The VPN SNX portal in the IPsec VPN Software Blade does not implement any protection against brute-force attack on usernames/passwords.
The protection for the VPN SNX Portal behaves in this way:
Each failed authentication attempt in the VPN SNX Portal triggers a delay (the default delay is 3 seconds).
If a client IP address fails to authenticate in the VPN SNX Portal several times in a row, the protection bans the client IP address for a specific period of time.
The default is 3 failed login attempts in a row.
The default ban duration is 5 minutes.
The protection is included starting from:
The VPN SNX Portal protection is enabled by default.
You can control some protection aspects of this protection with kernel parameters on the Security Gateway.
Note - For instructions for configuring kernel parameters, see the Quantum Security Gateway Guide for your version > Chapter "Working with Kernel Parameters" > Section "Firewall Kernel Parameters".
Controls the delay before accepting the next login attempt from a specific IP address:
- 0 - Disables the feature (not recommended)
- Any positive integer - Configures the delay (in seconds) before accepting the next login attempt from a specific IP address
- Default - 3 seconds
Controls the number of failed authentication attempt (after how many consecutive login attempts, the SNX portal stops accepting the login attempts from a specific IP address):
- Any positive integer - Configures the number of failed login attempts
- Default - 3 failed attempts
Controls the ban penalty period for a failed authentication attempt (for how long the SNX portal stops accepting login attempts from a specific IP address):
- 0 - Disables the ban penalty period (not recommended)
- Any positive integer - Configures the ban penalty period (in seconds)
- Default - 300 seconds (5 minutes)
Note - This feature protects only SNX Portal and SNX CLI.
Removing a client IP address from an active ban
Connect to the command on the Security Gateway.
Log in to the Expert mode.
vpn snx_unban <Client_IP_Address>
vpn snx_unban 192.168.22.33
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.