Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

AD Accounts locked by brute force despite MFA & ACL rule

Hello everyone,

we have a XGS set up with SSL VPN, the VPN Portal, AD integration and MFA for every user.
Currently we are facing brute force attacks on the VPN Portal. We tried to prevent those by setting up an ACL rule which is blocking countries and dangerous IPs according to this article:


https://support.sophos.com/support/s/article/KBA-000009932?language=en_US

Unfortunately, this doesn't work. There are way too many IPs trying to connect to us to include all of those in the ACL rule and the blocked countries are still able to connect to the VPN Portal...

Did we do something wrong with this rule?


But the main problem is: The attacks do not succeed and MFA is also protecting us from those attacks, but every user account which is used in the attacks gets constantly locked out of our AD. We have the "block login" setting enabled, but the AD lockouts still occur...


So our questions are:
- Why is the ACL rule not working?
- Did we miss an important hardening setting to prevent those situations?
- Why are our users locked out by our AD even though we have MFA and "block login" enabled? Do we have a misconfiguration here? Is this an expected behavior by the firewall?

Thank you very much!

  Markus



Added TAGs
[edited by: Raphael Alganes at 12:09 PM (GMT -8) on 5 Nov 2024]
Parents Reply Children
  • Hello and thanks for the fast answer!

    ehm, could you tell me what log I need to look at? I'm struggling to find the correct firewall log - it's neither fwlog.log, firewall_rule.log nor fwmgmt.log...

    And regarding your ACL Rule: I created one as described, but with countries instead of (only) IP addresses. This should be fine?

    Nevertheless the question remains: why are our users locked out so quickly in our AD? Is there an authentication misconfiguration? Do others face this problem?

  • We are not logging Firewall captures on the log directory. You should see this in packet capture (Diagnostic) or logviewer. 

    This rule will essentially take all the HTTPS traffic and send it somewhere else. 

    We are currently looking in adjusting this behavior for the greater good. 

    __________________________________________________________________________________________________________________

  • Ah, ok, so we are not the only ones facing locked out users through the VPN Portal... I'm looking forward for the next firewall version, then. Slight smile

    Mhm, we cannot have a look at the packet capture or logviewer any more. We closed the VPN Portal for the WAN interface since that was the only way to prevent our users from getting locked out. We want to open this again so everybody could re-download their VPN configurations, but we are still waiting a little bit. Would it be an option to simply keep the VPN Portal closed?