Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Kush_Patel
Staff
Staff

Created on ‎08-22-2023 07:13 AM Edited on ‎05-12-2024 10:26 PM By Community Manager

Article Id 269785

Technical Tip: Prevent TOR IP addresses from accessing SSL VPN with brute-force attacks on FortiGate

Description This article describes how to prevent malicious actors from using brute-force attacks on the FortiGate to access SSL VPN.
Scope FortiGate.
Solution

The utilization of the TOR network by attackers offers an elevated level of anonymity, which frequently drives them to heavily rely on brute-force attacks from within this network. It is important to note that this method can be effectively applied when the SSL-VPN is exclusively set up to listen on the Loopback interface.

 

Neither the VPN Settings nor the Local-in Policy currently supports the inclusion of ISDB addresses. By employing ISDB objects for Tor Exit Nodes, Relays, and VPN Anonymizers, these elements can be integrated into a firewall policy placed above the SSL-VPN rule to effectively deter attackers.

 

  1. Create a loopback interface with a dummy IP address that will not be reachable:

 

Loopbackinterface.png

 

  1. Create a service for a TCP port that will be used to listen for SSL VPN connections:

 

service.png

 

  1. Create a VIP to forward the traffic from WAN to the loopback interface as follows (here, 0.0.0.0 is an example WAN IP):

 

vip.png

 

  1. Configure SSL VPN to listen on the loopback interface and port 14144 as follows:

 

sslvpn.png

 

  1. Configure firewall policies to block the traffic coming from TOR IPs but to allow access to valid users as follows:

 

firewall_policy.png

 

Note:

when using 'all' as the destination, the traffic may sometimes fail to match and subsequently get allowed, so it is recommended to enable the 'match-vip' option using the CLI as follows:

 

config firewall policy

edit "8"

set match-vip enable

end

The match-vip option is disabled by default until v7.2.3. In versions after v7.2.3, the option is enabled by default.

Alternatively, try selecting the specific VIP as the destination to match the policy:

 

policywithvip.png

 

Related articles:

Technical Tip: Virtual IP (VIP) port forwarding configuration

Troubleshooting Tip: VIP traffic not matching the firewall policy with an 'all' destination
Labels:
4001
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.