yadsingh
New Contributor

Understanding sslvpn logs

We are recently experiencing a high number of DoS attacks on our sslvpn. I am sure that they are using web mode to try and brute force us. However, I am unable to point that out using ssl-login-fail messages, as when I tried failing authentication on purpose using my SSL VPN client it showed tunnel type: web.

 

Is there any way I can tell, looking at historical logs, if the sslvpn user has been using a web-based browser to brute force or an sslvpn client?

3 REPLIES
ozkanaltas
Contributor III

Hello @yadsingh ,

 

You can search "Tunnel Type : ssl-web" in logs. 

 


 

P.S. 

 

Sorry for the misdirection.

 

FortiGate writes the same logs for both tries.

 

In this case, if you don't use the web portal, you can close the portal. In this way, you can learn where the tries come from.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
hbac
Staff

Hi @yadsingh,

 

I'm afraid you will see the same logs for web mode and client mode. However, most of the brute force attacks are automated using web mode. You can follow these articles to completely disable web mode:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-disable-SSL-VPN-Web-Mode-or-Tunnel-...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-prevent-the-SSL-VPN-web-login-porta...

 

Regards, 

dbu
Staff

Another way to understand more from the live situation is to run the debugs below:

diag debug app fnbamd -1

diag debug app sslvpn -1

diag console timestamp enable
diag debug enable

 

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
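
Added example (not part of any reply above, and not Fortinet code): since the replies say the tunnel type in ssl-login-fail entries does not separate web mode from client mode, historical logs can instead be grouped by source address to show which hosts generate the failures. The sample lines are constructed, and the field names (`action`, `tunneltype`, `remip`, `user`) are assumed from the FortiGate key=value event log format.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate key=value event-log style (not real traffic).
# Field names (action, tunneltype, remip, user) are assumptions about that format.
SAMPLE_LOG = '''\
date=2024-05-01 time=10:00:01 type="event" subtype="vpn" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.10 user="admin" msg="SSL user failed to logged in"
date=2024-05-01 time=10:00:03 type="event" subtype="vpn" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.10 user="test" msg="SSL user failed to logged in"
date=2024-05-01 time=10:00:05 type="event" subtype="vpn" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.10 user="vpnuser" msg="SSL user failed to logged in"
date=2024-05-01 time=10:00:07 type="event" subtype="vpn" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.10 user="admin" msg="SSL user failed to logged in"
date=2024-05-01 time=10:02:00 type="event" subtype="vpn" action="ssl-login-fail" tunneltype="ssl-web" remip=198.51.100.7 user="jsmith" msg="SSL user failed to logged in"
date=2024-05-01 time=10:02:30 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" remip=198.51.100.7 user="jsmith" msg="SSL tunnel established"
'''

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Split one log line into a dict of field name -> unquoted value."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def failed_logins_by_source(log_text, threshold=3):
    """Return per-source stats for addresses with at least `threshold` ssl-login-fail events."""
    stats = defaultdict(lambda: {"count": 0, "users": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("action") != "ssl-login-fail" or "remip" not in f:
            continue  # only failed SSL VPN logins with a known source address
        ts = f"{f.get('date', '')} {f.get('time', '')}".strip()
        s = stats[f["remip"]]
        s["count"] += 1
        s["users"].add(f.get("user", ""))  # many distinct usernames suggests guessing
        s["first"] = s["first"] or ts
        s["last"] = ts
    return {ip: s for ip, s in stats.items() if s["count"] >= threshold}

if __name__ == "__main__":
    for ip, s in failed_logins_by_source(SAMPLE_LOG).items():
        print(ip, s["count"], sorted(s["users"]), s["first"], s["last"])
```

A single address failing against several different usernames within seconds, as in the constructed sample, is the pattern to look for; one failure followed by a successful login from the same address is more likely a mistyped password.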