I have been seeing random users in our VPN connections page like test and right now I see
[email protected]. That is not our tenant, the connection has been there for 56 minutes. There are 0B sent or received. We use SSO from our external IDP for authentication and use the SSL VPN Client. We only have the VPN port external ip:port accessible to the www so x.x.x.x:9443 or some.domain:9443. Is there something I am missing to stop this or is it just something that is going to happen as our VPN IP is scanned?
What version is your fortigate on? Do you have admin interface exposed to WAN?
No we do not, only the SSL VPN
What IP is the connection from? I would double check your config to see if someone has been poking around and added another identity source.
One is coming from a San Diego University IP and the others are Digital Ocean’s VPN IP
There is no other identify source. all requests go to our IdP
It “looks” like it is trying to use client based L2TP which is disabled. The only service that is enabled on the WAN interfaces is FTM.
It’s someone trying to brute force our L2TP VPN. For some reason the Fortigate shows it at connected even though phase 1 is failing.
Seems like a dumb way to log that.