Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
pszewczyk
New Contributor

Created on ‎07-26-2023 01:29 AM

Automatic blocking IP to prevent Fortigate web interface login page

Hi,

 

Last few days I started to see new activity on my WAN link - many login attempts on HTTPS interfaces of my Fortigates. In majority they come from IP: 185.253.160.140 but not exclusevily. My question is how to automatically block these attempts, i.e. to ban certain IP from viewing login page of Forti after few unsuccessfull login trials.

 

I have few Fortigates with soft not older than 6.2.15.

 

Piotr 

Labels:
1514
0 Kudos
4 REPLIES 4
Bjay_Prakash_Ghising
New Contributor III

Created on ‎07-26-2023 01:46 AM Edited on ‎07-28-2023 11:40 PM

 

Hi pszewczyk

 

Apply the given command to the CLI Script of the action field.

diagnose user banned-ip add src4 %%srcip%% 0 admin

 

If that doesn't resolve then create a group and append it to the local-in policy. 

To Create and append addresses to the group, you can find the attached link.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Create-and-append-addresses-into-address-g...

 

https://community.fortinet.com/t5/Support-Forum/Automation-SSL-VPN-login-fail-event-gt-Ban-IP/m-p/26...

 

Hope that helps, 

 

Kind Regards, 

Bijay Prakash Ghising

 

Ghising
1503
0 Kudos
hazim
Staff
Staff

Created on ‎08-02-2023 12:05 AM

Hi pszewczyk,

 

Based on my understanding you want to block any specific IP to your FortiGate interface. You can create a local-in policy to block specific IPs reaching your FortiGate interface. You may refer to the KB below for more information:-

https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/363127/local-in-policies

 

Best Regards,

Hazim

Hazim
1404
0 Kudos
Emma02
New Contributor II

Created on ‎08-02-2023 12:35 AM

To automatically block IP addresses and prevent unauthorized access to the Fortigate web interface login page, you can implement a security policy using the built-in features of the Fortigate. Here's a concise solution:

Log in to your Fortigate web interface.
Go to "Security Profiles" and create a new "DoS Policy".
Set "DoS Policy Type" to "HTTP Login Protection".
Configure "HTTP Login Protection Settings" to specify the number of allowed login attempts and the duration of the block.
Apply the policy to your WAN-facing interface.


For more detailed instructions and further assistance, visit Fortinet's official website at https://www.fortinet.com/support./devops training https://www.fortinet.com/support./

 

I hope this will help you.

Emma Wilson
1397
0 Kudos
saneeshpv_FTNT
Staff
Staff

Created on ‎08-02-2023 12:40 AM

Hi,

 

Firstly, its not a best security practice to allow HTTPS/SSH on the WAN interface of FortiGate. So I would recommend you to disable HTTPS/HTTP/SSH and other Services on the WAN Interface. 

 

Even after disabling the service on the WAN interface and you still see some traffic reaching your WAN and effecting the system performance, you may apply other recommendations mentioned here.

 

Best Regards,

 

1391
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.