Geolocation & Authentication attempts
M390 with 12.11 firmware.
I seem to have an issue with Geolocation and some WatchGuard functions like SSLVPN, proxies for Exchange and other websites. I've been getting a number of attacks lately on SSLVPN and other inbound sites requiring authentication against our Active Directory. As an example, here is a blocked site hit from Romania, from Dimension:
FWDeny, blocked sites (geolocation source), pri=4, disp=Deny, policy=WatchGuard-SSLVPN-00, protocol=https/tcp, src_ip=80.94.95.120, src_port=62928, dst_ip=50.174.117.145, dst_port=443, src_intf=2-Comcast-Fiber, dst_intf=Firebox, rc=101, pckt_len=52, ttl=114, pr_info=offset 8 S 3976651325 win 61690, duration=0; sent_bytes=52; rcvd_bytes=0, 3000-0173, geo_src=ROU; geo_dst=USA
My SSLVPN log levels are set to Information (High), but everything else is default. At the same time, an Active Directory account was locked out. The IP address tried a number of different services, but all were blocked. Dimension doesn't show the account it tried.
My big question is: could the geolocation be allowing the authentication attempt, and then blocking the traffic? Can I raise some log level to capture it all in Dimension or the cloud portal logs? Should I just open a ticket?
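As an added example (not code from the original post, from WatchGuard, or from Dimension), the script below parses Firebox/Dimension traffic log lines in the key=value style of the entry quoted above, counts blocked-sites denies per source IP on the SSLVPN policy, and checks whether each denied packet was a bare TCP SYN with rcvd_bytes=0. A SYN that is dropped with nothing received back means the handshake never completed, so that particular flow could not have carried a username or password to the Firebox. The sample log lines are constructed for the example, the threshold is an arbitrary choice, the Exchange-Proxy-00 policy name is made up, and reading the "S" token in pr_info as the TCP SYN flag is an assumption about the log format.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same key=value style as the Dimension entry
# in the post. Source IPs, ports and the Exchange-Proxy-00 policy are made up.
SAMPLE_LOG = """\
FWDeny, blocked sites (geolocation source), pri=4, disp=Deny, policy=WatchGuard-SSLVPN-00, protocol=https/tcp, src_ip=80.94.95.120, src_port=62928, dst_ip=50.174.117.145, dst_port=443, src_intf=2-Comcast-Fiber, dst_intf=Firebox, rc=101, pckt_len=52, ttl=114, pr_info=offset 8 S 3976651325 win 61690, duration=0; sent_bytes=52; rcvd_bytes=0, 3000-0173, geo_src=ROU; geo_dst=USA
FWDeny, blocked sites (geolocation source), pri=4, disp=Deny, policy=WatchGuard-SSLVPN-00, protocol=https/tcp, src_ip=80.94.95.120, src_port=62931, dst_ip=50.174.117.145, dst_port=443, src_intf=2-Comcast-Fiber, dst_intf=Firebox, rc=101, pckt_len=52, ttl=114, pr_info=offset 8 S 3976651401 win 61690, duration=0; sent_bytes=52; rcvd_bytes=0, 3000-0173, geo_src=ROU; geo_dst=USA
FWDeny, blocked sites (geolocation source), pri=4, disp=Deny, policy=Exchange-Proxy-00, protocol=https/tcp, src_ip=80.94.95.120, src_port=62940, dst_ip=50.174.117.145, dst_port=443, src_intf=2-Comcast-Fiber, dst_intf=Firebox, rc=101, pckt_len=52, ttl=114, pr_info=offset 8 S 3976651502 win 61690, duration=0; sent_bytes=52; rcvd_bytes=0, 3000-0173, geo_src=ROU; geo_dst=USA
FWDeny, blocked sites (geolocation source), pri=4, disp=Deny, policy=WatchGuard-SSLVPN-00, protocol=https/tcp, src_ip=80.94.95.120, src_port=62955, dst_ip=50.174.117.145, dst_port=443, src_intf=2-Comcast-Fiber, dst_intf=Firebox, rc=101, pckt_len=52, ttl=114, pr_info=offset 8 S 3976651677 win 61690, duration=0; sent_bytes=52; rcvd_bytes=0, 3000-0173, geo_src=ROU; geo_dst=USA
FWDeny, blocked sites (geolocation source), pri=4, disp=Deny, policy=WatchGuard-SSLVPN-00, protocol=https/tcp, src_ip=203.0.113.9, src_port=51000, dst_ip=50.174.117.145, dst_port=443, src_intf=2-Comcast-Fiber, dst_intf=Firebox, rc=101, pckt_len=52, ttl=54, pr_info=offset 8 S 1122334455 win 65535, duration=0; sent_bytes=52; rcvd_bytes=0, 3000-0173, geo_src=DEU; geo_dst=USA
"""


def parse_firebox_line(line):
    """Parse one Firebox/Dimension traffic log line into a dict.

    Fields are key=value tokens separated by ', ' or '; '. The first two
    bare tokens (message type and deny reason) become 'msg' and 'reason';
    any other bare token (such as the '3000-0173' message id) goes in 'tags'.
    """
    fields = {}
    bare = []
    for tok in re.split(r"[,;]\s+", line.strip()):
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key.strip()] = value.strip()
        else:
            bare.append(tok.strip())
    if bare:
        fields["msg"] = bare[0]
    if len(bare) > 1:
        fields["reason"] = bare[1]
    fields["tags"] = bare[2:]
    return fields


def is_syn_only(rec):
    """True when the denied packet was a bare SYN with nothing received back.

    Assumption: the 'S' token in pr_info is the TCP SYN flag. With
    rcvd_bytes=0 the three-way handshake never completed, so no TLS session
    and therefore no credential could have travelled over this flow.
    """
    flags = rec.get("pr_info", "").split()
    return "S" in flags and rec.get("rcvd_bytes", "0") == "0"


def summarize_denies(log_text, policy_prefix="WatchGuard-SSLVPN", threshold=3):
    """Count FWDeny hits per source IP and flag sources at or above threshold.

    policy_prefix restricts the count to policies whose name starts with it
    (None counts every policy). Each flagged entry reports the hit count,
    the geo_src country, how many distinct source ports were seen, and
    whether every hit was a SYN-only deny (i.e. no flow reached auth).
    """
    per_ip = defaultdict(lambda: {"count": 0, "geo_src": None,
                                  "all_syn_only": True, "ports": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_firebox_line(line)
        if rec.get("msg") != "FWDeny":
            continue
        if policy_prefix and not rec.get("policy", "").startswith(policy_prefix):
            continue
        entry = per_ip[rec["src_ip"]]
        entry["count"] += 1
        entry["geo_src"] = rec.get("geo_src")
        entry["all_syn_only"] = entry["all_syn_only"] and is_syn_only(rec)
        entry["ports"].add(rec.get("src_port"))

    return {
        ip: {"count": e["count"], "geo_src": e["geo_src"],
             "all_syn_only": e["all_syn_only"], "distinct_ports": len(e["ports"])}
        for ip, e in per_ip.items() if e["count"] >= threshold
    }


if __name__ == "__main__":
    for ip, info in summarize_denies(SAMPLE_LOG).items():
        verdict = "handshake never completed" if info["all_syn_only"] else "some flows got past SYN"
        print(f"{ip} ({info['geo_src']}): {info['count']} denies on "
              f"{info['distinct_ports']} ports; {verdict}")
```

If every hit from the Romanian address comes back as a SYN-only deny, that address never got far enough to present a credential to the Firebox, and the AD lockout would have to be explained by a different source or a different service; the per-policy filter lets you run the same check across the Exchange proxy and other inbound policies.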
Comments
Review this article:
Detect and mitigate brute force attacks that target Mobile VPN with SSL (SSLVPN)
https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S000000BcPmSAK&lang=en_US
You can increase diagnostic logging for authentication which may show something to help.
Thanks Bruce. I think the diagnostic logging for Authentication is what I am looking for. Everything else except the failed authentication blocking was set.