FortiGate
dsrivastava
Staff
Article Id 269153
Description This article describes a suspected VPN breach scenario: a legitimate user has not attempted to log in through FortiClient or the SSL web portal, yet SSL VPN login-failure alert logs such as the one below are still being generated:

Message meets Alert condition The following critical firewall event was detected: SSL VPN login fail. date=2022-12-29 time=09:36:07 devname=FG100E_TAKEMOTO devid=FG100E4Q17015334 eventtime=1672286767552373161 tz="+0530" logid="0101039426" type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" tunnelid=0 remip=185.66.15.47 user="Userl" group="N/A" dst_host="N/A" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
Scope FortiGate.
Solution
  • Ensure that a no-access portal is assigned to 'All Other Users/Groups':

From the GUI, at the bottom of the Authentication/Portal Mapping table in 'SSL-VPN Settings', there is an entry for 'All Other Users/Groups'.

Assigning the no-access portal there disallows SSL-VPN access for any user or group that is not explicitly listed in the mapping.

The equivalent CLI configuration:

config vpn ssl web portal
    edit "no-access"
        set tunnel-mode disable
        set ipv6-tunnel-mode disable
        set web-mode disable
        set allow-user-access ping
        set limit-user-logins enable
        set forticlient-download disable
    next
end

config vpn ssl settings
    set default-portal "no-access"
end


  • It is also possible to change the listening Port for the SSL VPN portal.

Using another port is an easy but effective measure when an attacker is only probing the default port of the application.

Do not forget to change the port on all VPN clients too. Otherwise, the connection will break.

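To help triage alerts like the one quoted in the Description, the following added Python example (not from the article or from Fortinet) parses FortiGate key=value event-log lines and groups SSL VPN login failures by source IP, counting usernames that do not exist and rejections carrying the reason="sslvpn_login_permission_denied" seen in the alert above. The sample log lines, the IP addresses and the set of known usernames are constructed for this example.

```python
import re

# Constructed sample log lines (not from the article) in the FortiGate key=value
# event-log format; the IPs are RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOGS = """\
date=2022-12-29 time=09:36:07 logid="0101039426" type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.10 user="Userl" group="N/A" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2022-12-29 time=09:36:09 logid="0101039426" type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.10 user="admin" group="N/A" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2022-12-29 time=09:40:00 logid="0101039424" type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN login" action="ssl-login" tunneltype="ssl-web" remip=198.51.100.7 user="alice" group="vpn-users" reason="N/A" msg="SSL user logged in"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate_log(line):
    """Parse one FortiGate log line into a dict, stripping the quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields

def summarize_login_failures(log_text, known_users):
    """Group SSL VPN login failures by remote IP; known_users is the assumed
    set of legitimate usernames, anything else is flagged as unknown."""
    summary = {}
    for line in log_text.splitlines():
        f = parse_fortigate_log(line)
        if f.get("subtype") != "vpn" or f.get("action") != "ssl-login-fail":
            continue
        entry = summary.setdefault(f["remip"], {"attempts": 0, "users": set(),
                                                "unknown_users": set(), "denied_by_portal": 0})
        entry["attempts"] += 1
        entry["users"].add(f["user"])
        if f["user"] not in known_users:
            entry["unknown_users"].add(f["user"])
        # The reason shown in the article's alert: the login was rejected by the
        # portal permission check rather than by a wrong password.
        if f.get("reason") == "sslvpn_login_permission_denied":
            entry["denied_by_portal"] += 1
    for entry in summary.values():  # sets -> sorted lists for stable output
        entry["users"] = sorted(entry["users"])
        entry["unknown_users"] = sorted(entry["unknown_users"])
    return summary
```

Many failures from one source with usernames that do not exist in the directory point to probing of the portal rather than a user mistyping a password.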

Other methods to restrict SSL VPN connectivity: