- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiADC
- FortiAnalyzer
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Improve SSL VPN Security / Reduce SSL Login Fail M...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Improve SSL VPN Security / Reduce SSL Login Fail Messages
I have read many helpful posts concerning SSL VPN security and different approaches that can be used to improve security. So far we have unique usernames, strong unique passwords, and geo filtering from the SSL-VPN Settings / Restrict access to specific hosts field, security measures in place. Most firewalls are running FortiOS 7.2.7 or 6.2.16.
We see a lot of messages that say:
The following critical firewall event was detected: SSL VPN login fail.
I would like to improve security and would like to have a much shorter list of SSL VPN login fail messages to review. The shorter list would help us to verify if attempts are being made using actual SSL VPN users on the firewall (more likely to be able to log in) or of a bad actor is simply guessing random usernames (unlikely to be successful in logging in).
Does using geo filtering in a local in policy work the same way that it works on the SSL-VPN Settings / Restrict access to specific hosts field? In other words, do both, when violated, still trigger an SSL VPN login fail event message?
If two-factor authentication were used via User Definition, would an attempted login that is within the allowed geo area(s), and fails due to an incorrect password, or failure of the user to enter the correct two-factor authentication, still also trigger the SSL VPN login fail event message?
I would be interested to know too what in your opinion is the next best security improvement that we should consider? My hesitation in utilizing two-factor authentication has been the time to setup, the impact on the end user, and the cost.
Labels:
- Labels:
-
FortiGate
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi SecurityPlus
Before answering you question, let me ask you something. Any reason why not use IPSec instead of SSL-VPN for the users with FortiClient?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The only reason might be lack of experience with it. I have used it from FortiGate to FortiGate with good success. Have hardly used it for a user to connect from a PC to the firewall. Is this recommend in lieu of SSL VPN?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @SecurityPlus ,
The following critical firewall event was detected: SSL VPN login fail.
You may get this error when a user is trying to connect to the device using the wrong password or non-existing username on your SSLVPN group mapping and authentication.
As SSLVPN is publicly available, some malicious users are trying to brute-force your connection by using a generic username and password. That is why strong password encryption is a must.
To narrow down the list of geo-locations that can access your connection, on the SSL-VPN Settings, you could set only the allowed country on 'Limit access to specific hosts'.
On the allowed geo-location, if you are still seeing some unathorized attempt, you could restrict the access using local-in policy and block their IP or subnet.
As it may be too tedious to list the subnet one-by-one, you could make an automation stitch to block the IP of the user that failed to login to the VPN.
Note:
This will block legitimate users as well if the login attempt fails. It will be necessary to manually remove each user's public IP from this address object to allow them to connect to the VPN again.
Furthermore, as you are getting the notification "SSL VPN login fail", it means that the Fortigate is denying this unwanted connection and it is the expected behaviour. Using two-factor authentication is recommended as it provides another layer of protection.
rvillaroman
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks rvillaroman. If 'Limit access to specific hosts' and/or use a local-in policy, will connection attempts that violate these criteria show up in the VPN login fail logs or will these be denied before the log records the failure.
Created on 06-10-2024 08:41 PM Edited on 06-10-2024 08:43 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the IP or geo-location of the malicious users is not part of the allowed country or IP on 'Limit access to specific hosts', it will not log as "VPN login fail logs," but their access will be denied. This is the same on the local-in-policy.
rvillaroman
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. This appears to be a very good solution in the cases that we know the IP address(s) of those that will connect to the firewall.
Where users are traveling, we will need to take further steps as we won't know the host IP addresses. We already use Geo filtering, but it appears that there are still a lot of login attempts in spite of the limited territory restriction. Would two-factor authentication be the next improvement recommended? Or is IPSec a better option?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I could recommend using geo-filtering to narrow down the brute-force attempts.
Then create an automation to block the unauthorized IP from connecting to your SSLVPN.
Just remove it from the address group if it has been verified that a legitimate user has been blocked by the automation. With these steps, you don't need to know the IPs that need to be blocked, as they will be blocked automatically.
Using two-factor authentication is another layer of security, but if your problem is that you do not want to see the "SSL VPN login fail," it cannot help to limit the unauthorized attempt, but to add protection that these unathorized users will not succeed in connecting to your SSLVPN even if they have the correct username or user's password.
On IPSEC dial-up remote access, it will ask for a preshared key to establish a VPN connection aside from the user's credentials. However, since it has a preshared key, you might see some logs of "vpn-fail" attempts due to a PSK mismatch from the malicious users.
rvillaroman
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- What da heck is going on... 183 Views
- Intune MSI deployed FortiClient requires end... 346 Views
- Persistent One Way Audio Issues, no... 581 Views
- FortiGate logs collection and parsing issues 425 Views
Labels
-
FortiGate
7,099 -
FortiClient
1,399 -
5.2
801 -
5.4
639 -
FortiManager
615 -
FortiAnalyzer
449 -
6.0
416 -
FortiAP
373 -
FortiSwitch
368 -
5.6
362 -
FortiClient EMS
288 -
FortiMail
276 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
6.4
128 -
FortiNAC
124 -
FortiGuard
115 -
IPsec
107 -
SSL-VPN
100 -
FortiGateCloud
95 -
FortiSIEM
92 -
FortiCloud Products
88 -
FortiToken
76 -
Customer Service
71 -
Wireless Controller
64 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
47 -
FortiADC
45 -
Fortivoice
44 -
FortiEDR
43 -
FortiDNS
38 -
FortiExtender
36 -
FortiGate v5.4
35 -
FortiAuthenticator
34 -
FortiSandbox
33 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
FortiPortal
18 -
FortiSwitch v6.2
17 -
LDAP
17 -
Interface
17 -
VDOM
17 -
Routing
15 -
FortiMonitor
14 -
Authentication
14 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
Logging
14 -
FortiDDoS
13 -
RADIUS
12 -
FortiCASB
12 -
NAT
11 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSL SSH inspection
10 -
SSO
10 -
Application control
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Web application firewall profile
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
FortiAP profile
6 -
OSPF
6 -
Static route
6 -
IPS signature
5 -
Packet capture
5 -
FortiPAM
5 -
Automation
5 -
trunk
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
Port policy
4 -
Antivirus profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
3.6
4 -
FortiScan
4 -
Web rating
4 -
Intrusion prevention
4 -
FortiDeceptor
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
Fortinet Engage Partner Program
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
DLP sensor
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
Netflow
2 -
FortiInsight
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
DLP Dictionary
2 -
VoIP profile
2 -
DLP profile
2 -
Fabric connector
2 -
Multicast policy
1 -
4.0MR1
1 -
Zone
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Explicit proxy
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1053 | |
| 870 | |
| 521 | |
| 441 | |
| 146 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.