Hello Community,
This morning we faced the issue that users were not able to authenticate against the firewall. This affected the heartbeat/firewall rules where users are used; the user/VPN/admin portal and SSL VPN were also unable to authenticate. The authentication service is set to an Active Directory domain. The default admin user was able to log in to the firewall. On the firewall dashboard everything was normal, all services were running.
After our initial investigation we found that only one firewall was affected by this. During our search we noticed that a brute force attack against the SSL VPN Portal was present before the crash. It was more than usual but nothing special. The IPs are similar to https://support.sophos.com/support/s/article/KBA-000009932?language=en_US. I will attach a file with all the usernames and IPs used. We added a local ACL to combat the brute force, but since it is a public-facing firewall it is expected to be hit by attacks. We use 2FA so it doesn't really bother us.
After a bit more research we found the following in the access_server.log.
So the service crashed and was automatically restarted, but it seems it was in a non-functioning state. We restarted the service manually with "service access_server:restart -ds nosync". The service started with no issue and the authentication was working again.
After about 1 hour the SSL VPN service just died. We found the following in the access_server.log. The SSL VPN service died because the configuration was deleted, and without a configuration the service will not be in a running state.
Does anyone else face similar issues? A brute force attack like this shouldn't cause an issue like this.
Added TAGs
[edited by: Raphael Alganes at 2:42 PM (GMT -8) on 10 Feb 2025]