Hello. I'm seeing a number of connection attempts with various non-existent user accounts from countries outside of the US. Is anyone else seeing such connection attempts? This hasn't happened in quite a long time. I had previously configured VPN to only allow connections from USA-based IP addresses using the geo list provided by Fortinet. I'm not sure why all of a sudden these foreign IP addresses are able to attempt connections. Can someone offer some insight? Thank you.
Hi Team,
Any user can access your VPN because it will be globally accessible. They might try to log in with different usernames since they are not sure about your credentials.
In order to overcome this, please configure two local-in policies: the first local-in policy allows traffic from a specific GEO location, and the second local-in policy blocks traffic from all other locations.
Note: Please create a local-in policy service for the SSL VPN port, or it may result in blocking WAN access to the firewall.
You can use this article for the same:
https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/363127/local-in-policies
Thank you. As I mentioned in my post, I have SSL-VPN limited to US IP addresses. I know that's not perfect, but it should prevent some from attempting connections. As far as users not knowing their credentials, that doesn't apply here. The attempted connections are from users like test, admin, guest, etc. It's not my users trying to log in from foreign IP addresses with those accounts. We are a very small organization and our remote users do not travel internationally. We have less than 10 people using VPN.
You can try using a non-standard port instead of 443 for SSL VPN. This would reduce the bots scanning for open services and finding your SSL VPN running. This will also likely break SSL VPN at some places where ports are blocked.
Really the best you can do is what you've done already and just live with it. This is what happens when you open up services to the internet. Just ensure you have sound password policies in place and 2FA if you're really concerned.
Just to chime in:
You already protect your FGT by a local-in geo-based policy. That is good, though recently not good enough. Most likely your WAN address got some attention from a botnet, using US based bots. In this case, the geo filter will not suppress these attempts.
This kind of relentless attack is very well known, in any location across the world. It holds for SSLVPN as well as IPsec VPN.
What you could do is to re-write the local-in policy to only allow access from your own, few addresses. That is, you exchange the geo-based address group with an address group of the WAN addresses for your co-workers. This will work 100% only if they use static addresses.
Apart from that, I don't think that you could do much to keep your logs clean. 2FA adds another level of security, and is quite easy to set up with a FGT/FortiClient. Shifting the VPN port will only temporarily help - the bad ones now know that you run a VPN gateway; once it vanishes, a port scan will reveal the new shifted port quickly.
Lastly, you could use certificates instead of passwords. While this would probably be harder to break, it will not reduce the amount of logs, and certs need attention (lifetime, distribution).
Here is a good guide: https://yurisk.info/2023/03/21/fortigate-vpn-ssl-hardening-guide/
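The two-policy local-in setup described in the earlier reply (allow the chosen source set, then deny everything else, both scoped to the SSL-VPN service so the WAN side is not locked out) and the tighter variant suggested just above (swap the geo group for an address group of the co-workers' static WAN addresses) can be expressed as one FortiOS CLI configuration. This is an added example, not a snippet from the thread or from Fortinet's documentation; the interface name wan1, the SSL-VPN port 10443, the object names and the two co-worker addresses are assumptions and should be replaced with your own values.

```fortios
# Added example (not from the thread). Assumptions: WAN interface "wan1",
# SSL-VPN listening on TCP 10443, co-worker addresses are placeholders.

# 1. Service object for the SSL-VPN port only, so the local-in deny rule
#    does not also block management, IPsec or other WAN-facing services.
config firewall service custom
    edit "SSLVPN-10443"
        set tcp-portrange 10443
    next
end

# 2. Source objects: a geography address (the geo-filter approach) and a
#    group of the few static WAN addresses the remote users connect from.
config firewall address
    edit "GEO-US"
        set type geography
        set country "US"
    next
    edit "coworker-home-1"
        set subnet 198.51.100.10 255.255.255.255
    next
    edit "coworker-home-2"
        set subnet 203.0.113.20 255.255.255.255
    next
end
config firewall addrgrp
    edit "VPN-Allowed-Sources"
        set member "coworker-home-1" "coworker-home-2"
    next
end

# 3. Local-in policies are evaluated top-down: allow the chosen source set
#    first, then deny everything else on the same service. Use "GEO-US" as
#    srcaddr of policy 1 for a country filter, or "VPN-Allowed-Sources" for
#    the stricter allowlist; nothing else changes between the two variants.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "VPN-Allowed-Sources"
        set dstaddr "all"
        set action accept
        set service "SSLVPN-10443"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "SSLVPN-10443"
        set schedule "always"
    next
end
```

Because policy 2 only matches the SSL-VPN service object, other traffic to the WAN address (IPsec, management, if enabled) is unaffected by the deny rule. The allowlist variant is only reliable while the co-workers keep static addresses, as the reply above notes; a user whose ISP rotates their address will be denied along with the scanners.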
Hello,
You can use a Local-in-Policy : https://community.fortinet.com/t5/FortiGate/Technical-Tip-Scheduled-SSL-VPN-connectivity-via-Local-i...
Or, more simply, you can negate your configuration; example in 7.2.5:
config vpn ssl settings
    set source-address "Block_Country"
    set source-address-negate enable
end
Hi there,
For this, you can use a GEO address with a local-in policy. Please refer to this KB for more information:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-Allowing-access-to-the-FortiGa...
Copyright 2024 Fortinet, Inc. All Rights Reserved.