Description
This article describes how to use an automation stitch to automatically prevent rogue IP addresses from accessing SSL-VPN.
Many distinct rogue IP addresses attempt brute-force attacks virtually every day, trying to log in to SSL-VPN from around the globe with various passwords. FortiGate will not permit them to connect, as it already has the necessary security measures in place for SSL-VPN.
An additional security layer for SSL-VPN can be added by configuring an automation stitch that automatically blocks those IP addresses and prevents them from connecting.
Scope
FortiGate, all firmware.
Solution
This article demonstrates how to build an automation stitch that runs a CLI script when an attacker is first seen attempting to connect to SSL-VPN with the username 'temp123'. (The trigger filter 'temp*' matches every username starting with 'temp' except the bare username 'temp'; a separate stitch would be necessary for 'temp' alone.) On the second attempt, the connection is blocked at the interface level, because the script has forwarded the attacker's IP address into the 'SSLVPN-Block-Group'.
These screenshots depict how, as soon as an event log is generated with the name 'SSLVPN login fail' in VDOM 'root', the action is taken by running the following script.
config firewall address
    edit SSLVPN-Block-%%log.remip%%
        set color 6    <- For a red color.
        set subnet %%log.remip%%/32
end

config firewall addrgrp
    edit "SSLVPN-Block-Group"
        append member SSLVPN-Block-%%log.remip%%
end
Results:
On the first attempt by 'test123', a log is generated.
The event log above triggers the automation stitch. The script creates an address object from the attacker's IP and adds it to the group 'SSLVPN-Block-Group'. FortiGate keeps adding IPs to that group, which the SSL-VPN settings can then use to block them.
Under the SSL-VPN settings, 'SSLVPN-Block-Group' must be negated as the source address so that the attacker cannot try again from the same IP.
config vpn ssl settings
    set source-address "SSLVPN-Block-Group"
    set source-address-negate enable
end
After running the commands above, the attacker is blocked at the interface level, and no further unnecessary logs are generated for that source.
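The whole mechanism (the trigger filter on the event log, the %%log.remip%% substitution into the CLI script, and the negated source-address check) can be exercised offline. The following Python script is an added example, not part of the original article and not FortiOS code: it parses constructed FortiGate-style key=value log lines, applies the same trigger filter (VDOM 'root', description 'SSL VPN login fail', username 'temp*' as the article describes it), renders the article's CLI script with the %%log.remip%% placeholder filled in, and tracks group membership so that a later attempt from an already-blocked source is dropped before it reaches SSL-VPN. The sample log lines and their field values are constructed for the example.

```python
import re

# Constructed sample FortiGate event-log lines in key=value syslog form, carrying
# the fields the stitch relies on (vd, logdesc, remip, user). They are not logs
# taken from the original article.
SAMPLE_LOGS = [
    'date=2024-01-01 time=10:00:01 type="event" subtype="vpn" level="alert" vd="root" '
    'logdesc="SSL VPN login fail" action="ssl-login-fail" remip=203.0.113.7 user="temp123" '
    'reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"',
    # second attempt from the same source and username
    'date=2024-01-01 time=10:00:05 type="event" subtype="vpn" level="alert" vd="root" '
    'logdesc="SSL VPN login fail" action="ssl-login-fail" remip=203.0.113.7 user="temp123"',
    # bare username 'temp': the article says the 'temp*' filter does not match it
    'date=2024-01-01 time=10:00:09 type="event" subtype="vpn" level="alert" vd="root" '
    'logdesc="SSL VPN login fail" action="ssl-login-fail" remip=198.51.100.22 user="temp"',
    # another 'temp*' username from a different source
    'date=2024-01-01 time=10:00:12 type="event" subtype="vpn" level="alert" vd="root" '
    'logdesc="SSL VPN login fail" action="ssl-login-fail" remip=192.0.2.44 user="tempadmin"',
    # a different log description, so the trigger must ignore it
    'date=2024-01-01 time=10:00:15 type="event" subtype="vpn" level="information" vd="root" '
    'logdesc="SSL VPN login succeeded" action="tunnel-up" remip=192.0.2.99 user="alice"',
    # matching failure but in another VDOM, so the 'root' filter must ignore it
    'date=2024-01-01 time=10:00:20 type="event" subtype="vpn" level="alert" vd="customer1" '
    'logdesc="SSL VPN login fail" action="ssl-login-fail" remip=192.0.2.77 user="temp99"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The CLI script from the article, with the %%log.remip%% placeholders the stitch fills in.
ACTION_SCRIPT = """config firewall address
    edit SSLVPN-Block-%%log.remip%%
        set color 6
        set subnet %%log.remip%%/32
    next
end
config firewall addrgrp
    edit "SSLVPN-Block-Group"
        append member SSLVPN-Block-%%log.remip%%
    next
end"""


def parse_log(line):
    """Turn one key=value log line into a dict, stripping the quotes around values."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def trigger_matches(fields, vdom="root", logdesc="SSL VPN login fail", user_prefix="temp"):
    """Mirror the stitch trigger: the named event in the named VDOM, with a username that
    matches 'temp*' in the sense the article gives it (starts with 'temp', longer than 'temp')."""
    user = fields.get("user", "")
    return (fields.get("vd") == vdom
            and fields.get("logdesc") == logdesc
            and user.startswith(user_prefix)
            and len(user) > len(user_prefix))


def render_script(fields):
    """Substitute every %%log.<field>%% placeholder with the value from the triggering log."""
    return re.sub(r"%%log\.(\w+)%%", lambda m: fields.get(m.group(1), ""), ACTION_SCRIPT)


def simulate(lines):
    """Replay log lines through the stitch. Returns the group members in the order they were
    added, the CLI rendered for each trigger, and how many later attempts from an already
    blocked source were dropped by the negated source-address check (no log, no trigger)."""
    group_members = []
    rendered = []
    dropped = 0
    for line in lines:
        fields = parse_log(line)
        remip = fields.get("remip")
        if remip in group_members:
            dropped += 1          # blocked at the interface before SSL-VPN sees it
            continue
        if trigger_matches(fields):
            rendered.append(render_script(fields))
            group_members.append(remip)
    return group_members, rendered, dropped


if __name__ == "__main__":
    members, scripts, dropped = simulate(SAMPLE_LOGS)
    print("SSLVPN-Block-Group members:", members)
    print("attempts dropped by the negated source address:", dropped)
    print(scripts[0])
```

Running the script shows the first 'temp123' failure producing the address object for its source, the second attempt from that source being dropped without reaching SSL-VPN, and the bare 'temp' login, the successful login and the other-VDOM failure all leaving the group untouched.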
Note: every FortiGate model has its own maximum firewall object table. For instance, a 100F can have 20,000 firewall objects. See the maximum values table in the documentation for more information.
Copyright 2024 Fortinet, Inc. All Rights Reserved.