We are recently experiencing a high number of DoS attacks on our sslvpn. I am sure that they are using web mode to try and brute force us. However, I am unable to point that out using ssl-login-fail messages, as when I tried failing authentication on purpose using my SSL VPN client it showed tunnel type: web.
Is there any way I can tell, looking at historical logs, whether the sslvpn user has been using a web-based browser or an sslvpn client to brute force?
Hello @yadsingh ,
You can search "Tunnel Type : ssl-web" in logs.
P.S.
Sorry for the misdirection.
Fortigate writes the same logs for both tries.
In this case, if you don't use the web portal, you can close the portal. In this way, you can learn where the tries come from.
Hi @yadsingh,
I'm afraid you will see the same logs for web mode and client mode. However, most of the brute force attacks are automated using web mode. You can follow these articles to completely disable web mode:
Regards,
Another way to understand more from the live situation is to run the debugs below:
diag debug app fnbamd -1
diag debug app sslvpn -1
diag console timestamp enable
diag debug enable
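
Because the replies above note that the same tunnel type is logged for web-mode and client login failures, historical logs can still be triaged by source address instead. The following is an added example, not part of any forum reply and not Fortinet code: it groups ssl-login-fail events per remote IP. The sample lines are constructed, and the key=value layout and field names (action, tunneltype, remip, user) are assumptions about the exported log format.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real traffic). The key=value layout and the
# field names action/tunneltype/remip/user are assumptions; adapt as needed.
SAMPLE_LOG = """\
date=2024-01-10 time=03:11:02 type="event" subtype="vpn" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.7 user="admin"
date=2024-01-10 time=03:11:04 type="event" subtype="vpn" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.7 user="test"
date=2024-01-10 time=03:11:05 type="event" subtype="vpn" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.7 user="vpn user"
date=2024-01-10 time=03:11:07 type="event" subtype="vpn" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.7 user="admin"
date=2024-01-10 time=08:30:41 type="event" subtype="vpn" action="ssl-login-fail" tunneltype="ssl-web" remip=198.51.100.20 user="jsmith"
date=2024-01-10 time=08:31:02 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" remip=198.51.100.20 user="jsmith"
"""

# key=value pairs where the value is either "quoted" or a bare token
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split one key=value log line into a dict, handling quoted values."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def summarize_failures(text):
    """Group ssl-login-fail events by remote IP."""
    stats = defaultdict(lambda: {"fails": 0, "users": set(), "tunneltypes": set()})
    for line in text.splitlines():
        event = parse_line(line)
        if event.get("action") != "ssl-login-fail" or "remip" not in event:
            continue  # ignore successful logins and unrelated events
        entry = stats[event["remip"]]
        entry["fails"] += 1
        entry["users"].add(event.get("user", ""))
        entry["tunneltypes"].add(event.get("tunneltype", ""))
    return dict(stats)

def suspicious_sources(stats, min_fails=3, min_users=2):
    """Sources with many failures across several usernames look automated."""
    return sorted(ip for ip, s in stats.items()
                  if s["fails"] >= min_fails and len(s["users"]) >= min_users)

if __name__ == "__main__":
    stats = summarize_failures(SAMPLE_LOG)
    for ip, s in stats.items():
        print(ip, s["fails"], sorted(s["users"]), sorted(s["tunneltypes"]))
    print("review:", suspicious_sources(stats))
```

The thresholds are illustrative; a single user mistyping a password produces one source with one username, while the first source in the sample cycles through several usernames within seconds.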
Copyright 2024 Fortinet, Inc. All Rights Reserved.