Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
FractalSphere
New Contributor II

Blocking by region and stopping attempted logins

I have many corporate Fortinet firewalls in play, but finally just went and bought one for myself (a 60e, great for home internet and labs) so am posting with my personal acct - and am seeing the following weird issue.  

 

I have created an address group blocking a number of countries (Russia and China primarily, seeing attempted connectoin attempts from various IP's).

 

While I do 'allow' SSH on wan1, the administrator super_admin and my acct profile_admin are only allowed from certain IP ranges (my inside subnets and the VPN DHCP range I hand out when I connect to my own network from outside) so that's already fairly locked down.

I am seeing logs denying 'admin' by blocked IP because it falls outside trustedhosts range, but if the bots try any other account (that does NOT exist on the Fortinet) it allows the connection to try passwords and then of course fails because there's no such account. 

 

I have created a deny policy referencing the regions and put wan1/wan1 as the from/to because this isn't hitting a VIP, it's just SSH attempts to wan1. 

Screenshot from 2024-03-12 17-19-34.png

Screenshot from 2024-03-12 17-07-11.png
yes, despite being policy #7, it's ordered to the top of the list so it's the first policy processed when traffic hits wan1

Screenshot from 2024-03-12 17-18-45.png

What I was hoping would happen here is that the policy would deny even the attempted connection from source IP's that match the regions and my address group BEFORE allowing the SSH connection and attempting authentication.  I have tested this from another static IP that I added to the group and the hitcount does not increase (show matching logs shows nothing hitting the policy at all)

What's happening here where a bad acct can attempt to log in from a region blocked IP but a known acct filters based on the trustedhosts?

 

These are slow attempts, maybe a few to up to a dozen a day, so definitely not killing my bandwidth, stressing the firewall, or causing any disruptions, but I would still want to deny ANY connections from those regions.

 

Looking for advice and guidance here. 

 

Thanks!

1 Solution
hbac

Hi @FractalSphere,

 

Do you have trusted hosts configured for all admin accounts? You can use local-in-policy to block incoming connections to the FortiGate. Please refer to https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/363127/local-in-policy

 

Regards, 

View solution in original post

10 REPLIES 10
FractalSphere
New Contributor II

Those are both good reads, but neither applies to my issue - here check it out

 

The first one talks about restricting SSLVPN access against certain regions, which I hadn't employed before but isn't the issue here.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-by-country-or-geolocation/ta-...


The second one talks about applying region blocking to VIP traffic into a server, which is a smart move if you're defining regions like this.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-allowing-sslvpn-access-from-sp...


My issue is that there's various ssh connection attempts happening directly to my firewall, the Fortinet 60e, and only known accounts are being blocked against my trustedhosts lists. Unknown accounts, despite the policy blanket denying regions, are being allowed to try multiple login attempts with no IP filtering.  That's the goal, to filter against any connection attempts against those regions directly ssh'ing into my firewall.

 

 

FractalSphere
New Contributor II

Here, see how the 'admin' acct is being actively blocked because of "blocked IP" but other non-existent accts aren't being blocked by region. They're just allowed to connect and attempt the login regardless. 

Oddly enough this hasn't come up at work at all where we have strict allow lists and appliances are behind AWS security groups, or field sites are often times behind some other forward device with allow lists. I'm seeing this at home because I'm on consumer internet and there's bots out there doing slow trolls of the public subnets. 

 

Screenshot from 2024-03-13 08-26-39.png

ametkola
Staff
Staff

Hi,

 

Please check the documentation related to the SSH and Telnet restriction : https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-SSH-and-telnet-from-FortiGate-...

 

If you feel the above steps helped to resolve the issue mark the reply as solved so that other customers can get it easily while searching on similar scenarios.

 

Regards,

ametkola
Staff
Staff

Hi,

 

Let me add also how to block by region >> https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-by-country-or-geolocation/ta-...

 

In your case the firewall policy is create from Wan to Wan , can you please change from Wan to Lan ?

 

Regards,

 

FractalSphere

Unfortunately, that does not apply.  It's the same link as posted above in the first reply.

It references applying region blocking to a VIP so you limit inbound traffic that is able to hit an inside resource. That's not the case here, I am seeing attacks directly against the firewall itself, and need to apply the region blocking against wan1's SSH port.  Again, only known accounts are being filtered against the trustedhosts lists, unknown accounts, despite the attempted block, are being allowed to test credentials.

 

The other link you posted is limiting using the firewall as a jump-point to SSH to other devices.  

 

How do we apply a policy that blocks against these filters BEFORE even allowing the SSH session to begin?  Should I define an address object as wan1 on the destination portion of the policy?

 

hbac

Hi @FractalSphere,

 

Do you have trusted hosts configured for all admin accounts? You can use local-in-policy to block incoming connections to the FortiGate. Please refer to https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/363127/local-in-policy

 

Regards, 

FractalSphere
New Contributor II

Yes as stated, I do have trustedhosts configured for admin accts.

 

Local-in policies was the right answer, apparently!  Thanks!  :) 

 

I got a local-in policy that appears to be working as intended by applying the following block via the CLI!  

config firewall local-in-policy
edit 10
set intf "wan1"
set srcaddr "External-blocked IPs by geography"
set dstaddr "all"
set action deny
set service "ALL"
set schedule "always"
set comments "test local-in"
next
end

 

I will be looking into logging of this I suppose and getting some stats on how often those regions attempt connections, but for now my other static IP I'm testing against just hangs and denies the connections for both known and unknown accts. 

 

FractalSphere

FYI I enabled some logging (will likely tweak this as I go) from this reference

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Local-traffic-logs-tab-shows-no-results/ta...

 

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors