSL VPN and use a custom port instead of 10443.
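As an added example (not part of this article or of FortiOS), the following Python script shows what the IOC server side of this setup could look like: it parses FortiOS SSL VPN event-log lines for the 'SSL user failed to logged in' message quoted above, counts failures per source IP, and emits one IP per line, the plain-text layout an 'address' type external resource fetches over HTTP. The sample log lines, the field names other than msg and remip, the failure threshold and the output file name are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample FortiOS SSL VPN event-log lines (not taken from the article);
# field names follow the FortiOS key=value layout, msg is the one the article cites.
SAMPLE_LOGS = """\
date=2024-05-01 time=08:00:01 type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=203.0.113.10 user="admin" msg="SSL user failed to logged in"
date=2024-05-01 time=08:00:04 type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=203.0.113.10 user="root" msg="SSL user failed to logged in"
date=2024-05-01 time=08:00:09 type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=203.0.113.10 user="test" msg="SSL user failed to logged in"
date=2024-05-01 time=08:01:30 type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=198.51.100.7 user="jsmith" msg="SSL user failed to logged in"
date=2024-05-01 time=08:02:00 type="event" subtype="vpn" level="information" logdesc="SSL VPN tunnel up" action="tunnel-up" remip=198.51.100.7 user="jsmith" msg="SSL tunnel established"
"""

FAIL_MSG = "SSL user failed to logged in"  # log message quoted in the article
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log_line(line: str) -> dict:
    """Split a FortiOS key=value log line into a dict, stripping quotes."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def failed_login_sources(log_text: str) -> Counter:
    """Count SSL VPN login failures per remote IP (remip); other events are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec.get("msg") == FAIL_MSG and "remip" in rec:
            counts[rec["remip"]] += 1
    return counts

def build_feed(counts: Counter, threshold: int = 3) -> list:
    """Return the feed body: one IP per line, most-failing sources first.
    Only sources with >= threshold failures are listed (threshold is an assumed
    value), and anything that is not a valid IP is dropped so one bad entry
    cannot make the FortiGate reject the whole list."""
    entries = []
    for ip, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        if n < threshold:
            continue
        try:
            entries.append(str(ipaddress.ip_address(ip)))
        except ValueError:
            continue
    return entries

if __name__ == "__main__":
    # Write the plain-text list that the external resource URL will serve.
    with open("sslvpn-blocklist.txt", "w") as fh:
        fh.write("\n".join(build_feed(failed_login_sources(SAMPLE_LOGS))) + "\n")
```

The generated file is what the `set resource "http://x.x.x.x:80/"` URL in the external-resource configuration above would point at.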

Related Articles:
Technical Tip: Getting alert logs frequently on FortiGate for 'SSL failed users' from the unknown pu...
Technical Tip: Block SSL VPN failed logins with an automation stitch