Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
maplesyrup
New Contributor

Setting up Automation Stitch for SSL VPN Login failed

Hi

We have a case where we need to block IP of SSL VPN login fail for an amount of attempts within like 5-10minutes repeated attempts using automation stitch.
We already have the FortiAnalyzer and Fortigate Setup. The only problem we have is that the FortiAnalyzer is giving the wrong value in the $remip variable in the FortiGate Event Handler
An example of IP 192.168.1.1 becomes 192.168.1.1,,
With two commas in which the FortiGate CLI does not accept

What possible solution will be able to be done to get the IP without commas or sanitize the string in the CLI script?
Or make sure that FortiAnalyzer is giving the correct IP format?

4 REPLIES 4
AEK
SuperUser
SuperUser

AEK
maplesyrup
New Contributor

Hi,
This is only limiting the duration of each attempt. Our desired goal is to permanently block these IP if they violate our conditions, and manually validate if they are coming from a valid IP user.

FortiAnalyzer is already able to fetch the remote IP. And Fortigate is able to get that using EventHandler, the IP just need to be properly formatted.

Ozkan
New Contributor

Hi maplesyrup,

How did you manage to block the IP address that made, for example, 3 incorrect attempts at a certain interval, using automation stitching? I found an automation configuration as follows, but it blocks the IP on the first incorrect attempt.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Block-SSL-VPN-failed-logins-with-an-automa...

 

pminarik
Staff
Staff

Sounds like a bug in FortiAnalyzer. Have you reported it?

[ corrections always welcome ]
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors