Hi,
Last few days I started to see new activity on my WAN link - many login attempts on HTTPS interfaces of my Fortigates. In majority they come from IP: 185.253.160.140 but not exclusevily. My question is how to automatically block these attempts, i.e. to ban certain IP from viewing login page of Forti after few unsuccessfull login trials.
I have few Fortigates with soft not older than 6.2.15.
Piotr
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Here are some ideas to make your SSL VPN more secure:
These are all standard best practices and have been implemented on all of our customers' firewalls. Again, the port number makes no difference to a bot. Our typical block list contains 88 elements, (38 class C or greater ranges in the US - mostly data centers in Dallas, TX) and 50 country codes. These are applied to WAN1, WAN2, and the SSLVPN port in the form of local-policy-in rules. Still we see attempts continue. The answer here is an auto-ban element is needed. Its surprising that a security appliance needs this much tweaking (and even more) to not be picked at.
Hi AFT
You can set failed login attempts from any source and block-time as well.
This can block other attempts from the attacker's IP for a very log time (for a maximum of 70 years if needed).
Here is for SSL VPN access:
config vpn ssl settings
set login-attempt-limit x (defalt=2)
set login-block-time x (default=60, max=86400)
Here is for WebUI admin login:
config system global
admin-lockout-threshold x (defult=3)
admin-lockout-duration x (default=60, max=2147483647)
You can also ban the IP automatically instead of block period, as explained in the below tech tip.
As far as I know,
Banning IP addresses won't affect the administrative access to the GUI login page. Instead, it simply blocks services passing through the FortiGate. To enforce administrative restrictions, you must configure a local-in policy or set up trusted hosts.
If you wish to automate this capability, you must establish specific criteria to trigger the automation. References for creating your criteria can be found in the following articles:
Without such automated settings, it's unlikely that any security appliance will automatically block IPs attempting to access your publicly hosted services. Blocking administrative access without validation checks is not feasible.
Think of it, how would a security appliance block the IPs in such a case?
Security appliances need to perform validation checks, such as C&C, P2P botnet, IP Reputation, Compromised hosts, and Threat level, for effective blocking or allowing of connections. Even for those detections to work, IPs need to pass through the Firewall policy.
Configuring best practices is one way to limit threats. However, for total blocking of GUI administrative access on FortiGate, you need to automate IP blocking in the local-in policy.
When configuring such settings globally, consider false positive attempts as well.
config vpn ssl settings
set login-attempt-limit x (default=2)
set login-block-time x (default=60, max=86400)
config system global
admin-lockout-threshold x (default=3)
admin-lockout-duration x (default=60, max=2147483647)
I hope this information is helpful.
Kind Regards,
Bijay Prakash Ghising
I apologize for the inconvenience caused by my repeated replies.
It seems there might be a limit or a bug in the system, as my responses were not visible. The response numbers are increasing, but replies to the most recent post are not displaying.
I'm unsure whether this response has been successfully posted. If anyone sees this response, please report the bug to the admin.
Thank you in advance for your assistance.
Created on 01-30-2024 12:33 PM
As far as I know,
Banning IP addresses won't affect the administrative access to the GUI login page. Instead, it simply blocks services passing through the FortiGate.
To enforce administrative restrictions, you must configure a local-in policy or set up trusted hosts.
If you wish to automate such a capability, you must establish specific criteria to trigger the automation. You can take a reference from the below articles and create your criteria(Trigger)
Without such automated settings, it's unlikely that any security appliance will automatically block IPs attempting to access your publicly hosted services. Blocking administrative access without validation checks is not feasible.
Think of it, how would a security appliance block the IPs in such a case?
Security appliances need to perform validation checks, such as C&C, P2P botnet, IP Reputation, Compromised hosts, and Threat level, for effective blocking or allowing of connections. Even for those detections to work, IPs need to pass through the Firewall policy.
Configuring best practices is one way to limit threats. However, for total blocking of GUI administrative access on FortiGate, you need to automate IP blocking in the local-in policy.
When configuring such settings globally, consider false positive attempts as well.
config vpn ssl settings
set login-attempt-limit x (default=2)
set login-block-time x (default=60, max=86400)
config system global
admin-lockout-threshold x (default=3)
admin-lockout-duration x (default=60, max=2147483647)
I hope this information is helpful.
Kind Regards,
Bijay Prakash Ghising
Created on 01-30-2024 12:35 PM Edited on 01-30-2024 12:41 PM
Hi, I think the image file response was uploaded successfully. So, I have captured my last response here as it was not visible earlier.
If you add your address object that contains each of your banned IP or Geo locations and apply the address object to your local-in-policy, banning IP addresses do work (as long as the attacker doesn't change IPs). Here is what I use on WAN1, WAN2, and the SSLVPN port (you must define a address object that contains your SSLVPN port for this to work. I use the name "SSLVPN-Port" in the example below:
!
config firewall local-in-policy
edit 1
set intf wan1
set srcaddr "Blocked_List"
set srcaddr-negate disable
set dstaddr "all"
set dstaddr-negate disable
set action deny
set service "ALL"
set service-negate disable
set schedule "always"
set status enable
next
edit 2
set intf wan2
set srcaddr "Blocked_List"
set srcaddr-negate disable
set dstaddr "all"
set dstaddr-negate disable
set action deny
set service "ALL"
set service-negate disable
set schedule "always"
set status enable
next
edit 3
set intf "wan1"
set srcaddr "Blocked_List"
set srcaddr-negate disable
set dstaddr "all"
set dstaddr-negate disable
set action deny
set service "SSLVPN-Port"
set service-negate disable
set schedule "always"
set status enable
next
!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.