Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 3 replies
  • Subscribers 27 subscribers
  • Views 2859 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Too many failed sign-in attempts from WAN Address..

cm00001

Hello,

I am puzzled for something that just happened to me. I got this alert from the XG today:

Subject: *ALERT* Sophos XG Firewall - Too many failed sign-in attempts

Device Information:
Hostname: <XG FIrewall FQDN>
Management Interface IP: Not configured/Not available
Date/Time: 2020-11-02 15:57:25
Alert ID: 17913

Message:
The administrative access from IP Address '40.97.230.101' is blocked for '5' minutes after '5' unsuccessful login attempts

If the only service allowed to the firewall from outside is SSL-VPN, how could "40.97.230.101" try to access the administrative access for 5 times?

Thank you!



This thread was automatically locked due to age.
  • 0

    Assuming you do not have a Local ACL Exception configured, the SSLVPN will share the port of the User portal. 

    Do you use SSLVPN on Port 443? Those blocks could be generated by the User Portal. Can you look up the logviewer - Authentication and look for the "Facility"? 

  • +1

    Hello cm00001,

    Thank you for contacting the Sophos Community!

    What port it is being used by the SSL VPN? If it is the same you are using for the User Portal or Admin, this might be causing this.

    Regards,

  • 0 in reply to emmosophos

    Thanks for the quick reply! 

    I was able to confirm the port for the User Portal was the same for the VPN. So in this case, the User Portal was not blocked in the WAN (even though it was under Device Access). 

    Once I changed the User Portal port to a different one, it was no longer accessible from the WAN.

    Since the User Portal was the source of these requests, why does the message says "administrative access"?