Fortiben1
New Contributor II

SSL VPN failed login

Hey People! 

 

I would like to raise a concern; I have only a little knowledge of the firewall role. It is regarding SSL VPN failed logins. Our client wants to block the IP addresses of the unknown and random credentials found in the VPN event logs. We already blocked those IPs using a deny policy (for example, we already added 80.94.95.x), but upon checking the VPN event logs they still exist in the logs. Am I doing it wrong? Or is it not possible to block the IPs using a local policy? Is it possible to minimize this load of logs? Our client said they have already disabled the SSL VPN because they are using IPsec.

 

[Images: 1233333.png, 555.png]

The first image is the firewall object.

The second is from the VPN event logs.

Thank you (Version 7.2.8)

7 REPLIES
AEK
SuperUser

Hi Ben

Your client made the right choice to use IPsec, because SSL VPN is not recommended anymore, for security reasons.

Regarding your requirement to block the IP addresses, I think it is not efficient to do as you described, but a more efficient way is to set a block period after 3 attempts, and to restrict VPN access with GeoIP. You may for example allow your country only.

AEK
Fortiben1
New Contributor II

Hi sir AEK, 

Thank you for your answer :). I will recommend restricting VPN access with GeoIP. I just can't validate the GeoIP restriction right now because I have a limited view of the firewall.
But why is the IP still showing in the logs even though we already made a deny policy?

calink
Staff

You can set up an automation stitch. See the following article for more details:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-permanently-block-SSL-VPN-failed-lo... 

Fortiben1
New Contributor II

Thank you Sir calink! 
I will check on this and might recommend :) 

sjoshi
Staff

Hi,

 

You can set up a local-in policy and block those IP ranges.

https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/363127/local-in-policy

Let us know if this helps.
Salon Raj Joshi
Fortiben1
New Contributor II

Hi Sir, 

Thank you for this insight. I will recommend this also, and will place the malicious IP addresses from the SSL failed logins in it.

Renante_Era
Staff

You can create a group, then block that group via local-in-policy. You can automate the entry of IP address/32 in that group using an automation stitch as shown below. However, I don't recommend that since it might lead to false positives -- what I mean is that a legit user might not be able to log in, which means that you need to manually remove the legit user's public IP address from that group.
How to automatically block the malicious ... - Fortinet Community
Screenshot 2024-11-28 164400.png
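
Added example, not part of any reply above and not Fortinet code: a Python pass over exported VPN event logs that applies the 3-attempt threshold mentioned in the thread and separates sources that also logged in successfully, which is the false-positive case raised in the last reply. The field names (`subtype`, `action`, `remip`, `user`), the action values and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in FortiGate key=value event-log style (documentation IPs).
SAMPLE_LOG = """\
date=2024-11-28 time=16:40:01 subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="admin"
date=2024-11-28 time=16:40:09 subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="test"
date=2024-11-28 time=16:40:15 subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="vpn user"
date=2024-11-28 time=16:41:02 subtype="vpn" action="ssl-login-fail" remip=198.51.100.20 user="jdoe"
date=2024-11-28 time=16:41:20 subtype="vpn" action="ssl-login-fail" remip=198.51.100.20 user="jdoe"
date=2024-11-28 time=16:41:41 subtype="vpn" action="ssl-login-fail" remip=198.51.100.20 user="jdoe"
date=2024-11-28 time=16:42:05 subtype="vpn" action="tunnel-up" remip=198.51.100.20 user="jdoe"
date=2024-11-28 time=16:43:30 subtype="vpn" action="ssl-login-fail" remip=192.0.2.5 user="guest"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
FAIL_ACTION = "ssl-login-fail"   # assumed action value for a failed login
OK_ACTION = "tunnel-up"          # assumed action value for a successful login

def parse_line(line):
    """Split one key=value log line into a dict, unquoting quoted values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def block_candidates(log_text, threshold=3):
    """Return (block, review): sources at or over the failure threshold,
    split by whether the same source also logged in successfully."""
    fails, users, ok_sources = defaultdict(int), defaultdict(set), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        ip = rec.get("remip")
        if rec.get("subtype") != "vpn" or not ip:
            continue
        if rec.get("action") == FAIL_ACTION:
            fails[ip] += 1
            users[ip].add(rec.get("user", ""))
        elif rec.get("action") == OK_ACTION:
            ok_sources.add(ip)
    block, review = [], []
    for ip in sorted(fails):
        if fails[ip] >= threshold:
            row = (ip, fails[ip], len(users[ip]))  # (source, failures, distinct usernames)
            (review if ip in ok_sources else block).append(row)
    return block, review

if __name__ == "__main__":
    block, review = block_candidates(SAMPLE_LOG)
    print("block candidates:", block)
    print("review first (had a successful login):", review)
```

Sources in the review list are the ones a blanket automatic block would lock out by mistake, so they are worth a manual look before being added to any block group.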

 
