Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Elbu3no
New Contributor II

Automation - SSLVPN Block IPs

I'm trying to automate an action in Fabric to avoid Brute Force
All SSLVPN logins failed I want to block, but after 3 attempts failed, for avoid legimitate login (wrong passwords).

My config is running well, I need to improve the action the 3 attempts.

Look the CLI action below. It's working.

config vdom
edit root

config firewall address
edit SSLVPN-Block-%%log.remip%%
set color 6
set subnet %%log.remip%%/32
end

config firewall addrgrp
edit "SSLVPN-Block-Group"
append member SSLVPN-Block-%%log.remip%%
end

9 REPLIES 9
ozkanaltas
Valued Contributor III

Hello @Elbu3no ,

 

If you have a FortiAnalyzer you can use an event handler as a trigger.

 

Event handler offers options like at least after 3 events seen.

 

You can review this document for Use an event handler as a trigger. 

 

https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/176287/fortianalyzer-event-h...

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
Elbu3no
New Contributor II

Hi @ozkanaltas, thanks for your answer.

It doesn't work from the fabric, because once the user gets the password wrong, they are already blocked, on the first atttempt.
I'd need to give 3 attempts, and block after these 3 errors.
It's possible?

ozkanaltas
Valued Contributor III

Hi @Elbu3no ,

 

in your scenario, you use a trigger on Fortigate.

 

But, in the scenario with FortiAnalyzer, the trigger is FortiAnalyzer. Fortianalyzer can wait for the same event to occur 3 times. This event will trigger Fortigate after repeating it 3 times.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
Elbu3no
New Contributor II

Hi @ozkanaltas 

Thanks for your answer and your support.
Do you have any tutorial or documentation about that?
I never did this process. Could you help me?

Thanks a lot.
Lhuan

ozkanaltas
Valued Contributor III

Hello @Elbu3no ,

 

You can review this document. How to create an event handler on FortiAnalyzer.

 

https://docs.fortinet.com/document/fortianalyzer/7.4.2/administration-guide/348606/creating-a-custom...

 

Also, you can review this document. How can you use an event handler as a trigger.

 

https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/176287/fortianalyzer-event-h...

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
Elbu3no
New Contributor II

Hi @ozkanaltas.

I've created the event handler and linked it with Fortigate.
Thanks a lot for documentations. It helped me a lot.

 

Now, I'm facing another issue, the action is not happening in fortigate. I have some screenshots about the process.
In the fortianalyzer I have events in Fortigate I don't have any trigger.6.png5.png4.png3.png2.png1.png

ozkanaltas
Valued Contributor III

Hello @Elbu3no ,

 

Can you try to enable this setting?

 

image.png

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
Elbu3no
New Contributor II

Hello @ozkanaltas 

Yes, I've tried it, and I don't have action on Fortigate, only logs.

Does it have any CLI script to verify the logs between Analyzer and Fortigate? I mean, I want to see that the analyzer is sending the logs to Fortigate, do a troubleshooting.

 

25032.png2503.png

bpozdena_FTNT

Hi @Elbu3no ,

even if your script worked, it would not help prevent the connections.

 

Luckily you don't need to do such things as SSL VPN daemon has brute force protection already built-in. You can configure it with the below two commands:

 

config vpn ssl settings
set login-attempt-limit    #SSL-VPN maximum login attempt times before block (0 - 10, default = 2, 0 = no limit).
set login-block-time       # Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60).
end

 

You can also allow/block connections from specific countries either from the SSL VPN daemon itself or via local-in firewall policy. Examples are below:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-SSL-VPN-connectivity-from-cert...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Blocking-Geolocations-for-SSL-VPN-and-mana...

HTH,
Boris
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors