dbhavsar
Staff
Article Id 301958
Description This article describes how to use an automation stitch to quarantine an IP address that fails to log in to SSL VPN.
Scope FortiGate 
Solution
  1. Create an automation stitch: Navigate to Security Fabric -> Automation -> Create New -> supply the name 'SSL_VPN_Login_Block'.
    Select Add Trigger -> Create -> FortiOS Event Log -> supply the name 'QuarantineSSLVPN-FailedIP' -> open the FortiOS Event Log: Search and add 'SSL VPN login fail' -> select Ok -> select Apply.


  2. Select Add Action -> Create -> CLI Script -> supply the name 'QuarantineIP' -> enter the script below -> select Administrator profile as 'super_admin' -> select Ok -> select Apply -> select Ok.

diagnose user quarantine add src4 %%log.remip%% 9504000 admin  <----- This will block IP for 110 days.


Note:

With this stitch in place, a single failed login attempt adds the source IP address to the banned list. It will be necessary to manually remove the IP address from the list to unban it.
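Because one failed attempt is enough to ban an address, it helps to check existing SSL VPN event logs for who would have been banned before enabling the stitch. The following is an added example, not part of the original article or Fortinet code: it reads exported log lines, lists every remip the trigger would have matched, and flags addresses that also had a successful session. The sample lines are constructed, and the 'SSL VPN tunnel up' success description is an assumption to adjust to the local logs.

```python
import ipaddress
import re

BAN_SECONDS = 9504000             # duration argument from the stitch's CLI script
FAIL_DESC = "SSL VPN login fail"  # event selected in the stitch trigger
OK_DESC = "SSL VPN tunnel up"     # assumption: logdesc of a successful session

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines in FortiOS key=value style (not real logs).
SAMPLE = [
    'date=2024-03-01 time=09:00:01 logdesc="SSL VPN login fail" remip=198.51.100.7 user="admin"',
    'date=2024-03-01 time=09:00:03 logdesc="SSL VPN login fail" remip=198.51.100.7 user="test"',
    'date=2024-03-01 time=09:00:05 logdesc="SSL VPN login fail" remip=198.51.100.7 user="vpn"',
    'date=2024-03-01 time=09:12:40 logdesc="SSL VPN login fail" remip=203.0.113.10 user="alice"',
    'date=2024-03-01 time=09:13:02 logdesc="SSL VPN tunnel up" remip=203.0.113.10 user="alice"',
    'date=2024-03-01 time=09:20:00 logdesc="SSL VPN tunnel up" remip=192.0.2.55 user="bob"',
    'date=2024-03-01 time=09:21:00 logdesc="SSL VPN login fail" remip=N/A user="carol"',
]

def parse_line(line):
    """Split one key=value log line into a dict, honouring quoted values."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in KV.findall(line)}

def ban_preview(lines):
    """Return {remip: {"fails", "users", "also_succeeded"}} for each IP the stitch would ban."""
    fails, ok_ips = {}, set()
    for line in lines:
        rec = parse_line(line)
        try:
            # The script uses 'src4', so only valid IPv4 addresses are counted.
            ip = str(ipaddress.IPv4Address(rec.get("remip", "")))
        except ipaddress.AddressValueError:
            continue
        if rec.get("logdesc") == FAIL_DESC:
            entry = fails.setdefault(ip, {"fails": 0, "users": set()})
            entry["fails"] += 1
            entry["users"].add(rec.get("user", ""))
        elif rec.get("logdesc") == OK_DESC:
            ok_ips.add(ip)
    for ip, entry in fails.items():
        entry["also_succeeded"] = ip in ok_ips  # likely a legitimate user's typo
    return fails

def ban_days():
    """Length of the quarantine in days."""
    return BAN_SECONDS / 86400

if __name__ == "__main__":
    print(f"ban length: {ban_days():.0f} days")
    for ip, e in sorted(ban_preview(SAMPLE).items()):
        print(ip, e["fails"], sorted(e["users"]), "REVIEW" if e["also_succeeded"] else "")
```

Addresses marked REVIEW failed once and then connected successfully, so they are the ones most likely to belong to real users who would be locked out for the full duration.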
