Viewing incoming IP addresses

Author
ITHRBruce
2019/11/01 08:18:08


I have a Fortigate 100E.
 
We have a Windows Remote Desktop Server that allows users to externally connect via RDP. The server has a mapped external IP address via NAT.
 
Just occasionally, we see a denied request for access in the security logs. How can I check the Fortigate to see what IP addresses are accessing the firewall? If I can identify them then I can block these from trying to access our server.
 
Thank you.
 
#1

4 Replies

    abelio
    Re: Viewing incoming IP addresses 2019/11/01 08:42:39
    Hello

    ITHRBruce wrote:
    "I have a Fortigate 100E.
    We have a Windows Remote Desktop Server that allows users to externally connect via RDP."

    Not a good practice; try to have your users establish VPN tunnels to your 100E and, once authenticated, RDP to the Windows server. SSLVPN is really straightforward to implement.

    ITHRBruce wrote:
    "The server has a mapped external IP address via NAT.
    Just occasionally, we see a denied request for access in the security logs. How can I check the Fortigate to see what IP addresses are accessing the firewall? If I can identify them then I can block these from trying to access our server."

    If you cannot see the original IP in your logs, you're probably NATting your external (all) -> internal (VIP) firewall policy. That is a configuration error; please hurry to fix that, because if so, your server is at risk.

    Try to implement VPN tunnels in order to replace this approach.

    regards
    --
    Abel
    #2
    fernandezm_FTNT
    Re: Viewing incoming IP addresses 2019/11/01 19:20:07
    I too agree on NEVER opening up RDP to the outside world. If you cannot help it, then I would suggest locking it down by 'source' IP. Also ensure you have an IPS profile assigned to the policy. In the IPS Profile, you can set the action for certain signature(s) to "quarantine", which will quarantine the offending IP address for a period of time that you select.

    As for seeing the IP addresses that are hitting the Firewall or a VIP, I would suggest taking a look at either FortiAnalyzer, FortiCloud (there are two flavors: free, which stores logs for 7 days, and paid, which will store them for 1 year), or Syslog (e.g. Kiwi Syslog, Syslog-NG, etc.).

    In addition to this, ensure that the Windows RDP server and the Fortigate are using the same time source (e.g. NTP), which the Fortigate CAN give to the rest of the internal network(s) under the 'Settings' tabs. This will ensure that when you look at the logs in Windows (e.g. login failure) you can cross-reference it on the FortiAnalyzer/FortiCloud/Syslog. You also need to make sure your logging is set to 'All Sessions', not just 'Security Events'. The former gives you ALL connections while the latter will ONLY log traffic that has been blocked. Assuming you are allowing RDP traffic as you stated, unless you have 'All Sessions' you would NEVER see the IP addresses.
     
    Hope this helps.
     
     
    #3
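
Added example, not part of the original thread and not Fortinet code: once 'All Sessions' logging is being sent to a syslog server as reply #3 suggests, a short script can list every source IP that reached the RDP VIP and how many of its sessions were denied. The log lines are constructed, and the key=value field names (type, srcip, dstip, dstport, action) and the 192.0.2.10 external address are assumptions about the exported format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in FortiGate key=value syslog style (documentation-range
# addresses, made-up device name and policy ids). With 'Security Events' only,
# just the action="deny" lines would exist; 'All Sessions' adds the rest.
SAMPLE_LOG = """\
date=2019-11-05 time=09:02:11 devname="FGT-EXAMPLE" type="traffic" subtype="forward" srcip=203.0.113.7 srcport=50112 dstip=192.0.2.10 dstport=3389 proto=6 action="accept" policyid=12
date=2019-11-05 time=09:03:40 devname="FGT-EXAMPLE" type="traffic" subtype="forward" srcip=198.51.100.23 srcport=41877 dstip=192.0.2.10 dstport=3389 proto=6 action="deny" policyid=0
date=2019-11-05 time=09:03:41 devname="FGT-EXAMPLE" type="traffic" subtype="forward" srcip=198.51.100.23 srcport=41879 dstip=192.0.2.10 dstport=3389 proto=6 action="deny" policyid=0
date=2019-11-05 time=09:05:02 devname="FGT-EXAMPLE" type="traffic" subtype="forward" srcip=203.0.113.7 srcport=50140 dstip=192.0.2.10 dstport=443 proto=6 action="accept" policyid=14
date=2019-11-05 time=09:06:15 devname="FGT-EXAMPLE" type="event" subtype="system" level="information" msg="constructed non-traffic line"
date=2019-11-05 time=09:07:33 devname="FGT-EXAMPLE" type="traffic" subtype="forward" srcip=198.51.100.99 srcport=60001 dstip=192.0.2.10 dstport=3389 proto=6 action="accept" policyid=12
"""

# key=value pairs; values are either "quoted with spaces" or a bare token.
PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {k: (inner if raw.startswith('"') else raw)
            for k, raw, inner in PAIR.findall(line)}


def rdp_sources(log_text, vip="192.0.2.10", port="3389"):
    """Count sessions per source IP and action for traffic aimed at vip:port."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("type") == "traffic" and f.get("dstip") == vip \
                and f.get("dstport") == port and "srcip" in f:
            hits[f["srcip"]][f.get("action", "unknown")] += 1
    return hits


def summarize(hits):
    """Rows of (srcip, total sessions, denied sessions), most-denied first."""
    rows = [(ip, sum(c.values()), c["deny"]) for ip, c in hits.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    for ip, total, denied in summarize(rdp_sources(SAMPLE_LOG)):
        print(f"{ip:<16} sessions={total} denied={denied}")
```
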
    ITHRBruce
    Re: Viewing incoming IP addresses 2019/11/03 23:32:48
    Thank you for this, I will check the logging and NTP settings. This is all very useful, I appreciate the time you took to put it together for me.
    #4
    ITHRBruce
    Re: Viewing incoming IP addresses 2019/11/06 01:29:20
    Hi,
    From the Windows logs, I can see the IP address of successful login attempts on my server, but not unsuccessful ones.
    I am using FortiCloud, and have been through it, but cannot find where I can view all incoming external IP addresses. I'm not sure if I have missed it. Would you know where I should be looking?
    Thank you.
     
    #5