Setting up Automation Stitch for SSL VPN Login failed

maplesyrup · ‎03-20-2024

Hi

We have a case where we need to block IP of SSL VPN login fail for an amount of attempts within like 5-10minutes repeated attempts using automation stitch.
We already have the FortiAnalyzer and Fortigate Setup. The only problem we have is that the FortiAnalyzer is giving the wrong value in the $remip variable in the FortiGate Event Handler
An example of IP 192.168.1.1 becomes 192.168.1.1,,
With two commas in which the FortiGate CLI does not accept

What possible solution will be able to be done to get the IP without commas or sanitize the string in the CLI script?
Or make sure that FortiAnalyzer is giving the correct IP format?

AEK · ‎03-20-2024

Hi

You don't need automation stitch for that.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-limit-SSL-VPN-login-attempts-and-bl...

AEK

maplesyrup · ‎03-20-2024

Hi,
This is only limiting the duration of each attempt. Our desired goal is to permanently block these IP if they violate our conditions, and manually validate if they are coming from a valid IP user.

FortiAnalyzer is already able to fetch the remote IP. And Fortigate is able to get that using EventHandler, the IP just need to be properly formatted.

Ozkan · ‎07-03-2024

Hi maplesyrup,

How did you manage to block the IP address that made, for example, 3 incorrect attempts at a certain interval, using automation stitching? I found an automation configuration as follows, but it blocks the IP on the first incorrect attempt.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Block-SSL-VPN-failed-logins-with-an-automa...

pminarik · ‎07-03-2024

Sounds like a bug in FortiAnalyzer. Have you reported it?

[ corrections always welcome ]

Setting up Automation Stitch for SSL VPN Login failed

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website