Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
yadsingh
New Contributor

Created on ‎04-27-2024 05:47 AM

Understanding sslvpn logs

We are recently experiencing high number of dos attack on our sslpvn. I am sure that they are using web mode to try and brute force us. However, I am unable to point that out using ssl-login-fail messages as when I have tried failing authentication on purpose using my ssl vpn client it showed tunnel type: web. 

 

Is there any way I can tell if the sslvpn user has been using web based browser to brute force or or an sslvpn client looking at historical logs. 

Labels:
664
0 Kudos
3 REPLIES 3
ozkanaltas
Valued Contributor III

Created on ‎04-27-2024 06:05 AM Edited on ‎04-27-2024 06:15 AM

Hello @yadsingh ,

 

You can search "Tunnel Type : ssl-web" in logs. 

 

image.png

 

P.S. 

 

Sorry for the misdirection.

 

Fortigate writes the same logs for both tries. 

 

In this case, if don't use a web portal you can close the portal. In this way, you can learn tries where did to come.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
655
0 Kudos
hbac
Staff
Staff

Created on ‎04-27-2024 07:49 AM

Hi @yadsingh,

 

I'm afraid you will see the same logs for web mode and client mode. However, most of the brute force attacks are automated using web mode. You can following these articles to completely disable web mode: 

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-disable-SSL-VPN-Web-Mode-or-Tunnel-...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-prevent-the-SSL-VPN-web-login-porta...

 

Regards, 

625
0 Kudos
dbu
Staff
Staff

Created on ‎04-27-2024 11:18 AM

Another way to understand more from live situation is to run the below debugs : 

diag debug app fnbamd -1

diag debug app sslvpn -1

diag console timestamp enable
diag debug enable

 

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
601
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.