Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Fabio
Contributor

Guide Tecnical Tip - How to block persistent attempts SSL VPN connections but not known users

Hello everyone,

I would like to share with you this my mini guide that I created for own purpose: block unwanted and malicious attempts to connect to our SSL VPN permanently.
Through "Automation" I created a Stitch that get Logs of failed attempts to access the SSL VPN and create an IP Address Group that would be invoked by a Local Policy that deny connections to the SSL VPN.
This system blocks the source IP on the first attempt, and here there was the problem for known users who might run into this automation.
I created a second Stitch that within it invokes a Trigger with a Filter Field on the "known" username ; this creates another IP Address Group that is then invoked by a Local Policy that allows traffic.

Below is my configuration:

These are all the Automations:

Screenshot 2024-04-06 alle 10.52.00.png

First Automation to Block UNKnow User:

Screenshot 2024-04-06 alle 10.54.33.png

The Trigger ( the trigger that takes the Logs )  :

Screenshot 2024-04-06 alle 10.55.16.png

The Action (that create and append the IP in Address Group) :

Screenshot 2024-04-06 alle 10.59.35.png

N.B.: it's a vdom - root

end
config vdom
edit root
config firewall address
edit %%log.remip%%
set color 6
set subnet %%log.remip%%/32
end
config firewall addrgrp
edit AUTOBLK_GRP
append member %%log.remip%%
end

 

Below is the configuration of the Automation that creates another group but with a Trigger that specifies the user that will be hung in this group and allowed with the other Local Policy.

Screenshot 2024-04-06 alle 11.05.06.png

the Second Group Permit:

Screenshot 2024-04-06 alle 11.06.28.png

end
config vdom
edit root
config firewall address
edit %%log.remip%%
set color 6
set subnet %%log.remip%%/32
end
config firewall addrgrp
edit AUTOPERMIT_GRP
append member %%log.remip%%
end

 

For more users you have to create more Stitch because you cannot add users in the previous Stitch because Filter Fields have the consequence with AND and not with OR

 

config firewall local-in-policy
edit 1

   set intf "VLAN_7"
   set srcaddr "AUTOPERMIT_GRP"
   set dstaddr “SSL_VPN_ADDR”
   set action accept
   set service "HTTPS"
   set schedule "always"
 next

edit 2
    set intf "VLAN_7"
    set srcaddr "AUTOBLK_GRP"
    set dstaddr “SSL_VPN_ADDR”
    set service "HTTPS"
    set schedule "always"
 next
end

 

I hope you enjoyed the guide and if you have ideas on how to avoid creating more Automation to add more users it would be helpful to know. 

 

Enjoy

Fabio

Fabio
Fabio
1 REPLY 1
mpeddalla
Staff
Staff

Hello @Fabio ,

Thank you for sharing.

 

Best regards,

Manasa.

Manasa
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors