Block source IPs for honeypot users
As discussed in this feature request from April 2024, the mobile VPN as well as any external-facing firebox authentication pages can be subject to brute force attacks that are difficult to mitigate. Fireboxes v12.10 introduced the ability to deny repeat attacks from the same IP address and username, but a clever attacker will rotate usernames and/or IP addresses and thereby circumvent this setting.
If we could establish a list of "honeypot" users who do not exist in our VPN user pool or group, then we could have a setting to automatically block or drop packets from source IPs that try to log on with these usernames. The only potential downside is that depending on what gets returned to the attacker, they might be able to determine which user accounts are live and which are honeypot based on how the firebox handles the request. The upside is that an attacker who trips a honeypot account would then be unable to use that same IP address to make any further attacks, at least until the block expires (if there is an expiration).
My apologies for making a potential "duplicate" post, but I thought this was distinct enough from the original to merit a separate entry. I'd really love to see both features implemented, of course.
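As an added illustration of the two mechanisms the request contrasts (this is example code written for this page, not WatchGuard/Firebox code and not from the original post), the script below replays a constructed failed-login log through two detectors: an approximation of the existing "same IP plus same username" lockout, and the proposed honeypot-username tripwire with a timed IP block. The log format, field names, decoy usernames, threshold and block duration are all assumptions made up for the example; a real implementation would sit in the authentication path rather than reading a log after the fact. The rotating attacker (203.0.113.7) never trips the per-(IP, user) counter but is blocked as soon as it tries a decoy name, while the attacker hammering one real account (198.51.100.9) is caught by the existing lockout and never touches the honeypot.

```python
"""Honeypot-username tripwire vs. per-(IP, username) lockout, replayed over a
constructed auth log. Example code only; log format, decoy names and
thresholds are assumptions, not Firebox behaviour."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, one failed login per line.
# Assumed format: "<ISO timestamp> auth_fail src=<ip> user=<name>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 auth_fail src=203.0.113.7 user=alice
2024-05-01T10:00:02 auth_fail src=203.0.113.7 user=bob
2024-05-01T10:00:04 auth_fail src=203.0.113.7 user=backup
2024-05-01T10:00:05 auth_fail src=203.0.113.7 user=carol
2024-05-01T10:00:30 auth_fail src=198.51.100.9 user=alice
2024-05-01T10:00:31 auth_fail src=198.51.100.9 user=alice
2024-05-01T10:00:32 auth_fail src=198.51.100.9 user=alice
2024-05-01T10:00:33 auth_fail src=198.51.100.9 user=alice
2024-05-01T11:30:00 auth_fail src=203.0.113.7 user=dave
"""

# Decoy usernames that exist nowhere in the real VPN user pool (assumed list).
HONEYPOT_USERS = frozenset({"backup", "vpnadmin", "test", "scanner"})


@dataclass
class AuthFail:
    ts: datetime
    src: str
    user: str


def parse_log(text: str) -> list:
    """Parse the constructed log format into AuthFail events, in file order."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "auth_fail":
            continue  # ignore anything that is not a failed login
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append(AuthFail(datetime.fromisoformat(parts[0]), fields["src"], fields["user"]))
    return events


def per_ip_user_lockouts(events, threshold=3, window=timedelta(minutes=5)):
    """Approximation of a 'same IP + same username' lockout: returns the set of
    (src, user) pairs that reached `threshold` failures inside `window`.
    An attacker rotating usernames never accumulates enough hits on one key."""
    hits = defaultdict(list)
    locked = set()
    for ev in events:
        key = (ev.src, ev.user)
        hits[key] = [t for t in hits[key] if ev.ts - t <= window] + [ev.ts]
        if len(hits[key]) >= threshold:
            locked.add(key)
    return locked


def is_blocked(blocked, src, now):
    """True while `src` has an unexpired honeypot block."""
    expiry = blocked.get(src)
    return expiry is not None and now < expiry


def honeypot_blocks(events, block_for=timedelta(hours=1)):
    """Proposed tripwire: any attempt against a decoy username blocks the
    source IP for `block_for`. Events arriving from a blocked IP are dropped
    before they reach authentication. Returns ({src: expiry}, dropped_events)."""
    blocked = {}
    dropped = []
    for ev in events:
        if is_blocked(blocked, ev.src, ev.ts):
            dropped.append(ev)  # would never reach the auth page
            continue
        if ev.user in HONEYPOT_USERS:
            blocked[ev.src] = ev.ts + block_for
    return blocked, dropped


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-(IP,user) lockouts:", per_ip_user_lockouts(evs))
    blk, drp = honeypot_blocks(evs)
    print("honeypot blocks:", {s: t.isoformat() for s, t in blk.items()})
    print("dropped:", [(e.ts.isoformat(), e.src, e.user) for e in drp])
```

Note what the replay cannot show: the caveat raised in the post about the response to a decoy username looking different from the response to a real one. That is a property of what the authentication endpoint returns, so a fair implementation would have to answer honeypot and real usernames with identical failure messages and comparable timing.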