- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Automatic blocking IP to prevent Fortigate web int...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Automatic blocking IP to prevent Fortigate web interface login page
Hi,
Last few days I started to see new activity on my WAN link - many login attempts on HTTPS interfaces of my Fortigates. In majority they come from IP: 185.253.160.140 but not exclusevily. My question is how to automatically block these attempts, i.e. to ban certain IP from viewing login page of Forti after few unsuccessfull login trials.
I have few Fortigates with soft not older than 6.2.15.
Piotr
Labels:
- Labels:
-
FortiGate
16 REPLIES 16
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi pszewczyk
Apply the given command to the CLI Script of the action field.
diagnose user banned-ip add src4 %%srcip%% 0 admin
If that doesn't resolve then create a group and append it to the local-in policy.
To Create and append addresses to the group, you can find the attached link.
Hope that helps,
Kind Regards,
Bijay Prakash Ghising
Ghising
Ghising
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi pszewczyk,
Based on my understanding you want to block any specific IP to your FortiGate interface. You can create a local-in policy to block specific IPs reaching your FortiGate interface. You may refer to the KB below for more information:-
https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/363127/local-in-policies
Best Regards,
Hazim
Hazim
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To automatically block IP addresses and prevent unauthorized access to the Fortigate web interface login page, you can implement a security policy using the built-in features of the Fortigate. Here's a concise solution:
Log in to your Fortigate web interface.
Go to "Security Profiles" and create a new "DoS Policy".
Set "DoS Policy Type" to "HTTP Login Protection".
Configure "HTTP Login Protection Settings" to specify the number of allowed login attempts and the duration of the block.
Apply the policy to your WAN-facing interface.
For more detailed instructions and further assistance, visit Fortinet's official website at https://www.fortinet.com/support./devops training https://www.fortinet.com/support./
I hope this will help you.
Emma Wilson
Emma Wilson
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Firstly, its not a best security practice to allow HTTPS/SSH on the WAN interface of FortiGate. So I would recommend you to disable HTTPS/HTTP/SSH and other Services on the WAN Interface.
Even after disabling the service on the WAN interface and you still see some traffic reaching your WAN and effecting the system performance, you may apply other recommendations mentioned here.
Best Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What about the SSL VPN web interface? You can't disable that on the WAN interface when it's required to establish remote connections. pszewczyk is correct, FortiGate needs to include a way to auto-ban bad login attempts over long periods of time...say 3 from the same IP in 24 hours.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using local-in-polices and have three interfaces to protect, WAN1, WAN2, and the SSLVPN port. (SSLVPN isn't really an interface but needs to be called out specifically from what I have seen.) I still see bots attempting to log in at a very slow rate. I am looking a way to auto-ban bad login attempts over long periods of time...say 3 attempts from the same IP in 24 hours.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think disabling web access (and any other admin access) on WAN interface is not only a good security practice but a must practice. I also usually see some companies disable even ping, which makes sens since sanner bots usually start by pinging your IP before scanning ports.
For SSL VPN I think it is good security practice to use non standard high port, cause most scanner bots never go above one or few thousand first ports.
AEK
AEK
Created on 01-29-2024 11:48 AM Edited on 01-29-2024 11:49 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Bots don't care about the port number. We run the port in the 10K range and it gets probed a lot, daily. The SSLVPN login page is a HTTP based page. The point here is that you cannot disable the web GUI page for SSLVPN so even if you remove HTTP(S) and SSH management on the WAN interfaces, you still have an open HTTP(S) page published to the world regardless of the port number. Check your System Events and filter it by VPN event. If you have SSLVPN configured, it will be an eye opener for you.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here are some ideas to make your SSL VPN more secure:
- Enable MFA
- Disable Web mode
- Use high non standard port
- Give access to the minimum required resources
- Keep your FG patched
- Restrict access by IP or GeoIP if possible
AEK
AEK
Related Posts
Labels
-
FortiGate
6,716 -
FortiClient
1,337 -
5.2
801 -
5.4
639 -
FortiManager
578 -
FortiAnalyzer
422 -
6.0
416 -
5.6
362 -
FortiSwitch
344 -
FortiAP
342 -
FortiClient EMS
273 -
FortiMail
261 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
159 -
6.4
128 -
FortiNAC
110 -
FortiGuard
106 -
FortiSIEM
92 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
82 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
67 -
4.0MR3
64 -
Wireless Controller
61 -
FortiProxy
46 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
SD-WAN
30 -
High Availability
24 -
FortiConnect
24 -
FortiAuthenticator
22 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Logging
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
Web application firewall profile
5 -
Web profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.