I have read many helpful posts concerning SSL VPN security and different approaches that can be used to improve security. So far we have the following security measures in place: unique usernames, strong unique passwords, and geo filtering from the SSL-VPN Settings / Restrict access to specific hosts field. Most firewalls are running FortiOS 7.2.7 or 6.2.16.
We see a lot of messages that say:
The following critical firewall event was detected: SSL VPN login fail.
I would like to improve security and would like to have a much shorter list of SSL VPN login fail messages to review. The shorter list would help us to verify if attempts are being made using actual SSL VPN users on the firewall (more likely to be able to log in) or if a bad actor is simply guessing random usernames (unlikely to be successful in logging in).
Does using geo filtering in a local in policy work the same way that it works on the SSL-VPN Settings / Restrict access to specific hosts field? In other words, do both, when violated, still trigger an SSL VPN login fail event message?
If two-factor authentication were used via User Definition, would an attempted login that is within the allowed geo area(s), and fails due to an incorrect password, or failure of the user to enter the correct two-factor authentication, still also trigger the SSL VPN login fail event message?
I would be interested to know too what in your opinion is the next best security improvement that we should consider. My hesitation in utilizing two-factor authentication has been the time to set up, the impact on the end user, and the cost.
Hi SecurityPlus
Before answering your question, let me ask you something. Any reason why not to use IPSec instead of SSL-VPN for the users with FortiClient?
The only reason might be lack of experience with it. I have used it from FortiGate to FortiGate with good success. I have hardly used it for a user to connect from a PC to the firewall. Is this recommended in lieu of SSL VPN?
Hi @SecurityPlus ,
The following critical firewall event was detected: SSL VPN login fail.
You may get this error when a user is trying to connect to the device using the wrong password or non-existing username on your SSLVPN group mapping and authentication.
As SSLVPN is publicly available, some malicious users are trying to brute-force your connection by using a generic username and password. That is why strong password encryption is a must.
To narrow down the list of geo-locations that can access your connection, on the SSL-VPN Settings, you could set only the allowed country on 'Limit access to specific hosts'.
On the allowed geo-location, if you are still seeing some unauthorized attempts, you could restrict the access using a local-in policy and block their IP or subnet.
As it may be too tedious to list the subnet one-by-one, you could make an automation stitch to block the IP of the user that failed to login to the VPN.
Note:
This will block legitimate users as well if the login attempt fails. It will be necessary to manually remove each user's public IP from this address object to allow them to connect to the VPN again.
Furthermore, as you are getting the notification "SSL VPN login fail", it means that the Fortigate is denying this unwanted connection and it is the expected behaviour. Using two-factor authentication is recommended as it provides another layer of protection.
Thanks rvillaroman. If 'Limit access to specific hosts' and/or a local-in policy is used, will connection attempts that violate these criteria show up in the VPN login fail logs, or will they be denied before the log records the failure?
Created on 06-10-2024 08:41 PM Edited on 06-10-2024 08:43 PM
If the IP or geo-location of the malicious users is not part of the allowed country or IP on 'Limit access to specific hosts', it will not log as "VPN login fail logs," but their access will be denied. This is the same on the local-in-policy.
Thanks. This appears to be a very good solution in the cases where we know the IP address(es) of those that will connect to the firewall.
Where users are traveling, we will need to take further steps as we won't know the host IP addresses. We already use Geo filtering, but it appears that there are still a lot of login attempts in spite of the limited territory restriction. Would two-factor authentication be the next improvement recommended? Or is IPSec a better option?
I could recommend using geo-filtering to narrow down the brute-force attempts.
Then create an automation to block the unauthorized IP from connecting to your SSLVPN.
Just remove it from the address group if it has been verified that a legitimate user has been blocked by the automation. With these steps, you don't need to know the IPs that need to be blocked, as they will be blocked automatically.
Using two-factor authentication is another layer of security, but if your problem is that you do not want to see the "SSL VPN login fail" messages, it cannot help to limit the unauthorized attempts; it adds protection so that these unauthorized users will not succeed in connecting to your SSLVPN even if they have the correct username or user's password.
On IPSEC dial-up remote access, it will ask for a preshared key to establish a VPN connection aside from the user's credentials. However, since it has a preshared key, you might see some logs of "vpn-fail" attempts due to a PSK mismatch from the malicious users.
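The original poster wants to tell failed logins against real SSL VPN accounts apart from random username guessing, and the replies suggest an automation that blocks a source after failed logins while warning that legitimate users can be caught by it. The script below is an added example, not from the thread or from Fortinet: it parses constructed FortiGate-style key=value event log lines, counts failures per source IP against a hypothetical local user list, and flags which sources a "block after N failures" automation would catch and which of those deserve a manual look because they only tried real usernames.

```python
import re
from collections import defaultdict

# FortiOS event logs are space-separated key=value pairs; quoted values may
# contain spaces, so capture both the quoted and the bare form.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines (not captured from a real device or from the thread).
SAMPLE_LOGS = [
    'type="event" subtype="vpn" logdesc="SSL VPN login fail" remip=203.0.113.5 user="admin"',
    'type="event" subtype="vpn" logdesc="SSL VPN login fail" remip=203.0.113.5 user="test"',
    'type="event" subtype="vpn" logdesc="SSL VPN login fail" remip=203.0.113.5 user="jsmith"',
    'type="event" subtype="vpn" logdesc="SSL VPN login fail" remip=198.51.100.7 user="mjones"',
    'type="event" subtype="vpn" logdesc="SSL VPN login fail" remip=198.51.100.7 user="MJones"',
    'type="event" subtype="vpn" logdesc="SSL VPN login fail" remip=198.51.100.7 user="mjones"',
    'type="event" subtype="vpn" logdesc="SSL VPN login fail" remip=192.0.2.9 user="mjones"',
    'type="event" subtype="vpn" logdesc="SSL VPN tunnel up" remip=192.0.2.9 user="mjones"',
]
KNOWN_USERS = ["jsmith", "mjones"]  # hypothetical local SSL VPN user list


def parse_log(line):
    """Return one log line as a dict of field name -> value."""
    return {k: (q if q else b) for k, q, b in KV_RE.findall(line)}


def classify_failures(lines, known_users, threshold=3):
    """Per source IP: failures against real accounts vs guessed usernames,
    whether a block-after-N-failures automation would add the IP to the
    blocklist, and whether that block should be reviewed (only real
    usernames were tried, so it may be a legitimate user mistyping)."""
    known = {u.lower() for u in known_users}
    counts = defaultdict(lambda: {"known": 0, "unknown": 0})
    for line in lines:
        f = parse_log(line)
        if f.get("logdesc") != "SSL VPN login fail":
            continue  # ignore successful tunnels and other events
        bucket = "known" if f.get("user", "").lower() in known else "unknown"
        counts[f.get("remip", "?")][bucket] += 1
    report = {}
    for ip, c in counts.items():
        total = c["known"] + c["unknown"]
        report[ip] = {"known": c["known"], "unknown": c["unknown"],
                      "would_block": total >= threshold,
                      "review": total >= threshold and c["unknown"] == 0}
    return report


def demo():
    return classify_failures(SAMPLE_LOGS, KNOWN_USERS, threshold=3)


if __name__ == "__main__":
    for ip, r in demo().items():
        print(ip, r)
```

Sources that would be blocked but only ever tried real usernames are the ones the reply says to check and, if legitimate, remove from the address group.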