Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sam653
New Contributor

Created on ‎10-16-2024 02:17 PM

SSLVPN failed user login attempts constantly been seen

Hello,

 

I am seeing constant alerts on my Fortigate under sslvpn events "sslvpn login failed"

 

This is not coming from the authorized users. Is there anything that can be done on it.

 

 

Thanks

Labels:
1192
0 Kudos
1 Solution
sprashant
Staff
Staff

Created on ‎10-16-2024 02:18 PM

Hello @sam653 

 

You can refer to following resource:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-SSL-VPN-best-practices-guide/ta-...

 

This will walk you over the steps to strengthen the SSL VPN

Sprashant

View solution in original post

1189
5 REPLIES 5
sprashant
Staff
Staff

Created on ‎10-16-2024 02:18 PM

Hello @sam653 

 

You can refer to following resource:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-SSL-VPN-best-practices-guide/ta-...

 

This will walk you over the steps to strengthen the SSL VPN

Sprashant
1190
hjhajj
Staff
Staff

Created on ‎10-16-2024 02:24 PM

Hello @sam653 

In  addition to the  above  given  document, Kindly also refer to the following document which explains how to secure and limit an SSL VPN unknown user login

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-secure-and-limit-an-SSL-VPN-unknown...

Thanks and Regards,
Harmandeep Kaur Jhajj

 

1178
0 Kudos
Sgagan
Staff
Staff

Created on ‎10-16-2024 02:38 PM

Greetings @sam653 

You can also configure an automation stitch in order to permanently block failed login attempts:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-permanently-block-SSL-VPN-failed-lo...

GD
1168
0 Kudos
vbandha
Staff
Staff

Created on ‎10-17-2024 02:17 PM

Hello @sam653 

One other option to block these attempts is via local in policy.

 

With local in policy the attempt is blocked before any processing is done by fortigate so this will not generate any logs. 

Here is an article with more information on this:

https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/363127/local-in-policies

 

You can use geo location address object in source if the attempts are coming from specific countries:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-by-country-or-geolocation/ta-...

 

Regards,

Varun

1050
0 Kudos
FortiArt
Staff
Staff

Created on ‎10-17-2024 02:28 PM

Try to use ZTNA rather than sslvpn as this is more secure as per:

 

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/194961/basic-ztna-configuration

 

Hope this help

1045
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.