User blocked

Hi!
I've a M270 with SSL VPN using active directory for authentication.
One of my users keeps getting is password blocked because of failed login attempts.
On my DC I've the information the request is coming from the firebox ip.
Is there a way to see where are the auth requests coming in the firebox log? How can I access those logs?

I also removed the user from the AD VPN Group, but it keeps getting blocked.

Can anyone help?

Thanks!

Comments

  • I'm not using AD for my SSLVPN connection.
    Here is what I see in my logs when entering an incorrect password:

    2022-07-05 16:46:51 admd Authentication of Firewall user [[email protected]] from 10.0.1.2 was rejected, invalid credentials or user doesn't exist msg_id="1100-0005" Event
    2022-07-05 16:46:51 wgcgi SSL VPN user [email protected] from 10.0.1.2 was rejected - Unspecified. Debug

    You should be able to test this at your site from behind your firewall, as I did above, and see what shows in Traffic Monitor.

  • Hi Bruce.
    In traffice monitor I can only access real time information. How can I access those logs? Tried Firebox System Manager, Fireware Web UI and Watchguard Cloud... cant find the logs!
    Can you help?

    Thank you!

  • You can set up a log server.
    1) a syslog server
    2) Dimension
    3) WSM Log Server - note that this will be going away in the next major release

    Set Up Logging and Reporting for Your Network
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/logging/set-up_logging-reporting_network.html

  • edited July 6

    You can see that log in Dimension...but...you can also see it live with System Manager.

    From there, every time I have had that - every time...it is an end user who is trying to copy paste a credential and has something more, like a blank space at the end of the PW.

    I also avoid common user names, for instance, if my email address is [email protected] the username I take out the punctuation and it is johnsmithjohnsmithcom for the username and use a password site for the credential. I then also use almost exclusively the OpenVPN Connect software as opposed to the WatchGuard version of the same thing. It gives a bit more information to the end user including logs they can decipher.

  • I've installed Dimension and its working, logs are being recorded and search is better.
    However, cant find any log with this user.
    Also tried purposely failing a vpn connection 5 times with a firebox user, not AD, and looking for that user, nothing is shown...

    I'm lost... and I nedd to find where are this auth requests coming!

    Thanks.

  • You don't see anything in Traffic Monitor related to these failed VPN connection attempts ?

  • FYI, in WSM Firebox System Manager -> Traffic Monitor, you can set it to display up to 25,000 log lines. (right click -> Settings)
    The max size will happen if your have FSM connected for a long period of time.

  • Also in Dimension Log Search, make sure that you select the ALL log message types option.
    The default is to only search for TRAFFIC type logs.

  • Finaly in Dimension I found Reports / Device / Authentication and it's there!

    Thank you for helping!

Sign In to comment.