Description
This article describes that SSL VPN services may experience multiple unauthorized access, trying to exploit its vulnerability.
Even if specified users are restricted, addresses, and countries to access the SSL VPN services, attackers are still sending brute-force attacks.
By default, it is filtered by FortiGate and sees 'ssl-login-fail' on VPN event logs.
This is because attackers can still access the SSL VPN login prompt.
FortiGate denies this unauthorized access, but SSL-VPN brute force will still be a visible attempt on the VPN events logs.
Scope
FortiGate.
Solution
To apply a local-in policy on the SSL VPN Listening External Interface(s) to add security and limit unauthorized attempts on SSL VPN services.
- Create a firewall address on the specific IP, subnets, and country to restrict access to the SSL VPN.
In this example, a specific subnet will be blocked.
config firewall address
edit "Restricted_IP"
set subnet 10.10.10.0 255.255.255.0
next
end
- Create a local-in policy and apply the created firewall address to restrict.
config firewall local-in-policy
edit 1
set intf "port1"
set srcaddr "Restricted_IP"
set dstaddr "all"
set service "ALL"
set schedule "always"
set comments "restrict_test"
next
end
Once the local-in policy is applied the attacker under the specified subnet will no longer be able to reach the SSL VPN even the login prompt.
Sample Output:
Note:
It is possible to have GUI visibility for this feature when it is enabled under System -> Feature Visibility -> Additional Features -> Local In Policy.
While local-in policies can only be configured via the CLI in earlier versions, starting from v7.6.0, they can be configured directly through the GUI.
