Fortigate Plugin - VPN feature request

Hi,

I’m looking at the Fortigate plugin.
What I’d like it to do is kick users off the VPN (IPsec or SSL).

The use case is that we would like to automate a playbook that disconnects users from the VPN and disables their AD account. We have an issue in that disabling an AD account doesn’t stop an active VPN session, so a malicious attacker may still have access.

Is this possible with the plugin, or is it a feature request?

2 Likes

I’d try this (that overview doesn’t show it, but it’s “Force Reset Password”):

That will nuke the user’s session and unauthenticate them from any MS services.

The other thing you could do is add a group in Fortigate that’s like “black_listed_internal_addresses” and have it block all outgoing and ongoing traffic. Then you could add the user’s machine to that group.

I think the second part might be overkill, but I’d definitely check out force password reset.

1 Like

Looks like this capability is exposed in the Fortigate’s Monitor API.

GET https://{ip}:443/api/v2/monitor/vpn/ssl
POST https://{ip}:443/api/v2/monitor/vpn/ssl/delete

I could hack together some code and extend this plugin, but we don’t use the VPN feature on our Fortigate, so I wouldn’t have a good opportunity to test it. I’d recommend some quick and dirty Python/PowerShell scripting for this action if you’re pressed for time.

2 Likes

Hi,
This would only work if the Fortigates auth’d against Azure; currently they auth against a local AD.

Blacklisting is great, but if the session is active, how do you stop it? The only time the Fortigates look to auth is on tunnel up; they don’t periodically check.

So I need a solution that will kill an IPsec/SSL VPN connection.

On the API (Fortigate Developer Network) I agree it can be done with the API; I just hope it can be done via the plugin.


POST /vpn/ipsec/tunnel_down (brings down a specific ipsec tunnel)
POST /vpn/ssl/delete (terminate the provided ssl vpn session)

You’d probably need to provide the information for the above
GET /vpn/ssl to get the ssl sessions
GET /vpn/ipsec to get the ipsec sessions

1 Like
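The two posts above (the monitor endpoints at /api/v2/monitor/vpn/ssl and /vpn/ssl/delete, and the /vpn/ipsec/tunnel_down pair) describe the calls but not how to string them together into a "kick this user" action. Below is an added example of exactly that; it is not code from the Fortigate plugin or from Fortinet. It assumes a FortiOS REST API token sent as an Authorization: Bearer header, assumes the session list comes back under a "results" key with "user_name", "index" and "subsessions" fields, and assumes the delete call takes "index" and "type" query parameters and tunnel_down takes "p1name"/"p2name"; check those names against FNDN for your FortiOS release before relying on them. The host name, token and the session data are constructed for the example, and the transport is swappable so the logic runs offline.

```python
"""Kick a user off a FortiGate SSL-VPN (and optionally drop an IPsec tunnel) via the monitor API.

Added example; not the Fortigate plugin's own code. All endpoint parameter names and the
response shape are ASSUMPTIONS based on the monitor API paths quoted in the thread.
"""
import json
import ssl
import urllib.parse
import urllib.request


class FortiGateMonitor:
    """Minimal client for the FortiOS v2 monitor API (token auth assumed)."""

    def __init__(self, host, token, transport=None, verify_tls=True):
        self.base = f"https://{host}/api/v2/monitor"
        self.token = token
        # transport(method, url, params) -> dict. Injected for offline tests;
        # defaults to real HTTPS via urllib.
        self.transport = transport or self._http(verify_tls)

    def _http(self, verify_tls):
        ctx = ssl.create_default_context()
        if not verify_tls:  # only for lab boxes with self-signed certs
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE

        def send(method, url, params):
            if params:
                url = f"{url}?{urllib.parse.urlencode(params)}"
            req = urllib.request.Request(
                url, method=method,
                headers={"Authorization": f"Bearer {self.token}", "Accept": "application/json"})
            with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
                return json.load(resp)
        return send

    def _call(self, method, path, **params):
        return self.transport(method, f"{self.base}{path}", params)

    def ssl_sessions(self):
        # GET /vpn/ssl -> {"results": [...]}  (ASSUMED shape)
        return self._call("GET", "/vpn/ssl").get("results", [])

    def ssl_sessions_for(self, username):
        wanted = username.casefold()  # AD logins are case-insensitive
        return [s for s in self.ssl_sessions() if s.get("user_name", "").casefold() == wanted]

    def kill_ssl_user(self, username):
        """Terminate every SSL-VPN session (web and tunnel) belonging to username."""
        killed = []
        for sess in self.ssl_sessions_for(username):
            # ASSUMPTION: /vpn/ssl/delete takes the parent session index plus the subsession type
            for sub in sess.get("subsessions") or [{"type": "tunnel"}]:
                kind = sub.get("type", "tunnel")
                self._call("POST", "/vpn/ssl/delete", type=kind, index=sess["index"])
                killed.append((sess["index"], kind))
        return killed

    def ipsec_tunnel_down(self, p1name, p2name=None):
        """Bring down one IPsec tunnel by phase-1 (and optionally phase-2) name. ASSUMED params."""
        params = {"p1name": p1name}
        if p2name:
            params["p2name"] = p2name
        return self._call("POST", "/vpn/ipsec/tunnel_down", **params)


# Constructed sample shaped like a /vpn/ssl response; NOT captured from a real firewall.
SAMPLE_SSL = {"results": [
    {"index": 0, "user_name": "jdoe", "remote_host": "203.0.113.10", "duration": 1203,
     "subsessions": [{"index": 0, "type": "tunnel", "aip": "10.212.134.200"}]},
    {"index": 1, "user_name": "asmith", "remote_host": "198.51.100.7", "duration": 77,
     "subsessions": [{"index": 0, "type": "web"}]},
    {"index": 2, "user_name": "JDoe", "remote_host": "203.0.113.22", "duration": 5,
     "subsessions": [{"index": 0, "type": "web"}, {"index": 1, "type": "tunnel"}]},
]}


class FakeTransport:
    """Records every call and answers from the constructed sample, so the flow runs offline."""

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, params):
        self.calls.append((method, url.rsplit("/api/v2/monitor", 1)[1], dict(params)))
        if method == "GET" and url.endswith("/vpn/ssl"):
            return SAMPLE_SSL
        return {"status": "success"}


def demo():
    fake = FakeTransport()
    fg = FortiGateMonitor("fw.example.internal", "REDACTED-TOKEN", transport=fake)  # hypothetical host/token
    killed = fg.kill_ssl_user("jdoe")  # matches both "jdoe" and "JDoe" sessions
    return killed, fake.calls


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Run kill_ssl_user only after the AD account is disabled; otherwise the client will simply reconnect, since (as noted above) the FortiGate only re-authenticates at tunnel-up. For IPsec dial-up users there is no per-user list in this example: you still need to map the user to the tunnel name from the GET /vpn/ipsec output before calling ipsec_tunnel_down.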

Would you be able to GET from /vpn/ssl and post the sanitized response? I’m curious what a production response looks like. FNDN is pretty sparse on details for the response body.

I’ll go ahead and put in an idea to potentially get these couple actions added. It sounds like we have a valid use case for them here. :+1: