Hello everyone,
we have an XGS set up with SSL VPN, the VPN Portal, AD integration and MFA for every user.
Currently we are facing brute force attacks on the VPN Portal. We tried to prevent those by setting up an ACL rule which is blocking countries and dangerous IPs according to this article:
https://support.sophos.com/support/s/article/KBA-000009932?language=en_US
Unfortunately, this doesn't work. There are way too many IPs trying to connect to us to include all of those in the ACL rule and the blocked countries are still able to connect to the VPN Portal...
Did we do something wrong with this rule?
But the main problem is: The attacks do not succeed and MFA is also protecting us from those attacks, but every user account which is used in the attacks gets constantly locked out of our AD. We have the "block login" setting enabled, but the AD lockouts still occur...
So our questions are:
- Why is the ACL rule not working?
- Did we miss an important hardening setting to prevent those situations?
- Why are our users locked out by our AD even though we have MFA and "block login" enabled? Do we have a misconfiguration here? Is this expected behavior of the firewall?
Thank you very much!
Markus
Added TAGs
[edited by: Raphael Alganes at 12:09 PM (GMT -8) on 5 Nov 2024]
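The lockout symptom described in the question (credential-stuffing traffic that never gets past MFA, yet still drives the AD bad-password counter to the lockout threshold) is easiest to reason about once you can see, per account, how many failures arrive inside the AD observation window and from how many distinct sources. The script below is an added example, not code from the thread or from Sophos: it parses constructed authentication log lines (the `auth=... user=... src=...` format is made up for the example, not XGS syslog) and flags accounts whose failures within a sliding window reach an assumed threshold of 5 attempts in 30 minutes. Adjust the regex to your exported portal/auth log and the threshold and window to your domain's lockout policy.

```python
"""Tally failed VPN-portal logins per account and flag accounts that will
trip an AD lockout threshold.  Added example, not from the forum thread;
the log format is constructed, not Sophos XGS syslog."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines (not real firewall output): one account hit from
# several sources in seconds, one legitimate user, one low-rate probe.
SAMPLE_LOG = """\
2024-11-05 08:00:01 auth=fail user=mmueller src=203.0.113.10
2024-11-05 08:00:03 auth=fail user=mmueller src=203.0.113.11
2024-11-05 08:00:05 auth=fail user=mmueller src=198.51.100.7
2024-11-05 08:00:07 auth=fail user=mmueller src=203.0.113.12
2024-11-05 08:00:09 auth=fail user=mmueller src=203.0.113.13
2024-11-05 08:00:30 auth=fail user=jdoe src=198.51.100.7
2024-11-05 08:01:00 auth=ok   user=jdoe src=192.0.2.5
2024-11-05 09:30:00 auth=fail user=asmith src=203.0.113.50
2024-11-05 09:30:02 auth=fail user=asmith src=203.0.113.50
"""

# Assumed line layout; replace with the real export's fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) auth=(?P<result>\w+)\s+user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(text):
    """Turn log text into a list of event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def lockout_risk(events, threshold=5, window=timedelta(minutes=30)):
    """Return {user: (total_failures, distinct_sources)} for every account whose
    failures inside any `window`-long span reach `threshold`.  The threshold and
    window are assumed values standing in for the domain's lockout policy."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            fails[e["user"]].append(e)
    flagged = {}
    for user, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it covers at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = (len(evs), len({e["src"] for e in evs}))
                break
    return flagged


def sources_by_failures(events):
    """Failed attempts per source address, most active first; useful for
    checking whether the addresses match what the ACL rule is meant to block."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "fail":
            counts[e["src"]] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for user, (n, srcs) in lockout_risk(evs).items():
        print(f"{user}: {n} failures from {srcs} distinct sources -> lockout likely")
    print(sources_by_failures(evs))
```

Running it on the constructed sample flags only `mmueller` (five failures from five addresses within eight seconds), which is the pattern that locks an AD account regardless of MFA: the bad-password counter increments before the second factor is ever reached, so the output tells you which accounts to watch and which source addresses to compare against what the ACL actually blocks.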