FortiGate
rvillaroman
Staff
Article Id 220413
Description

 

This article describes how SSL VPN services may experience repeated unauthorized access attempts that try to exploit vulnerabilities in the service.

Even when access to the SSL VPN service is restricted to specific users, addresses, and countries, attackers still send brute-force login attempts.

 

By default these attempts are rejected by FortiGate and appear as 'ssl-login-fail' entries in the VPN event logs.

This is because attackers can still reach the SSL VPN login prompt.

 


 

FortiGate denies this unauthorized access, but the brute-force attempts are still visible in the VPN event logs.

 


Scope

 

FortiGate.

 

Solution

 

Apply a local-in policy on the external interface(s) on which SSL VPN listens to add security and limit unauthorized attempts against the SSL VPN service.

 

  1. Create a firewall address for the specific IP, subnet, or country whose access to the SSL VPN should be restricted.

 

In this example, a specific subnet will be blocked.

 

config firewall address
    edit "Restricted_IP"
        set subnet 10.10.10.0 255.255.255.0
    next
end

 

  2. Create a local-in policy and apply the created firewall address as its source address to restrict that traffic.

 

config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "Restricted_IP"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set comments "restrict_test"
    next
end

 

Once the local-in policy is applied, attackers in the specified subnet will no longer be able to reach the SSL VPN, not even the login prompt.

 


 

Note:
From v7.2.4 and v7.4.0 onwards, external threat feeds are supported as source or destination addresses for local-in policies. A list of restricted IP addresses and subnets can be maintained in a threat feed, which can then be used as the srcaddr object in the local-in policy to block SSL VPN access from unauthorized source IPs.
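As an added example (not from the article or from Fortinet), the following Python aggregates the 'ssl-login-fail' VPN event log entries described above per source IP and turns repeat offenders into a one-address-per-line list of the kind the threat-feed note refers to. The log lines are constructed; the field names action= and remip= follow FortiOS key=value log syntax, while the failure threshold, the trusted network 192.0.2.0/24 and the one-entry-per-line feed layout are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log lines in FortiOS key=value syntax; the values are made
# up for this example and are not taken from the article's screenshots.
SAMPLE_LOGS = """\
type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="admin" reason="sslvpn_login_unknown_user"
type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="test" reason="sslvpn_login_unknown_user"
type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="root" reason="sslvpn_login_unknown_user"
type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="bob" reason="sslvpn_login_permission_denied"
type="event" subtype="vpn" action="tunnel-up" remip=192.0.2.10 user="alice"
type="event" subtype="vpn" action="ssl-login-fail" remip=192.0.2.10 user="alice" reason="sslvpn_login_permission_denied"
type="event" subtype="vpn" action="ssl-login-fail" remip=192.0.2.10 user="alice" reason="sslvpn_login_permission_denied"
type="event" subtype="vpn" action="ssl-login-fail" remip=192.0.2.10 user="alice" reason="sslvpn_login_permission_denied"
"""

# key=value pairs; the value is either double-quoted (group 2) or bare (group 3)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_kv(line):
    """Parse one FortiOS key=value log line into a dict with quotes stripped."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def failed_logins_by_source(logs):
    """Count ssl-login-fail events per remote IP (remip) across the log text."""
    counts = Counter()
    for line in logs.splitlines():
        rec = parse_kv(line)
        if rec.get("action") == "ssl-login-fail" and "remip" in rec:
            counts[rec["remip"]] += 1
    return counts

def candidate_blocks(counts, threshold, allow_nets):
    """Sources with at least `threshold` failures that are not in a trusted network."""
    # The allowlist keeps a legitimate user mistyping a password from a known
    # range out of the block list, which the raw failure count alone would not.
    allowed = [ip_network(n) for n in allow_nets]
    hits = [ip for ip, n in counts.items()
            if n >= threshold and not any(ip_address(ip) in net for net in allowed)]
    return sorted(hits, key=ip_address)

def render_feed(ips):
    """One address per line: the layout assumed here for an IP-address threat feed file."""
    return "".join(ip + "\n" for ip in ips)

if __name__ == "__main__":
    counts = failed_logins_by_source(SAMPLE_LOGS)
    print(render_feed(candidate_blocks(counts, 3, ["192.0.2.0/24"])), end="")
```

With the sample data only 203.0.113.5 ends up in the feed: 198.51.100.7 is below the threshold and 192.0.2.10 is excluded by the trusted-network allowlist despite three failures.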

 

Guide: External Threat Feed for local-in policies.

 

GUI visibility for this feature is available when it is enabled under System -> Feature Visibility -> Additional Features -> Local In Policy.

While local-in policies can only be configured via the CLI in earlier versions, starting from v7.6.0, they can be configured directly through the GUI.



Comments
janonuevo
Staff

Wow! It worked!