Support Forum
Elbu3no
New Contributor II

Automation - SSLVPN Block IPs

I'm trying to automate an action in the Fabric to avoid brute force.
I want to block all failed SSLVPN logins, but only after 3 failed attempts, to avoid blocking legitimate logins (wrong passwords).

My config is running well; I need to improve the action so that it allows the 3 attempts.

Look at the CLI action below. It's working.

config vdom
    edit root
        # %%log.remip%% is the remote IP taken from the log entry that triggered the stitch
        config firewall address
            edit "SSLVPN-Block-%%log.remip%%"
                set color 6
                set subnet %%log.remip%%/32
            next
        end

        # add the new address object to the block group
        config firewall addrgrp
            edit "SSLVPN-Block-Group"
                append member "SSLVPN-Block-%%log.remip%%"
            next
        end
    next
end
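As an added example (not code from the thread), the "block only after 3 failures" logic that the event handler provides, written in Python over constructed FortiGate-style log lines: it counts ssl-login-fail events per remip in a sliding time window and emits the stitch CLI above for sources that cross the threshold. Field names follow FortiOS logging conventions; the sample lines are constructed, not captured logs.

```python
import re
from collections import defaultdict, deque

# Constructed sample lines in FortiGate key=value syslog style (not captured logs).
# eventtime is nanoseconds since the epoch, as FortiOS emits it; remip is the field
# the automation stitch references as %%log.remip%%.
SAMPLE_LOGS = """\
date=2024-03-01 time=10:00:01 type="event" subtype="vpn" vd="root" eventtime=1709287201000000000 logdesc="SSL VPN login fail" action="ssl-login-fail" remip=203.0.113.10 user="admin" msg="SSL user failed to logged in"
date=2024-03-01 time=10:00:20 type="event" subtype="vpn" vd="root" eventtime=1709287220000000000 logdesc="SSL VPN login fail" action="ssl-login-fail" remip=203.0.113.10 user="root" msg="SSL user failed to logged in"
date=2024-03-01 time=10:01:00 type="event" subtype="vpn" vd="root" eventtime=1709287260000000000 logdesc="SSL VPN login fail" action="ssl-login-fail" remip=198.51.100.7 user="alice" msg="SSL user failed to logged in"
date=2024-03-01 time=10:00:45 type="event" subtype="vpn" vd="root" eventtime=1709287245000000000 logdesc="SSL VPN login fail" action="ssl-login-fail" remip=203.0.113.10 user="test" msg="SSL user failed to logged in"
date=2024-03-01 time=10:02:00 type="event" subtype="vpn" vd="root" eventtime=1709287320000000000 logdesc="SSL VPN tunnel up" action="tunnel-up" remip=198.51.100.7 user="alice" msg="SSL tunnel established"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log(line):
    """Split one FortiGate log line into a dict, honouring quoted values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def failed_logins(lines):
    """Yield (epoch_seconds, remip) for every SSL VPN login failure."""
    for line in lines:
        rec = parse_log(line)
        if rec.get("action") == "ssl-login-fail":
            yield int(rec["eventtime"]) // 1_000_000_000, rec["remip"]

def ips_to_block(lines, threshold=3, window=300):
    """Return {remip: failures} for sources that reach `threshold` failures
    within any `window`-second span; sorting makes out-of-order lines safe."""
    recent = defaultdict(deque)
    blocked = {}
    for ts, ip in sorted(failed_logins(lines)):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:          # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in blocked:
            blocked[ip] = len(q)
    return blocked

def stitch_cli(ip, vdom="root"):
    """The CLI from the original stitch with %%log.remip%% already substituted."""
    return "\n".join([
        "config vdom", f"edit {vdom}", "config firewall address",
        f'edit "SSLVPN-Block-{ip}"', "set color 6", f"set subnet {ip}/32", "next", "end",
        "config firewall addrgrp", 'edit "SSLVPN-Block-Group"',
        f'append member "SSLVPN-Block-{ip}"', "next", "end", "next", "end",
    ])
```

With the constructed sample, only 203.0.113.10 (three failures in 44 seconds) is returned; 198.51.100.7 with a single wrong password is left alone, which is the behaviour the original stitch lacked.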

ozkanaltas
Contributor III

Hello @Elbu3no ,

If you have a FortiAnalyzer you can use an event handler as a trigger.

The event handler offers options such as triggering only after at least 3 events have been seen.

You can review this document on using an event handler as a trigger:

https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/176287/fortianalyzer-event-h...

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
Elbu3no
New Contributor II

Hi @ozkanaltas, thanks for your answer.

It doesn't work from the Fabric, because once the user gets the password wrong, they are already blocked on the first attempt.
I'd need to give 3 attempts, and block after these 3 errors.
Is it possible?

ozkanaltas

Hi @Elbu3no ,

In your scenario, you use a trigger on FortiGate.

But in the scenario with FortiAnalyzer, the trigger is FortiAnalyzer. FortiAnalyzer can wait for the same event to occur 3 times. This event will trigger FortiGate after it repeats 3 times.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
Elbu3no
New Contributor II

Hi @ozkanaltas 

Thanks for your answer and your support.
Do you have any tutorial or documentation about that?
I never did this process. Could you help me?

Thanks a lot.
Lhuan

ozkanaltas

Hello @Elbu3no ,

You can review this document on how to create an event handler on FortiAnalyzer:

https://docs.fortinet.com/document/fortianalyzer/7.4.2/administration-guide/348606/creating-a-custom...

Also, you can review this document on how to use an event handler as a trigger:

https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/176287/fortianalyzer-event-h...

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
Elbu3no
New Contributor II

Hi @ozkanaltas.

I've created the event handler and linked it with FortiGate.
Thanks a lot for the documentation. It helped me a lot.

Now I'm facing another issue: the action is not happening in FortiGate. I have some screenshots of the process.
In the FortiAnalyzer I have events; in FortiGate I don't have any trigger.

ozkanaltas

Hello @Elbu3no ,

Can you try to enable this setting?

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
Elbu3no
New Contributor II

Hello @ozkanaltas 

Yes, I've tried it, and I don't get any action on FortiGate, only logs.

Is there any CLI command to verify the logs between the Analyzer and the FortiGate? I mean, I want to see that the Analyzer is sending the logs to the FortiGate, to do some troubleshooting.

bpozdena_FTNT

Hi @Elbu3no ,

Even if your script worked, it would not help prevent the connections.

Luckily you don't need to do such things, as the SSL VPN daemon has brute force protection already built in. You can configure it with the two commands below:

config vpn ssl settings
    set login-attempt-limit 3    # SSL-VPN maximum login attempt times before block (0 - 10, default = 2, 0 = no limit); 3 matches the attempts asked for above
    set login-block-time 60      # Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60)
end

You can also allow/block connections from specific countries, either from the SSL VPN daemon itself or via a local-in firewall policy. Examples are below:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-SSL-VPN-connectivity-from-cert...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Blocking-Geolocations-for-SSL-VPN-and-mana...

HTH,
Boris