Kush_Patel (Staff)
Article Id 269785
Description: This article describes how to prevent malicious actors from using brute-force attacks on the FortiGate to access SSL VPN.
Scope: FortiGate.
Solution:

Attackers frequently rely on the TOR network for brute-force attacks because it gives them a high degree of anonymity. By using ISDB (Internet Service Database) objects, the FortiGate can be configured to block SSL VPN login attempts from known databases of IP addresses, for example: VPN-Anonymous.VPN, Tor-Relay.Node, Tor-Exit.Node, Malicious-Malicious.Server.

In v7.6.0+, there is the option to configure a local-in policy via the GUI. ISDB objects are also directly selectable within the local-in policy (starting with v7.6.1).

Below v7.6.1, ISDB objects are only selectable within Firewall Policies.

Prerequisite:

Ensure that the FortiGate is set to use the 'full' version of the Internet Service DataBase:

    config sys global
        set internet-service-database full
    end

    execute update-now

The SSL VPN must listen on a loopback interface instead of the WAN interface, so that a firewall policy (where ISDB objects can be applied) is required for traffic to reach the VPN.

  1. Create a loopback interface with a dummy IP address that will not be reachable.
  2. Create a service for the TCP port that will be used to listen for SSL VPN connections.
  3. Create a VIP to forward the traffic from the WAN to the loopback interface (here, 0.0.0.0 is an example WAN IP).
  4. Configure SSL VPN to listen on the loopback interface and port 14144.
  5. Configure firewall policies to block the traffic coming from TOR IPs but allow access to valid users.

The following ISDB objects can be added to the blocked list:

  • VPN-Anonymous.VPN
  • Tor-Relay.Node
  • Tor-Exit.Node
  • Malicious-Malicious.Server
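
The five steps above, expressed as the equivalent FortiOS CLI configuration; this is an added illustration and not part of the original article. The interface name sslvpn-lo, the loopback address 10.255.255.1, wan1 as the WAN interface, the object names and the policy IDs 7 and 8 are assumed placeholders; the deny policy must be ordered above the allow policy.

```fortios
# Step 1: loopback with an unreachable dummy address (assumed 10.255.255.1)
config system interface
    edit "sslvpn-lo"
        set type loopback
        set ip 10.255.255.1 255.255.255.255
    next
end
# Step 2: custom service for the SSL VPN listening port
config firewall service custom
    edit "SSLVPN-14144"
        set tcp-portrange 14144
    next
end
# Step 3: VIP forwarding WAN:14144 to the loopback (extip is the WAN address, 0.0.0.0 in the article)
config firewall vip
    edit "SSLVPN-VIP"
        set extip 0.0.0.0
        set extintf "wan1"
        set portforward enable
        set mappedip "10.255.255.1"
        set extport 14144
        set mappedport 14144
    next
end
# Step 4: SSL VPN listens on the loopback only
config vpn ssl settings
    set source-interface "sslvpn-lo"
    set port 14144
end
# Step 5: deny ISDB sources (policy 7, ordered first), then allow all other sources to the VIP (policy 8)
config firewall policy
    edit 7
        set srcintf "wan1"
        set dstintf "sslvpn-lo"
        set action deny
        set internet-service-src enable
        set internet-service-src-name "VPN-Anonymous.VPN" "Tor-Relay.Node" "Tor-Exit.Node" "Malicious-Malicious.Server"
        set dstaddr "SSLVPN-VIP"
        set schedule "always"
        set service "SSLVPN-14144"
    next
    edit 8
        set srcintf "wan1"
        set dstintf "sslvpn-lo"
        set action accept
        set srcaddr "all"
        set dstaddr "SSLVPN-VIP"
        set schedule "always"
        set service "SSLVPN-14144"
    next
end
```

Because the allow policy uses the VIP itself as destination rather than 'all', it does not depend on the match-vip option discussed in the note below.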


Further, to check if any of the IPs from which the login attempts are originating belong to known databases (ISDB), follow this process:


Navigate to Log & Report -> System Events -> VPN Events and add a column for 'Remote IP'. Apply the filter 'SSL user failed to log in' under Message. The IPs listed under 'Remote IP' can then be cross-referenced against the ISDB on the CLI:

    diagnose internet-service match root <Remote IP> 255.255.255.255

The output shows whether the 'Remote IP' belongs to any known ISDB database.

Note: When using 'all' as the destination, the traffic may sometimes fail to match and subsequently get allowed, so it is recommended to enable the 'match-vip' option using the CLI as follows:

    config firewall policy
        edit 8
            set match-vip enable
        next
    end

The match-vip option is disabled by default up to and including v7.2.3; in versions after v7.2.3 it is enabled by default.

Alternatively, try selecting the specific VIP as the destination to match the policy:


Related articles:

Technical Tip: Virtual IP (VIP) port forwarding configuration

Troubleshooting Tip: VIP traffic not matching the firewall policy with an 'all' destination

SSL VPN security best practices