[Automation] SSL VPN login fail event -> Ban IP
Hi All
I would like to leverage the automation in Security Fabric to ban IPs that are trying to connect with the username "administrator". I've made a trigger with the event "SSL VPN login fail" with the field filter user:administrator:
I've then created an IP Ban Action, that looks like this:
The problem is, I can't stitch the trigger to the action to create an automation stitch. When I go to select the Action, it doesn't appear in the list:
Does anyone know what I do wrong and how I could achieve banning an IP, if there is a connection attempt with a certain user name?
Thank you.
Labels: FortiGate
Hi Purple,
Thank you for the query!
I understand that you want to block the IP from which a user connects to SSL VPN using the administrator username and password.
After testing your scenario in the lab, I could see IP-Ban action cannot be used with SSL VPN login fail trigger.
IP-Ban action is for the compromised host trigger. I am attaching the article here:
>> https://community.fortinet.com/t5/FortiGate/Technical-Tip-Creating-the-automation-stitches/ta-p/1957...
Please let us know if you have any further queries!
Hi tthrilok
thank you for your response and the link. Hmm that's too bad.
Do you know how I could block the IPs that try to connect with the user administrator in an automated manner? Of course I could write scripts that parse these events and create objects that I put in a rule that denies the traffic, but that would create so many unnecessary objects that I would like to avoid it.
I see you can call the IP-BAN action along with a FortiAnalyzer event handler as trigger. I have not tested this, but can you try creating an event handler on your FortiAnalyzer for VPN login failures and then use that in the FGT stitch?
Suraj
Created on 05-08-2023 06:33 AM, edited on 05-08-2023 06:36 AM
Hi Suraj
thank you for your suggestion. Unfortunately we don't have the FortiAnalyzer, so that isn't an option for me.
I've done it in a (suboptimal) way.
I download the events that contain the message "SSL user failed to logged in" from the FortiGate logs and then run this Python script. It prints the commands that I can run on the firewall to ban the IPs indefinitely.
vpn_events_file_path = "/mnt/c/temp/vpn_events.log"
banned_ips = []  # renamed from `list`, which shadowed the Python builtin

def find_between(s, first, last):
    """Return the text between `first` and the next `last` in s, or "" if either is missing."""
    try:
        start = s.index(first) + len(first)
        end = s.index(last, start)
        return s[start:end]
    except ValueError:
        return ""

with open(vpn_events_file_path, "r") as events:
    for line in events:
        if 'user="administrator"' in line:
            remip = find_between(line, 'remip=', ' user')
            # skip lines where remip could not be extracted, and de-duplicate
            if remip and remip not in banned_ips:
                banned_ips.append(remip)

for item in banned_ips:
    ban_config = 'diagnose user quarantine add src4 ' + item + ' indefinite admin'
    print(ban_config)
I'll probably do this manually every day until I either implement a FortiAnalyzer or find a better way to do it.
Hi,
You can use Local In Policy to achieve it.
I created stitch automation on SSL VPN Failed Login event.
I used the following script:
config firewall address
    edit %%log.remip%%
        set color 6
        set subnet %%log.remip%%/32
end
config firewall addrgrp
    edit AUTOBLK_GRP
        set member %%log.remip%%
end
The object AUTOBLK_GRP should be created before.
The local In policy should be:
firewall # config firewall local-in-policy
firewall (local-in-policy) # edit 1
firewall (1) # get
policyid : 1
uuid : XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
intf : wan1
srcaddr : "AUTOBLK_GRP"
srcaddr-negate : disable
dstaddr : "all"
dstaddr-negate : disable
action : deny
service : "ALL"
service-negate : disable
schedule : always
status : enable
comments :
You should use
"append member %%log.remip%%"
instead of
"set member %%log.remip%%"
as the latter will overwrite any existing addresses, so that the address group will only ever contain 1 address.
Besides, the address group does not have to exist beforehand.
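Putting the two approaches in this thread together (the log-parsing script and the address-group stitch with "append member"), here is an added example that is not from any poster: it parses FortiGate key=value log lines, counts SSL VPN login failures per source IP for the targeted username, and emits either the "diagnose user banned-ip add" commands or the address/address-group CLI for the local-in policy. The sample log lines, the failure threshold and the function names (failed_sources, ban_commands, addrgrp_config) are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample FortiGate SSL VPN event lines (not real logs); only the
# remip/user/msg fields discussed in the thread are relied upon.
SAMPLE_LOG = """\
date=2023-05-08 time=06:30:01 remip=203.0.113.10 user="administrator" msg="SSL user failed to logged in"
date=2023-05-08 time=06:30:05 remip=203.0.113.10 user="administrator" msg="SSL user failed to logged in"
date=2023-05-08 time=06:31:00 remip=198.51.100.7 user="administrator" msg="SSL user failed to logged in"
date=2023-05-08 time=06:32:00 remip=192.0.2.44 user="jdoe" msg="SSL user failed to logged in"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_kv(line):
    """Parse one FortiGate key=value log line; quoted values are unquoted."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def failed_sources(log_text, target_user="administrator"):
    """Count SSL VPN login failures per source IP for the targeted username."""
    hits = Counter()
    for line in log_text.splitlines():
        ev = parse_kv(line)
        if (ev.get("user") == target_user
                and ev.get("msg") == "SSL user failed to logged in"
                and "remip" in ev):
            hits[ev["remip"]] += 1
    return hits

def ban_commands(hits, threshold=2):
    """One ban command per source at/above the threshold (syntax as quoted in the thread)."""
    return [f"diagnose user banned-ip add src4 {ip} 0 admin"
            for ip, n in sorted(hits.items()) if n >= threshold]

def addrgrp_config(hits, group="AUTOBLK_GRP", threshold=2):
    """Address + address-group CLI for the local-in policy approach.
    Uses 'append member' so earlier group members are kept."""
    lines = []
    for ip, n in sorted(hits.items()):
        if n < threshold:
            continue
        lines += ["config firewall address", f"    edit {ip}",
                  f"        set subnet {ip}/32", "    next", "end",
                  "config firewall addrgrp", f"    edit {group}",
                  f"        append member {ip}", "    next", "end"]
    return "\n".join(lines)

if __name__ == "__main__":
    print("\n".join(ban_commands(failed_sources(SAMPLE_LOG))))
```

With the default threshold of 2, only the source seen twice is emitted; lower the threshold to 1 to match the original post's behaviour of banning on the first failure.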
Hi Mikael,
I was working on the same solution, but the script is not getting the remote IP, as the debug shows:
Do you have any idea?
Thank you!
Created on 04-05-2024 09:12 AM, edited on 04-05-2024 09:13 AM
This is the configuration I was looking for to prevent SSL VPN login attempts from retrying and thus put them in a kind of infinite quarantine,
but with the ability to remove from the address group an IP that ends up on the blacklist by mistake.
Hi PurpleShirt
Please apply the given script in the Action field of the CLI script to ban SSL VPN IPs.
diagnose user banned-ip add src4 %%remip%% 0 admin
Hope that helps,
Kind Regards,
Bijay Prakash Ghising
