PurpleShirt
New Contributor III

[Automation] SSL VPN login fail event -> Ban IP

Hi All

I would like to leverage the automation in security fabric to ban IP's that are trying to connect with the username "administrator". I've made a trigger with the event "SSL VPN login fail" with the field filter user:administrator: 

Screenshot 2023-05-08 083138.png

I've then created an IP Ban Action, that looks like this: 

Screenshot 2023-05-08 083244.png

The problem is, I can't stitch the trigger to the action to create an automation stitch. When I go to select the Action, it doesn't appear in the list:

Screenshot 2023-05-08 083633.png

Does anyone know what I am doing wrong, and how I could achieve banning an IP if there is a connection attempt with a certain user name?

Thank you. 

9 REPLIES
tthrilok
Staff

Hi Purple,

Thank you for the query!

I understand that when a user connects to SSLVPN using the administrator username and password, you want to block the IP they connect from.

After testing your scenario in the lab, I could see that the IP-Ban action cannot be used with the SSL VPN login fail trigger.

The IP-Ban action is for the compromised-host trigger; I am attaching the article here:
>> https://community.fortinet.com/t5/FortiGate/Technical-Tip-Creating-the-automation-stitches/ta-p/1957...

+ Please let us know if you have any further queries!

PurpleShirt
New Contributor III

Hi tthrilok

thank you for your response and the link. Hmm, that's too bad.

Do you know how I could block the IPs that try to connect with the user administrator in an automated manner? Of course I could write scripts that parse these events and create objects that I put in a rule that denies the traffic, but that would create so many unnecessary objects that I would like to avoid it.

srajeswaran
Staff

I see you can call the IP-BAN action along with a FortiAnalyzer event handler as trigger. I have not tested this, but can you try creating an event handler on your FortiAnalyzer for VPN login failures and then use that in the FGT stitch?

Regards,

Suraj

PurpleShirt

Hi Suraj

thank you for your suggestion. Unfortunately we don't have a FortiAnalyzer, so that isn't an option for me.

I've done it in a (suboptimal) way. 

I download the events that contain the message "SSL user failed to logged in" from the FortiGate logs and then run this Python script. It prints the commands that I can run on the firewall to ban the IPs indefinitely.

vpn_events_file_path = "/mnt/c/temp/vpn_events.log"

banned_ips = []  # unique remote IPs, in order of first appearance

def find_between(s, first, last):
    """Return the text of s between the first occurrence of `first` and the
    next occurrence of `last`, or an empty string if either is missing."""
    try:
        start = s.index(first) + len(first)
        end = s.index(last, start)
        return s[start:end]
    except ValueError:
        return ""

with open(vpn_events_file_path, "r") as events:
    for line in events:
        # Only failures for the watched account. In the FortiGate event log the
        # source appears as `remip=<ip>` immediately before `user="<name>"`.
        if 'user="administrator"' in line:
            remip = find_between(line, 'remip=', ' user')
            if remip and remip not in banned_ips:  # skip lines with no remip
                banned_ips.append(remip)

for ip in banned_ips:
    # Ban the source indefinitely; paste the printed lines into the FortiGate CLI.
    print('diagnose user quarantine add src4 ' + ip + ' indefinite admin')

I'll probably do this manually every day until I either implement a FortiAnalyzer or find a better way to do it.

Mikael1989
New Contributor

Hi,

You can use a local-in policy to achieve it.

I created an automation stitch on the SSL VPN Failed Login event.

I used the following script:

config firewall address
    edit %%log.remip%%
        set color 6
        set subnet %%log.remip%%/32
    next
end
config firewall addrgrp
    edit AUTOBLK_GRP
        set member %%log.remip%%
    next
end

The object AUTOBLK_GRP should be created beforehand.

The local-in policy should be:

firewall # config firewall local-in-policy
firewall (local-in-policy) # edit 1
firewall (1) # get
policyid            : 1
uuid                : XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
intf                : wan1
srcaddr             : "AUTOBLK_GRP"
srcaddr-negate      : disable
dstaddr             : "all"
dstaddr-negate      : disable
action              : deny
service             : "ALL"
service-negate      : disable
schedule            : always
status              : enable
comments            :

Mikael
ede_pfau

You should use

"append member %%log.remip%%"

instead of

"set member %%log.remip%%"

as the latter will overwrite any existing addresses, so that the address group will only ever contain one address.

Besides, the address group does not have to exist beforehand.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
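As an added example (this is not code from the thread or from Fortinet), here is a Python version of the log-driven approach from the earlier post above, combined with the address-group approach from Mikael's post and Ede's `append member` correction: it parses FortiGate "SSL VPN login fail" events properly as key=value fields instead of slicing strings, counts failures per source for the watched usernames, skips sources inside a trusted-network allowlist, and emits either the quarantine commands or a CLI script that builds /32 objects and appends them to AUTOBLK_GRP. The log lines are constructed for the example (FortiOS key=value layout, made-up addresses and times), the group name AUTOBLK_GRP is taken from Mikael's post, and the failure threshold and allowlist are my additions, not something the thread describes.

```python
"""Added example, not from the original thread: turn FortiGate SSL VPN
login-fail events into FortiOS ban commands or an address-group CLI script."""
import ipaddress
import re
from collections import Counter

# Constructed sample input (not real log data): FortiGate event-log lines in the
# firewall's key=value layout. Addresses, times and values are made up.
SAMPLE_LOG = """\
date=2023-05-08 time=08:31:02 type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=203.0.113.10 user="administrator" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2023-05-08 time=08:31:05 type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=203.0.113.10 user="administrator" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2023-05-08 time=08:32:40 type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=198.51.100.7 user="admin" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2023-05-08 time=08:33:11 type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=192.0.2.55 user="administrator" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2023-05-08 time=08:40:00 type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN login success" action="ssl-login" remip=192.0.2.9 user="jdoe" reason="N/A" msg="SSL user logged in"
"""

# key=value pairs: quoted values may contain spaces, bare values may not.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one FortiOS log line into a dict of field -> value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def failed_logins(lines, users, allow_nets=()):
    """Count 'SSL VPN login fail' events per IPv4 source for the watched users.

    Sources inside allow_nets (CIDR strings, an assumption of this example) are
    skipped so that an operator mistyping a password from a trusted network is
    never banned. Only IPv4 is kept because the ban command below uses src4.
    """
    nets = [ipaddress.ip_network(n) for n in allow_nets]
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev.get("logdesc") != "SSL VPN login fail" or ev.get("user") not in users:
            continue
        try:
            addr = ipaddress.ip_address(ev.get("remip", ""))
        except ValueError:
            continue  # missing or malformed remip: never feed it to the CLI
        if addr.version != 4 or any(addr in net for net in nets):
            continue
        counts[str(addr)] += 1
    return counts


def ban_commands(counts, threshold=1,
                 template="diagnose user banned-ip add src4 {ip} 0 admin"):
    """One quarantine command per source at or above the failure threshold.

    The thread shows two spellings of this command (`diagnose user quarantine
    add ... indefinite admin` and `diagnose user banned-ip add ... 0 admin`);
    which one a FortiOS release accepts is left to the caller via `template`.
    """
    return [template.format(ip=ip) for ip, n in sorted(counts.items()) if n >= threshold]


def addrgrp_script(ips, group="AUTOBLK_GRP"):
    """CLI script creating a /32 address object per IP and appending it to the
    group that the deny local-in policy references. Uses `append member` so
    that earlier members survive, as pointed out in the reply above."""
    ips = sorted(ips)
    out = ["config firewall address"]
    for ip in ips:
        out += [f"    edit {ip}", "        set color 6",
                f"        set subnet {ip}/32", "    next"]
    out += ["end", "config firewall addrgrp", f"    edit {group}"]
    out += [f"        append member {ip}" for ip in ips]
    out += ["    next", "end"]
    return "\n".join(out)


if __name__ == "__main__":
    counts = failed_logins(SAMPLE_LOG.splitlines(), users={"administrator"},
                           allow_nets=["192.0.2.0/24"])
    for cmd in ban_commands(counts, threshold=2):
        print(cmd)
    print(addrgrp_script(counts))
```

Run against the sample, 203.0.113.10 (two failures) is banned and 192.0.2.55 is skipped because it falls inside the allowlisted 192.0.2.0/24; the `admin` failure from 198.51.100.7 is ignored because only `administrator` is watched. Pasting the generated script into the CLI, or the commands into a cron-driven SSH session, replaces the daily manual step without creating objects for sources that never reach the threshold.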
JairCandia

Hi Mikael,

I was working on the same solution, but the script is not getting the remote IP, as the debug shows:

image.png

Do you have any idea?

Thank you!

JC
Fabio

This is the configuration I was looking for, to stop SSL VPN login attempts from retrying and thus put them in a kind of infinite quarantine.

But with the ability to remove from the address group an IP that ends up on the blacklist by mistake.

Fabio
Bjay_Prakash_Ghising
Contributor

Hi PurpleShirt

Please apply the given script in the CLI action field to ban SSL VPN IPs.

diagnose user banned-ip add src4 %%remip%% 0 admin

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Create-and-append-addresses-into-address-g...

1. SSL Admin Fail - Trigger.png

2. Ban IP - Action.png

3. Stitches.png

4. Banned Monitor - GUI.png

5. Ban IP - CLI.png

Hope that helps,

Kind Regards,

Bijay Prakash Ghising

Ghising