This article describes how to use an IOC (indicator of compromise) feed as an External resource in FortiGate to block SSL VPN login attempts from unknown internet sources.
Scope
FortiOS, FortiGate.
Solution
SSL VPN on FortiGate lets remote, internet-connected users reach a private network over the VPN. When the default portal settings for web-mode access (public IP, web port, and so on) are left unchanged, the portal will regularly be hit by unknown sources on the internet that hold no valid access rights.
These attempts show up in the SSL VPN event log with the message 'SSL user failed to logged in'.
To reduce these attempts, an IOC server that maintains a list of suspicious or invalid source IP addresses can be consumed as an external resource in FortiGate. FortiOS pulls the addresses from that feed into its address database, where they can be referenced in restriction rules. The procedure to configure the external resource is as follows.
CLI:
config system external-resource
    edit "<ext-resource-name>"
        set type address
        set username "LEN"
        set password ENC ****
        set resource "http://x.x.x.x:80/"
        set source-ip x.x.x.x
    next
end
Next, reference the resource in the SSL VPN settings with the negate option, so that only source addresses that do not match the list are allowed to reach the login portal. Everything on the feed is denied, so the feed must never contain the administrators' own source addresses or a catch-all such as 0.0.0.0/0.
config vpn ssl settings
    set source-address "<ext-resource-name>"
    set source-address-negate enable    <--
end
Alternatively, the same restriction can be applied with a local-in policy as shown below. The action of a local-in policy defaults to deny, so sources on the list are dropped before they reach the SSL VPN daemon. The policy must be bound to the interface on which SSL VPN accepts connections from the internet (the login attempt arrives on the internet-facing interface, not on the ssl.root tunnel interface, which only carries traffic of already established tunnels), and the service object must match the port SSL VPN actually listens on.
config firewall local-in-policy
    edit 1
        set intf "<internet-facing-interface>"
        set srcaddr "<ext-resource-name>"    <--
        set dstaddr "<add>"
        set service "10443"
        set schedule "always"
        set action deny
    next
end
Note: It is always recommended to change the SSL VPN listening port from the default 10443 to a custom port. If the local-in policy method is used, update its service object to match the custom port.
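The article does not describe how the IOC server builds the list that FortiGate pulls. As an added example, which is not part of the article and not Fortinet's code, the following Python script builds such a feed from the 'SSL user failed to logged in' events mentioned above: it counts failed logins per source IP, lists only sources that exceed a threshold inside a time window, and excludes networks that must never be blocked (so that the negate rule cannot lock out administrators). The log lines are constructed; their key=value layout follows FortiOS event-log syntax, but the exact field set (logid, remip, user, reason, msg) is an assumption. The output format assumed is the plain-text one an address-type external resource accepts: one IPv4 address or CIDR block per line, with '#' comment lines.

```python
"""Build a FortiGate address-type external-resource file from SSL VPN
failed-login events (added example; the IOC server itself is not part of
the article)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_MSG = "SSL user failed to logged in"   # literal FortiOS log message text

# Networks that must never appear in the feed (assumption: the admin's own
# ranges; adjust to your environment).
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8")]

# FortiOS event logs are space-separated key=value pairs; values may be quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(line):
    """Parse one key=value log line into a dict (quoted or bare values)."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def suspicious_sources(lines, threshold=5, window=timedelta(hours=1), never_block=NEVER_BLOCK):
    """Return sorted source IPs with >= threshold failed logins inside any window."""
    hits = defaultdict(list)
    for line in lines:
        f = parse_log(line)
        if f.get("msg") != FAIL_MSG:
            continue                      # not a failed SSL VPN login
        try:
            ip = ipaddress.ip_address(f["remip"])
            ts = datetime.strptime(f"{f['date']} {f['time']}", "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue                      # malformed line: skip, never poison the feed
        if any(ip in net for net in never_block):
            continue                      # protected range: never block
        hits[ip].append(ts)
    flagged = []
    for ip, times in hits.items():
        times.sort()
        # sliding window: `threshold` consecutive failures within `window`
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.append(ip)
    return sorted(flagged)


def render_feed(ips, stamp):
    """Render the feed text FortiGate fetches: '#' comments, one entry per line."""
    header = [f"# SSL VPN failed-login sources, generated {stamp}",
              "# one IPv4 address or CIDR block per line"]
    return "\n".join(header + [str(ip) for ip in ips]) + "\n"


def fail_line(day, clock, ip, user):
    """Constructed FortiOS-style event line for one failed SSL VPN login."""
    return (f'date={day} time={clock} logid="0101039426" type="event" subtype="vpn" '
            f'level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" '
            f'tunneltype="ssl" remip={ip} user="{user}" group="N/A" '
            f'reason="sslvpn_login_unknown_user" msg="{FAIL_MSG}"')


# Constructed sample log: four sources with different failure patterns.
SAMPLE_LOGS = (
    # 203.0.113.5: six failures in ten minutes -> listed
    [fail_line("2024-05-01", f"09:{m:02d}:00", "203.0.113.5", "admin") for m in range(0, 12, 2)]
    # 198.51.100.7: only two failures -> below threshold
    + [fail_line("2024-05-01", "09:01:00", "198.51.100.7", "bob"),
       fail_line("2024-05-01", "09:03:00", "198.51.100.7", "bob")]
    # 192.0.2.9: five failures spread over three hours -> never five inside one hour
    + [fail_line("2024-05-01", f"{h:02d}:{mm:02d}:00", "192.0.2.9", "root")
       for h, mm in [(9, 0), (9, 50), (10, 40), (11, 30), (12, 20)]]
    # 10.20.30.40: five quick failures, but inside a never-block range -> excluded
    + [fail_line("2024-05-01", f"09:{m:02d}:00", "10.20.30.40", "it-admin") for m in range(5)]
    # unrelated successful login event -> ignored
    + ['date=2024-05-01 time=09:30:00 logid="0101039424" type="event" subtype="vpn" '
       'level="information" vd="root" logdesc="SSL VPN login success" action="ssl-login" '
       'remip=198.51.100.7 user="bob" msg="SSL user logged in"']
)

if __name__ == "__main__":
    feed = render_feed(suspicious_sources(SAMPLE_LOGS),
                       datetime.now().strftime("%Y-%m-%d %H:%M:%S"))
    print(feed, end="")   # write this text to the file served at the resource URL
```

The file this produces is what the web server behind `set resource "http://x.x.x.x:80/"` should serve; FortiGate re-fetches it on its refresh interval, so an entry stays blocked until it is removed from the feed. Run the script against exported SSL VPN event logs (one line per event) instead of the constructed sample, and keep the never-block list current, because with `source-address-negate enable` every address in the feed is denied outright.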