So in the past I had not specifically restricted which locations and IPs were allowed to connect to the VPN; this time I set that up. I also turned on all the logs so that an alert arrives the moment something happens. And the 3-2-1 backup rule is a basic requirement anyway.
FortiGate VPN policy has no effect after it is configured
After finishing the configuration in the GUI I found it had no effect at all. A quick search turned up the following...
Hi, you cannot block IPsec VPN traffic destined to the Fortigate IP itself with the usual security rules - they only manage traffic PASSING through the Fortigate from one interface to another.
To achieve that you need to use a Local-in policy (viewable in the GUI but editable in the CLI only).
So your policy would look like this (this will block ALL access from Ban_IP (only) to the Fortigate: IPsec VPN, SSL VPN, Admin GUI etc. If you want to block just IPsec, set the service accordingly):
REF: https://forum.fortinet.com/tm.aspx?m=188611
The reason is that VPN traffic is addressed to the FortiGate itself, so an ordinary firewall policy never sees it. It has to be handled by a local-in policy, which on this firmware cannot be created from the GUI and must be entered in the CLI before it takes effect.
Below are the policies added this time.
Ban some IPs that keep deliberately probing the VPN (Ban_IP is an address object holding those sources):
config firewall local-in-policy
edit 1
set intf "wan1"
set srcaddr "Ban_IP"
set dstaddr "all"
set service "ALL"
set schedule "always"
set action deny
set status enable
next
end
Lock the VPN down so that only Taiwanese IPs can use it (ONLY_TAIWAN is the address object for those sources). Note that local-in policies have no implicit deny: traffic that matches no local-in policy is accepted, so an accept rule for ONLY_TAIWAN on its own changes nothing. An explicit deny-all rule has to follow it, and because local-in policies are matched top to bottom, the Ban_IP deny and the ONLY_TAIWAN accept must sit above that deny. With service ALL the final rule also blocks admin GUI/SSH and every other service on wan1 from outside Taiwan; narrow the service (IKE, ESP, the SSL VPN port) if only the VPN should be restricted.
config firewall local-in-policy
edit 2
set intf "wan1"
set srcaddr "ONLY_TAIWAN"
set dstaddr "all"
set service "ALL"
set schedule "always"
set action accept
set status enable
next
edit 3
set intf "wan1"
set srcaddr "all"
set dstaddr "all"
set service "ALL"
set schedule "always"
set action deny
set status enable
next
end
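The two address objects the policies reference are never defined on the page. The fragment below is an added example, not taken from the original post: it defines Ban_IP as an address group (the 203.0.113.x members are placeholders from the TEST-NET-3 documentation range, to be replaced with the real offenders) and ONLY_TAIWAN as a geography-type address for country code TW, which is an assumption about how the author built that object. The two show commands at the end print the resulting objects and the local-in policy table so the rule order (deny Ban_IP, accept ONLY_TAIWAN, deny all) can be checked before logging out of the session.

```fortios
# Added example: address objects assumed to back the local-in policies above.
# The Ban_host_* subnets are placeholders (TEST-NET-3); substitute real sources.
config firewall address
    edit "Ban_host_1"
        set subnet 203.0.113.10 255.255.255.255
    next
    edit "Ban_host_2"
        set subnet 203.0.113.20 255.255.255.255
    next
    edit "ONLY_TAIWAN"
        set type geography
        set country "TW"
    next
end
config firewall addrgrp
    edit "Ban_IP"
        set member "Ban_host_1" "Ban_host_2"
    next
end
# Review what was created and the order in which local-in policies are evaluated.
show firewall addrgrp Ban_IP
show firewall local-in-policy
```

Keep a second management path (console or a local LAN interface) open while testing: once policy 3 is active, any administrator coming in over wan1 from a non-Taiwanese address is locked out together with the attackers.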
Lockout after failed login attempts
For SSL VPN, a source that fails to log in 3 times is blocked for 3600 seconds (one hour). These settings apply to SSL VPN only; IPsec negotiations are not covered by them.
config vpn ssl settings
set login-attempt-limit 3
set login-block-time 3600
end