ITHRBruce
New Contributor

Viewing incoming IP addresses

I have a Fortigate 100E.

 

We have a Windows Remote Desktop Server that allows users to externally connect via RDP. The server has a mapped external IP address via NAT.

 

Just occasionally, we see a denied request for access in the security logs. How can I check the Fortigate to see what IP addresses are accessing the firewall? If I can identify them then I can block these from trying to access our server.

 

Thank you.

 

4 REPLIES
abelio
Valued Contributor

Hello

ITHRBruce wrote:

I have a Fortigate 100E.

 We have a Windows Remote Desktop Server that allows users to externally connect via RDP.

Not a good practice; try to have your users establish VPN tunnels to your 100E and, once authenticated, RDP to the Windows server. SSLVPN is really straightforward to implement.

 

 

The server has a mapped external IP address via NAT.

 

Just occasionally, we see a denied request for access in the security logs. How can I check the Fortigate to see what IP addresses are accessing the firewall? If I can identify them then I can block these from trying to access our server.

 

If you cannot see the original IP in your logs, you are probably NATting your external (all) -> internal (vip) firewall policy. That is a configuration error; please run to fix that, because if so, your server is at risk.

 

Try to implement VPN tunnels in order to replace this approach.

 

 

 

 

 

 

regards / Abel
fernandezm_FTNT

I too agree in NEVER opening up RDP to the outside world.  If you cannot help it, then I would suggest locking it down by 'source' IP.  Also ensure you have an IPS profile assigned to the policy.  In the IPS Profile, you can set the action for certain signature(s) to "quarantine" which will quarantine the offending IP address for a period of time that you select.

 

As for seeing the IP addresses that are hitting the Firewall or a VIP, I would suggest taking a look at either FortiAnalyzer, FortiCloud (there are two flavors: free, which stores logs for 7 days, and paid, which will store them for 1 year), or Syslog (e.g. Kiwi Syslog, Syslog-NG, etc).

 

In addition to this, ensure that the Windows RDP server and the Fortigate are using the same time source (e.g. NTP), which the Fortigate CAN give to the rest of the internal network(s) under the 'Settings' tabs.  This will ensure that when you look at the logs in Windows (e.g. login failure) you can cross-reference them on the FortiAnalyzer/FortiCloud/Syslog.  You also need to make sure your logging is set to 'All Sessions', not just 'Security Events'.  The former gives you ALL connections while the latter will ONLY log traffic that has been blocked.  Assuming you are allowing RDP traffic as you stated, unless you have 'All Sessions' you would NEVER see the IP addresses.

 

Hope this helps.

 

 

Manny Fernandez Team Lead Systems Engineering Commercial SE, Miami @secprimate fernandezm@fortinet.com www.infosecmonkey.com
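The log review suggested in the reply above, as an added example that is not part of the original posts and is not Fortinet code: it reads traffic logs exported to a syslog file and lists each source IP that reached the RDP port, with per-action counts and first/last timestamps for cross-referencing against the Windows event log. The sample lines are constructed in FortiGate's key=value log style, and the port (3389) and the presence of the `srcip`, `dstport` and `action` fields in every traffic line are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (documentation-range IPs), not real logs.
SAMPLE_LOGS = '''\
date=2019-03-04 time=09:12:01 type="traffic" subtype="forward" srcip=203.0.113.45 srcintf="wan1" dstip=192.0.2.10 dstport=3389 action="accept"
date=2019-03-04 time=09:12:40 type="traffic" subtype="forward" srcip=198.51.100.23 srcintf="wan1" dstip=192.0.2.10 dstport=3389 action="deny"
date=2019-03-04 time=09:13:05 type="traffic" subtype="forward" srcip=203.0.113.45 srcintf="wan1" dstip=192.0.2.10 dstport=3389 action="accept"
date=2019-03-04 time=09:14:00 type="traffic" subtype="forward" srcip=198.51.100.23 srcintf="wan1" dstip=192.0.2.10 dstport=3389 action="deny"
date=2019-03-04 time=09:15:10 type="traffic" subtype="forward" srcip=203.0.113.45 srcintf="wan1" dstip=192.0.2.10 dstport=3389 action="deny"
date=2019-03-04 time=09:15:30 type="traffic" subtype="forward" srcip=203.0.113.99 srcintf="wan1" dstip=192.0.2.10 dstport=443 action="accept"
date=2019-03-04 time=09:16:00 type="event" subtype="system" msg="constructed event line"
'''

# key=value pairs; values are either "quoted strings" or bare tokens.
PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in PAIR.findall(line)}


def rdp_sources(log_text, port="3389"):
    """Summarise every source IP that hit the given destination port."""
    seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Skip event/UTM lines, other ports, and malformed lines.
        if rec.get("type") != "traffic" or rec.get("dstport") != port or "srcip" not in rec:
            continue
        stamp = f'{rec.get("date", "")} {rec.get("time", "")}'.strip()
        entry = seen.setdefault(rec["srcip"], {"actions": Counter(), "first": stamp, "last": stamp})
        entry["actions"][rec.get("action", "unknown")] += 1
        # ISO-style date/time strings sort correctly as plain text.
        entry["first"] = min(entry["first"], stamp)
        entry["last"] = max(entry["last"], stamp)
    rows = [{"srcip": ip, "hits": sum(e["actions"].values()), "actions": dict(e["actions"]),
             "first": e["first"], "last": e["last"]} for ip, e in seen.items()]
    return sorted(rows, key=lambda r: (-r["hits"], r["srcip"]))


if __name__ == "__main__":
    for row in rdp_sources(SAMPLE_LOGS):
        print(row)
```

Accepted sessions only appear in such an export when the policy logs 'All Sessions', and the timestamps only line up with the Windows logs when both devices share a time source.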
ITHRBruce

Thank you for this, I will check the logging and NTP settings. This is all very useful, I appreciate the time you took to put it together for me.

ITHRBruce

Hi,

From the Windows logs, I can see the IP address of successful login attempts on my server, but not unsuccessful ones.

I am using Forticloud, and have been through it, but cannot find where I can view all incoming external IP addresses. I'm not sure if I have missed it. Would you know where I should be looking?

Thank you.

 
