Created on 08-22-2023 07:13 AM Edited on 08-22-2023 07:37 AM By Stephen_G
Description: This article describes how to prevent malicious actors from using brute-force attacks on the FortiGate to access SSL-VPN.

Scope: FortiGate.

Solution:
Attackers favour the Tor network for the anonymity it provides, so a large share of brute-force attempts against SSL-VPN originate from Tor exit nodes. The method below only works when SSL-VPN is configured to listen exclusively on a loopback interface.
Neither the SSL-VPN settings nor local-in policies currently accept ISDB (Internet Service Database) addresses. ISDB objects for Tor exit nodes, Tor relays, and VPN anonymizers can, however, be used as the source of a firewall policy placed above the SSL-VPN policy, so that traffic from those sources is dropped before it reaches the VPN listener.
First, create a loopback interface with a dummy IP address which will not be reachable:
Next, create a service for a TCP port which will be used to listen for SSL-VPN connections:
Create a VIP to forward the traffic from WAN to the loopback interface as follows:
Configure SSL-VPN to listen on the loopback interface and port 14144 as follows:
Configure firewall policies to block the traffic coming from TOR IPs but to allow access to valid users as follows:
When ISDB objects are used as the source of a firewall policy, the VIP cannot be selected as that policy's destination (in this case Policy ID 8, 'Block TOR').
Optionally, enable 'match-vip' on that deny policy from the CLI, so that the policy also matches traffic whose destination has been translated by the VIP:
config firewall policy
    edit "8"
        set match-vip enable
    next
end
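The complete CLI equivalent of the steps above, as an added example that is not part of the original article. Interface name "sslvpn_lo", dummy address 10.255.255.1/32, WAN interface "wan1", WAN address 203.0.113.10, service "SSLVPN_14144", VIP "SSLVPN_VIP" and policy IDs 8 and 9 are all assumed values; the ISDB object names are assumed as well and should be confirmed against the Internet Service Database list on the firewall before use. Lines beginning with '#' are annotations, not CLI input.

```fortios
# Added example (not from the original article). All names, addresses and IDs are assumptions;
# ISDB object names must be confirmed against the firewall's Internet Service Database list.

# 1. Loopback interface with a dummy IP that is not reachable from any network
config system interface
    edit "sslvpn_lo"
        set vdom "root"
        set type loopback
        set ip 10.255.255.1 255.255.255.255
    next
end

# 2. Custom service for the SSL-VPN listening port
config firewall service custom
    edit "SSLVPN_14144"
        set tcp-portrange 14144
    next
end

# 3. VIP forwarding WAN:14144 to the loopback address (203.0.113.10 is a placeholder WAN IP)
config firewall vip
    edit "SSLVPN_VIP"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "10.255.255.1"
        set extport 14144
        set mappedport 14144
    next
end

# 4. SSL-VPN listens only on the loopback interface, on port 14144
config vpn ssl settings
    set source-interface "sslvpn_lo"
    set source-address "all"
    set source-address6 "all"
    set port 14144
end

# 5a. Deny policy with ISDB sources, kept above the allow policy.
#     The VIP cannot be chosen as dstaddr when ISDB objects are the source,
#     so dstaddr is "all" and match-vip makes the deny match traffic translated by the VIP.
#     logtraffic all records every blocked attempt for later review.
config firewall policy
    edit 8
        set name "Block TOR"
        set srcintf "wan1"
        set dstintf "sslvpn_lo"
        set internet-service-src enable
        set internet-service-src-name "Tor-Exit.Node" "Tor-Relay.Node" "VPN-Anonymizer"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "SSLVPN_14144"
        set match-vip enable
        set logtraffic all
    next
# 5b. Allow policy for all other sources reaching the VIP
    edit 9
        set name "Allow SSL-VPN"
        set srcintf "wan1"
        set dstintf "sslvpn_lo"
        set srcaddr "all"
        set dstaddr "SSLVPN_VIP"
        set action accept
        set schedule "always"
        set service "SSLVPN_14144"
        set logtraffic all
    next
    move 8 before 9
end
```

The usual policy from the SSL-VPN tunnel interface (ssl.root) to the internal network is unchanged and not shown. Forward traffic logs filtered on policy ID 8 give a running count of blocked Tor-sourced connection attempts, which is a useful indicator of an ongoing brute-force campaign.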