This article explains why SSL VPN authentication-failure logs still show tunnel type 'ssl-web' after the SSL VPN web login page has been removed as described in the article below:
Technical Tip: How to prevent the SSL VPN web login portal from displaying when SSL VPN web mode is ...
Scope: FortiGate.
Every SSL VPN authentication failure on the FortiGate is logged with tunnel type 'ssl-web', even when the attempt came from FortiClient in tunnel mode.
Log for failed FortiClient authentication:
Log for failed Web Mode authentication:
Log for successful FortiClient authentication:
Log for successful Web mode authentication:
This is because FortiClient only identifies itself as a tunnel-mode client after the authentication attempt has succeeded. On an authentication failure the session ends before that point, so the FortiGate cannot tell tunnel mode from web mode:
Successful FortiClient authentication debugs:
[15510:root:a]sslvpn_authenticate_user:183 authenticate user: [test-fct]
[15510:root:a]sslvpn_authenticate_user:197 create fam state
[15510:root:a][fam_auth_send_req_internal:426] Groups sent to FNBAM:
[15510:root:a]group_desc[0].grpname = test
[15510:root:a][fam_auth_send_req_internal:438] FNBAM opt = 0X200420
[15510:root:a]fam_auth_send_req_internal:514 fnbam_auth return: 0
[15510:root:a][fam_auth_send_req_internal:539] Authenticated groups (1) by FNBAM with auth_type (1):
[15510:root:a]Received: auth_rsp_data.grp_list[0] = 2
[15510:root:a]fam_auth_send_req_internal:563 found node test:0:, valid:1, auth:0
[15510:root:a]Validated: auth_rsp_data.grp_list[0] = test
[15510:root:a][fam_auth_send_req_internal:652] The user test-fct is authenticated.
[15510:root:a]fam_do_cb:666 fnbamd return auth success.
…. (omitted for brevity)
[15511:root:a]normal tunnel2 request received.          <----- Tunnel mode initiated (only after successful authentication).
[15511:root:a]sslvpn_tunnel2_handler,166, fct_uuid = 86D85EDFFC3E422F8619956B74CE508E          <----- Identifying the FortiClient.
[15511:root:a]sslvpn_tunnel2_handler,174, Calling tunnel2 DESKTOP-8PB5B98.
Failed FortiClient authentication debugs:
[15514:root:a]sslvpn_authenticate_user:183 authenticate user: [fct-failed]
[15514:root:a]sslvpn_authenticate_user:197 create fam state
[15514:root:a][fam_auth_send_req_internal:426] Groups sent to FNBAM:
[15514:root:a]group_desc[0].grpname = test
[15514:root:a][fam_auth_send_req_internal:438] FNBAM opt = 0X200421
[15514:root:a]fam_auth_send_req_internal:514 fnbam_auth return: 1
[15514:root:a][fam_auth_send_req_internal:539] Authenticated groups (1) by FNBAM with auth_type (1):
[15514:root:a]Received: auth_rsp_data.grp_list[0] = 0
[15514:root:a]fam_auth_send_req:1007 task finished with 1
[15514:root:a]login_failed:392 user[fct-failed],auth_type=1 failed [sslvpn_login_permission_denied]
[15514:root:0]dump_one_blocklist:94 status=1;host=172.17.98.14;fails=1;logintime=1721862179
…… (debug output ends here: no tunnel2 request and no fct_uuid follow a failed authentication)
Therefore, after hiding the SSL VPN login page (on v7.4.1 and below) or disabling it globally (v7.4.2 and above), it is expected that every failed SSL VPN authentication is logged with tunnel type 'ssl-web'. Such a log entry does not mean the authentication attempt was made through the SSL VPN web login page; with the portal hidden or disabled, these failures come from tunnel-mode clients such as FortiClient.
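The following Python script is an added example (not part of the original article and not Fortinet code) showing how a SOC rule should interpret these events: it parses FortiGate key="value" event-log lines, counts SSL VPN login failures per remote IP, and reports the client mode that can actually be inferred for each event. The sample log lines are constructed for this example and modelled on the FortiGate SSL VPN event-log format; the field names (action, tunneltype, remip, user, reason) and the logid values are assumptions taken from that format, not copied from the article's screenshots.

```python
"""Added example: interpreting FortiGate SSL VPN event logs.

On a failed login the FortiGate always writes tunneltype="ssl-web",
because FortiClient only identifies itself (tunnel2 request / fct_uuid)
after authentication succeeds. The code below therefore never uses the
tunneltype of a failure to decide whether the web portal was attacked.
"""
import re
from collections import defaultdict

# Constructed sample lines (not from the article). Lines 1-2: two FortiClient
# failures from one host; line 3: the same host then builds a tunnel; line 4:
# a genuine web-mode login, which can only occur while the web portal is enabled.
SAMPLE_LOGS = """\
date=2024-07-24 time=22:22:59 logid="0101039426" type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" tunnelid=0 remip=172.17.98.14 user="fct-failed" group="N/A" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2024-07-24 time=22:23:05 logid="0101039426" type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" tunnelid=0 remip=172.17.98.14 user="fct-failed" group="N/A" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2024-07-24 time=22:24:10 logid="0101039947" type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=1234567890 remip=172.17.98.14 tunnelip=10.212.134.200 user="test-fct" group="test" dst_host="N/A" reason="login successfully" msg="SSL tunnel established"
date=2024-07-24 time=22:25:31 logid="0101039424" type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN login" action="ssl-login" tunneltype="ssl-web" tunnelid=0 remip=198.51.100.7 user="web-user" group="test" reason="login successfully" msg="SSL user login"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one FortiGate key="value" log line into a dict."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def effective_mode(event, web_portal_disabled):
    """Return the client mode that can really be inferred from one event.

    For successful logins the logged tunneltype is trustworthy. For failures it
    is always ssl-web, so the only reliable inference is the portal's own state:
    if the portal is hidden or disabled, the failure came from a tunnel client.
    """
    if event.get("action") == "ssl-login-fail":
        if web_portal_disabled:
            return "ssl-tunnel (inferred: web portal disabled)"
        return "unknown (ssl-web on a failure is not meaningful)"
    return event.get("tunneltype", "unknown")


def summarize(log_text, web_portal_disabled):
    """Aggregate SSL VPN events per remote IP with the inferred client mode."""
    per_ip = defaultdict(lambda: {"failures": 0, "failure_mode": None, "successes": []})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("subtype") != "vpn" or "action" not in ev:
            continue  # not an SSL VPN event
        entry = per_ip[ev.get("remip", "?")]
        mode = effective_mode(ev, web_portal_disabled)
        if ev["action"] == "ssl-login-fail":
            entry["failures"] += 1
            entry["failure_mode"] = mode
        elif ev["action"] in ("tunnel-up", "ssl-login"):
            entry["successes"].append((ev.get("user"), mode))
    return dict(per_ip)


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOGS, web_portal_disabled=True).items():
        print(ip, info)
```

The rule to take from this: alert on the failure count and source address, and on any subsequent tunnel-up from the same address, but never classify a burst of `ssl-login-fail` events as "web portal brute force" on the strength of `tunneltype="ssl-web"` alone.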
Copyright 2024 Fortinet, Inc. All Rights Reserved.