FortiGate
rvillaroman
Staff
Article Id 220413
Description

SSL-VPN services may receive many unauthorized login attempts from attackers trying to exploit SSL-VPN vulnerabilities.

Even when access to the SSL-VPN service is restricted to specific users, addresses or countries, attackers can still send brute-force login attempts.

By default FortiGate rejects these logins, and they appear as 'ssl-login-fail' entries in the VPN event logs. This happens because attackers can still reach the SSL-VPN login prompt.


The unauthorized access is denied by FortiGate, but the SSL-VPN brute-force attempts remain visible in the VPN event logs.


Solution


Apply a local-in policy on the SSL-VPN listening external interface(s) to add a layer of security and limit unauthorized attempts against the SSL-VPN service.

1) Create a firewall address for the specific IP, subnet or country that should be restricted from accessing the SSL-VPN.

In this example a specific subnet is blocked.


# config firewall address
    edit "Restricted_IP"
        set uuid 4b2be272-153f-51ed-b8ef-9687643c13e0
        set subnet 10.10.10.0 255.255.255.0
    next
end


2) Create a local-in policy that references the firewall address created above as the source to restrict.


# config firewall local-in-policy
    edit 1
        set uuid ff5fa2f0-1540-51ed-a15b-187cd2340827
        set intf "port1"
        set srcaddr "Restricted_IP"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set comments "restrict_test"
    next
end


Once the local-in policy is applied, attackers in the specified subnet will no longer be able to reach the SSL-VPN service, not even the login prompt.
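As an added example (not part of the original article), the following Python script shows how the two steps above can be driven from the 'ssl-login-fail' VPN event logs: it counts failed SSL-VPN logins per source IP over constructed FortiGate-style key=value log lines (the field names remip, action and subtype, the threshold, the address names and the policy ID are assumptions) and emits the matching "config firewall address" and "config firewall local-in-policy" CLI snippet, omitting "set uuid" since FortiOS assigns it automatically.

```python
import re
from collections import Counter

# Constructed sample VPN event log lines in FortiGate key=value style (not real logs).
SAMPLE_LOGS = [
    'date=2022-08-10 time=08:00:01 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="admin"',
    'date=2022-08-10 time=08:00:02 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="root"',
    'date=2022-08-10 time=08:00:03 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="test"',
    'date=2022-08-10 time=08:00:04 type="event" subtype="vpn" action="tunnel-up" remip=198.51.100.7 user="alice"',
    'date=2022-08-10 time=08:00:05 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="alice"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def failed_login_sources(lines, threshold):
    """Return {remip: count} for sources with at least `threshold` ssl-login-fail events."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec.get("subtype") == "vpn" and rec.get("action") == "ssl-login-fail" and "remip" in rec:
            counts[rec["remip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def local_in_block_config(ips, intf, policy_id):
    """Build the FortiOS CLI snippet: one /32 firewall address per IP, then a local-in
    policy on `intf` whose srcaddr lists those addresses (action omitted, as in the article)."""
    sorted_ips = sorted(ips)
    names = ["Blocked_" + ip.replace(".", "_") for ip in sorted_ips]
    out = ["config firewall address"]
    for ip, name in zip(sorted_ips, names):
        out += [f'    edit "{name}"', f"        set subnet {ip} 255.255.255.255", "    next"]
    out += ["end", "config firewall local-in-policy", f"    edit {policy_id}",
            f'        set intf "{intf}"',
            "        set srcaddr " + " ".join(f'"{n}"' for n in names),
            '        set dstaddr "all"', '        set service "ALL"', '        set schedule "always"',
            '        set comments "ssl-login-fail sources"', "    next", "end"]
    return "\n".join(out)


if __name__ == "__main__":
    # Three or more failed logins from one source is the constructed threshold for this demo.
    offenders = failed_login_sources(SAMPLE_LOGS, threshold=3)
    print(local_in_block_config(offenders, "port1", 1))
```

The generated snippet is meant to be reviewed before being pasted into the CLI, and the threshold should be tuned so that legitimate users who mistype a password are not blocked.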

 

Sample Output: (screenshot)


Note:

Local-in policies can only be configured from the CLI. To enable Local In Policy visibility in the GUI, go to System -> Feature Visibility and enable it under the Additional Features section.

Comments
janonuevo
Staff

Wow! It worked!