Created on 08-22-2023 07:13 AM
Edited on 02-03-2025 12:35 AM
By Anthony_E
Description: This article describes how to prevent malicious actors from using brute-force attacks on the FortiGate to access SSL VPN.
Scope: FortiGate.
Solution:
Attackers use the Tor network for the high degree of anonymity it offers, which is why brute-force attacks frequently originate from within this network. By employing ISDB objects, the FortiGate can be configured to block SSL VPN login attempts from known databases of IP addresses, for example VPN-Anonymous.VPN, Tor-Relay.Node, Tor-Exit.Node and Malicious-Malicious.Server. From v7.6.0 onwards, a local-in policy can also be configured via the GUI.
ISDB objects can be applied directly as the source address in a local-in policy from v7.4.4 onwards. Below v7.4.4, ISDB objects can be used as a source only within firewall policies. The following documents give further information on this feature:
- ISDB as source address in Local-in policy
- KB article explaining ISDB as source address in Local-in policy
Prerequisite: ensure that the FortiGate is set to use the 'full' version of the Internet Service Database, then trigger an update:
    config sys global
        set internet-service-database full
    end
    execute update-now
With the firewall-policy approach, the SSL VPN must instead listen on a loopback interface, so that a firewall policy (which can carry the ISDB objects as source) is required to reach the VPN.
The ISDB objects named above (VPN-Anonymous.VPN, Tor-Relay.Node, Tor-Exit.Node, Malicious-Malicious.Server) can be added to the blocked list.
Further, to check whether any of the IPs from which the login attempts originate belong to known ISDB databases, follow this process:
Navigate to Log & Report -> System Events -> VPN Events and add a column for 'Remote IP'. Apply the filter 'SSL user failed to log in' under Message. The IPs listed under 'Remote IP' can then be cross-referenced against the ISDB on the CLI:
diagnose internet-service match root <Remote IP> 255.255.255.255
This will show if the 'Remote IP' is part of any known databases.
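The same cross-reference can be prepared offline from exported VPN event logs. The following script is an added example, not part of the article or of FortiOS: it parses FortiGate-style key=value event log lines (the sample lines and their IP addresses are constructed for this example), keeps only those whose msg is 'SSL user failed to log in', groups them by remote IP together with the usernames tried from that IP, and emits the 'diagnose internet-service match' command from the article for each source above a chosen failure threshold. Field names (remip, user, msg) follow the FortiOS log layout; the threshold and the 'root' VDOM are assumptions for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of FortiGate VPN event log lines in the key=value syslog
# layout (field names such as remip, user and msg follow FortiOS conventions).
# These entries are made up for this example; they are not logs from the article.
SAMPLE_LOGS = """\
date=2023-08-22 time=07:10:01 type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=203.0.113.10 user="admin" reason="sslvpn_login_unknown_user" msg="SSL user failed to log in"
date=2023-08-22 time=07:10:02 type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=203.0.113.10 user="root" reason="sslvpn_login_unknown_user" msg="SSL user failed to log in"
date=2023-08-22 time=07:10:03 type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=203.0.113.10 user="test" reason="sslvpn_login_unknown_user" msg="SSL user failed to log in"
date=2023-08-22 time=07:11:00 type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" remip=198.51.100.7 user="jdoe" msg="SSL tunnel established"
date=2023-08-22 time=07:12:15 type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=198.51.100.7 user="jdoe" reason="sslvpn_login_permission_denied" msg="SSL user failed to log in"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The Message filter the article applies in Log & Report -> System Events.
FAILED_LOGIN_MSG = "SSL user failed to log in"


def parse_log_line(line):
    """Split one key=value log line into a dict, stripping quotes from values."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def failed_login_stats(log_text):
    """Group failed SSL VPN logins by remote IP: failure count and distinct
    usernames tried. This mirrors reading the 'Remote IP' column after
    filtering on the failure message, and additionally shows whether one
    source is cycling through many usernames."""
    failures = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields.get("msg") != FAILED_LOGIN_MSG or "remip" not in fields:
            continue
        ip = fields["remip"]
        failures[ip] += 1
        if "user" in fields:
            users[ip].add(fields["user"])
    return {ip: {"failures": n, "users": sorted(users[ip])} for ip, n in failures.items()}


def isdb_lookup_commands(stats, min_failures=1, vdom="root"):
    """Build the 'diagnose internet-service match' command from the article for
    every remote IP with at least min_failures failed logins, most failures
    first, ready to be pasted into the FortiGate CLI. The vdom name is an
    assumption for this example."""
    ranked = sorted(stats.items(), key=lambda item: (-item[1]["failures"], item[0]))
    return [f"diagnose internet-service match {vdom} {ip} 255.255.255.255"
            for ip, info in ranked if info["failures"] >= min_failures]


if __name__ == "__main__":
    stats = failed_login_stats(SAMPLE_LOGS)
    for ip, info in stats.items():
        print(f"{ip:16} failures={info['failures']:3} users={','.join(info['users'])}")
    print()
    for cmd in isdb_lookup_commands(stats, min_failures=2):
        print(cmd)
```

Feed the script a log export instead of SAMPLE_LOGS and run the printed commands on the FortiGate; any source that the ISDB reports as part of a Tor or anonymous-VPN object is a candidate for the blocking policy described above.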
Note: When using 'all' as the destination, the traffic may sometimes fail to match the policy and subsequently be allowed, so it is recommended to enable the 'match-vip' option on the deny policy using the CLI as follows:
    config firewall policy
        edit "8"
            set match-vip enable
        next
    end
The match-vip option is disabled by default up to v7.2.3; in versions after v7.2.3 it is enabled by default. 'set match-vip' is only available when the policy action is set to 'deny'. Alternatively, select the specific VIP as the destination so that the policy matches:
Related documents:
- Technical Tip: Virtual IP (VIP) port forwarding configuration
- Troubleshooting Tip: VIP traffic not matching the firewall policy with an 'all' destination
Copyright 2025 Fortinet, Inc. All Rights Reserved.