FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
salmas
Staff
Staff
Article Id 287171
Description

This article describes how to make an Automation stitch that monitors and adds remote IP addresses associated with failed SSL VPN logins to a permanent block list.

Scope FortiGate, SSL VPN.
Solution

The FortiGate does already have tools (enabled by default) that allow it to block a given source IP address if it fails to login to the SSL VPN successfully within a configurable time window. For more information on these tools/timers, see the following KB article: Technical Tip: SSL VPN timers explanation and SSL-VPN Login Attempt Limit (aka 'Lockout').

 

With that being said, the above timers will only block a given offending source IP for a temporary period, after which the offending IP address may attempt to log in again (and possibly re-trigger the lockout). To make a permanent block list (i.e. an offender is put on the list and must be manually removed), it is possible to use an Automation Stitch that monitors for SSL VPN log events and auto-updates an Address Group list with a list of blocked addresses.

 

Warning:

This method will result in permanent bans for a given Source IP address unless an admin manually intervenes. It is recommended to adjust the SSL VPN lockout settings so that normal users are not likely to be caught in this permanent ban (e.g. increase login-attempt-limit so that it takes more failed attempts before a ban is triggered).

 

Alternative Approaches:

  1. If a FortiAnalyzer is available, consider using a FortiAnalyzer Event Handler. Refer to this article for setting up FortiAnalyzer Event Handler: Technical Tip: Enhance SSL VPN Security by blocking offenders' IP addresses using FortiAnalyzer Even...
  2. Before configuring the following, make sure to block known malicious IP addresses rather than adding these IPs to manually created address group(s) as described later in this document: Technical Tip: Prevent TOR IP addresses from accessing SSL VPN with brute-force attacks on FortiGate

 

Step 1: Create an Address Group:

To do this in the GUI:

  1. Navigate to Policy & Objects -> Addresses, then select Create New -> Address Group.
    • In later versions (v7.4 and later) select the Address Group button at the top of the page, then select Create New.
  2. Set a Name for the new Address Group object.
    • In this article, the example Address Group will be named 'VPN_Failed_Login'. No additional configuration is required at this step.
  3. Select the OK button to complete the configuration.

 

To do this in the CLI:

 

config firewall addrgrp

edit VPN_Failed_Login

end

 

Step 2: Creating the Automation Stitch (Part 1: Stitch and Trigger).

  1. Navigate to Security Fabric -> Automation -> Stitch, then select Create New. Specify a name for the new Automation Stitch.
    • This example will use 'SSL_VPN_Login_Block' for the name of the Automation Stitch itself.
  2. Next, select Add Trigger, then select the Create button in the top-right of the slide-out menu, followed by selecting FortiOS Event Log.
  3. Specify a name, then select the Event field and add the 'SSL VPN login fail' log entry (ID 39426).
    This example uses 'SSL_Login_Fail' as the name of the Automation Trigger.
  4. Select OK to complete the Trigger creation, then select the new Trigger and select Apply.

 

Trigger.png


Step 3: Creating the Automation Stitch (Part 2: Action and Finish Stitch).

5. In the same Automation Stitch, select Add Action, then select Create, followed by selecting CLI Script.

6. Specify the name ('BAN-SSLVPN-IP' is used in this example), then enter the following in the Script section:

 

config firewall address

edit SSLVPN-Block-%%log.remip%%

set color 6

set subnet %%log.remip%%/32

end

 

config firewall addrgrp

    edit VPN_Failed_Login

    append member SSLVPN-Block-%%log.remip%%

end

 

Note1:

The above script, when paired with the FortiOS Event Log action, extracts the logged remote IP address and creates an Address Object for it, followed by adding the Address object to the Address Group.

 

Note2: 

The maximum number of members added to the address group is dependent on the OS version and model. In the below example, the maximum value is 600, and if the FortiGate receives several failed SSL VPN connections above 600, it creates the address object but cannot be added to the address group. A workaround to add another automation stitch that dynamically updates the existing automation stitch is added to the end of this document.

 

max_value.JPG

 

7. Specify an Administrator profile of a super_admin (or another profile that has permission to create and modify Address objects/groups), then select OK, followed by Apply (to set the Action in the Stitch) and OK (to finalize the configuration for the Automation Stitch).

 

Action.png

 

Note:

If the FortiGate has multi-VDOM enabled then the script needs to also specify the VDOM that the Address Group and SSL VPN are located in. In that case, add the following to the top of the script:

 

config vdom

    edit <vdom>

[rest of the script follows]

 

VDOM-shot.PNG

 

config system automation-action
    edit "BAN-SSLVPN-IP"
        set action-type cli-script
        set script "config vdom                
        edit root<----- Adjust the VDOM name according to SSLVPN VDOM configuration, for example root.
            config firewall address
                edit %%log.remip%%
                    set subnet %%log.remip%%/32
                end


config firewall addrgrp
    edit VPN_Failed_Login_%%date%%
    append member %%log.remip%%
end"
    set accprofile "super_admin"
next
end

 

A complete Automation Stitch will look like this:

 

Final_Stitch.png

 

Use the Address Group to block incoming SSL VPN connections (two methods available):

 

Method 1: Set source-address and source-address-negate in SSL VPN settings.

