Technical Tip: How to permanently block SSL VPN failed logins using an Automation Stitch

The FortiGate does already have tools (enabled by default) that allow it to block a given source IP address if it fails to login to the SSL-VPN successfully within a configurable time window. For more information on these tools/timers, see the following KB article: Technical Tip: SSL VPN timers explanation and SSL-VPN Login Attempt Limit (aka 'Lockout').

With that being said, the above timers will only block a given offending source IP for a temporary period of time, after which the offending IP address may attempt to log in again (and possibly re-trigger the lockout). To make a permanent block list (i.e. an offender is put on the list and must be manually removed), you can use an Automation Stitch that monitors for SSL-VPN log events and auto-updates an Address Group list with a list of blocked addresses.

Warning:

This method will result in permanent bans for a given Source IP address unless an admin manually intervenes. It is recommended to adjust the SSL-VPN lockout settings so that normal users are not likely to be caught in this permanent ban (e.g. increase login-attempt-limit so that it takes more failed attempts before a ban is triggered).

Creating an Address Group for Blocked Source IP Addresses

To do this in the GUI:

1. Navigate to Policy & Objects -> Addresses, then select Create New -> Address Group.
   • In later FortiOS versions (7.4 and later) you may have to select the Address Group button at the top of the page, then select Create New.
2. Set a Name for the new Address Group object.
   • In this article, the example Address Group will be named 'VPN_Failed_Login'. No additional configuration is required at this step.
3. Select the OK button to complete the configuration.

To do this in the CLI:

config firewall addrgrp

edit VPN_Failed_Login

end

Creating the Automation Stitch (Part 1: Stitch and Trigger).

1. Navigate to Security Fabric -> Automation -> Stitch, then select Create New. Specify a name for the new Automation Stitch.
   • This example will use 'SSL_VPN_Login_Block' for the name of the Automation Stitch itself, as well as
2. Next, select Add Trigger, then select the Create button in the top-right of the slide-out menu, followed by selecting FortiOS Event Log.
3. Specify a name, then select the Event field and add the 'SSL VPN login fail' log entry (ID 39426)
   1. This example uses 'SSL_Login_Fail' as the name of the Automation Trigger.
4. Select OK to complete the Trigger creation, then select the new Trigger and select Apply.

Creating the Automation Stitch (Part 2: Action and finish Stitch).

5. In the same Automation Stitch, select Add Action, then select Create, followed by selecting CLI Script.

6. Specify the name ('BAN-SSLVPN-IP' is used in this example), then enter the following in the Script section:

config firewall address

edit SSLVPN-Block-%%log.remip%%

set color 6

set subnet %%log.remip%%/32

end

config firewall addrgrp

    edit VPN_Failed_Login

    append member %%log.remip%%

end

Note:

The above script, when paired with the FortiOS Event Log action, extracts the logged remote IP address and creates an Address Object for it, followed by adding the Address object to the Address Group.

7. Specify an Administrator profile of super_admin (or another profile that has permission to create and modify Address objects/groups), then select OK, followed by Apply (to set the Action in the Stitch) and OK (to finalize the configuration for the Automation Stitch).

Note:

If the FortiGate has multi-VDOM enabled then the script needs to also specify the VDOM that the Address Group and SSL-VPN are located in. In that case, add the following to the top of the script:

config vdom

edit <vdom>

[rest of the script follows]

A complete Automation Stitch will look like this:

Use the Address Group to block incoming SSL-VPN connections (two methods available):

Method 1: Set source-address and source-address-negate in SSL-VPN settings.

This method sets the Address Group in the SSL-VPN settings for the source-address filter, then it pairs with set source-address-negate enable config option. This results in the SSL-VPN matching all incoming Source IP addresses that are not in the Address Group:

config vpn ssl settings

    set source-address "SSLVPN-Block-Group"

    set source-address-negate enable

end

Method 2: Create a Deny Local-In Policy with the Address Group in the Source Address field.

This method results in the creation of a local-in policy (which filters incoming traffic destined for the FortiGate itself) that denies traffic sourced from the specified Address Group. This can be useful if more flexible rules are needed compared to Method 1 (i.e. blocking/allowing SSL-VPN traffic using multiple different sets of addresses):

config firewall local-in-policy

edit 1

set intf <SSL VPN Listening interface> <----- The source-interface under SSL VPN settings.
set srcaddr "VPN_Failed_Login"
set srcaddr-negate disable
set dstaddr "all"
set dstaddr-negate disable
set action deny
set service "ALL"
set service-negate disable
set schedule "always"
set status enable

next

end

The Result:

When a potential attacker fails to log in multiple times (with the failure count based on login-attempt-limit), a log entry will be generated. This triggers the Automation Stitch, resulting in an Address Object being created for the individual remote IP associated with the failed login.

After that, the Address Object will be added to the Address Group that was created at the start, and that Address Group is checked for blocking incoming connections (either with the SSL-VPN setting in Method 1 and/or the local-in policy for Method 2).