Test user showing up in VPN

So twice now I’ve checked the VPN monitor and a user “test” has shown up on the list. VPN type is blank, I do not have IPSec configured we just use SSL. The first time was in August and originating IP was New York. Second instance was last night and IP claims it’s from California. There was no traffic through the connection.

Firmware is 7.0.6 (we are upgrading as we can to 7.0.8). Has anyone else seen this? I’m at a loss on preventing future connections or worse. Or if this is just some random bug. There is no test user on the device or the connecting LDAP.

Edit/update: so FTAC saw the logs. We determined nothing was compromised. I was able to duplicate the message by attempting to connect with test test for the username and password and unsuccessfully connecting. In addition, we are currently undergoing pen testing, so everything is ok. I killed the VPN web portal and all is good now. Thanks all.

Do you have your management interface exposed on your WAN connection?

That’s a ransom attack waiting to happen. I went through that shit… Do you have SSL VPN accessible via web? Also, I would advise using multifactor with Azure or anything else you can 2FA with.

Sounds like it’s been compromised. Check admin users for anything fishy, system event logs, and SSL VPN connection history and traffic for anything unusual.

Open a case with TAC; they can help check the logs to try to figure out what happened (no guarantees).

Not specific to the VPN monitor, but I have seen a user with the name test in it show up when configuring/testing a RADIUS server.

No. Disabled all that until the updates can happen. Good question though.

You mean, can they go to the public facing IP via a web browser?

Edit: If that’s the case, I did. It would just notify them that they have to download FortiClient. No one uses that though, so I have disabled it.

Yeah. That’s my next step. Appreciate it

Yes… take that off just to be on the safe side. I remember a vulnerability back in the 6.0.x days where this used to be an issue. It may be an issue again on 7.0.x. I would set up a deny setting closing the web access.