Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jay_Libove
Contributor

auto-block repeated VPN login failures?

This seems to be something which should be related to the FortiOS VPN services, even if it might be implemented by the IPS capability. I say this because it would be the FortiGate protecting itself, not functioning as a gateway security appliance to protect something else. Sometimes I see login failure patterns like this: Message meets Alert condition date=2013-11-28 time=11:21:07 devname=FG100D.......... devid=FG100D.......... logid=0101037128 type=event subtype=vpn level=error msg=" progress IPsec phase 1" action=negotiate remip=62.168.132.35 locip=62.xx.xx.xx remport=2152 locport=500 outintf=" ISP-Colt" cookies=" de77ecd5bbe71ce6/0000000000000000" user=" N/A" group=" N/A" xauthuser=" N/A" xauthgroup=" N/A" vpntunnel=" N/A" status=failure init=remote mode=main dir=inbound stage=1 role=responder result=ERROR Message meets Alert condition date=2013-11-28 time=11:21:07 devname=FG100D.......... devid=FG100D.......... logid=0101037124 type=event subtype=vpn level=error msg=" IPsec phase 1 error" action=negotiate remip=62.168.132.35 locip=62.xx.xx.xx remport=2152 locport=500 outintf=" ISP-Colt" cookies=" de77ecd5bbe71ce6/0000000000000000" user=" N/A" group=" N/A" xauthuser=" N/A" xauthgroup=" N/A" vpntunnel=" N/A" status=negotiate_error error_reason=" peer SA proposal not match local policy" peer_notif=" NOT-APPLICABLE" Message meets Alert condition date=2013-11-28 time=11:21:03 devname=FG100D.......... devid=FG100D.......... logid=0101037128 type=event subtype=vpn level=error msg=" progress IPsec phase 1" action=negotiate remip=62.168.132.35 locip=62.xx.xx.xx remport=2152 locport=500 outintf=" ISP-Colt" cookies=" de77ecd5bbe71ce6/0000000000000000" user=" N/A" group=" N/A" xauthuser=" N/A" xauthgroup=" N/A" vpntunnel=" N/A" status=failure init=remote mode=main dir=inbound stage=1 role=responder result=ERROR Message meets Alert condition date=2013-11-28 time=11:21:03 devname=FG100D.......... devid=FG100D.......... logid=0101037124 type=event subtype=vpn level=error msg=" IPsec phase 1 error" action=negotiate remip=62.168.132.35 locip=62.xx.xx.xx remport=2152 locport=500 outintf=" ISP-Colt" cookies=" de77ecd5bbe71ce6/0000000000000000" user=" N/A" group=" N/A" xauthuser=" N/A" xauthgroup=" N/A" vpntunnel=" N/A" status=negotiate_error error_reason=" peer SA proposal not match local policy" peer_notif=" NOT-APPLICABLE" Message meets Alert condition date=2013-11-28 time=11:21:00 devname=FG100D.......... devid=FG100D.......... logid=0101037128 type=event subtype=vpn level=error msg=" progress IPsec phase 1" action=negotiate remip=62.168.132.35 locip=62.xx.xx.xx remport=2152 locport=500 outintf=" ISP-Colt" cookies=" de77ecd5bbe71ce6/0000000000000000" user=" N/A" group=" N/A" xauthuser=" N/A" xauthgroup=" N/A" vpntunnel=" N/A" status=failure init=remote mode=main dir=inbound stage=1 role=responder result=ERROR Message meets Alert condition date=2013-11-28 time=11:21:00 devname=FG100D.......... devid=FG100D.......... logid=0101037124 type=event subtype=vpn level=error msg=" IPsec phase 1 error" action=negotiate remip=62.168.132.35 locip=62.xx.xx.xx remport=2152 locport=500 outintf=" ISP-Colt" cookies=" de77ecd5bbe71ce6/0000000000000000" user=" N/A" group=" N/A" xauthuser=" N/A" xauthgroup=" N/A" vpntunnel=" N/A" status=negotiate_error error_reason=" peer SA proposal not match local policy" peer_notif=" NOT-APPLICABLE" Message meets Alert condition date=2013-11-28 time=11:21:00 devname=FG100D.......... devid=FG100D.......... logid=0101037128 type=event subtype=vpn level=error msg=" progress IPsec phase 1" action=negotiate remip=62.168.132.35 locip=62.xx.xx.xx remport=2152 locport=500 outintf=" ISP-Colt" cookies=" de77ecd5bbe71ce6/0000000000000000" user=" N/A" group=" N/A" xauthuser=" N/A" xauthgroup=" N/A" vpntunnel=" N/A" status=failure init=remote mode=main dir=inbound stage=1 role=responder result=ERROR Message meets Alert condition date=2013-11-28 time=11:21:00 devname=FG100D.......... devid=FG100D.......... logid=0101037124 type=event subtype=vpn level=error msg=" IPsec phase 1 error" action=negotiate remip=62.168.132.35 locip=62.xx.xx.xx remport=2152 locport=500 outintf=" ISP-Colt" cookies=" de77ecd5bbe71ce6/0000000000000000" user=" N/A" group=" N/A" xauthuser=" N/A" xauthgroup=" N/A" vpntunnel=" N/A" status=negotiate_error error_reason=" peer SA proposal not match local policy" peer_notif=" NOT-APPLICABLE" Does FortiOS (I' m running 5.0.4) do any kind of automatic blocking of a client IP address which repeatedly fails to login to a FortiOS VPN service over a short period of time? If it doesn' t do so by default, then is there a straightforward way to tell FortiOS to do so? It seems like an obvious thing in a soup-to-nuts UTM security appliance like FortiGate. thanks,
4 REPLIES 4
FortiRack_Eric
New Contributor III

You can block this by creating a custom IPS signature using the reply in the return traffic. Takes some work but will do the trick. Cheers, Eric

Rackmount your Fortinet --> http://www.rackmount.it/fortirack

 

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Jay_Libove
Contributor

Thanks Eric. That it' s possible is good to know, but sadly not very helpful to the great majority of users. We purchase UTM products in order to avoid having to invent our own Snort rules and otherwise spend time developing and exercising highly technical skills. (I' ve been working in this field for fifteen years; I *can* do these things; I don' t have time to). That FortiNet hasn' t included this, as a built-in option even if not enabled by default, is disappointing. Systems have, for decades now, had the ability to automatically block repeated failed login attempts. (5 tries to login with that user ID and password, and then block the account for a few minutes). That FortiOS in its current age and maturity still doesn' t have this built in seems to be a significant failure on FortiNet' s part.
oheigl
Contributor II

Hi Jay, are these logs regarding a Dial VPN IPsec connection? Because the FortiGate locks out every user account for 5 minutes I think by default, after 3 faulty attempts. But you posted IPsec vpn logs, so I' m not sure about what you are exactly talking.
Jay_Libove
Contributor

Hi oheigl, I' m not sure I know the difference between a " Dial" IPsec connection and any other type of IPsec connection. Maybe this will answer; we do not have any network-to-network VPNs. All of our VPNs are for end-users on PCs, Macs, Linux machines or mobile devices to connect as-needed. Is there some particular piece of the configuration which would help? Also, Where is the automatic lockout after some number of failed login attempts configured? Searching, I find this only for Administrator logins, not for VPNs :-/ Thanks! -Jay
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors