I have an active site-to-site VPN tunnel between the headquarters and the branch office. I noticed in the logs that for a week now, every day (more or less at the same time), someone makes one attempt to connect to the VPN on the FGT at HQ and a moment later to the branch FGT.
Every time from similar IP addresses, e.g.:
I would like to ask: is there any way to block a specified IP address or group of addresses (blacklist) to prevent connections to my devices? (The control panel isn't reachable from the Internet.)
And the key question: how did the intruder know that I had set up a site-to-site VPN connection? How did they find out our HQ and branch IP addresses?
I'm seeing these attempts all the time, from the beginning of the year on. Hopefully, all PSKs are hard enough to crack, or I'll have to start using certs.
BTW, how is using certificates different from using (long, random) PSKs? Both (I guess) are exchanged as hashes; I can make both equally long and random. Any insights for a dummy?
What you can do is create local-in policies blocking access from that subnet altogether (22.214.171.124/24, or /21...). Local-in policies only affect traffic to the FGT itself (mgmt, IPsec, SSL VPN, DNS, NTP, ...), not traffic aimed at the network behind it. If brute-force blocking is too much, an IPS sensor or AppControl would be effective. Alas, UTM is not supported in local-in policies (feature request!).
I've contacted Shadow Server about the issues and they've notified me that end users can opt out of their scanning "service" by having the IP addresses in question whitelisted. This would, however, provide your IP addresses on a public whitelist (which may not be in your best interest).
I've attempted to create firewall rules to block those scan attempts (and stop the alert logging related to those scans), but the rules that I've created don't seem to be working (I still receive notices regarding those scans, as if the IPsec VPN connection is being allowed even though a fairly general policy/rule was created to try to block those connection attempts).
If anyone has any recommendations on what type of policy can be created to block these attempts, I'd love to hear the details. The policy that I've created essentially attempts to prohibit connections from "any" source interface and the source IP block shown above (126.96.36.199/17) to "any" destination interface and "any" address on "All" protocols. I'm not sure how much more generalized I can get with that policy?
I used these commands to create a policy on the wan port.
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "Blocked VPN"
        set dstaddr "Wan IP"
        set service "ALL"
        set schedule "always"
        set action deny
    next
end
"Blocked VPN" is an address group of the offending addresses. I chose to use my WAN-facing IP/32 as the destination since the attackers are hitting my IP first. If you have more than one WAN IP you will need one identical policy per WAN IP.
This is similar to applying Access Group rules to ports in Cisco routers but much simpler.
Is the only VPN connection the one between your HQ and the branch office, or do you also allow dialup clients to connect?
If you only have the VPN between two static IPs, perhaps you could set up a local-in policy on each FortiGate, for each WAN port, that allows UDP/500 and UDP/4500 only from those IPs, followed by a later local-in policy for each WAN port that denies UDP/500 and UDP/4500 from all IPs.
I'm seeing the same VPN attempts myself and am considering implementing this sort of local-in policy since I don't need to support dialup clients.
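As an added worked example (not posted by anyone in this thread), here is what the allow-then-deny approach above looks like in FortiOS CLI on the branch FortiGate. Everything in it is an assumption for illustration: the WAN interface is called "wan1", the HQ peer's public address is 203.0.113.10 and the branch's own WAN address is 198.51.100.20 (both RFC 5737 documentation addresses). The service is defined explicitly as UDP/500 plus UDP/4500 rather than relying on a predefined service name, and the first policy (accept from the known peer) is created before the second (deny from everyone else), because local-in policies are evaluated in order and the first match wins.

```fortios
config firewall address
    edit "HQ-VPN-peer"
        set subnet 203.0.113.10 255.255.255.255
    next
    edit "Branch-WAN-IP"
        set subnet 198.51.100.20 255.255.255.255
    next
end
config firewall addrgrp
    edit "Allowed-VPN-peers"
        set member "HQ-VPN-peer"
    next
end
config firewall service custom
    edit "IKE-and-NAT-T"
        set udp-portrange 500 4500
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Allowed-VPN-peers"
        set dstaddr "Branch-WAN-IP"
        set service "IKE-and-NAT-T"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "Branch-WAN-IP"
        set service "IKE-and-NAT-T"
        set schedule "always"
        set action deny
    next
end
```

On the HQ FortiGate the same two policies are mirrored with the branch's public IP in the address group and HQ's own WAN IP as the destination. Because only the IKE service is denied, management, DNS and other local-in traffic on the WAN port is unaffected; check the result with `show firewall local-in-policy` and confirm the tunnel still re-keys before leaving it in place. If you later need dialup clients, add their source addresses to the group rather than removing the deny policy.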