SSL VPN hundreds of Failed Logins

I did some more digging on this. I’ve got 2 different customers running SSL VPN using SAML auth to Entra ID only. Within the past couple of days, I’ve been alerted to login failures and account lockouts at both customers. DC logs are showing the audit failures coming from the FW’s internal IPs. Most of the SSL-LOGIN-FAIL events on the FW are from obvious bot names like admin, administrator, john, sean, copier, etc., and are not hitting the DCs, but there are over 180k audit failures in the last couple of days.

It seems even though LDAP is not configured for use with the SSL VPN anymore, it’s still using it to send requests. Removing the LDAP config instantly stopped the audit failures on the DCs.

I suspect this may be a vulnerability that is being exploited.

I have done this. I get a blank page when I go to the URL for the SSL VPN. I am still seeing logon attempts. Any idea why?

Yes, those I add to my manual block list, but that is whack-a-mole.

I started to see this on Monday. AD account lockouts due to the bots. I have got things under control now. It is odd that it popped up out of nowhere.

Same. We use Azure SSO, so I have a script that automatically blocks any failed login attempt if group="N/A", but I’m curious if it’s possible to deny any login attempt that’s not Azure SSO.

They come in waves. Enable source reputation filtering with a level of 3.

https://www.reddit.com/r/fortinet/s/mkbT4XF4rZ

I block using my automation stitch without using Azure
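As an added illustration of the group="N/A" rule from the Azure SSO post above and the automation approach in the last post (this is not a script from any poster in the thread), the snippet below parses FortiGate-style key=value SSL VPN event lines and lists the source IPs whose failed logins never reached the SAML flow. The field names (action, user, group, remip) and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (not real log data). Assumed FortiGate-style
# key=value format; only action, user, group and remip are used here.
SAMPLE_LOG = """\
date=2024-01-01 time=10:00:01 action="ssl-login-fail" user="admin" group="N/A" remip=203.0.113.10
date=2024-01-01 time=10:00:02 action="ssl-login-fail" user="administrator" group="N/A" remip=203.0.113.10
date=2024-01-01 time=10:00:03 action="ssl-login-fail" user="john" group="N/A" remip=203.0.113.10
date=2024-01-01 time=10:00:04 action="ssl-login-fail" user="copier" group="N/A" remip=198.51.100.7
date=2024-01-01 time=10:00:05 action="ssl-login-fail" user="jane.doe" group="saml-entra-users" remip=192.0.2.44
date=2024-01-01 time=10:00:06 action="ssl-login" user="jane.doe" group="saml-entra-users" remip=192.0.2.44
"""

# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value event line into a dict with quotes stripped."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def non_sso_failures(log_text):
    """Count ssl-login-fail events per source IP where group is N/A, i.e. the
    attempt never matched a SAML group. Also collect the usernames tried,
    which makes the bot wordlist pattern (admin, copier, ...) visible."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("action") == "ssl-login-fail" and ev.get("group") == "N/A":
            counts[ev["remip"]] += 1
            users[ev["remip"]].add(ev.get("user", ""))
    return dict(counts), {ip: sorted(u) for ip, u in users.items()}


def block_candidates(log_text, threshold=3):
    """Source IPs with at least `threshold` non-SSO failures, sorted.
    The threshold keeps a single mistyped legitimate login off the list."""
    counts, _ = non_sso_failures(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    counts, users = non_sso_failures(SAMPLE_LOG)
    for ip in block_candidates(SAMPLE_LOG):
        print(f"{ip}: {counts[ip]} non-SSO failures, users tried {users[ip]}")
```

In a real deployment the returned IPs would be handed to the firewall's address group or block list by the automation rather than printed.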