Hey everyone, I have a customer who is constantly being attacked on our SSL VPN interface. I enabled block policies after 3 failed attempts and they get blocked for 6 months. It worked well for a little while, but now they are using spoofing to change their IP every attempt, rendering my blocking useless. I wouldn't care so much, but I am constantly getting failed login attempt alert emails now. Super annoying. I've gotten 5 since I started writing this. Anyway, does anyone see any way that I could stop this from happening? I would like to keep the logging on as it's useful for me, but I am thinking about just turning it off completely at this point.
Just to say that we have been experiencing the same for more than one month. Dozens of alerts each hour. It's really annoying.
Francesco
Hi BK_Bianko/jinto26,
Thank you for contacting Fortinet Forum.
I think this might resolve your problem. Please check the document below:
Restrict access to the SSLVPN service from expected country https://kb.fortinet.com/kb/documentLink.do?externalID=FD48235#:~:text=Go%20to%20VPN%20%2D%3E%20SSL%2....
Along with the limitation of the connections from abroad, you might follow this KB https://kb.fortinet.com/kb/documentLink.do?externalID=FD48714 and configure SSLVPN login limits along with the blocking duration of incorrectly entered credentials.
To hide FortiGate login page using local-in-policy https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-hide-FortiGate-login-page-using-loc...
Thanks
Sasikumar.S
Restrict access to the SSLVPN service from expected country worked like a charm. Can't believe I didn't think of that. Thanks!
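A sketch of the two settings discussed in this thread (country restriction plus login limits) as FortiOS CLI, added here as an example and not taken from the linked KB articles or from any poster. The address object name, the country code and the numeric values are placeholders chosen for illustration.

```fortios
# Assumption: "SSLVPN-Allowed-Country" is a hypothetical object name and
# "US" is a placeholder; use the country your users actually connect from.
config firewall address
    edit "SSLVPN-Allowed-Country"
        set type geography
        set country "US"
    next
end

# Accept SSL VPN connections only from that geography object, and limit
# failed logins. The values below are illustrative; the block time is in seconds.
config vpn ssl settings
    set source-address "SSLVPN-Allowed-Country"
    set login-attempt-limit 3
    set login-block-time 300
end
```

Connections from outside the allowed geography are dropped before the login page is reached, so they no longer produce failed-login alerts; attempts from inside it are still logged and rate-limited.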