Login with user test on all fireboxes the last 2 days

Hi,

The last 2 days I see logins from different IP addresses, not located in DK, with user TEST on all my fireboxes.

For now I have set up a rule to only allow login on most of my fireboxes from DK.

Authpoint logfile attached.

Have any of you seen this? It seems a bit odd they are hitting all my fireboxes at once.

Regards
Robert

Comments

  • I can see they are hitting my sslvpn interface on my boxes:

    2023-02-07 22:46:33 FWStatus, ready to end authentication session with error code 32, pri=3, proc_id=admd, msg_id=
    2023-02-07 22:46:33 FWStatus, SSL VPN user [email protected] from 1.53.198.88 was rejected - user is rejected by Cloud., pri=3, proc_id=wgcgi, msg_id=
    2023-02-07 22:46:33 FWStatus, User not authenticated, pri=3, proc_id=wgcgi, msg_id=
    2023-02-08 02:58:43 FWStatus, ready to end authentication session with error code 32, pri=3, proc_id=admd, msg_id=
    2023-02-08 02:58:43 FWStatus, SSL VPN user [email protected] from 175.157.213.229 was rejected - user is rejected by Cloud., pri=3, proc_id=wgcgi, msg_id=
    2023-02-08 02:58:43 FWStatus, User not authenticated, pri=3, proc_id=wgcgi, msg_id=

  • I am getting hits on all boxes from all over the world with user test.

    Date/Time: 2023-02-09 09:33:18
    User: test
    IP Address: deu.cloud.watchguard.com
    Source: AUTH
    Category: FIREBOX
    Sub-Category: UNKNOWN
    Action: UNAUTHORIZED
    Target: Firebox Kaufmann Frederiksberg

    All are reported as Sub-Category UNKNOWN

    Looking at some of my valid users, Sub-Category is LDAP_PUSH, but sometimes they are also listed as UNKNOWN, in which case they can't log in.

  • james.carson Moderator, WatchGuard Representative

    Hi @Robert_Vilhelmsen
    I'm assuming that you've probably already done so, but please create a support case for this -- at face value this probably shouldn't be happening, but I can't really provide any data on how or why without more context.

    If you can reply with the case number I can ensure it's with the correct team to help as quickly as possible.

    -James Carson
    WatchGuard Customer Support

  • Hi @james.carson

    Thank you. I did indeed open a case, 01837549, and got a very good answer.
    All in all it ended up with the advice to use geolocation to block unwanted countries from accessing the sslvpn policy on my fireboxes.

    /Robert

  • RyanTait WatchGuard Representative

    Good morning,

    Multiple WatchGuard customers and partners have reported the suspicious behavior to the support team with a lot of similar questions. In response we have published the following knowledge-base article.

    https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S000000BcPmSAK

    Ryan Tait | Support Engineer
    WatchGuard Technologies, Inc. | www.watchguard.com
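
For anyone who wants to confirm the same pattern across their own boxes, here is an added example (not part of the original thread and not WatchGuard code) that parses the SSL VPN rejection lines in the format quoted above and flags usernames rejected on several fireboxes from several distinct sources. The box names, sample addresses (documentation ranges) and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Matches the rejection line format quoted in the thread.
REJECT = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) FWStatus, SSL VPN user "
    r"(?P<user>\S+) from (?P<src>\S+) was rejected"
)

def summarize(logs_by_box):
    """Map each rejected username to the fireboxes and sources that saw it."""
    seen = defaultdict(lambda: {"boxes": set(), "sources": set(), "count": 0})
    for box, text in logs_by_box.items():
        for line in text.splitlines():
            m = REJECT.match(line.strip())
            if not m:
                continue  # other admd/wgcgi status lines carry no user or source
            # Case-folded: the thread shows the name as both "test" and "TEST".
            entry = seen[m["user"].lower()]
            entry["boxes"].add(box)
            entry["sources"].add(m["src"])
            entry["count"] += 1
    return dict(seen)

def flag_sprayed(summary, min_boxes=2, min_sources=3):
    """Usernames rejected on several boxes from several distinct sources."""
    return sorted(
        user for user, e in summary.items()
        if len(e["boxes"]) >= min_boxes and len(e["sources"]) >= min_sources
    )

# Constructed sample data: box names and addresses (RFC 5737) are made up.
SAMPLE = {
    "firebox-a": """\
2023-02-07 22:46:33 FWStatus, ready to end authentication session with error code 32, pri=3, proc_id=admd, msg_id=
2023-02-07 22:46:33 FWStatus, SSL VPN user test from 192.0.2.10 was rejected - user is rejected by Cloud., pri=3, proc_id=wgcgi, msg_id=
2023-02-07 22:46:33 FWStatus, User not authenticated, pri=3, proc_id=wgcgi, msg_id=
2023-02-08 02:58:43 FWStatus, SSL VPN user TEST from 198.51.100.23 was rejected - user is rejected by Cloud., pri=3, proc_id=wgcgi, msg_id=
2023-02-08 07:15:02 FWStatus, SSL VPN user alice from 203.0.113.5 was rejected - user is rejected by Cloud., pri=3, proc_id=wgcgi, msg_id=
""",
    "firebox-b": """\
2023-02-08 03:01:10 FWStatus, SSL VPN user test from 203.0.113.77 was rejected - user is rejected by Cloud., pri=3, proc_id=wgcgi, msg_id=
2023-02-08 03:04:55 FWStatus, SSL VPN user test from 192.0.2.10 was rejected - user is rejected by Cloud., pri=3, proc_id=wgcgi, msg_id=
""",
}

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for user in flag_sprayed(summary):
        e = summary[user]
        print(user, e["count"], sorted(e["boxes"]), sorted(e["sources"]))
```

A name that no real account uses, rejected on every box from unrelated sources, is the pattern reported in this thread; a valid user who mistypes a password shows up on one box from one source and stays below the thresholds.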
