Description | This article describes how to make an automation stitch for failed SSL VPN logins to block the remote IP addresses. |
Scope | FortiGate. |
Solution |
To do this in the CLI:
config firewall addrgrp
    edit VPN_Failed_Login
end
Select Add Action -> Create -> CLI Script -> supply the name 'BAN-SSLVPN-IP' -> enter the script below -> select OK -> select Apply -> select OK.
config firewall address
    edit %%log.remip%%
        set color 6
        set subnet %%log.remip%%/32
end
config firewall addrgrp
    edit VPN_Failed_Login
        append member %%log.remip%%
end
When the FortiGate has multiple VDOMs, the script must begin by entering the VDOM in which the address group object was created:
config vdom
    edit <vdom>
config firewall address
    edit %%log.remip%%
        set color 6
        set subnet %%log.remip%%/32
end
config firewall addrgrp
    edit VPN_Failed_Login
        append member %%log.remip%%
end
A complete stitch pairs the failed SSL VPN login trigger with the BAN-SSLVPN-IP action. A local-in policy on the SSL VPN listening interface is then used to apply the block to that address group:
config firewall local-in-policy
    edit 1
        set intf <SSL VPN listening interface>
    next
end
The interface is the source interface configured under the SSL VPN settings.
The result: when an SSL VPN login fails, the trigger fires, an address object is created for the remote IP the failed attempt came from, and that object is appended to the VPN_Failed_Login group.
Note: this also blocks legitimate users whose login attempt fails. Each such user's public IP must be removed from the address group manually before they can connect to the VPN again.
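The stitch described above written out as a CLI configuration, followed by the local-in policy that enforces the block and the manual unban the note refers to. This is an added example, not the article's own script: the trigger name SSLVPN-Login-Fail, the stitch name Block-Failed-SSLVPN, the interface port1 and the banned IP 203.0.113.10 are constructed, log ID 39426 is assumed to be the SSL VPN login failure event (confirm it against the log reference for the firmware in use), and the `config actions` sub-table form applies to FortiOS 7.0 and later (earlier releases take `set action` directly on the stitch).

```text
# Log ID 39426 is assumed to be the SSL VPN login failure event; verify on the firmware's log reference.
config system automation-trigger
    edit "SSLVPN-Login-Fail"
        set event-type event-log
        set logid 39426
    next
end
config system automation-action
    edit "BAN-SSLVPN-IP"
        set action-type cli-script
        set accprofile "super_admin"
        set script "config firewall address
edit %%log.remip%%
set color 6
set subnet %%log.remip%%/32
end
config firewall addrgrp
edit VPN_Failed_Login
append member %%log.remip%%
end"
    next
end
config system automation-stitch
    edit "Block-Failed-SSLVPN"
        set trigger "SSLVPN-Login-Fail"
        config actions
            edit 1
                set action "BAN-SSLVPN-IP"
            next
        end
    next
end
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "VPN_Failed_Login"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
    next
end
# Unban (constructed IP 203.0.113.10): remove the group membership first, an address still in use cannot be deleted.
config firewall addrgrp
    edit VPN_Failed_Login
        unselect member 203.0.113.10
end
config firewall address
    delete 203.0.113.10
end
```

The local-in policy only takes effect once the VPN_Failed_Login group exists, so create the group before the policy references it.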
Copyright 2024 Fortinet, Inc. All Rights Reserved.