Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
pszewczyk
New Contributor

Automatic blocking IP to prevent Fortigate web interface login page

Hi,

 

Last few days I started to see new activity on my WAN link - many login attempts on HTTPS interfaces of my Fortigates. In majority they come from IP: 185.253.160.140 but not exclusevily. My question is how to automatically block these attempts, i.e. to ban certain IP from viewing login page of Forti after few unsuccessfull login trials.

 

I have few Fortigates with soft not older than 6.2.15.

 

Piotr 

16 REPLIES 16
AFT
New Contributor II

These are all standard best practices and have been implemented on all of our customers' firewalls.  Again, the port number makes no difference to a bot.  Our typical block list contains 88 elements, (38 class C or greater ranges in the US - mostly data centers in Dallas, TX) and 50 country codes.  These are applied to WAN1, WAN2, and the SSLVPN port in the form of local-policy-in rules.  Still we see attempts continue.  The answer here is an auto-ban element is needed.  Its surprising that a security appliance needs this much tweaking (and even more) to not be picked at.

AEK
Honored Contributor II

Hi AFT

You can set failed login attempts from any source and block-time as well.

This can block other attempts from the attacker's IP for a very log time (for a maximum of 70 years if needed).

 

Here is for SSL VPN access:

config vpn ssl settings 
  set login-attempt-limit x (defalt=2)
  set login-block-time x (default=60, max=86400)

 

Here is for WebUI admin login:

config system global 
  admin-lockout-threshold x (defult=3)
  admin-lockout-duration x (default=60, max=2147483647)

 

You can also ban the IP automatically instead of block period, as explained in the below tech tip.

https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-How-to-Ban-IP-using-event-handler-auto...

AEK
AEK
Bjay_Prakash_Ghising

Hi @AFT @AEK 

 

As far as I know,

 

Banning IP addresses won't affect the administrative access to the GUI login page. Instead, it simply blocks services passing through the FortiGate. To enforce administrative restrictions, you must configure a local-in policy or set up trusted hosts.


If you wish to automate this capability, you must establish specific criteria to trigger the automation. References for creating your criteria can be found in the following articles:

 

- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Create-and-append-addresses-into-address-g...


- https://community.fortinet.com/t5/Support-Forum/Automation-SSL-VPN-login-fail-event-gt-Ban-IP/m-p/26...

 

Without such automated settings, it's unlikely that any security appliance will automatically block IPs attempting to access your publicly hosted services. Blocking administrative access without validation checks is not feasible.


Think of it, how would a security appliance block the IPs in such a case?


Security appliances need to perform validation checks, such as C&C, P2P botnet, IP Reputation, Compromised hosts, and Threat level, for effective blocking or allowing of connections. Even for those detections to work, IPs need to pass through the Firewall policy.


Configuring best practices is one way to limit threats. However, for total blocking of GUI administrative access on FortiGate, you need to automate IP blocking in the local-in policy.


When configuring such settings globally, consider false positive attempts as well.

 

config vpn ssl settings
    set login-attempt-limit x (default=2)
    set login-block-time x (default=60, max=86400)

 

config system global
    admin-lockout-threshold x (default=3)
    admin-lockout-duration x (default=60, max=2147483647)

 


I hope this information is helpful.

 

 

Kind Regards,
Bijay Prakash Ghising

Ghising
Ghising
Bjay_Prakash_Ghising
Contributor

I apologize for the inconvenience caused by my repeated replies.

 

It seems there might be a limit or a bug in the system, as my responses were not visible. The response numbers are increasing, but replies to the most recent post are not displaying.

 

I'm unsure whether this response has been successfully posted. If anyone sees this response, please report the bug to the admin.

1.png

 2.png

 

Thank you in advance for your assistance.

 

Ghising
Ghising
Bjay_Prakash_Ghising

Hi @AFT  @AEK 


As far as I know,


Banning IP addresses won't affect the administrative access to the GUI login page. Instead, it simply blocks services passing through the FortiGate.


To enforce administrative restrictions, you must configure a local-in policy or set up trusted hosts.


If you wish to automate such a capability, you must establish specific criteria to trigger the automation. You can take a reference from the below articles and create your criteria(Trigger)

 

- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Create-and-append-addresses-into-address-g...


- https://community.fortinet.com/t5/Support-Forum/Automation-SSL-VPN-login-fail-event-gt-Ban-IP/m-p/26...

Without such automated settings, it's unlikely that any security appliance will automatically block IPs attempting to access your publicly hosted services. Blocking administrative access without validation checks is not feasible.


Think of it, how would a security appliance block the IPs in such a case?


Security appliances need to perform validation checks, such as C&C, P2P botnet, IP Reputation, Compromised hosts, and Threat level, for effective blocking or allowing of connections. Even for those detections to work, IPs need to pass through the Firewall policy.


Configuring best practices is one way to limit threats. However, for total blocking of GUI administrative access on FortiGate, you need to automate IP blocking in the local-in policy.


When configuring such settings globally, consider false positive attempts as well.

 

config vpn ssl settings
   set login-attempt-limit x (default=2)
   set login-block-time x (default=60, max=86400)

 

config system global
   admin-lockout-threshold x (default=3)
   admin-lockout-duration x (default=60, max=2147483647)


I hope this information is helpful.

 

Kind Regards,
Bijay Prakash Ghising

Ghising
Ghising
Bjay_Prakash_Ghising

Hi, I think the image file response was uploaded successfully. So, I have captured my last response here as it was not visible earlier.

1.png

 

 

 

Ghising
Ghising
AFT

If you add your address object that contains each of your banned IP or Geo locations and apply the address object to your local-in-policy, banning IP addresses do work (as long as the attacker doesn't change IPs).  Here is what I use on WAN1, WAN2, and the SSLVPN port (you must define a address object that contains your SSLVPN port for this to work.  I use the name "SSLVPN-Port" in the example below:

!

 

config firewall local-in-policy

edit 1
set intf wan1
set srcaddr "Blocked_List"
set srcaddr-negate disable
set dstaddr "all"
set dstaddr-negate disable
set action deny
set service "ALL"
set service-negate disable
set schedule "always"
set status enable
next

edit 2
set intf wan2
set srcaddr "Blocked_List"
set srcaddr-negate disable
set dstaddr "all"
set dstaddr-negate disable
set action deny
set service "ALL"
set service-negate disable
set schedule "always"
set status enable
next

edit 3
set intf "wan1"
set srcaddr "Blocked_List"
set srcaddr-negate disable
set dstaddr "all"
set dstaddr-negate disable
set action deny
set service "SSLVPN-Port"
set service-negate disable
set schedule "always"
set status enable
next

!

Labels
Top Kudoed Authors