rg2017
New Contributor III

SSL-VPN Connection Attempts

Hello. I'm seeing a number of connection attempts with various non-existent user accounts from countries outside of the US. Is anyone else seeing such connection attempts? This hasn't happened in quite a long time. I had previously configured VPN to only allow connections from USA-based IP addresses using the geo list provided by Fortinet. I'm not sure why all of a sudden these foreign IP addresses are able to attempt connections. Can someone offer some insight? Thank you.

seshuganesh
Staff

Hi Team,

 

Any user can access your VPN because it will be globally accessible. They might try to log in with many different usernames since they are not sure about your credentials.

In order to overcome this, please configure two local-in policies: the first local-in policy allows traffic from the specific GEO location and the second local-in policy blocks traffic from all other locations:

Note: Please create a local-in policy service for the SSL VPN port only, or it may result in blocking WAN access to the firewall.

 

You can use this article for the same:

https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/363127/local-in-policies

 

rg2017
New Contributor III

Thank you. As I mentioned in my post, I have SSL-VPN limited to US IP addresses. I know that's not perfect, but it should prevent some from attempting connections. As far as users not knowing their credentials, that doesn't apply here. The attempted connections are from users like test, admin, guest, etc. It's not my users trying to log in from foreign IP addresses with those accounts. We are a very small organization and our remote users do not travel internationally. We have less than 10 people using VPN.

gfleming

You can try using a non-standard port instead of 443 for SSL VPN. This would reduce the bots scanning for open services and finding your SSL VPN running. This will also likely break SSL VPN at some places where ports are blocked. 

 

Really the best you can do is what you've done already and just live with it. This is what happens when you open up services to the internet. Just ensure you have sound password policies in place and 2FA if you're really concerned. 

 

 

Cheers,
Graham
ede_pfau
Esteemed Contributor III

Just to chime in:

You already protect your FGT by a local-in geo-based policy. That is good, though recently not good enough. Most likely your WAN address got some attention from a botnet, using US based bots. In this case, the geo filter will not suppress these attempts.

 

This kind of relentless attack is very well known, in any location across the world. This holds for SSL VPN as well as IPsec VPN.

 

What you could do is to re-write the local-in policy to only allow access from your own, few addresses. That is, you exchange the geo-based address group with an address group of the WAN addresses for your co-workers. This will work 100% only if they use static addresses.

 

Apart from that, I don't think that you could do much to keep your logs clean. 2FA adds another level of security, and is quite easy to set up with a FGT/FortiClient. Shifting the VPN port will only help temporarily: the bad ones now know that you run a VPN gateway, and once it vanishes a port scan will reveal the new shifted port quickly.

Lastly, you could use certificates instead of passwords. While this would probably be harder to break, it will not reduce the amount of logs, and certs need attention (lifetime, distribution).


Ede

"Kernel panic: Aiee, killing interrupt handler!"
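As an added example (not configuration posted by anyone in this thread), here is a FortiOS CLI rendering of the two suggestions above: seshuganesh's pair of local-in policies (allow the SSL VPN port from a geography address, deny it from everyone else) and ede_pfau's tighter variant, which swaps the geography address for an address group holding the static WAN addresses of the few remote users. The interface name wan1, the address and service names, the 203.0.113.x / 198.51.100.x user addresses and the assumption that SSL VPN listens on TCP 443 are all illustrative assumptions; adjust them to match the port set under `config vpn ssl settings`.

```fortios
# Added example, not from the original thread. Names, interface and
# addresses below are assumptions; the SSL VPN port must match the one
# configured under "config vpn ssl settings".

config firewall address
    # Geography address: matches the Fortinet geo list for the US.
    edit "US_Geo"
        set type geography
        set country "US"
    next
    # Static WAN addresses of the remote users (assumed values).
    edit "alice-home"
        set subnet 203.0.113.10 255.255.255.255
    next
    edit "bob-home"
        set subnet 198.51.100.22 255.255.255.255
    next
end

config firewall addrgrp
    edit "VPN_Users_WAN"
        set member "alice-home" "bob-home"
    next
end

# Scope the deny to the SSL VPN port only, so other WAN services on the
# FortiGate (IPsec IKE, admin access, etc.) are not blocked by policy 2.
config firewall service custom
    edit "SSLVPN-443"
        set tcp-portrange 443
    next
end

config firewall local-in-policy
    # Policy 1: allow the SSL VPN port from the permitted sources.
    # Use "US_Geo" for the geo-based variant, or "VPN_Users_WAN" for
    # ede_pfau's static-address variant (only workable with static IPs).
    edit 1
        set intf "wan1"
        set srcaddr "US_Geo"
        set dstaddr "all"
        set service "SSLVPN-443"
        set schedule "always"
        set action accept
    next
    # Policy 2: deny the SSL VPN port from every other source.
    # Local-in policies are evaluated in order, so this must come second.
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "SSLVPN-443"
        set schedule "always"
        set action deny
    next
end
```

Two practical checks after applying this: confirm the SSL VPN port in `config vpn ssl settings` is the one the custom service covers (a mismatch leaves the listener unprotected or, worse, blocks nothing you intended), and confirm that the deny policy is restricted to that service so that management and IPsec traffic on wan1 is unaffected. As ede_pfau notes, neither variant stops attempts that arrive from sources inside the allowed range (US-based bots for the geo version), so the logs will not go completely quiet.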
Yagadoudou
New Contributor II

Hello,

 

You can use a Local-in-Policy : https://community.fortinet.com/t5/FortiGate/Technical-Tip-Scheduled-SSL-VPN-connectivity-via-Local-i...

 

Or, more simply, you can negate your configuration; example in 7.2.5:


 
Or with the CLI only, for older versions:

config vpn ssl settings
    set source-address "Block_Country"
    set source-address-negate enable
end

mle2802
Staff

Hi there, 
For this, you can use a GEO address with a local-in policy. Please refer to this KB for more information:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-Allowing-access-to-the-FortiGa...
