- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Automatic blocking IP to prevent Fortigate web...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Automatic blocking IP to prevent Fortigate web interface login page
Hi,
Last few days I started to see new activity on my WAN link - many login attempts on HTTPS interfaces of my Fortigates. In majority they come from IP: 185.253.160.140 but not exclusevily. My question is how to automatically block these attempts, i.e. to ban certain IP from viewing login page of Forti after few unsuccessfull login trials.
I have few Fortigates with soft not older than 6.2.15.
Piotr
Labels:
- Labels:
-
FortiGate
- « Previous
-
- 1
- 2
- Next »
16 REPLIES 16
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
These are all standard best practices and have been implemented on all of our customers' firewalls. Again, the port number makes no difference to a bot. Our typical block list contains 88 elements, (38 class C or greater ranges in the US - mostly data centers in Dallas, TX) and 50 country codes. These are applied to WAN1, WAN2, and the SSLVPN port in the form of local-policy-in rules. Still we see attempts continue. The answer here is an auto-ban element is needed. Its surprising that a security appliance needs this much tweaking (and even more) to not be picked at.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi AFT
You can set failed login attempts from any source and block-time as well.
This can block other attempts from the attacker's IP for a very log time (for a maximum of 70 years if needed).
Here is for SSL VPN access:
config vpn ssl settings
set login-attempt-limit x (defalt=2)
set login-block-time x (default=60, max=86400)
Here is for WebUI admin login:
config system global
admin-lockout-threshold x (defult=3)
admin-lockout-duration x (default=60, max=2147483647)
You can also ban the IP automatically instead of block period, as explained in the below tech tip.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As far as I know,
Banning IP addresses won't affect the administrative access to the GUI login page. Instead, it simply blocks services passing through the FortiGate. To enforce administrative restrictions, you must configure a local-in policy or set up trusted hosts.
If you wish to automate this capability, you must establish specific criteria to trigger the automation. References for creating your criteria can be found in the following articles:
Without such automated settings, it's unlikely that any security appliance will automatically block IPs attempting to access your publicly hosted services. Blocking administrative access without validation checks is not feasible.
Think of it, how would a security appliance block the IPs in such a case?
Security appliances need to perform validation checks, such as C&C, P2P botnet, IP Reputation, Compromised hosts, and Threat level, for effective blocking or allowing of connections. Even for those detections to work, IPs need to pass through the Firewall policy.
Configuring best practices is one way to limit threats. However, for total blocking of GUI administrative access on FortiGate, you need to automate IP blocking in the local-in policy.
When configuring such settings globally, consider false positive attempts as well.
config vpn ssl settings
set login-attempt-limit x (default=2)
set login-block-time x (default=60, max=86400)
config system global
admin-lockout-threshold x (default=3)
admin-lockout-duration x (default=60, max=2147483647)
I hope this information is helpful.
Kind Regards,
Bijay Prakash Ghising
Ghising
Ghising
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I apologize for the inconvenience caused by my repeated replies.
It seems there might be a limit or a bug in the system, as my responses were not visible. The response numbers are increasing, but replies to the most recent post are not displaying.
I'm unsure whether this response has been successfully posted. If anyone sees this response, please report the bug to the admin.
Thank you in advance for your assistance.
Ghising
Ghising
Created on 01-30-2024 12:33 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As far as I know,
Banning IP addresses won't affect the administrative access to the GUI login page. Instead, it simply blocks services passing through the FortiGate.
To enforce administrative restrictions, you must configure a local-in policy or set up trusted hosts.
If you wish to automate such a capability, you must establish specific criteria to trigger the automation. You can take a reference from the below articles and create your criteria(Trigger)
Without such automated settings, it's unlikely that any security appliance will automatically block IPs attempting to access your publicly hosted services. Blocking administrative access without validation checks is not feasible.
Think of it, how would a security appliance block the IPs in such a case?
Security appliances need to perform validation checks, such as C&C, P2P botnet, IP Reputation, Compromised hosts, and Threat level, for effective blocking or allowing of connections. Even for those detections to work, IPs need to pass through the Firewall policy.
Configuring best practices is one way to limit threats. However, for total blocking of GUI administrative access on FortiGate, you need to automate IP blocking in the local-in policy.
When configuring such settings globally, consider false positive attempts as well.
config vpn ssl settings
set login-attempt-limit x (default=2)
set login-block-time x (default=60, max=86400)
config system global
admin-lockout-threshold x (default=3)
admin-lockout-duration x (default=60, max=2147483647)
I hope this information is helpful.
Kind Regards,
Bijay Prakash Ghising
Ghising
Ghising
Created on 01-30-2024 12:35 PM Edited on 01-30-2024 12:41 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I think the image file response was uploaded successfully. So, I have captured my last response here as it was not visible earlier.
Ghising
Ghising
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you add your address object that contains each of your banned IP or Geo locations and apply the address object to your local-in-policy, banning IP addresses do work (as long as the attacker doesn't change IPs). Here is what I use on WAN1, WAN2, and the SSLVPN port (you must define a address object that contains your SSLVPN port for this to work. I use the name "SSLVPN-Port" in the example below:
!
config firewall local-in-policy
edit 1
set intf wan1
set srcaddr "Blocked_List"
set srcaddr-negate disable
set dstaddr "all"
set dstaddr-negate disable
set action deny
set service "ALL"
set service-negate disable
set schedule "always"
set status enable
next
edit 2
set intf wan2
set srcaddr "Blocked_List"
set srcaddr-negate disable
set dstaddr "all"
set dstaddr-negate disable
set action deny
set service "ALL"
set service-negate disable
set schedule "always"
set status enable
next
edit 3
set intf "wan1"
set srcaddr "Blocked_List"
set srcaddr-negate disable
set dstaddr "all"
set dstaddr-negate disable
set action deny
set service "SSLVPN-Port"
set service-negate disable
set schedule "always"
set status enable
next
!
- « Previous
-
- 1
- 2
- Next »
Related Posts
- Understanding the application control 120 Views
- NAT after server migration 116 Views
- FortiGate FGT200F MTU 7.v7.4.3 build2573 (Feature) 93 Views
- Fortigate captive Portal blank page. 175 Views
- DHCP on a Fortiswitch 124F from... 175 Views
Labels
-
FortiGate
6,610 -
FortiClient
1,318 -
5.2
801 -
5.4
639 -
FortiManager
572 -
FortiAnalyzer
417 -
6.0
416 -
5.6
362 -
FortiSwitch
339 -
FortiAP
337 -
FortiClient EMS
269 -
6.2
251 -
FortiMail
248 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
152 -
6.4
128 -
FortiNAC
108 -
FortiGuard
103 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
74 -
FortiToken
72 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
63 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
29 -
Firewall policy
26 -
SD-WAN
26 -
FortiConnect
24 -
High Availability
22 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
FortiPortal
18 -
FortiAuthenticator
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
DNS
13 -
FortiGate v5.0
13 -
Interface
13 -
FortiDDoS
13 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
Logging
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.