SSL-VPN services may receive repeated unauthorized access attempts from attackers trying to exploit the service.
Even when access to the SSL-VPN service is restricted to specific users, addresses or countries, attackers still send brute-force login attempts.
By default these attempts are rejected by the FortiGate and appear as 'ssl-login-fail' entries in the VPN event logs.
This is because attackers are still able to reach the SSL-VPN login prompt.
The unauthorized access is denied by the FortiGate, but every SSL-VPN brute-force attempt remains visible in the VPN event logs.
To add a layer of protection and limit unauthorized attempts against the SSL-VPN service, apply a local-in policy on the external interface(s) on which SSL-VPN is listening.
1) Create a firewall address for the specific IP, subnet or country whose access to the SSL-VPN should be restricted.
In this example, a specific subnet is blocked.
# config firewall address
edit "Restricted_IP"
set uuid 4b2be272-153f-51ed-b8ef-9687643c13e0
set subnet 10.10.10.0 255.255.255.0
next
end
2) Create a local-in policy and apply the firewall address created above to restrict access.
# config firewall local-in-policy
edit 1
set uuid ff5fa2f0-1540-51ed-a15b-187cd2340827
set intf "port1"
set srcaddr "Restricted_IP"
set dstaddr "all"
set service "ALL"
set schedule "always"
set comments "restrict_test"
next
end
Once the local-in policy is applied, attackers from the specified subnet will no longer be able to reach the SSL-VPN service, not even the login prompt.
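As an added example (not part of the original article), the following Python script counts 'ssl-login-fail' VPN event log entries per source IP and renders the firewall address and local-in policy configuration shown above for the repeat offenders. The log lines are constructed samples; the failure threshold, the address naming scheme, the use of one /32 address object per host and listing several objects in a single srcaddr are assumptions.

```python
import re
from collections import Counter

# Constructed sample FortiGate VPN event log lines (not real captures);
# field names follow the FortiOS key=value log format, with
# action="ssl-login-fail" marking rejected SSL-VPN logins.
SAMPLE_LOGS = """\
date=2023-01-10 time=10:01:02 logid="0101039426" type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=10.10.10.5 user="admin" reason="sslvpn_login_unknown_user"
date=2023-01-10 time=10:01:03 logid="0101039426" type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=10.10.10.5 user="test" reason="sslvpn_login_unknown_user"
date=2023-01-10 time=10:01:04 logid="0101039426" type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=10.10.10.5 user="root" reason="sslvpn_login_unknown_user"
date=2023-01-10 time=10:02:00 logid="0101039426" type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=192.0.2.7 user="bob" reason="sslvpn_login_unknown_user"
date=2023-01-10 time=10:02:30 logid="0101039947" type="event" subtype="vpn" level="information" action="tunnel-up" remip=192.0.2.7 user="bob"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def count_ssl_login_failures(log_text):
    """Count ssl-login-fail VPN events per remote IP (remip)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec.get("subtype") == "vpn" and rec.get("action") == "ssl-login-fail":
            counts[rec["remip"]] += 1
    return counts

def offending_sources(counts, threshold=3):
    """Sources with at least `threshold` failed logins (threshold is an assumption)."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def build_local_in_config(sources, intf="port1", policy_id=1):
    """Render the article's firewall address + local-in policy for each host.
    Assumptions: one /32 address object per host, all listed in one policy's
    srcaddr; uuid lines are omitted because FortiOS assigns them itself."""
    names = ["Restricted_IP_" + ip.replace(".", "_") for ip in sources]
    out = ["config firewall address"]
    for ip, name in zip(sources, names):
        out += [f'    edit "{name}"', f"        set subnet {ip} 255.255.255.255", "    next"]
    out += ["end", "config firewall local-in-policy", f"    edit {policy_id}",
            f'        set intf "{intf}"',
            "        set srcaddr " + " ".join(f'"{n}"' for n in names),
            '        set dstaddr "all"', '        set service "ALL"',
            '        set schedule "always"', '        set comments "ssl-vpn brute-force sources"',
            "    next", "end"]
    return "\n".join(out)
```

Feed real VPN event log exports to `count_ssl_login_failures` and review the rendered configuration before applying it, since the policy blocks all traffic from the listed hosts to the interface.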
Sample Output:
Note:
Local-in policy can only be configured from the CLI. To enable the local-in policy feature, go to System -> Feature Visibility and enable it under the Additional Features section.
Copyright 2023 Fortinet, Inc. All Rights Reserved.