I was hoping there was a built in method to automatically block IPs after they fail an attempt at IPSec VPN. I’ve seen my log full of attempts.
You can use an automation stitch for this; Fortinet has a KB here: Archived - Fortinet Community
Local-In Policies
Or
Create a loopback interface, create a VIP to forward SSL VPN and IPsec traffic to the loopback, create a drop policy with a shitlist address group, and use policies to manage access.
Periodically add problem IPs to the address group... for example, I have a weekly checklist.
Don’t get me wrong and no offence, but... why, why would you need that? There are 10000001 and another 55 other methods; bots will be probing everything and anything they can reach, and if it is someone committed, they have a virtually unlimited supply of IPs. What you’ll achieve is creating a problem that no one will know how to fix when some valid peer messes up the PSK and you have forgotten you’ve done this. Possibly hundreds of hours of time wasted that people will never get back, thanks to you.
IPsec is one of the most stable and secure protocols; as long as you don’t use idiotically simple PSKs, it is not going to go anywhere. This is, by the way, why main mode was created in IKEv1: to make the attacker waste resources.
Don’t chase ghosts; there are better things to do that actually mean and do something.
No automated way that I am aware of.
Put the addresses in a deny local in policy, with port 500 as a service.
We use FortiAuthenticator (FAC) for our SSL VPN authentication, which I assume will also work for IPsec VPN.
In FAC you can set lockouts for both the user and the IP. You set how many failed attempts and how long the timeout is.
You can probably do that easily with FortiSIEM or FortiSOAR, or you can do it the hard way with Python / Ansible.
Just my 2 cents
Great, now every time a user fat-fingers a password I need to go in and unban them.
Banned on first failed attempt? Manual removal to unblock? This is not a usable solution.
A better script should be possible.
One attempt?
110 days?
This would only be useful with some flexibility in attempts.
This is how we’ve done it in the past.
Thanks, gonna look at that now
So this has definitely helped. I’m gonna set up alerts and see how legit a concern this is. Also set up an alert for admin logins and failed login events.
Local-in policy is the way. We use a combination of GeoIP whitelist for IKE in a local in policy to reduce the noise. We know what countries clients are coming from and more importantly where they are not.
if it is someone committed they have virtually unlimited supply of IPs.
Virtually. Starting in February I began tracking and banning whole ASNs based on the type and number of attacks. It took a while to get my policies and lists dialed in, but now in the last two weeks I’ve had two failed SSL VPN login attempts. TWO. According to my policy, 250k attempts have landed on my deny policy in the last 30 days.
Any time an attacker demonstrates that they rotate IPs to avoid a ban, I simply block every address their host is using all at once. I have millions of IPs blocked with very little work and don’t need to resort to trusthosts to keep attempts out.
Bonus is that as I learn where these botnets are being hosted from, the Threat Feeds become more robust. If a new critical CVE comes out, I can make sure the most likely sources of attacks are immediately blocked. The data I collected from the influx in attacks due to the Ivanti CVE in Jan/Feb really helped me nail down which sources/hosts/ASNs are the least trustworthy.
You’re right, there may not be a need. I may discover this is a fruitless effort. But I’m using this as a way to explore and learn more.
I would agree, you don’t want to accidentally block an employee. Just block that bad IP and report it.
I would suggest using a threat feed if their version of FortiOS is new enough. Filling the FortiGate with millions of address objects becomes difficult to manage.
I’m probably gonna do the hard way since I don’t have SIEM or SOAR.
Make an automation stitch to unban them via some out-of-band method: Slack, cloud function/Lambda....
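The "hard way" mentioned earlier (a script instead of FortiSIEM/SOAR), as an added example that is not from any poster or from Fortinet: it counts IKE phase 1 failures per remote IP over a sliding window, bans only after a configurable number of attempts (the flexibility asked for above) and expires bans on its own, so a user who fat-fingers a PSK needs no manual unban. The log lines are constructed in a FortiGate-style key=value form, not real device output; the field names and message text are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in FortiGate-style key="value" syslog form (not real device
# output); only the fields this script needs are present.
SAMPLE_LOG = """\
date=2024-05-01 time=10:00:01 remip=203.0.113.5 msg="IPsec phase 1 negotiation failed"
date=2024-05-01 time=10:00:02 remip=203.0.113.5 msg="IPsec phase 1 negotiation failed"
date=2024-05-01 time=10:00:03 remip=203.0.113.5 msg="IPsec phase 1 negotiation failed"
date=2024-05-01 time=10:05:00 remip=198.51.100.7 msg="IPsec phase 1 negotiation failed"
date=2024-05-01 time=10:30:00 remip=198.51.100.7 msg="IPsec phase 1 negotiation failed"
date=2024-05-01 time=10:31:00 remip=198.51.100.7 msg="IPsec phase 1 negotiation succeeded"
"""

LINE_RE = re.compile(r'date=(\S+) time=(\S+) .*?remip=(\S+) .*?msg="([^"]*)"')

def parse_line(line):
    # Return (timestamp, remote_ip, msg), or None for lines that do not match.
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y-%m-%d %H:%M:%S")
    return ts, m.group(3), m.group(4)

def ban_decisions(log_text, threshold=3, window=timedelta(minutes=10), ban_for=timedelta(hours=1)):
    """Map IP -> ban expiry for peers with >= threshold failures inside a sliding window.
    A successful negotiation clears the counter, so a peer that fixes its PSK is not penalised."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    bans = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, msg = parsed
        if "failed" not in msg:
            if "succeeded" in msg:
                recent[ip].clear()
            continue
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:      # drop failures older than the window
            hits.popleft()
        if len(hits) >= threshold and ip not in bans:
            bans[ip] = ts + ban_for
    return bans

def active_bans(bans, now):
    # IPs whose ban has not expired: the set to keep in the deny address group.
    return sorted(ip for ip, expiry in bans.items() if expiry > now)
```

The list from active_bans is what an automation stitch or API call would push into the address group behind the local-in deny policy, re-running it on a schedule so expired entries drop out again.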