Hi!
We are using MFA for SSL VPN. I can see now that bad actors are using our internal user names to try to log in to SSL VPN. They use proxy addresses from the US, UK, Germany etc., so blocking by geographic location is not possible as it's not coming from some problematic countries.
I have seen a couple of posts saying that people are using some external connectors to block IP addresses based on their reputation.
Can someone point me to documentation on how to set up an external connector, and which service is best to buy for IP reputation?
How many of you use such a solution, and are there cons to it?
Thanks
Hi,
Is there anything in common among those attackers' IPs? Like coming from VPN/anonymizers/etc.?
If there is, then you could address it with FortiGate ISDBs in a more effective/targeted way, as opposed to general threat feeds.
Regarding external feeds, technically FortiGate works excellently with them, but as to their effectiveness ... I haven't watched them closely, but when used for clients, they seemed to me more of a psychological help, to calm admins a bit that they have something in place. I don't recall anything being blocked by them. But of course it will differ based on the quality of those feeds. I can't comment on specific ones as I haven't formed an opinion on them.
And there are no cons to using them, as FGTs of the last few years don't add any visible load from using those feeds.
Specifically in the context of SSL VPN - you can use external feeds in Local-in policies, but starting with 7.2.4 only, or you can use them in regular Security rules, provided you move SSL VPN to listen on a Loopback/internal (not WAN) interface. You cannot use feeds directly in VPN SSL Settings, even today.
How to configure: https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/9463/threat-feeds
You can enable automatic blocking of IP addresses that are trying brute force logins.
config vpn ssl settings
    set login-attempt-limit 2    <-- number of bad login attempts
    set login-block-time 60      <-- length of time in seconds to block IP for (up to 24 hours)
end
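Added example, not written by any poster in this thread and not Fortinet code: a sketch of building your own IP blocklist from failed SSL VPN logins, as one plain-text address per line that could be published as an external threat feed of the kind discussed above. The log lines are constructed, and the field names and action values (`action`, `remip`, `user`, `ssl-login-fail`, `tunnel-up`) and the thresholds are assumptions to adapt to your own log export.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample lines in key=value event-log style.
# Field names and action values are assumptions; match them to your export.
SAMPLE_LOG = '''\
date=2024-01-10 time=08:00:01 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="alice"
date=2024-01-10 time=08:00:09 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="bob"
date=2024-01-10 time=08:00:15 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="carol"
date=2024-01-10 time=08:02:40 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.20 user="dave"
date=2024-01-10 time=08:03:02 type="event" subtype="vpn" action="tunnel-up" remip=203.0.113.20 user="dave"
date=2024-01-10 time=08:05:00 type="event" subtype="vpn" action="ssl-login-fail" remip=192.0.2.55 user="alice"
date=2024-01-10 time=08:05:30 type="event" subtype="vpn" action="ssl-login-fail" remip=192.0.2.55 user="alice"
date=2024-01-10 time=08:06:00 type="event" subtype="vpn" action="ssl-login-fail" remip=not-an-ip user="eve"
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split one key=value log line into a dict (quoted or bare values)."""
    return {k: q if q else u for k, q, u in FIELD.findall(line)}

def build_feed(log_text, min_users=3, min_failures=5, allow=()):
    """Return source IPs that look like credential guessing, sorted."""
    users, fails, ok = defaultdict(set), defaultdict(int), set()
    for line in log_text.splitlines():
        f = parse_line(line)
        try:
            ip = str(ip_address(f.get("remip", "")))
        except ValueError:
            continue  # skip lines with a missing or malformed source address
        if f.get("action") == "ssl-login-fail":
            users[ip].add(f.get("user", ""))
            fails[ip] += 1
        elif f.get("action") == "tunnel-up":
            ok.add(ip)  # a successful login from this IP: never list it
    flagged = [ip for ip in fails
               if ip not in ok and ip not in allow
               and (len(users[ip]) >= min_users or fails[ip] >= min_failures)]
    # Sort by (IP version, numeric value) so IPv4 and IPv6 can coexist.
    return sorted(flagged, key=lambda i: (ip_address(i).version, int(ip_address(i))))

def render_feed(ips):
    """One address per line, the plain-text layout used for IP list feeds."""
    return "".join(ip + "\n" for ip in ips)

if __name__ == "__main__":
    print(render_feed(build_feed(SAMPLE_LOG)), end="")
```

Counting distinct user names per source IP catches an address that tries many accounts a few times each, and the `allow` tuple is there for your own egress and partner addresses.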