Disabling VPN portal breaks SSLVPN connections

Hi Stuart James ,

Please follow the recommended best practices 

Create ACL to Block IP/Country in Device Access by Creating ACL based on country

Enable Sign-in security settings

We are getting DDOS-like authentication-requests through the VPN portal.

Since some firewalls reported repeatedly failed authentications from an IP in St. Petersburg yesterday we disabled the VPN portal global for WAN, giving it local access with an ACL exception from country "Germany".

Today I wasn't even able to login to the firewall via VPN. Authentication log is completely flooded with failed authentications. After several tries I could login to WebAdmin from internal via Citrix Netscaler an restart the authentication service on the firewall. Then I was able to login via VPN (PRO file) again.

Source IP for the failed authentications is 127.0.0.1. I will go and disable the vpn portals completely now... fortunately our customers use OVPN only.

We are getting DDOS-like authentication-requests through the VPN portal.

Since some firewalls reported repeatedly failed authentications from an IP in St. Petersburg yesterday we disabled the VPN portal global for WAN, giving it local access with an ACL exception from country "Germany".

Today I wasn't even able to login to the firewall via VPN. Authentication log is completely flooded with failed authentications. After several tries I could login to WebAdmin from internal via Citrix Netscaler an restart the authentication service on the firewall. Then I was able to login via VPN (PRO file) again.

Source IP for the failed authentications is 127.0.0.1. I will go and disable the vpn portals completely now... fortunately our customers use OVPN only.

You will see the 127.0.0.1, if you do a Port sharing between VPN Portal and the SSLVPN. 

If you have separate ports for both services, like 443 and 8443, then you will see the original IP in authentication. 

Hi kerobra Regarding Source IP 127.0.0.1 below is a past community discussion that will give more clarification on the same:

community.sophos.com/.../vpn-portal-and-login-security

We see same problems. On one firewall auth services was crashed and a restart for that service was necessary.
Now we create a ACL DROP rule for Asia and russian federation.

Because of Fail2Ban isnt working here, Sophos hast to improve that issue as fast as possible!

You could import those Lists in V21.0 (EAP). This Version support third party feeds. 

Can you try adding the following option to the .pro file and check:

"check_remote_availability": false

Yep. Precisely what we're seeing kerobra . DDOS attacks on the VPN portal.

OK I understand.
We took 443 for VPN portal since we believed it would be more convenient for end users. 443 TCP was taken for SSLVPN in good faith to evade any problems withj restricted networks.
That "Note" in Administrator help should be a BIG FAT RED warning at least.

However, my idea in blocking VPN portal for anything but for country "Germany" didn't work.
On firewalls, where the bad combination of VPN portal and SSLVPN port-sharing was used and login security was unintentionally evaded logins are tried 5 or 6 times every second.
On firewalls with ports not shared it is done every 3 minutes evading the 1-120 second timeframe for login security.

Source IP is allways 92.53.65.166 on all firewalls.

You tried a Blackhole DNAT? Because this should forward everything to the blackhole regardless of the service. 

No for me it was easier to completely deactivate VPN portal in the WAN zone with no exceptions and enabling it on purpose only like we did with the UserPortal in the past.

We are getting similar. One on 9/4 started from IP 92.53.65.166 in Russia and today from a bunch of unique IP's around the world including US, Germany, Korea, Singapore. I have disabled VPN Portal to stop for the moment, but we need a better solution so SSL VPN is not impacted.