Description
SSL-VPN services may experience multiple unauthorized access, trying to exploit its vulnerability.
Even if specified users are restricted, addresses, country to access the SSL-VPN services, attackers are still sending brute-force attacks.
By default, it is filtered by the FortiGate and see 'ssl-login-fail' on VPN event logs.
This is because attackers are still able to access the SSL-VPN login prompt.
This unauthorized access is denied by FortiGate, but SSL-VPN brute force will still be visible attempt on the VPN events logs.
Solution
To apply local-in policy on the SSL-VPN Listening External Interface(s) to add security and limit unauthorized attempts on SSL VPN services.
1) Create a firewall address on the specific IP, subnets, country to restrict access on the SSL-VPN.
In this example we are going to block a specific subnet.
# config firewall address
edit "Restricted_IP"
set uuid 4b2be272-153f-51ed-b8ef-9687643c13e0
set subnet 10.10.10.0 255.255.255.0
next
end
2) Create a local-in policy and apply the created firewall address to restrict.
# config firewall local-in-policy
edit 1
set uuid ff5fa2f0-1540-51ed-a15b-187cd2340827
set intf "port1"
set srcaddr "Restricted_IP"
set dstaddr "all"
set service "ALL"
set schedule "always"
set comments "restrict_test"
next
end
Once the local-in policy is applied the attacker under specified subnet will no longer able to reach the SSL-VPN even login prompt.
Sample Output:
Note:
Local-in policy is only available from CLI. To enable the local in policy go to System -> Feature Visibility under the Additional Features section.
