SSLVPN failed user login attempts constantly being seen
Hello,
I am seeing constant alerts on my FortiGate under sslvpn events: "sslvpn login failed".
These are not coming from the authorized users. Is there anything that can be done about it?
Thanks
Hello @sam653
You can refer to the following resource:
This will walk you through the steps to strengthen the SSL VPN.
Hello @sam653
In addition to the document given above, kindly also refer to the following document, which explains how to secure and limit an SSL VPN unknown user login:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-secure-and-limit-an-SSL-VPN-unknown...
Thanks and Regards,
Harmandeep Kaur Jhajj
Greetings @sam653
You can also configure an automation stitch in order to permanently block failed login attempts:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-permanently-block-SSL-VPN-failed-lo...
Hello @sam653
One other option to block these attempts is via a local-in policy.
With a local-in policy, the attempt is blocked before any processing is done by the FortiGate, so this will not generate any logs.
Here is an article with more information on this:
https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/363127/local-in-policies
You can use a geolocation address object in the source if the attempts are coming from specific countries.
Regards,
Varun
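The local-in policy approach from the reply above, written out in FortiOS CLI as an added example (it is not from the thread or from Fortinet's documentation). The interface `wan1`, the SSL VPN listening port `10443`, the object names and the country code `ZZ` are placeholders to replace with your own values.

```fortios
config firewall address
    edit "geo-sslvpn-block"
        set type geography
        set country "ZZ"
        set comment "Placeholder country code, replace with the source country to block"
    next
end
config firewall service custom
    edit "SSLVPN-listen-port"
        set tcp-portrange 10443
        set comment "Placeholder port, must match the SSL VPN listening port"
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "geo-sslvpn-block"
        set dstaddr "all"
        set service "SSLVPN-listen-port"
        set schedule "always"
        set action deny
    next
end
```

Because the drop happens before the SSL VPN daemon sees the connection, confirm that no authorized user connects from the blocked country before applying it; they will get no login failure event to report.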
Try to use ZTNA rather than sslvpn as this is more secure as per:
https://docs.fortinet.com/document/fortigate/7.0.0/new-features/194961/basic-ztna-configuration
Hope this helps
