Hey People!
I would like to raise a concern I have a little knowledge in firewall role. Just wanna regarding on the SSL failed Login. our client want to block the IP address of unknown and random credentials found on VPN event logs. We already block those IP using the deny policy (example we already add the 80.94.95.x) but upon checking the VPN event logs the still existing on the logs. Am I doing it wrong? or is not possible to block the IP using local policy is it possible to minimize this load of logs?. our client said they are already disabled the SSL VPN because they are using IPSEC
the first image is the firewall object
the second is from VPN event logs
Thank you (Version 7.2.8)
Hi Ben
Your client did the right choice to use IPsec, because SSL VPN is not recommended anymore, for security reason.
Regarding your requirement to block the IP addresses, I think it is not efficient to do as you described, but a more efficient way is to set a block period after 3 attempts, and to restrict VPN access with GeoIP. You may for example allow your country only.
Hi sir AEK,
Thank you for your answer :). will recommend to restrict VPN access with GeoIP. Just can't validate right now about the restriction on geoip because I have a limited view on the firewall.
but why the IP still showing on logs even we already made a deny policy.
You can set up an automation stitch. See the following article for more details:
Thank you Sir calink!
I will check on this and might recommend :)
Hi,
You can setup local in policy and block those IP ranges.
https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/363127/local-in-policy
Hi Sir,
Thank you for this insight. I will recommend this also. ang will place the IP add. that has malicious IP add from SSL failed login.
You can create a group then block that group via local-in-policy. You can automate the entry of IP address/32 in that group using automation stitch as shown below. However, I don't recommend that since it might lead to false positive -- what I mean is that a legit user might not be able to login which means that you need to manually remove the legit user's public IP address from that group.
How to automatically block the malicious ... - Fortinet Community
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.