blocking ip addresses with failed logins
Hi Team,
Fireware v12.10.4 includes a new feature to block IPs after failed login attempts, but it only works for failed logins to the accounts: status or admin.
In adition, it would be interesting to lock a same source IP when it's trying to login several attempts to different account names in short time, specially when they actually neither exist.
Thank in advance for any answer about this behaviour!
Javier
1
Sign In to comment.
Comments
Hi @JaviPic
There's two features that are getting mixed up here that were added in 12.10.4.
--This release adds checks to prevent inadvertent changes to the built-in status and admin account permissions. [FBX-26096]
--You can now block the source IP address of consecutive authentication failures to the Firebox. [FBX-9333, FBX-19172]
The feature you're looking for can be configured via the following methods.
(Configure Block Failed Login Attempts) WatchGuard Cloud
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/WG-Cloud/Devices/managed/auth_firebox_ip_block.html
(Set Global Firewall Authentication Values) WatchGuard System Manager/WebUI
Scroll down to the section labeled "Configure Block Failed Logins Settings"
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/global_auth_settings_c.html
-James Carson
WatchGuard Customer Support
Hi James,
first at all thanks for your answer!
Rereading again the info, I saw that limitation to status and admin users is limited just to Web UI login page. It doesn't apply to another login option.
I have setup following your instructions and it's working and locking IPs as desired.
Thanks again for your assistance!