Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Fabio
Contributor

Created on ‎04-06-2024 02:16 AM Edited on ‎04-10-2024 09:24 AM

Guide Tecnical Tip - How to block persistent attempts SSL VPN connections but not known users

Hello everyone,

I would like to share with you this my mini guide that I created for own purpose: block unwanted and malicious attempts to connect to our SSL VPN permanently.
Through "Automation" I created a Stitch that get Logs of failed attempts to access the SSL VPN and create an IP Address Group that would be invoked by a Local Policy that deny connections to the SSL VPN.
This system blocks the source IP on the first attempt, and here there was the problem for known users who might run into this automation.
I created a second Stitch that within it invokes a Trigger with a Filter Field on the "known" username ; this creates another IP Address Group that is then invoked by a Local Policy that allows traffic.

Below is my configuration:

These are all the Automations:

Screenshot 2024-04-06 alle 10.52.00.png

First Automation to Block UNKnow User:

Screenshot 2024-04-06 alle 10.54.33.png

The Trigger ( the trigger that takes the Logs )  :

Screenshot 2024-04-06 alle 10.55.16.png

The Action (that create and append the IP in Address Group) :

Screenshot 2024-04-06 alle 10.59.35.png

N.B.: it's a vdom - root

end
config vdom
edit root
config firewall address
edit %%log.remip%%
set color 6
set subnet %%log.remip%%/32
end
config firewall addrgrp
edit AUTOBLK_GRP
append member %%log.remip%%
end

 

Below is the configuration of the Automation that creates another group but with a Trigger that specifies the user that will be hung in this group and allowed with the other Local Policy.

Screenshot 2024-04-06 alle 11.05.06.png

the Second Group Permit:

Screenshot 2024-04-06 alle 11.06.28.png

end
config vdom
edit root
config firewall address
edit %%log.remip%%
set color 6
set subnet %%log.remip%%/32
end
config firewall addrgrp
edit AUTOPERMIT_GRP
append member %%log.remip%%
end

 

For more users you have to create more Stitch because you cannot add users in the previous Stitch because Filter Fields have the consequence with AND and not with OR

 

config firewall local-in-policy
edit 1

   set intf "VLAN_7"
   set srcaddr "AUTOPERMIT_GRP"
   set dstaddr “SSL_VPN_ADDR”
   set action accept
   set service "HTTPS"
   set schedule "always"
 next

edit 2
    set intf "VLAN_7"
    set srcaddr "AUTOBLK_GRP"
    set dstaddr “SSL_VPN_ADDR”
    set service "HTTPS"
    set schedule "always"
 next
end

 

I hope you enjoyed the guide and if you have ideas on how to avoid creating more Automation to add more users it would be helpful to know. 

 

Enjoy

Fabio

Fabio
Fabio
Labels:
270
1 REPLY 1
mpeddalla
Staff
Staff

Created on ‎04-06-2024 05:04 AM

Hello @Fabio ,

Thank you for sharing.

 

Best regards,

Manasa.

242
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.