FortiGate
Rosalyn
Staff
Article Id 249506
Description This article explains how to harden security when multiple unauthorized users are found trying to access SSL VPN web mode.
Scope FortiGate.
Solution

Sometimes unknown or unauthorized users appear to have connected via SSL VPN web mode, even when web mode is not enabled in the SSL VPN settings.

All of these unknown or unauthorized users show 0 bytes of data transferred.

When checking the FortiGate VPN event log, it shows 'SSL user failed to logged in' events:

date=2023-03-18 time=14:30:43 id=7211770051609755653 itime="2023-03-18 14:31:03" euid=1039 epid=3 dsteuid=3 dstepid=3 logver=700100450 logid=0101039426 type="event" subtype="vpn" level="alert" action="ssl-login-fail" msg="SSL user failed to logged in" logdesc="SSL VPN login fail" user="test" remip=10.212.134.12 group="N/A" tunnelid=0 tunneltype="ssl-web" dst_host="N/A" reason="sslvpn_login_permission_denied" eventtime=1679121043611327535 tz="+0800" devid="FGVM04TMxxxxxxx" vd="root" dtime="2023-03-18 14:30:43" itime_t=1679121063 devname=" FGVM04TMxxxxxxx " 

In fact, those unauthorized users never log in to SSL VPN successfully.

However, the events show that someone on the Internet is trying to access the SSL VPN web mode.

If SSL VPN web mode is used, remove the SSL VPN login portal by referring to: Technical Tip: How to prevent the SSL-VPN web login portal from displaying when SSL-VPN web mode is ....

Furthermore, it is possible to block those unauthorized users' WAN IPs with a local-in policy, which also prevents them from trying to access SSL VPN via FortiClient.

To configure a local-in policy using the CLI:

config firewall {local-in-policy | local-in-policy6}
    edit <policy_number>
        set intf <interface>
        set srcaddr <source_address> [source_address] ...
        set dstaddr <destination_address> [destination_address] ...
        set action {accept | deny}
        set service <service_name> [service_name] ...
        set schedule <schedule_name>
    next
end
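The following script ties the two halves of this article together: it parses FortiGate VPN event lines in the key=value format shown above, counts 'ssl-login-fail' events per remote IP (the remip= field), and renders the address objects, address group and deny local-in policy using the CLI syntax listed above. It is an added example, not code from the article or from Fortinet. The sample log lines are constructed in the same field layout as the article's event line; the WAN interface name "wan1", the service object "SSLVPN_PORT" (assumed to already exist and match the port set under 'config vpn ssl settings'), the group name "SSLVPN_BLOCKLIST" and local-in policy ID 1 are all assumptions.

```python
"""Added example (not from the Fortinet article): find source IPs with repeated
'ssl-login-fail' VPN events and render the local-in policy CLI that denies them.

Assumptions (not from the article): WAN interface "wan1", an existing firewall
service object "SSLVPN_PORT" matching the SSL VPN port, and local-in policy ID 1
being unused.
"""
import re
from collections import Counter
from ipaddress import ip_address

# FortiOS logs are key=value pairs; quoted values may contain spaces
# (e.g. devname=" FGVM04TMxxxxxxx "), so quoted and bare values are matched separately.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_log(line):
    """Return one FortiOS key=value log line as a dict."""
    return {key: quoted or bare for key, quoted, bare in _KV_RE.findall(line)}


def failed_ssl_logins(lines):
    """Count SSL VPN login failures per remote IP (the remip= field)."""
    counts = Counter()
    for line in lines:
        rec = parse_fortios_log(line)
        if rec.get("subtype") != "vpn" or rec.get("action") != "ssl-login-fail":
            continue  # tunnel-up/down and other VPN events are not login failures
        try:
            counts[str(ip_address(rec.get("remip", "")))] += 1
        except ValueError:
            continue  # missing or malformed remip
    return counts


def offenders(lines, threshold=3):
    """Source IPs with at least `threshold` failed SSL VPN logins, sorted."""
    return sorted(ip for ip, n in failed_ssl_logins(lines).items() if n >= threshold)


def local_in_policy_cli(ips, intf="wan1", service="SSLVPN_PORT",
                        policy_id=1, group="SSLVPN_BLOCKLIST"):
    """Render FortiOS CLI: /32 address objects, an address group, and a deny
    local-in policy in the syntax shown in the article."""
    if not ips:
        return ""
    names = [f"BLOCK_{ip}" for ip in ips]
    out = ["config firewall address"]
    for name, ip in zip(names, ips):
        out += [f'    edit "{name}"',
                f"        set subnet {ip} 255.255.255.255",
                "    next"]
    out += ["end", "config firewall addrgrp", f'    edit "{group}"',
            "        set member " + " ".join(f'"{n}"' for n in names),
            "    next", "end",
            "config firewall local-in-policy", f"    edit {policy_id}",
            f'        set intf "{intf}"',
            f'        set srcaddr "{group}"',
            '        set dstaddr "all"',
            "        set action deny",
            f'        set service "{service}"',
            '        set schedule "always"',
            "    next", "end"]
    return "\n".join(out)


def _fail_line(time, user, remip):
    # Constructed sample line in the same field layout as the article's event.
    return (f'date=2023-03-18 time={time} logid=0101039426 type="event" subtype="vpn" '
            f'level="alert" action="ssl-login-fail" msg="SSL user failed to logged in" '
            f'user="{user}" remip={remip} group="N/A" tunneltype="ssl-web" '
            f'reason="sslvpn_login_permission_denied" devname=" FGVM04TMxxxxxxx "')


# Constructed sample log: one address fails three times, another once, plus a
# successful tunnel-up event that must not be counted.
SAMPLE_LOG = [
    _fail_line("14:30:43", "test", "10.212.134.12"),
    _fail_line("14:30:51", "admin", "10.212.134.12"),
    _fail_line("14:31:02", "guest", "10.212.134.12"),
    _fail_line("14:35:17", "test", "203.0.113.77"),
    'date=2023-03-18 time=14:40:00 type="event" subtype="vpn" level="information" '
    'action="tunnel-up" user="alice" remip=198.51.100.5 tunneltype="ssl-tunnel"',
]

if __name__ == "__main__":
    print(local_in_policy_cli(offenders(SAMPLE_LOG)))
```

Running the script prints the CLI for the single address that crossed the threshold; review the generated address objects before pasting them into the FortiGate, and adjust the threshold to match how noisy the WAN interface is.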