I have a Fortigate 100E.
We have a Windows Remote Desktop Server that allows users to externally connect via RDP. The server has a mapped external IP address via NAT.
Just occasionally, we see a denied request for access in the security logs. How can I check the Fortigate to see what IP addresses are accessing the firewall? If I can identify them then I can block these from trying to access our server.
Thank you.
Hello
ITHRBruce wrote: I have a Fortigate 100E.
We have a Windows Remote Desktop Server that allows users to externally connect via RDP.
Not a good practice; try to take your users to establish VPNs tunnels to your 100E, and once authenticated, rdp to the windows server. SSLVPN is really straightforward to implement.
If you cannot see the original IP in your logs, you are probably NATting your external (all) -> internal (VIP) firewall policy. That is a configuration error; please fix that, because if so, your server is at risk.
The server has a mapped external IP address via NAT.
Just occasionally, we see a denied request for access in the security logs. How can I check the Fortigate to see what IP addresses are accessing the firewall? If I can identify them then I can block these from trying to access our server.
Try to implement vpn tunnels in order to replace this approach.
regards
/ Abel
I too agree in NEVER opening up RDP to the outside world. If you cannot help it, then I would suggest locking it down by 'source' IP. Also ensure you have an IPS profile assigned to the policy. In the IPS Profile, you can set the action for certain signature(s) to "quarantine" which will quarantine the offending IP address for a period of time that you select.
As for seeing the IP addresses that are hitting the Firewall or a VIP, I would suggest taking a look at either FortiAnalyzer, FortiCloud (there are two flavors, free which stores logs for 7 days, and a paid one that will store for 1 year), or Syslog (e.g. Kiwi Syslog, Syslog-NG, etc).
In addition to this, ensure that the Windows RDP server and the Fortigate are using the same time source (e.g. NTP), which the Fortigate CAN give to the rest of the internal network(s) under the 'Settings' tabs. This will ensure that when you look at the logs in Windows (e.g. login failure) you can cross-reference them on the FortiAnalyzer/FortiCloud/Syslog. You also need to make sure your logging is set to 'All Sessions', not just 'Security Events'. The former gives you ALL connections while the latter will ONLY log traffic that has been blocked. Assuming you are allowing RDP traffic as you stated, unless you have 'All Sessions' you would NEVER see the IP addresses.
Hope this helps.
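As an added illustration of the syslog approach described in the reply above (not code from the thread or from Fortinet), this script parses FortiGate key=value traffic-log lines and tallies, per external source IP, how many sessions to the RDP VIP were accepted and how many denied. The log lines, device name and addresses are constructed placeholders; note that the "accept" rows only exist when the policy logs all sessions, which is the point made above.

```python
import re
from collections import defaultdict

# Constructed FortiGate traffic-log lines (key=value syslog format).
# Device name and addresses are placeholders, not values from the thread.
SAMPLE_LOGS = """\
date=2024-05-01 time=08:12:45 devname="FGT-EXAMPLE" type="traffic" subtype="forward" srcip=203.0.113.10 srcport=51523 srcintf="wan1" dstip=192.0.2.25 dstport=3389 proto=6 action="accept" policyid=7 tranip=10.0.0.25 tranport=3389 service="RDP"
date=2024-05-01 time=08:13:02 devname="FGT-EXAMPLE" type="traffic" subtype="forward" srcip=198.51.100.77 srcport=40011 srcintf="wan1" dstip=192.0.2.25 dstport=3389 proto=6 action="accept" policyid=7 tranip=10.0.0.25 tranport=3389 service="RDP"
date=2024-05-01 time=08:13:09 devname="FGT-EXAMPLE" type="traffic" subtype="forward" srcip=198.51.100.77 srcport=40012 srcintf="wan1" dstip=192.0.2.25 dstport=3389 proto=6 action="accept" policyid=7 tranip=10.0.0.25 tranport=3389 service="RDP"
date=2024-05-01 time=08:14:30 devname="FGT-EXAMPLE" type="traffic" subtype="forward" srcip=198.51.100.77 srcport=40013 srcintf="wan1" dstip=192.0.2.25 dstport=3389 proto=6 action="deny" policyid=0
date=2024-05-01 time=08:15:00 devname="FGT-EXAMPLE" type="traffic" subtype="forward" srcip=203.0.113.10 srcport=51600 srcintf="wan1" dstip=192.0.2.25 dstport=443 proto=6 action="accept" policyid=8 service="HTTPS"
"""

# key=value pairs; values are either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line):
    """Parse one key=value FortiGate log line into a dict (quotes stripped)."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def summarize_rdp_sources(lines, rdp_port="3389"):
    """Count accepted and denied sessions per source IP reaching the RDP VIP.

    Prefers the NATed port (tranport) when present, falling back to dstport,
    so a VIP that maps a non-standard external port to 3389 is still matched.
    """
    counts = defaultdict(lambda: {"accept": 0, "deny": 0})
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("type") != "traffic":
            continue  # skip event/UTM records
        if rec.get("tranport", rec.get("dstport")) != rdp_port:
            continue  # not RDP traffic
        action = rec.get("action")
        if action in ("accept", "deny") and "srcip" in rec:
            counts[rec["srcip"]][action] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, c in sorted(summarize_rdp_sources(SAMPLE_LOGS.splitlines()).items()):
        print(f"{ip:16} accepted={c['accept']} denied={c['deny']}")
```

Point the script at a file exported from FortiCloud or a syslog collector instead of SAMPLE_LOGS to get the same per-source summary for real traffic.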
Thank you for this, I will check the logging and NTP settings. This is all very useful, I appreciate the time you took to put it together for me.
Hi,
From the Windows logs, I can see the IP address of successful login attempts on my server, but not unsuccessful ones.
I am using Forticloud, and have been through it, but cannot find where I can view all incoming external IP addresses. I'm not sure if I have missed it. Would you know where I should be looking?
Thank you.
Copyright 2024 Fortinet, Inc. All Rights Reserved.