FortiSIEM Discussions
gwaihir
New Contributor III

How to detect SSL-VPN connections without token with FortiSIEM?

Hello Community

 

I'm trying to create a rule in FortiSIEM to detect successful SSL-VPN connections without a token. The logs that I get from syslog are:

 

FortiGate-event-two-f-auth-code-sendto
FortiGate-ssl-vpn-user-tunnel-up
FortiGate-event-auth-logon

 

What would be the best approach to creating this rule, or are there other options to achieve this?

 

Regards.

Secusaurus
Contributor II

Hello @gwaihir,

 

I suppose you see these events one after the other. So the first method that comes to my mind is to create two subpatterns in the rule, one for each of the events, and define the connection as "NOT FOLLOWED BY". They should both include the username and probably the remote IP to connect the patterns.

 

Second thought is looking at the FortiAuthenticator instead of FortiGate which could also have a detailed log about how the authentication was processed (with or without token).

 

Third idea would be to have a user list (e.g. discover via LDAP) for all the users that have a token or do not have a token and just use a rule for a vpn logon for either one or the other user group.

 

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
gwaihir
New Contributor III

Hello @Secusaurus thank you for reply.

 

1. The event logs do not arrive consecutively on FSIEM; each FortiGate sends a lot via syslog, so they arrive interleaved with IPS, generic, IPsec ... events.

2. I'm not using FAC for MFA; I'm just using the local users on the FortiGate with tokens sent by email.

3. If I use a local database of users to validate, this will not detect a login without a token when the SSL-VPN gets exploited by some future bug.

 

 

Regards.

 

 

Secusaurus

Hello @gwaihir,

 

Thanks for the input. I've looked up the logs created for one of our customers on FSM. Unfortunately, I agree, this is not very clear here. If it does not send out push notifications (as in your case), you cannot see if it's using MFA at all.

I can see very clear logs for that on a FAC, but not on a FortiGate if that's the only device.

You might want to try to use the "AND" operator for these two subpatterns. This will look for the one event (tunnel up), find more than one for a user in the time frame and then requires the rule to find the other event (fortitoken push) on the other pattern in the same time frame. Connecting the user, remote ip and reporting device should link these logs properly.

 

Regarding your concerns about (3): I am not quite sure if the SSL vulnerability enabled users to log on without tokens. I would assume that there needs to be a config change before that, which would have caused an incident hours or days before this user logs on.

Also note that SSL-VPN is not recommended anymore on FortiGates and you should consider moving to ZTNA or IPsec (there is an IPsec over TCP/443 option starting in v7.4, which is mature already; it's just that the FortiClient for that is not finished yet).

 

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
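The correlation suggested in both replies above (a "NOT FOLLOWED BY" / "AND" pair of subpatterns joined on user, remote IP and reporting device within a time window) can be prototyped outside FortiSIEM to check the logic before building the rule. The following is an added example written for this page; it is not code from the thread, from FortiSIEM or from Fortinet. It parses constructed FortiGate key=value syslog lines (the `action`/`tunneltype` values used to classify them, the presence of `remip` on both events, and the 5-minute window are assumptions), sorts by log timestamp rather than arrival order so that interleaved and late-arriving lines do not break the match, and reports every SSL tunnel-up that has no two-factor code-sent event for the same (device, user, remote IP) key within the window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real captures). Field names follow FortiGate's
# key=value syslog convention; the action/tunneltype values are assumptions.
# The carol code-sent line is deliberately placed out of order to mimic late arrival.
SAMPLE_SYSLOG = """\
date=2024-05-01 time=10:00:01 devname="FGT-01" type=event subtype=system action="two-factor-auth-code-sendto" user="alice" remip=203.0.113.5 msg="Two-factor code sent"
date=2024-05-01 time=10:00:02 devname="FGT-01" type=utm subtype=ips action="detected" srcip=198.51.100.9 msg="IPS noise between the events"
date=2024-05-01 time=10:00:03 devname="FGT-01" type=event subtype=vpn action="tunnel-up" tunneltype="ipsec" user="" remip=198.51.100.20 msg="IPsec tunnel, not SSL"
date=2024-05-01 time=10:00:20 devname="FGT-01" type=event subtype=vpn action="tunnel-up" tunneltype="ssl-tunnel" user="alice" remip=203.0.113.5 msg="SSL tunnel established"
date=2024-05-01 time=10:01:00 devname="FGT-01" type=event subtype=vpn action="tunnel-up" tunneltype="ssl-tunnel" user="bob" remip=203.0.113.77 msg="SSL tunnel established"
date=2024-05-01 time=09:40:00 devname="FGT-01" type=event subtype=system action="two-factor-auth-code-sendto" user="carol" remip=203.0.113.9 msg="Two-factor code sent"
date=2024-05-01 time=10:02:00 devname="FGT-01" type=event subtype=vpn action="tunnel-up" tunneltype="ssl-tunnel" user="carol" remip=203.0.113.9 msg="SSL tunnel established"
date=2024-05-01 time=10:02:30 devname="FGT-02" type=event subtype=vpn action="tunnel-up" tunneltype="ssl-tunnel" user="alice" remip=203.0.113.5 msg="SSL tunnel established"
"""

# key=value pairs; values may be quoted (possibly containing spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Normalised event names, taken from the FortiSIEM event types quoted in the thread
TWO_FACTOR_CODE = "FortiGate-event-two-f-auth-code-sendto"
SSL_TUNNEL_UP = "FortiGate-ssl-vpn-user-tunnel-up"

# Attributes that link the two events, as suggested in the replies
KEY_FIELDS = ("devname", "user", "remip")


def parse_fortigate(line):
    """Parse one key=value FortiGate syslog line into a dict with a 'ts' datetime."""
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ev["ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
    return ev


def classify(ev):
    """Map a parsed event to one of the two event types of interest (assumed field values)."""
    if ev.get("action") == "two-factor-auth-code-sendto":
        return TWO_FACTOR_CODE
    if ev.get("action") == "tunnel-up" and ev.get("tunneltype") == "ssl-tunnel":
        return SSL_TUNNEL_UP
    return None


def find_tunnels_without_token(lines, window=timedelta(minutes=5)):
    """Return SSL tunnel-ups with no code-sent event for the same key within `window` before them.

    Events are ordered by their own timestamp, not by arrival order, so interleaved
    or delayed syslog lines are handled correctly.
    """
    events = sorted((parse_fortigate(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    code_sent = defaultdict(list)  # (devname, user, remip) -> timestamps of code-sent events
    hits = []
    for ev in events:
        kind = classify(ev)
        if kind is None:
            continue  # IPS, generic, IPsec and other noise
        key = tuple(ev.get(f, "") for f in KEY_FIELDS)
        if kind == TWO_FACTOR_CODE:
            code_sent[key].append(ev["ts"])
        elif not any(ev["ts"] - window <= t <= ev["ts"] for t in code_sent[key]):
            hits.append({"ts": ev["ts"].isoformat(sep=" "), **dict(zip(KEY_FIELDS, key))})
    return hits


if __name__ == "__main__":
    for hit in find_tunnels_without_token(SAMPLE_SYSLOG.splitlines()):
        print("SSL tunnel-up without preceding two-factor code:", hit)
```

On the constructed input this flags bob (no code-sent event at all), carol (her code was sent 22 minutes earlier, outside the window) and alice's tunnel on FGT-02 (the code was sent by FGT-01, so the reporting device does not match), while alice on FGT-01 is not flagged. Two caveats a practitioner should keep in mind: a code-sent event only shows that the challenge was issued, not that the token was validated, which is the limitation Christian describes for FortiGate-only logging; and the window has to be tuned to how long a user realistically takes between receiving the email and completing the login, otherwise slow logins will produce false positives.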