FortiGate
KumarV
Staff
Article Id 290823
Description

This article describes how to use an automation stitch to automatically prevent rogue IP addresses from accessing SSL-VPN.

 

Rogue IP addresses from around the world attempt brute-force logins against SSL-VPN almost every day, trying many username and password combinations.

These attempts fail because the attacker holds no valid credentials, but each one still reaches the SSL-VPN listener and generates an 'SSL VPN login fail' event log.

 

An additional layer of protection can be added by configuring an automation stitch that blocks the offending IP addresses: once an address has been seen failing a login, it is prevented from reaching the SSL-VPN login at all.

Scope

FortiGate, all firmware.

Solution

This article demonstrates how to build an automation stitch that runs a CLI script whenever a failed SSL-VPN login with the username 'temp123' is logged. The trigger filters on the username 'temp*', which matches every username starting with 'temp' except 'temp' on its own; a separate stitch would be needed to match exactly 'temp'. On the first failed attempt the script adds the attacker's IP address to the address group 'SSLVPN-Block-Group'. Because that group is negated in the SSL-VPN source-address setting, the second attempt from the same IP is dropped at the interface level before authentication.

 

kb1.PNG

 

These screenshots show the trigger: as soon as an event log named 'SSLVPN login fail' is generated in VDOM 'root', the stitch performs its action by running the CLI script below.

 

kb2.PNG

 

config firewall address
    edit SSLVPN-Block-%%log.remip%%
        set color 6                 <- 6 is red, so blocked addresses stand out in the GUI.
        set subnet %%log.remip%%/32
    next
end

config firewall addrgrp
    edit "SSLVPN-Block-Group"
        append member SSLVPN-Block-%%log.remip%%
    next
end

%%log.remip%% is the stitch variable that expands to the remote IP (remip) field of the triggering log, so each run creates an address object named after the attacker's IP. 'append member' adds that object to the group without replacing the members already in it, which 'set member' would do.

 

Results:

 

On the first failed login attempt with the username 'temp123', an 'SSL VPN login fail' event log is generated.

 

kb3.PNG

 

The event log above triggers the automation stitch. The script creates a firewall address object from the attacker's IP and adds it to the address group 'SSLVPN-Block-Group'. Every further trigger adds another address to the same group, which the SSL-VPN settings then use to block those sources.

 

kb4.PNG

 

Under the SSL-VPN settings, 'SSLVPN-Block-Group' must be configured as the source address and negated, so that every source except the group members may connect and the attacker can no longer retry from the same IP. Note that 'set source-address' replaces whatever is currently configured there, and the negate applies to the whole list, so this approach assumes SSL-VPN is otherwise open to 'all' sources; check the existing setting before changing it.

 

config vpn ssl settings

    set source-address "SSLVPN-Block-Group"

    set source-address-negate enable

end
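The screenshots above show the trigger and action built in the GUI. For reference, the following is the equivalent configuration on the CLI, written for this article as an added example; it is not part of the original knowledge base article or of any Fortinet documentation. The trigger, action and stitch names, the FortiOS 7.0-style 'config actions' syntax, the log ID 39426 for 'SSL VPN login fail', and the 'super_admin' access profile used by the CLI-script action are assumptions to verify against the firmware in use. The script body is shown as it would be entered in the action's script field. Lines starting with # are explanatory comments and should be removed before pasting.

```fortios
# Trigger: fire on the "SSL VPN login fail" event log (log ID 39426 assumed;
# verify the ID in the log reference for your firmware) when the user field
# matches temp*. Note: 'temp*' does not match the bare username 'temp'.
config system automation-trigger
    edit "SSLVPN-Login-Fail-temp"
        set event-type event-log
        set logid 39426
        config fields
            edit 1
                set name "user"
                set value "temp*"
            next
        end
    next
end

# Action: CLI script run with the rights of the chosen admin profile
# ('super_admin' assumed). %%log.remip%% expands to the remote IP recorded
# in the triggering log. Quotes are avoided inside the script body because
# it is itself a quoted string.
config system automation-action
    edit "SSLVPN-Block-remip"
        set action-type cli-script
        set accprofile "super_admin"
        set script "config firewall address
    edit SSLVPN-Block-%%log.remip%%
        set color 6
        set subnet %%log.remip%%/32
    next
end
config firewall addrgrp
    edit SSLVPN-Block-Group
        append member SSLVPN-Block-%%log.remip%%
    next
end"
    next
end

# Stitch: bind the trigger to the action (FortiOS 7.0+ syntax; 6.4 uses a
# single 'set action' instead of 'config actions').
config system automation-stitch
    edit "SSLVPN-Block-Rogue-IP"
        set trigger "SSLVPN-Login-Fail-temp"
        config actions
            edit 1
                set action "SSLVPN-Block-remip"
                set required enable
            next
        end
    next
end

# SSL-VPN settings: allow every source except members of the block group.
# 'set source-address' replaces the current list, so check it first.
config vpn ssl settings
    set source-address "SSLVPN-Block-Group"
    set source-address-negate enable
end
```

The address group must exist before 'config vpn ssl settings' can reference it, so either let the stitch fire once first (as the article does) or create the group in advance. Use 'diagnose automation test <stitch-name>' or a deliberate failed login with a 'temp' username from a test host to confirm that the address object and group member appear.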

 

Once these settings are in place, further connections from a blocked IP are dropped at the interface level before authentication, so no more 'SSL VPN login fail' logs are generated for that address.

 

Note: every FortiGate model has its own maximum firewall object table; for instance, a 100F can hold 20,000 firewall objects. Each triggered stitch adds one address object, so the block group will keep growing unless stale entries are removed from time to time.

See the documentation on the maximum values table for more information.