Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
cnote12
New Contributor

SSL VPN bad logins are increasing, and with office usernames

Hi!

We are using MFA for SSL VPN. I can now see that bad actors are using our internal users' names to try to log in to SSL VPN. They use proxy addresses from the US, UK, Germany, etc., so blocking by geographic location is not possible, as it is not coming from some problematic countries.

I have seen a couple of posts saying that people are using some external connectors to block IP addresses based on their reputation.

Could someone point me to documentation on how to set up such an external connector, and which service is best to buy for IP reputation?

How many of you use such a solution, and are there cons to it?

 

Thanks

Yurisk
Valued Contributor

Hi, 

Is there anything in common among those attacker IPs? Like coming from VPNs/anonymizers/etc.?

If there is, then you could address it with FortiGate ISDBs more effectively and in a more targeted way, as opposed to general threat feeds.

 

As regards external feeds, technically the FortiGate works excellently with them, but as to their effectiveness ... I haven't watched them closely, but when used for clients they seemed to me more of a psychological help, to calm admins a bit that they have something in place. I don't recall anything being blocked by them. But of course it will differ based on the quality of those feeds. I can't comment on specific ones, as I haven't formed an opinion on them.

And there are no cons to using them, as FGTs of the last few years don't add any visible load when using those feeds.

Specifically in the context of SSL VPN: you can use external feeds in local-in policies, but only starting with 7.2.4, or you can use them in regular security policies, provided you move SSL VPN to listen on a loopback/internal (not WAN) interface. You cannot use feeds directly in the VPN SSL settings, even today.

 

How to configure: https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/9463/threat-feeds 

 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
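As an added example (not from Yuri's post and not taken from Fortinet's documentation), this is the local-in-policy path described in the reply above, as it would look on FortiOS 7.2.4 or later. The feed URL, the WAN interface name wan1, an SSL VPN listening port of TCP 10443 and all object names are assumptions; substitute your own values.

```text
# Added example, not from the original thread. Assumed values: feed URL,
# WAN interface "wan1", SSL VPN listening on TCP 10443, object names.

# 1. Threat feed (external connector): a plain-text list served over HTTPS,
#    one IPv4 address or CIDR per line. The FortiGate polls it every
#    refresh-rate minutes and exposes it as an address object.
config system external-resource
    edit "ip-reputation-feed"
        set status enable
        set type address
        set resource "https://feeds.example.com/bad-ips.txt"
        set refresh-rate 5
        set comments "IP reputation list (assumed URL)"
    next
end

# 2. Service object matching the SSL VPN listening port.
config firewall service custom
    edit "SSLVPN-10443"
        set tcp-portrange 10443
    next
end

# 3. Local-in policy on the WAN interface: drop SSL VPN connection attempts
#    whose source address is in the feed before they reach the SSL VPN
#    daemon (threat feeds as srcaddr in local-in policies require 7.2.4+).
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "ip-reputation-feed"
        set dstaddr "all"
        set action deny
        set service "SSLVPN-10443"
        set schedule "always"
        set comments "Block SSL VPN from IP-reputation feed"
    next
end
```

Once the feed has been fetched it appears under Security Fabric > External Connectors with its entry count, and the policy can be checked by attempting a connection from an address on the list. Because the drop happens in the local-in stage, listed sources never produce an SSL VPN login event at all. The caveat from the original question still applies: a reputation list only stops sources that are already on it, so attempts from fresh residential or proxy exits in otherwise legitimate countries will still reach the login page.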
gfleming
Staff

You can enable automatic blocking of IP addresses that are trying brute force logins.

 

config vpn ssl settings
  set login-attempt-limit 2 <--number of bad login attempts before the source IP is blocked
  set login-block-time 60 <--length of time in seconds to block the IP for (up to 24 hours)
end
Cheers,
Graham