SSL-VPN Security Best Practices

Try using an MFA setup that isn’t crap. Email MFA shouldn’t exist. You will have to pay for it, you’re not going to get a decent MFA solution for free.

I don’t think Geo IP blocks appear in logs, except maybe in Local Traffic.

Personally I have my VPN firewall in a DMZ of my main firewall, so I can restrict inbound/outbound traffic that way. I also keep it in a separate fabric so I can upgrade it without impacting the rest of the fabric.

SSLVPN isn't hw accelerated anyway.

I just create a handful of local-in policies that block address groups and specific service groups. Once it's in place, I can add/remove items from the groups and not fiddle with the local-in parameters anymore. (In order)

Policy 1 = "BlockedGroup", Deny (ssl port group)
Policy 2 = "US Geolocation", Allow (ssl port group)
Policy 3 = "all", Deny (ssl port group)

Now, unless your IP or subnet is listed in the blocked group, you can connect to the VPN, as long as your IP is within the US. Everything else is blocked by default.

I can modify those address and service groups in the GUI and not have to terminal in each time I need to adjust the blocked/allow. If I suddenly need to block access to more ports, I can throw them in the group.
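The three ordered local-in policies described above, written out as FortiOS CLI. This is an added example, not the poster's own config; the interface name wan1, the blocked subnet 203.0.113.0/24 and an SSL-VPN listener on 443 (the built-in HTTPS service) are assumptions.

```fortios
# Service group holding the SSL-VPN listening port (assumes the portal listens on 443)
config firewall service group
    edit "ssl port group"
        set member "HTTPS"
    next
end
# Address objects: one blocked subnet (constructed sample) and a US geography object
config firewall address
    edit "Blocked-203.0.113.0"
        set subnet 203.0.113.0 255.255.255.0
    next
    edit "US Geolocation"
        set type geography
        set country "US"
    next
end
config firewall addrgrp
    edit "BlockedGroup"
        set member "Blocked-203.0.113.0"
    next
end
# Local-in policies are evaluated top down, first match wins:
# deny the blocked group, then allow US sources, then deny everything else
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "BlockedGroup"
        set dstaddr "all"
        set service "ssl port group"
        set schedule "always"
        set action deny
    next
    edit 2
        set intf "wan1"
        set srcaddr "US Geolocation"
        set dstaddr "all"
        set service "ssl port group"
        set schedule "always"
        set action accept
    next
    edit 3
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ssl port group"
        set schedule "always"
        set action deny
    next
end
```

Day-to-day changes then only touch the members of "BlockedGroup" and "ssl port group"; the local-in entries themselves stay as they are.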

https://yurisk.info/2023/03/21/fortigate-vpn-ssl-hardening-guide/#_block_offending_ip_after_em_n_em_failed_attempts

That page has more details. In short you can then use ISDB deny rule in fw policy.

It’s been a topic of discussion for a number of years now and a number of governments over the last few years have come out with mandates to transition off client VPNs due to their inherent security and/or scalability issues. Here is a good ref from the White House but there are of course, lots of other refs online that critically evaluate VPN and advocate for ZTNA/SASE and presentation (Citrix/Horizon/etc) as modernization of remote access. https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf

Look at Azure App Proxy if you have Microsoft cloud. Cloudflare and Akamai have similar offerings. Essentially you authenticate to the cloud service first, then it connects you to the on-prem application.

https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy

https://techdocs.akamai.com/eaa/docs/welcome-guide

https://www.youtube.com/watch?v=eojWaJQvqiw

https://developers.cloudflare.com/cloudflare-one/connections/connect-apps

Yeah, sure, though the ones I got were clearly identified as foreign countries in the Fortinet’s geo DB, so it clearly should have been blocked.

I know some IPs vary by country depending on who you ask, but those weren't the case. And local-in policies stopped those.

Even with GeoIP blocking, I've noticed that my firewall listening port for SSLVPN gets hammered after hours like a college football player. I've been blocking /24s and /16s for months trying to keep up with the US-based attacks. Given that we have several employees traveling a lot, switching to trusted hosts only would get aggravating to maintain. I may just switch to IPsec.

True, but IPsec is, and it still has to perform firewall policies to loopback interfaces.

I would love to hear the reasoning behind this.

Internet facing server receives traffic, more at 11

IMO I wouldn’t worry about it. Let the script kiddies keep trying to log in to the VPN with root/password. Only stress out about it when there’s a critical vuln. Which is why I have it on a separate fabric entirely. Can’t really turn off VPN but I could take a much less intrusive window to upgrade the one HA pair, as opposed to upgrading the whole fabric.

If you’ve got EMS opened to the outside and some scripting magic, you could write something that maintains a group (or publishes a threat feed) for all public IPs that are on endpoints registered to EMS. Or just tracks the IPs that have ever registered to EMS.

My stuff is up to date, I don't worry too much about some bots or scripters succeeding in gaining access. What I worry about is some 0-day or unpublished exploit that suddenly comes about. If I was them, I would be keeping lists of IP addresses where listeners are present so when a 0-day lands, I can press a button and blast them all with more login attempts. Once I know I've been discovered by another farm, I usually block the whole /16 so they can't just walk across the street and try again.

I try and keep my footprint as small as I feasibly can.

Lots of info. Thanks!

I understand the complaints but there's no perfect vendor. In the Palo Alto subreddit there are complaints too. Like the guy who posted "I'll never recommend Palo Alto to my clients ever again" a few days ago, because of a horrible customer support experience. Also plenty of complaints about the immaturity of software releases (same problem in every vendor).