mdibaee
Staff
Article Id 328096
Description

This article explains why SSL VPN authentication-failure logs with tunnel type 'web' still appear after the SSL VPN web login page has been removed as described in the article below:
Technical Tip: How to prevent the SSL VPN web login portal from displaying when SSL VPN web mode is ...

Scope

FortiGate.

Solution

Every SSL VPN authentication failure on the FortiGate is logged with tunnel type 'web', even when the attempt came from FortiClient (tunnel mode).

Log for failed FortiClient authentication:
[screenshot: 1.png]

Log for failed Web Mode authentication:
[screenshot: 2.png]

Log for successful FortiClient authentication:
[screenshot: 3.png]

Log for successful Web Mode authentication:
[screenshot: 4.png]

This happens because FortiClient only identifies itself as a tunnel-mode client after the authentication attempt has succeeded. When authentication fails, that identification never takes place, so the FortiGate cannot distinguish tunnel mode from web mode for a failed attempt. The debug output below shows the difference:

Successful FortiClient authentication debugs:

[15510:root:a]sslvpn_authenticate_user:183 authenticate user: [test-fct]
[15510:root:a]sslvpn_authenticate_user:197 create fam state
[15510:root:a][fam_auth_send_req_internal:426] Groups sent to FNBAM:
[15510:root:a]group_desc[0].grpname = test
[15510:root:a][fam_auth_send_req_internal:438] FNBAM opt = 0X200420
[15510:root:a]fam_auth_send_req_internal:514 fnbam_auth return: 0
[15510:root:a][fam_auth_send_req_internal:539] Authenticated groups (1) by FNBAM with auth_type (1):
[15510:root:a]Received: auth_rsp_data.grp_list[0] = 2
[15510:root:a]fam_auth_send_req_internal:563 found node test:0:, valid:1, auth:0
[15510:root:a]Validated: auth_rsp_data.grp_list[0] = test
[15510:root:a][fam_auth_send_req_internal:652] The user test-fct is authenticated.
[15510:root:a]fam_do_cb:666 fnbamd return auth success.
…. (omitted for brevity)
[15511:root:a]normal tunnel2 request received.   <----- Tunnel mode initiated.
[15511:root:a]sslvpn_tunnel2_handler,166, fct_uuid = 86D85EDFFC3E422F8619956B74CE508E   <----- Identifying the FortiClient.
[15511:root:a]sslvpn_tunnel2_handler,174, Calling tunnel2 DESKTOP-8PB5B98.


Failed FortiClient authentication debugs:

[15514:root:a]sslvpn_authenticate_user:183 authenticate user: [fct-failed]
[15514:root:a]sslvpn_authenticate_user:197 create fam state
[15514:root:a][fam_auth_send_req_internal:426] Groups sent to FNBAM:
[15514:root:a]group_desc[0].grpname = test
[15514:root:a][fam_auth_send_req_internal:438] FNBAM opt = 0X200421
[15514:root:a]fam_auth_send_req_internal:514 fnbam_auth return: 1
[15514:root:a][fam_auth_send_req_internal:539] Authenticated groups (1) by FNBAM with auth_type (1):
[15514:root:a]Received: auth_rsp_data.grp_list[0] = 0
[15514:root:a]fam_auth_send_req:1007 task finished with 1
[15514:root:a]login_failed:392 user[fct-failed],auth_type=1 failed [sslvpn_login_permission_denied]
[15514:root:0]dump_one_blocklist:94 status=1;host=172.17.98.14;fails=1;logintime=1721862179
…… (output ends here; no tunnel2 or fct_uuid lines follow)


Therefore, after hiding the SSL VPN login page (v7.4.1 and below) or disabling it globally (v7.4.2 and above), it is expected that every failed SSL VPN authentication is still flagged with 'tunnel Type ssl-web'. This log entry does not mean that the attempt was made through the SSL VPN web login page.
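The following is an added example, not part of this article or a Fortinet tool, that reads debug output in the format shown above and builds one record per authentication attempt. It assumes a single-session capture, so the tunnel2/fct_uuid lines are attributed to the most recent successful attempt; the sample input is constructed from the two sessions above. It makes the article's point concrete: tunnel mode can only be recognised after a success, so a failed attempt stays 'unknown', which the event log renders as tunnel type 'ssl-web'. The source host of a failure is still available from the blocklist line.

```python
import re

# Constructed sample, trimmed from the two debug sessions shown in this article.
# Assumed line format: "[<pid>:<vdom>:<flag>]<message>".
SAMPLE_DEBUG = """\
[15510:root:a]sslvpn_authenticate_user:183 authenticate user: [test-fct]
[15510:root:a]fam_auth_send_req_internal:514 fnbam_auth return: 0
[15510:root:a]fam_do_cb:666 fnbamd return auth success.
[15511:root:a]normal tunnel2 request received.
[15511:root:a]sslvpn_tunnel2_handler,166, fct_uuid = 86D85EDFFC3E422F8619956B74CE508E
[15511:root:a]sslvpn_tunnel2_handler,174, Calling tunnel2 DESKTOP-8PB5B98.
[15514:root:a]sslvpn_authenticate_user:183 authenticate user: [fct-failed]
[15514:root:a]fam_auth_send_req_internal:514 fnbam_auth return: 1
[15514:root:a]login_failed:392 user[fct-failed],auth_type=1 failed [sslvpn_login_permission_denied]
[15514:root:0]dump_one_blocklist:94 status=1;host=172.17.98.14;fails=1;logintime=1721862179
"""

AUTH_START = re.compile(r"authenticate user: \[(?P<user>[^\]]+)\]")
AUTH_OK = re.compile(r"fnbamd return auth success")
AUTH_FAIL = re.compile(r"login_failed:\d+ user\[(?P<user>[^\]]+)\].*failed \[(?P<reason>[^\]]+)\]")
BLOCKLIST = re.compile(r"dump_one_blocklist:\d+ (?P<kv>.+)$")
TUNNEL = re.compile(r"fct_uuid = (?P<uuid>[0-9A-F]+)")


def classify_attempts(debug_text: str) -> list[dict]:
    """Walk the sslvpn debug output in order and build one record per attempt.
    Tunnel mode is only recognisable from the tunnel2/fct_uuid lines, which
    appear after a *successful* auth, so a failed attempt keeps mode 'unknown'
    (the event log shows it as tunnel type 'ssl-web')."""
    attempts: list[dict] = []
    for line in debug_text.splitlines():
        msg = line.split("]", 1)[-1]  # drop the "[pid:vdom:flag]" prefix
        if m := AUTH_START.search(msg):
            attempts.append({"user": m["user"], "result": None, "mode": "unknown", "detail": {}})
        elif not attempts:
            continue  # lines before the first attempt carry nothing to classify
        elif AUTH_OK.search(msg):
            attempts[-1]["result"] = "success"
            attempts[-1]["mode"] = "web"  # assume web mode until tunnel2 evidence arrives
        elif m := AUTH_FAIL.search(msg):
            attempts[-1]["result"] = "failure"
            attempts[-1]["detail"]["reason"] = m["reason"]
        elif m := BLOCKLIST.search(msg):
            kv = dict(p.split("=", 1) for p in m["kv"].split(";") if "=" in p)
            attempts[-1]["detail"]["host"] = kv.get("host")
            attempts[-1]["detail"]["fails"] = int(kv.get("fails", 0))
        elif (m := TUNNEL.search(msg)) and attempts[-1]["result"] == "success":
            attempts[-1]["mode"] = "tunnel"  # FortiClient identified itself after auth
            attempts[-1]["detail"]["fct_uuid"] = m["uuid"]
    return attempts


if __name__ == "__main__":
    for attempt in classify_attempts(SAMPLE_DEBUG):
        print(attempt)
```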