Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jrpayne
New Contributor

Created on ‎12-23-2024 06:06 AM

SSL VPN Loopback Address

Hello All, 

I am trying to gather as much information as I can prior to making a change to my firewall. I was attempting last week to create an automation stitch. This would place IP addresses associated with SSL VPN brute force attempts, onto a blocked IP address list. I found that this apparently cant be done if your SSL VPN is bound to your WAN interface. I began researching this but cant find a clear answer as to why this is required. I would also like to make sure I understand all of the steps involved in doing this as well as any implications it might have on functionality (pro or con). From what I can tell, it is a matter of creating the interface, assigning some random IP to the interface then creating a VIP that forwards traffic incoming on the SSL VPN IP and port,  to the loopback interface. Are you required to change the actual policies that permit the traffic since the interface is addressed as sslvpnroot and not as an IP? Any information/assistance is greatly appreciated.

Labels:
769
0 Kudos
3 REPLIES 3
Renante_Era
Staff
Staff

Created on ‎12-23-2024 01:29 PM

Try this solution instead How to permanently block SSL VPN failed l... - Fortinet Community

BSCS, BCIS, MIT
738
0 Kudos
Yurisk
SuperUser
SuperUser

Created on ‎12-23-2024 11:41 PM

Moving VPN SSL from WAN to Loopback:

  • Create Loopback interface with internal IP
  • Change SSL VPN Settings to listen on this Loopback interface
  • Create VIP portforwarding for SSL VPN port 
  • Create policy WAN -> Loopback allowing SSL VPN port by using the created VIP
  • Create policy from ssl.root (if not present already) to LAN/DMZ as needed to allow VPN clients access to resources.

 

Adding failed logins to the block list in a rule - @Renante_Era already mentioned how, BUT - important to understand that Automation Stitches do NOT have the ability to count number of failed attempts, so using such stitch will block SSL VPN user on their first failed attempt, which is IMO kinda bad service to your users and more work to you on releasing users who did mistake on 1st login.

 

Yuri Slobodyanyuk
Yuri Slobodyanyuk
706
0 Kudos
jrpayne
New Contributor

Created on ‎12-31-2024 05:55 AM

Thank you all very much for your replies. I think I am going to have to start looking for another way to do remote access. I appreciate your time and help!!

638
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.