Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Fortiben1
New Contributor II

SSL VPN failed login

Hey People! 

 

I would like to raise a concern I have a little knowledge in firewall role. Just wanna regarding on the SSL failed Login. our client want to block the IP address of unknown and random credentials found on VPN event logs. We already block those IP using the deny policy (example we already add the 80.94.95.x) but upon checking the VPN event logs the still existing on the logs. Am I doing it wrong? or is not possible to block the IP using local policy is it possible to minimize this load of logs?. our client said they are already disabled the SSL VPN because they are using IPSEC 

 

1233333.png555.png

the first image is the firewall object

the second is from VPN event logs 

Thank you (Version 7.2.8)

7 REPLIES 7
AEK
SuperUser
SuperUser

Hi Ben

Your client did the right choice to use IPsec, because SSL VPN is not recommended anymore, for security reason.

Regarding your requirement to block the IP addresses, I think it is not efficient to do as you described, but a more efficient way is to set a block period after 3 attempts, and to restrict VPN access with GeoIP. You may for example allow your country only.

AEK
AEK
Fortiben1
New Contributor II

Hi sir AEK, 

Thank you for your answer :). will recommend to restrict VPN access with GeoIP. Just can't validate  right now about the restriction on geoip because I have a limited view on the firewall. 
but why the IP still showing on logs even we already made a deny policy. 

calink
Staff
Staff

You can set up an automation stitch. See the following article for more details:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-permanently-block-SSL-VPN-failed-lo... 

Fortiben1
New Contributor II

Thank you Sir calink! 
I will check on this and might recommend :) 

sjoshi
Staff
Staff

Hi,

 

You can setup local in policy and block those IP ranges.

https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/363127/local-in-policy

Let us know if this helps.
Salon Raj Joshi
Fortiben1
New Contributor II

Hi Sir, 

Thank you for this insight. I will recommend this also. ang will place the IP add. that has malicious IP add from SSL failed login.

Renante_Era
Staff
Staff

You can create a group then block that group via local-in-policy. You can automate the entry of IP address/32 in that group using automation stitch as shown below. However, I don't recommend that since it might lead to false positive -- what I mean is that a legit user might not be able to login which means that you need to manually remove the legit user's public IP address from that group.
How to automatically block the malicious ... - Fortinet Community
Screenshot 2024-11-28 164400.png

 

BSCS, BCIS, MIT
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors