pszewczyk
New Contributor

Automatic blocking IP to prevent Fortigate web interface login page

Hi,

 

In the last few days I started to see new activity on my WAN link: many login attempts on the HTTPS interfaces of my FortiGates. In the majority they come from IP 185.253.160.140, but not exclusively. My question is how to automatically block these attempts, i.e. to ban a certain IP from viewing the login page of the FortiGate after a few unsuccessful login attempts.

 

I have a few FortiGates with software not older than 6.2.15.

 

Piotr 

Bjay_Prakash_Ghising
Contributor

 

Hi pszewczyk

 

Apply the given command to the CLI Script of the action field.

diagnose user banned-ip add src4 %%srcip%% 0 admin

 

If that doesn't resolve it, then create a group and append it to the local-in policy.

To create and append addresses to the group, you can follow the attached link.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Create-and-append-addresses-into-address-g...

 

https://community.fortinet.com/t5/Support-Forum/Automation-SSL-VPN-login-fail-event-gt-Ban-IP/m-p/26...

 

Hope that helps, 

 

Kind Regards, 

Bijay Prakash Ghising

 

Ckden

Fortigate FGT60E
Would you happen to know why the IP address does not get added to the list?
I can add one manually.
I see a delete result happening for some reason. I have no idea where to look for this auto-delete.
 
General
Last Access Time: 12:07:12
VDOM: root
Log Description: Autoscript stop automatically

Event
Message: script autod.75 stopped automatically


General
Last Access Time: 12:07:12
VDOM: root
Log Description: Autoscript delete result

Action
Action: delete_result

Event
User Interface: autod
Message: User delete the result of script autod.75 from autod
hazim
Staff

Hi pszewczyk,

 

Based on my understanding, you want to block specific IPs from reaching your FortiGate interface. You can create a local-in policy to block specific IPs from reaching your FortiGate interface. You may refer to the KB below for more information:

https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/363127/local-in-policies

 

Best Regards,

Hazim

Emma02
New Contributor II

To automatically block IP addresses and prevent unauthorized access to the Fortigate web interface login page, you can implement a security policy using the built-in features of the Fortigate. Here's a concise solution:

Log in to your Fortigate web interface.
Go to "Security Profiles" and create a new "DoS Policy".
Set "DoS Policy Type" to "HTTP Login Protection".
Configure "HTTP Login Protection Settings" to specify the number of allowed login attempts and the duration of the block.
Apply the policy to your WAN-facing interface.


For more detailed instructions and further assistance, visit Fortinet's official website at https://www.fortinet.com/support./

 

I hope this will help you.

Emma Wilson
saneeshpv_FTNT

Hi,

 

Firstly, it's not a best security practice to allow HTTPS/SSH on the WAN interface of a FortiGate. So I would recommend that you disable HTTPS/HTTP/SSH and other services on the WAN interface.

 

Even after disabling the services on the WAN interface, if you still see some traffic reaching your WAN and affecting system performance, you may apply the other recommendations mentioned here.

 

Best Regards,

 

AFT
New Contributor II

What about the SSL VPN web interface?  You can't disable that on the WAN interface when it's required to establish remote connections.  pszewczyk is correct, FortiGate needs to include a way to auto-ban bad login attempts over long periods of time...say 3 from the same IP in 24 hours.

AFT
New Contributor II

I am using local-in policies and have three interfaces to protect, WAN1, WAN2, and the SSL VPN port. (SSL VPN isn't really an interface but needs to be called out specifically, from what I have seen.) I still see bots attempting to log in at a very slow rate. I am looking for a way to auto-ban bad login attempts over long periods of time...say 3 attempts from the same IP in 24 hours.
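Added example (not from this thread or from Fortinet): a Python script that applies the threshold AFT describes, 3 failed logins from one source IP within 24 hours, to FortiOS-style admin login event lines and emits the ban command Bjay's automation stitch runs. The log lines are constructed to approximate FortiOS key=value event logs; the field names srcip, action and status and the 32001/32002 log IDs are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines approximating FortiOS admin login event logs.
# The 185.253.160.140 source comes from the thread; the others are documentation ranges.
SAMPLE_LOGS = """\
date=2024-01-10 time=01:12:03 logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="https(185.253.160.140)" srcip=185.253.160.140 action="login" status="failed" reason="passwd_invalid"
date=2024-01-10 time=09:40:11 logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="root" ui="https(185.253.160.140)" srcip=185.253.160.140 action="login" status="failed" reason="name_invalid"
date=2024-01-10 time=09:41:30 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(192.0.2.10)" srcip=192.0.2.10 action="login" status="success"
date=2024-01-10 time=22:15:45 logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="https(185.253.160.140)" srcip=185.253.160.140 action="login" status="failed" reason="passwd_invalid"
date=2024-01-10 time=23:00:00 logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2024-01-12 time=04:05:06 logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
"""

# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value FortiOS log line into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def offenders(log_text, threshold=3, window_hours=24):
    """Return {ip: time the threshold was first hit} for every source IP with at
    least `threshold` failed logins inside any sliding window of `window_hours`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("action") == "login" and ev.get("status") == "failed" and "srcip" in ev:
            ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
            failures[ev["srcip"]].append(ts)
    hits = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            # times[i] .. times[i+threshold-1] are `threshold` consecutive failures;
            # the IP qualifies as soon as such a run fits inside the window
            span = times[i + threshold - 1] - times[i]
            if span.total_seconds() <= window_hours * 3600:
                hits[ip] = times[i + threshold - 1]
                break
    return hits


def ban_commands(hits):
    """Render the CLI line used in the thread's stitch action (0 = no expiry)."""
    return [f"diagnose user banned-ip add src4 {ip} 0 admin" for ip in sorted(hits)]


if __name__ == "__main__":
    for cmd in ban_commands(offenders(SAMPLE_LOGS)):
        print(cmd)
```

On the sample above only 185.253.160.140 reaches three failures within a day; 198.51.100.7 has two failures two days apart and is left alone, which is the slow-rate case the post complains about and why the window length matters.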

AEK
SuperUser

I think disabling web access (and any other admin access) on the WAN interface is not only a good security practice but a must. I also usually see some companies disable even ping, which makes sense since scanner bots usually start by pinging your IP before scanning ports.

For SSL VPN I think it is good security practice to use a non-standard high port, because most scanner bots never go above the first one or few thousand ports.

AFT
New Contributor II

Bots don't care about the port number. We run the port in the 10K range and it gets probed a lot, daily. The SSL VPN login page is an HTTP-based page. The point here is that you cannot disable the web GUI page for SSL VPN, so even if you remove HTTP(S) and SSH management on the WAN interfaces, you still have an open HTTP(S) page published to the world regardless of the port number. Check your System Events and filter by VPN event. If you have SSL VPN configured, it will be an eye-opener for you.
