Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
FractalSphere
New Contributor II

Created on ‎03-12-2024 03:24 PM Edited on ‎03-12-2024 04:56 PM

Blocking by region and stopping attempted logins

I have many corporate Fortinet firewalls in play, but finally just went and bought one for myself (a 60e, great for home internet and labs) so am posting with my personal acct - and am seeing the following weird issue.  

 

I have created an address group blocking a number of countries (Russia and China primarily, seeing attempted connectoin attempts from various IP's).

 

While I do 'allow' SSH on wan1, the administrator super_admin and my acct profile_admin are only allowed from certain IP ranges (my inside subnets and the VPN DHCP range I hand out when I connect to my own network from outside) so that's already fairly locked down.

I am seeing logs denying 'admin' by blocked IP because it falls outside trustedhosts range, but if the bots try any other account (that does NOT exist on the Fortinet) it allows the connection to try passwords and then of course fails because there's no such account. 

 

I have created a deny policy referencing the regions and put wan1/wan1 as the from/to because this isn't hitting a VIP, it's just SSH attempts to wan1. 

Screenshot from 2024-03-12 17-19-34.png

Screenshot from 2024-03-12 17-07-11.png
yes, despite being policy #7, it's ordered to the top of the list so it's the first policy processed when traffic hits wan1

Screenshot from 2024-03-12 17-18-45.png

What I was hoping would happen here is that the policy would deny even the attempted connection from source IP's that match the regions and my address group BEFORE allowing the SSH connection and attempting authentication.  I have tested this from another static IP that I added to the group and the hitcount does not increase (show matching logs shows nothing hitting the policy at all)

What's happening here where a bad acct can attempt to log in from a region blocked IP but a known acct filters based on the trustedhosts?

 

These are slow attempts, maybe a few to up to a dozen a day, so definitely not killing my bandwidth, stressing the firewall, or causing any disruptions, but I would still want to deny ANY connections from those regions.

 

Looking for advice and guidance here. 

 

Thanks!

666
0 Kudos
1 Solution
hbac
Staff
Staff
In response to FractalSphere

Created on ‎03-13-2024 10:36 AM

Hi @FractalSphere,

 

Do you have trusted hosts configured for all admin accounts? You can use local-in-policy to block incoming connections to the FortiGate. Please refer to https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/363127/local-in-policy

 

Regards, 

View solution in original post

554
10 REPLIES 10
FractalSphere
New Contributor II
In response to smkml

Created on ‎03-12-2024 07:28 PM Edited on ‎03-12-2024 07:29 PM

Those are both good reads, but neither applies to my issue - here check it out

 

The first one talks about restricting SSLVPN access against certain regions, which I hadn't employed before but isn't the issue here.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-by-country-or-geolocation/ta-...


The second one talks about applying region blocking to VIP traffic into a server, which is a smart move if you're defining regions like this.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-allowing-sslvpn-access-from-sp...


My issue is that there's various ssh connection attempts happening directly to my firewall, the Fortinet 60e, and only known accounts are being blocked against my trustedhosts lists. Unknown accounts, despite the policy blanket denying regions, are being allowed to try multiple login attempts with no IP filtering.  That's the goal, to filter against any connection attempts against those regions directly ssh'ing into my firewall.

 

 

557
0 Kudos
FractalSphere
New Contributor II
In response to smkml

Created on ‎03-13-2024 06:29 AM

Here, see how the 'admin' acct is being actively blocked because of "blocked IP" but other non-existent accts aren't being blocked by region. They're just allowed to connect and attempt the login regardless. 

Oddly enough this hasn't come up at work at all where we have strict allow lists and appliances are behind AWS security groups, or field sites are often times behind some other forward device with allow lists. I'm seeing this at home because I'm on consumer internet and there's bots out there doing slow trolls of the public subnets. 

 

Screenshot from 2024-03-13 08-26-39.png

518
0 Kudos
ametkola
Staff
Staff

Created on ‎03-13-2024 08:52 AM

Hi,

 

Please check the documentation related to the SSH and Telnet restriction : https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-SSH-and-telnet-from-FortiGate-...

 

If you feel the above steps helped to resolve the issue mark the reply as solved so that other customers can get it easily while searching on similar scenarios.

 

Regards,

509
0 Kudos
ametkola
Staff
Staff

Created on ‎03-13-2024 09:27 AM

Hi,

 

Let me add also how to block by region >> https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-by-country-or-geolocation/ta-...

 

In your case the firewall policy is create from Wan to Wan , can you please change from Wan to Lan ?

 

Regards,

 

505
0 Kudos
FractalSphere
New Contributor II
In response to ametkola

Created on ‎03-13-2024 09:53 AM

Unfortunately, that does not apply.  It's the same link as posted above in the first reply.

It references applying region blocking to a VIP so you limit inbound traffic that is able to hit an inside resource. That's not the case here, I am seeing attacks directly against the firewall itself, and need to apply the region blocking against wan1's SSH port.  Again, only known accounts are being filtered against the trustedhosts lists, unknown accounts, despite the attempted block, are being allowed to test credentials.

 

The other link you posted is limiting using the firewall as a jump-point to SSH to other devices.  

 

How do we apply a policy that blocks against these filters BEFORE even allowing the SSH session to begin?  Should I define an address object as wan1 on the destination portion of the policy?

 

498
0 Kudos
hbac
Staff
Staff
In response to FractalSphere

Created on ‎03-13-2024 10:36 AM

Hi @FractalSphere,

 

Do you have trusted hosts configured for all admin accounts? You can use local-in-policy to block incoming connections to the FortiGate. Please refer to https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/363127/local-in-policy

 

Regards, 

555
FractalSphere
New Contributor II
In response to hbac

Created on ‎03-13-2024 12:45 PM

Yes as stated, I do have trustedhosts configured for admin accts.

 

Local-in policies was the right answer, apparently!  Thanks!  :) 

 

I got a local-in policy that appears to be working as intended by applying the following block via the CLI!  

config firewall local-in-policy
edit 10
set intf "wan1"
set srcaddr "External-blocked IPs by geography"
set dstaddr "all"
set action deny
set service "ALL"
set schedule "always"
set comments "test local-in"
next
end

 

I will be looking into logging of this I suppose and getting some stats on how often those regions attempt connections, but for now my other static IP I'm testing against just hangs and denies the connections for both known and unknown accts. 

 

474
0 Kudos
FractalSphere
New Contributor II
In response to FractalSphere

Created on ‎03-13-2024 02:10 PM

FYI I enabled some logging (will likely tweak this as I go) from this reference

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Local-traffic-logs-tab-shows-no-results/ta...

 

 

467
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.