 

This method sets the Address Group in the SSL VPN settings for the source-address filter, then it pairs with set source-address-negate enable config option. This results in the SSL VPN matching all incoming Source IP addresses that are not in the Address Group:

 

config vpn ssl settings

    set source-address "VPN_Failed_Login"

    set source-address-negate enable

end


Note:

Make sure to add a dummy address into the 'VPN_Failed_Login' address group as it will not work with empty address group **

 

Method 2: Create a Deny Local-In Policy with the Address Group in the Source Address field.

 

This method results in the creation of a local-in policy (which filters incoming traffic destined for the FortiGate itself) that denies traffic sourced from the specified Address Group. This can be useful if more flexible rules are needed compared to Method 1 (i.e. blocking/allowing SSL VPN traffic using multiple different sets of addresses):

 

config firewall local-in-policy

edit 1

set intf <SSL VPN Listening interface> <----- The source-interface under SSL VPN settings.
set srcaddr "VPN_Failed_Login"
set srcaddr-negate disable
set dstaddr "all"
set dstaddr-negate disable
set action deny
set service "ALL"
set service-negate disable
set schedule "always"
set status enable

next

end

 

The Result:

This stitch will add the remote-ip to the blocked address group on the first attempt itself so if that connection is legitimate then might have to remove it manually from the group so that the user can connect again.


After that, the Address Object will be added to the Address Group created at the start, and that Address Group will be checked for blocking incoming connections (either with the SSL VPN setting in Method 1 and/or the local-in policy for Method 2).

Note:

The address group has a limit of 600 IPs, the group needs to be manually swapped with a new group once it is full. If the attack persistence is higher, further measures need to be taken.
Maximum Values Table

 

If needed, another automation stitch can be configured to add a new Address group weekly and to use that for adding new block entries:

This stitch will keep running until it is disabled (it can be disabled at a set date in the future with a third automation stitch).

The frequency can be changed as needed. When required, a manual run of the automation stitch can be executed by right clicking on this automation stitch (on the FortiGate GUI) and selecting 'Test Automation Stitch'. 

If there are multiple WAN interfaces and hence multiple local-in policies, ensure that the automation action includes a modification to the required local-in policies. Make sure to correct the local-in-policy ID as needed per the configuration on the FortiGate.

If the FortiGate is VDOM enabled, make sure to modify the automation-action CLI scripts accordingly.

 

config system automation-trigger
    edit "weekly"

        set trigger-type scheduled

        set trigger-frequency weekly

        set trigger-weekday sunday

        set trigger-hour 2

        set trigger-minute 55
    next
end

 

config system automation-action
    edit "update_addrgrp"

        set action-type cli-script

        set script "config firewall addrgrp
edit VPN_Failed_Login_%%date%%

    set color 6
end
    config firewall local-in-policy
        edit 1
        append srcaddr VPN_Failed_Login_%%date%%
end"

set accprofile "super_admin"
next
end

 

In VDOM mode above script: 

 

config system automation-action
    edit "update_addrgrp"
        set action-type cli-script
        set script "end
            config vdom                     
                edit root                   <----- Select appropriate VDOM SSL VPN, example root vdom .
                    config firewall address
                        edit SSLVPN-Block-%%log.remip%%
                            set color 6
                            set subnet %%log.remip%%/32
                        end


config firewall addrgrp
    edit VPN_Failed_Login_%%date%%
    append member SSLVPN-Block-%%log.remip%%
end"
    set accprofile "super_admin"
next
end

 

config system automation-stitch

        edit "update addrgrp"
            set trigger "weekly"

                config actions

            edit 1

                set action "update_addrgrp"

                set required enable

            next

        end
    next
end


config system automation-action
    edit "BAN-SSLVPN-IP"
        set action-type cli-script
        set script " config firewall address
        edit SSLVPN-Block-%%log.remip%%
            set color 6
            set subnet %%log.remip%%/32
        end


config firewall addrgrp
    edit VPN_Failed_Login_%%date%%
    append member SSLVPN-Block-%%log.remip%%
end"
    set accprofile "super_admin"
next
end
        

Related articles:

SSL VPN security best practices 

Restrict unauthorized access on the SSL VPN service Restricting SSL VPN connectivity from certain countries using firewall geography addresses 

How to block SSL VPN Connection from a certain source IP Address