I'm trying to automate an action in Fabric to avoid brute force.
I want to block all failed SSL VPN logins, but only after 3 failed attempts, to avoid blocking legitimate logins (wrong passwords).
My config is running well; I need to improve the action to allow the 3 attempts.
Look at the CLI action below. It's working.
config vdom
edit root
config firewall address
edit SSLVPN-Block-%%log.remip%%
set color 6
set subnet %%log.remip%%/32
end
config firewall addrgrp
edit "SSLVPN-Block-Group"
append member SSLVPN-Block-%%log.remip%%
end
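An added stand-alone illustration (not the poster's script and not Fortinet code) of the per-source threshold the thread asks for: it parses constructed FortiGate SSL VPN event log lines in key=value form, counts login failures per remip, and renders the same CLI block as above for every source that reaches 3 failures. The sample log lines, the action value and the key=value regex are assumptions about the log format.

```python
import re
from collections import Counter

# Constructed sample FortiGate event log lines (key=value format), not real traffic.
SAMPLE_LOGS = """\
date=2024-03-25 time=06:41:01 type="event" subtype="vpn" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=203.0.113.10 user="alice" msg="SSL user failed to logged in"
date=2024-03-25 time=06:41:05 type="event" subtype="vpn" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=203.0.113.10 user="alice" msg="SSL user failed to logged in"
date=2024-03-25 time=06:41:09 type="event" subtype="vpn" vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" remip=198.51.100.7 user="bob" msg="SSL tunnel established"
date=2024-03-25 time=06:41:12 type="event" subtype="vpn" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=203.0.113.10 user="admin" msg="SSL user failed to logged in"
date=2024-03-25 time=06:41:20 type="event" subtype="vpn" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=198.51.100.7 user="bob" msg="SSL user failed to logged in"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line):
    """Parse one key=value FortiGate log line into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def failed_logins_by_source(log_text):
    """Count SSL VPN login failures per source IP (the remip field)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec.get("action") == "ssl-login-fail" and "remip" in rec:
            counts[rec["remip"]] += 1
    return counts


def sources_over_threshold(log_text, threshold=3):
    """Return the sorted source IPs that reached the failure threshold (3, as in the thread)."""
    return sorted(ip for ip, n in failed_logins_by_source(log_text).items() if n >= threshold)


def block_script(remip, group="SSLVPN-Block-Group"):
    """Render the thread's CLI action with %%log.remip%% replaced by a concrete address."""
    name = f"SSLVPN-Block-{remip}"
    return "\n".join([
        "config vdom", "edit root",
        "config firewall address", f"edit {name}", "set color 6", f"set subnet {remip}/32", "end",
        "config firewall addrgrp", f'edit "{group}"', f"append member {name}", "end",
    ])


if __name__ == "__main__":
    for ip in sources_over_threshold(SAMPLE_LOGS):
        print(block_script(ip))
```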
Hello @Elbu3no ,
If you have a FortiAnalyzer, you can use an event handler as a trigger.
The event handler offers options like "at least 3 events seen".
You can review this document: Use an event handler as a trigger.
Hi @ozkanaltas, thanks for your answer.
It doesn't work from the Fabric, because once the user gets the password wrong, they are already blocked on the first attempt.
I'd need to give 3 attempts, and block after these 3 errors.
Is it possible?
Hi @Elbu3no ,
In your scenario, you use a trigger on FortiGate.
But in the scenario with FortiAnalyzer, the trigger is FortiAnalyzer. FortiAnalyzer can wait for the same event to occur 3 times. This event will trigger FortiGate after it repeats 3 times.
Hi @ozkanaltas
Thanks for your answer and your support.
Do you have any tutorial or documentation about that?
I never did this process. Could you help me?
Thanks a lot.
Lhuan
Hello @Elbu3no ,
You can review this document: How to create an event handler on FortiAnalyzer.
Also, you can review this document: How can you use an event handler as a trigger.
Hi @ozkanaltas.
I've created the event handler and linked it with FortiGate.
Thanks a lot for the documentation. It helped me a lot.
Now I'm facing another issue: the action is not happening in FortiGate. I have some screenshots of the process.
In the FortiAnalyzer I have events; in FortiGate I don't have any trigger.
Hello @Elbu3no ,
Can you try to enable this setting?
Created on 03-25-2024 06:41 AM Edited on 03-25-2024 06:50 AM
Hello @ozkanaltas
Yes, I've tried it, and I don't have any action on FortiGate, only logs.
Is there any CLI script to verify the logs between the Analyzer and FortiGate? I mean, I want to see that the Analyzer is sending the logs to FortiGate, to do some troubleshooting.
Hi @Elbu3no ,
Even if your script worked, it would not help prevent the connections.
Luckily you don't need to do such things, as the SSL VPN daemon already has brute force protection built in. You can configure it with the two commands below:
config vpn ssl settings
set login-attempt-limit #SSL-VPN maximum login attempt times before block (0 - 10, default = 2, 0 = no limit).
set login-block-time # Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60).
end
You can also allow/block connections from specific countries, either from the SSL VPN daemon itself or via a local-in firewall policy. Examples are below:
Copyright 2024 Fortinet, Inc. All Rights Reserved.