rvillaroman (Staff)
Article Id 220413
Description

SSL-VPN services may see many unauthorized access attempts that try to exploit vulnerabilities in the service.

Even when SSL-VPN access is restricted to specific users, source addresses and countries, attackers still send brute-force login attempts.

By default, these attempts are rejected by the FortiGate, and 'ssl-login-fail' entries appear in the VPN event logs.

This is because attackers can still reach the SSL-VPN login prompt.

FortiGate denies this unauthorized access, but the SSL-VPN brute-force attempts remain visible in the VPN event logs.

Scope

FortiGate.

Solution

Apply a local-in policy on the SSL VPN listening external interface(s) to add a layer of security and limit unauthorized attempts against the SSL VPN service.

  1. Create a firewall address for the specific IP, subnet or country whose access to the SSL VPN should be restricted.

In this example, a specific subnet will be blocked.

config firewall address
    edit "Restricted_IP"
        set subnet 10.10.10.0 255.255.255.0
    next
end

  2. Create a local-in policy and reference the firewall address created above as the source to restrict.

config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "Restricted_IP"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set comments "restrict_test"
    next
end

Once the local-in policy is applied, an attacker in the specified subnet can no longer reach the SSL VPN, not even the login prompt.
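As an added example (not from the article or from Fortinet), the following Python script parses FortiGate VPN event log lines for the 'ssl-login-fail' events described above, counts them per remote IP, and renders the same firewall address and local-in-policy CLI structure for the repeat offenders. The log lines, the address names, the failure threshold and the `port1` interface are constructed assumptions; review the generated output before applying it, because, like the article's policy, it drops all traffic from those sources that is addressed to the FortiGate itself.

```python
import re
from collections import Counter

# Constructed sample FortiGate VPN event log lines (key=value syslog format); not taken from the article.
SAMPLE_LOGS = """\
date=2022-08-10 time=10:21:00 type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=10.10.10.5 user="admin" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2022-08-10 time=10:21:02 type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=10.10.10.5 user="root" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2022-08-10 time=10:21:03 type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=10.10.10.5 user="test" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2022-08-10 time=10:21:09 type="event" subtype="vpn" level="information" logdesc="SSL VPN tunnel up" action="tunnel-up" remip=192.0.2.20 user="jdoe" msg="SSL tunnel established"
date=2022-08-10 time=10:22:15 type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=198.51.100.7 user="jdoe" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Parse one FortiGate log line into a dict, stripping the quotes around values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}

def count_login_failures(log_text):
    """Count 'ssl-login-fail' VPN events per remote IP (the remip field)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") == "vpn" and rec.get("action") == "ssl-login-fail":
            counts[rec["remip"]] += 1
    return counts

def offenders(counts, threshold):
    """Remote IPs with at least `threshold` failures, most active first."""
    return [ip for ip, n in counts.most_common() if n >= threshold]

def build_block_config(ips, intf, policy_id=1):
    """Render FortiOS CLI in the article's structure: one /32 address per IP plus one local-in policy.
    dstaddr "all" and service "ALL" (as in the article) drop all traffic from these sources to the FortiGate itself."""
    names = [f"SSLVPN_Bruteforce_{ip.replace('.', '_')}" for ip in ips]  # constructed naming scheme
    lines = ["config firewall address"]
    for name, ip in zip(names, ips):
        lines += [f'    edit "{name}"', f"        set subnet {ip} 255.255.255.255", "    next"]
    lines += ["end", "config firewall local-in-policy", f"    edit {policy_id}",
              f'        set intf "{intf}"',
              "        set srcaddr " + " ".join(f'"{n}"' for n in names),
              '        set dstaddr "all"', '        set service "ALL"', "        set action deny",  # deny is the default; made explicit
              '        set schedule "always"',
              '        set comments "generated from ssl-login-fail events"', "    next", "end"]
    return "\n".join(lines)

if __name__ == "__main__":
    bad = offenders(count_login_failures(SAMPLE_LOGS), threshold=3)
    print(build_block_config(bad, intf="port1"))
```

The threshold separates a single mistyped password (198.51.100.7) from a source cycling through usernames (10.10.10.5); tune it to the login volume of the environment.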

Sample Output: (screenshot)

Note:

Local-in policies can only be configured from the CLI. To make them visible in the GUI, go to System -> Feature Visibility and enable Local In Policy under the Additional Features section.

Comments

janonuevo (Staff)

Wow! It worked!