FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
salmas
Staff
Staff
Article Id 287171
Description This article describes how to make an automation stitch for failed SSL VPN logins to block the remote IP addresses.
Scope FortiGate.
Solution
  1. Create an address group: To do this in the GUI: Navigate to Policy & Objects -> Addresses -> Create New -> Address Group -> Name: VPN_Failed_Login -> Ok.

 

To do this in the CLI:

 

config firewall addrgrp

edit VPN_Failed_Login

end

 

  1. Create an automation stitch: Navigate to Security Fabric -> Automation -> Create New -> supply the name 'SSL_VPN_Login_Block'. Select Add Trigger -> Create -> FortiOS Event Log -> supply the name 'SSL_Login_Fail' -> open the FortiOS Event Log: Search and add 'SSL VPN login fail' -> select Ok -> select Apply.

 

Trigger.png

 

Select Add Action -> Create -> CLI Script -> Supply the name 'BAN-SSLVPN-IP' -> Enter the script below -> select Ok -> select Apply -> select Ok.

 

config firewall address

edit %%log.remip%%

set color 6

set subnet %%log.remip%%/32

end

config firewall addrgrp

     edit VPN_Failed_Login

    append member %%log.remip%%

end

 

Action.png

 

When a user has multiple VDOMs, the script must begin by specifying the same VDOM where the 'address group' object has been created:

config vdom

edit <vdom>

config firewall address

edit %%log.remip%%

set color 6

set subnet %%log.remip%%/32

end

 

config firewall addrgrp

    edit VPN_Failed_Login

    append member %%log.remip%%

end

 

VDOM-shot.PNG

 

A complete stitch will look like this:

 

Final_Stitch.png

 

  1. Create a local policy:

 

config firewall local-in-policy

edit 1

set intf <SSL VPN Listening interface>
set srcaddr "VPN_Failed_Login"
set srcaddr-negate disable
set dstaddr "all"
set dstaddr-negate disable
set action deny
set service "ALL"
set service-negate disable
set schedule "always"
set status enable

next

end

 

The result:

When the VPN login fails, the trigger will be generated and an address object will be created for the remote IP the failed attempt came from.
After, the address object will be added to the address object group 'VPN_Failed_Login', which is mentioned in the local policy.
The local police will block anything coming from that remote IP.

 

Failed_Remote_IP.png

 

Note: 

This will block legitimate users as well if the login attempt fails. It will be necessary to manually remove each user's public IP from this address object to allow them to connect to the VPN again.