Hi Community,
I am trying to create an automation stitch that creates an address object and adds it to a Deny group when somebody tries to access SSL VPN with the admin or root user.
For this I created a Handler at FortiAnalyzer to alert when it detects these users' login attempts.
So I created this Stitch
Everything works, but when I debug we can see that the variable %%remip%% is not working
I also tried including the commands "config vdom / edit vdom", but that does not work either.
Any idea?
Thank you in advance!
Does it not work with %%log.remip%%?
No, I then also tried %%log.remip%% and it's the same.
Hi @JairCandia,
Please refer to this article for more information https://community.fortinet.com/t5/FortiGate/Technical-Tip-Block-SSL-VPN-Failed-Logins-with-an-automa...
Regards,
Minh
This is helpful, but with what @JairCandia is trying to do, it doesn't appear that you can have multiple usernames in the filter for the failed login events.
Created on 12-06-2023 09:15 AM Edited on 12-06-2023 09:17 AM
That's right, I want to block multiple users with only one Stitch.
From a FortiOS Event Log it's possible (I have it working now), but I need to create a new Stitch for every user.
The issue might be the involvement of FortiAnalyzer.
The KB shared by Minh demonstrates that %%log.remip%% works when both the log and stitch are on FortiGate; in your case, the log is sent to FortiAnalyzer, which has an event handler to then trigger an automation stitch, instead of the FortiGate detecting the log itself (including all its fields and values) and triggering the stitch.
I believe because it is up to FortiAnalyzer to trigger the stitch, it is not aware of the %%remip%% or %%log.remip%% variable in the stitch, and thus the remote IP is never shared with the FortiGate. The FortiGate on the other hand is not aware of the log, as the stitch is triggered by the Event Handler, not an actual log message.
I'm not certain if variables CAN be used when having FortiAnalyzer trigger the automation stitch, instead of a log message on FortiGate itself.
Hi Debbie,
Thank you for your thoughts. Sounds like that's the reason, but I don't know then why we have the FortiAnalyzer Event Handler trigger option. =S
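As an added illustration (not part of the thread and not taken from the linked KB), this is the kind of CLI-script action body the stitch runs on the FortiGate-local event-log path, the path Debbie notes is the one where %%log.remip%% is populated. It assumes the stitch trigger is a FortiOS SSL VPN login-failure event log filtered on the user field, that the address group is named "SSLVPN-Deny" (a constructed name), and that the firewall has VDOMs enabled, so the script first enters the VDOM the SSL VPN lives in; on a non-VDOM unit drop the first two and the last lines.

```fortios
# Added example: automation-stitch CLI-script action body.
# Runs only after a matching event log is seen by the FortiGate itself,
# so %%log.remip%% expands to the remote IP carried in that log.
config vdom
edit root
# Create a /32 address object named after the offending source IP.
config firewall address
edit "deny-%%log.remip%%"
set subnet %%log.remip%% 255.255.255.255
set comment "auto-blocked: admin/root SSL VPN login attempt"
next
end
# Append it to the deny group (group name "SSLVPN-Deny" is assumed);
# a policy or SSL VPN source restriction referencing that group then blocks it.
config firewall addrgrp
edit "SSLVPN-Deny"
append member "deny-%%log.remip%%"
next
end
end
```

When the stitch is instead fired by a FortiAnalyzer event handler, the same script is executed without a FortiGate-side log context, which is consistent with the empty %%remip%% / %%log.remip%% observed in the original debug output; one way to check which path is in use is to run the stitch's debug on the FortiGate and confirm whether the trigger shown is an event-log match or a FortiAnalyzer event.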