Hardening FortiGate SSL VPN

Hi all,

I’ve configured a loopback interface and a virtual IP for SSL VPN in order to be able to control what traffic is allowed to access the portal.
I’m trying to find out how best to set up firewall policies going to my VIP. Right now I’ve configured geo-restrictions and blocking of known malicious IPs.
Is it a good idea to create an IPS profile with known FortiGate vulnerabilities and enable IPS on the policy? How would that work with certificate inspection?

Please give me, and others, inspiration by sharing how you harden SSL VPN access.

Hi,

I think you’ll find all tips on this link:

In summary:

Change the default SSL VPN port 10443/443 to anything else

Do not use local users for authentication, and if you do, keep passwords elsewhere and/or enable MFA

Enable Multi-Factor Authentication for VPN users

Limit access to VPN SSL portal to specific IP addresses

Move VPN SSL listening interface to a Loopback interface

(Less preferred than above) Limit access to SSL VPN portal in Local-in Policy

Limit access to portal by GeoIP location

Block access to/from Tor Exit Nodes and Relays to anything

Install a trusted CA-issued certificate, but don’t issue Let’s Encrypt certificates directly on the FortiGate

Configure email alert on each successful VPN SSL connection

Prevent re-using the same user account to connect in parallel

In security rules, allow access only to specific destinations and services, not all

If not using VPN SSL, disable it, or assign to a dummy interface

Create a no-access portal and set it as default in the VPN settings

Block offending IP after n failed attempts

Disable weak and outdated TLS protocols for SSL VPN

Consider switching from VPN SSL to VPN IPSec for clients

Consider moving VPN SSL into its own VDOM

Do SSLVPN in a separate VDOM - not a loopback. SSL decrypt will not work when it’s listening on a loopback so any IPS policy you apply to secure SSL VPN will not be effective.

All of our malicious attempts come from hosting companies.

I set up automation to email when a login attempt fails on the VPN interface.

And then look up the owner of the IP, if it’s a hosting company (which they all have been) I block them by their ASN.

Edit: I forgot, we also have a rule that blocks things like VPN anonymizers, and Tor Exit nodes. As a company policy, users are not allowed to access company resources with these.

Use Threat Feeds and ISDB objects to block whatever you want.

Any good advice for securing SSL VPN on the gate?
Is the use of a loopback a good thing (advantages/drawbacks), or is the local-in policy good enough for that?
Any other good tricks?

Shoot, I was not aware of that decryption limit. Is it formally documented somewhere?

Thanks

Doesn’t that give you hundreds of emails every day? I mean, there are a lot of scanners out there.

I’m also using the ISDBs with known bad IPs/subnets, like Tor exit nodes etc. If you look for scanners in the ISDB you’ll find quite a few as well.
Don’t forget to use the enable option on the VIP, because of the way packets are processed in a FortiGate.

Good use case for FortiSOAR :)

No, it’s not. Not that I could find, at least. I was working with a CSE on this too and he wasn’t aware either.

Nope. All the invalid attempts started about 6 months ago. These aren’t scanners.

Once I blocked the 14 responsible ASNs, haven’t had a single attempt in months.

I do get one when a valid user puts in their password wrong, but that’s not often enough to be a problem.

Definitely! Use that enrichment when you can :)

Way out of our price range.

Can you provide an example of how you are blocking by ASN?

Security Fabric > External Connectors

New > IP addresses

URI of external resource: https://api.hackertarget.com/aslookup/?q=AS####

Replace the #### with the real ASN.

Refresh rate 1440 (once per day)

Then change the WAN-side access policy source to negate (add the blocked ASNs).

I mean, you’re welcome to tell Fortinet not to charge a quarter of a million for it. Lol.

Man, this is gold. I’m always amazed at y’all’s ingenuity in solving problems. I’m definitely filing this one away for future use.

This is great information! Thanks for sharing.

Wouldn’t this end up being a mess of tens of thousands of ASNs/connectors to cover every set of subnets you’re trying to block?

Would it be easier to create a script that maintains a threat feed based on the list of ASNs you provide? Creating a different connector for every ASN you want to block would be… a lot of connectors after a while.
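As an added example (not any poster’s code) of the script suggested in the post above, and of the External Connector procedure described earlier in the thread, here is a Python script that fetches the prefix list for each ASN in a file, keeps only tokens that parse as globally routable IPv4/IPv6 prefixes, collapses duplicates and overlapping prefixes, and writes a single feed file. Serve that file over HTTP(S) from a host you control and point one External Connector of type IP Address at it, and one connector covers every ASN. The assumed response shape (one prefix per line, either bare CIDRs or quoted CSV fields), the connector name and feed URL, and the sample responses embedded for the offline demo are all constructed placeholders, not real lookups.

```python
"""Maintain one FortiGate IP-address threat feed from a list of ASNs.

Added example for this thread, not any poster's code. Assumptions:
  * an ASN lookup returns plain text with one prefix per line, either as
    bare CIDRs or as quoted CSV fields; other shapes need their own parser
  * the written file is served over HTTP(S) from a host you control and a
    single External Connector of type IP Address points at it
"""
import ipaddress
import re
import sys
import urllib.request
from typing import Callable, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

ASN_LOOKUP_URL = "https://api.hackertarget.com/aslookup/?q=AS{asn}"
_TOKEN_SPLIT = re.compile(r'[\s,"]+')


def extract_prefixes(text: str) -> List[Network]:
    """Return every IP/CIDR token in a lookup response, ignoring the rest.

    Non-address fields ("64497", names, error lines) fail to parse and are
    skipped. Non-global space (RFC 1918, documentation ranges, ...) is also
    dropped, so a bad upstream line can never put internal ranges in a block list.
    """
    found: List[Network] = []
    for token in _TOKEN_SPLIT.split(text):
        if not token:
            continue
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue
        if net.is_global:
            found.append(net)
    return found


def build_feed(asns: Iterable[str], fetch: Callable[[str], str]) -> List[str]:
    """Fetch each ASN, merge and deduplicate prefixes, return feed lines.

    collapse_addresses() merges overlapping and adjacent prefixes, so a /24
    already covered by a /16 does not cost a separate entry. FortiGate IP
    Address feeds expect one IP or CIDR per line, which is what is returned.
    """
    v4: List[Network] = []
    v6: List[Network] = []
    for asn in asns:
        for net in extract_prefixes(fetch(ASN_LOOKUP_URL.format(asn=asn))):
            (v4 if net.version == 4 else v6).append(net)
    return ([str(n) for n in ipaddress.collapse_addresses(v4)]
            + [str(n) for n in ipaddress.collapse_addresses(v6)])


def connector_stanza(name: str, feed_url: str, refresh_minutes: int = 1440) -> str:
    """FortiOS CLI for the single External Connector that consumes the feed."""
    return "\n".join([
        "config system external-resource",
        f'    edit "{name}"',
        "        set type address",
        f'        set resource "{feed_url}"',
        f"        set refresh-rate {refresh_minutes}",
        "    next",
        "end",
    ])


def http_fetch(url: str) -> str:
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample responses (RFC 5398 documentation ASNs, made-up prefixes)
# covering both accepted shapes plus the edge cases the functions handle.
SAMPLE_RESPONSES = {
    ASN_LOOKUP_URL.format(asn="64496"):
        "37.10.0.0/16\n"
        "37.10.5.0/24\n"      # inside the /16 above: collapsed away
        "10.0.0.0/8\n"        # private space: dropped by is_global
        "2a0b:1::/32\n",
    ASN_LOOKUP_URL.format(asn="64497"):
        '"64497","91.200.0.0/22","EXAMPLE-NET","ZZ"\n'
        '"64497","37.10.0.0/16","EXAMPLE-NET","ZZ"\n'   # duplicate across ASNs
        "error: no data for this query\n",              # junk line: ignored
}


def demo_feed() -> List[str]:
    """Run the pipeline offline against the constructed sample responses."""
    return build_feed(["64496", "64497"], SAMPLE_RESPONSES.__getitem__)


if __name__ == "__main__":
    # usage: python asn_feed.py blocked_asns.txt feed.txt
    # blocked_asns.txt holds one ASN per line ("AS64496" or "64496"); # = comment
    if len(sys.argv) != 3:
        print(demo_feed())
        sys.exit(0)
    asns = []
    with open(sys.argv[1]) as fh:
        for line in fh:
            entry = line.strip().upper()
            if entry and not entry.startswith("#"):
                asns.append(entry[2:] if entry.startswith("AS") else entry)
    feed = build_feed(asns, http_fetch)
    with open(sys.argv[2], "w") as fh:
        fh.write("\n".join(feed) + "\n")
    print(f"{len(feed)} prefixes from {len(asns)} ASNs -> {sys.argv[2]}")
    # placeholder name and URL: point them at wherever you serve the file
    print(connector_stanza("blocked-asns", "https://feeds.example.internal/feed.txt"))
```

Run it from cron at least as often as the connector’s refresh rate (1440 minutes in the printed stanza, matching the once-a-day setting from the thread), serve the file over HTTPS with a certificate the FortiGate trusts, and keep the web server reachable only from the firewall’s management address so nobody else can tamper with what ends up in the negate list.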

This is great. I have a lot of ASNs to add, and it’s not hard to use the CLI to add them, but the question mark gets dropped out of the URL. Does anyone know how to get by that? It’s a CLI command thing, so I don’t know if it’s possible.