Brute force WAF NGAF

favianbayu Lv1 Posted 2024-Mar-05 18:05

Hi there,

So we are implementing WAF on our NGAF.
The issue is that brute-force protection is not enforced on our Sangfor.

We set up brute force under the Web-based Login Password setting in the WAF policy template.
Basically, we make a custom database for brute force.

It used to work because we used cookies from the web apps we protect. But now it seems like it doesn't work anymore,
not after we changed the cookie.
Does anyone have a solution for us on this brute-force policy?
Or maybe best practice for brute force?

Thank you

pmateus has solved this question and earned 10 coins.


Hi,
DDOS is not supported, but you can apply some configuration that will help you, like:
•  Limit Failed Login Attempts
•  Complex Password Policies
•  Two-Factor Authentication (2FA)
•  Monitor and Alert
•  VPN Path Configuration
•  Endpoint Protection

Hope this helps,
Newbie290036 Posted 2024-Mar-15 03:25
  
To enforce Brute Force protection on your Sangfor NGAF, follow these steps:

1. Log in to the Sangfor NGAF web interface.
2. Navigate to the "Security" module and then click on "Web Application Firewall (WAF)".
3. In the WAF management page, select the "Policy Template" option from the left sidebar.
4. Find the policy template you wish to modify or create a new one if needed.
5. Click on the "Edit" button associated with the selected policy template.
6. Under the "Security Policy" section, locate the "Web-based Login Password" option.
7. Enable the "Brute Force Protection" feature by clicking the checkbox or moving the toggle to the "On" position.
8. Configure additional settings, such as the number of failed login attempts before the protection kicks in, the lockout duration, and the allowed login speed, as per your requirements.
9. Click "OK" to save the changes.
10. Apply the updated policy template to the relevant interfaces or zones within your NGAF configuration.
Farina Ahmed Lv5 Posted 2024-Mar-14 13:49
  
If brute force protection is not being enforced on your Sangfor NGAF (Next-Generation Application Firewall) despite configuring it in the WAF (Web Application Firewall) policy template for web-based login passwords, it's essential to ensure that the settings are properly configured and activated within the NGAF's interface. Double-check that the WAF policy template is correctly applied to the relevant web-based login services and that the brute force protection parameters, such as threshold limits and blocking actions, are appropriately configured to trigger enforcement actions upon detection of suspicious login attempts.
Zonger Lv5 Posted 2024-Mar-12 18:46
  
More information is required; however, to be precise, DDoS is not supported by Sangfor NGAF.
Newbie517762 Lv5 Posted 2024-Mar-12 17:41
  
You are facing an issue with brute-force detection not working effectively after changing the cookie structure on your Sangfor WAF. Here are solutions and best practices to mitigate brute-force attacks.

Solutions:
  • Update cookie validation logic to consider the updated cookie structure.
  • Check cookie expiration time to ensure effectiveness in detecting ongoing attacks.
  • Implement IP address-based blocking as an additional security measure.
  • Enable two-factor authentication (2FA) for user accounts.
  • Use rate limiting to restrict login attempts from a single source.
  • Incorporate CAPTCHAs to distinguish legitimate users from automated bots.

Best Practices:
  • Use strong passwords and enforce regular password changes.
  • Implement account lockout policies after failed login attempts.
  • Monitor logs for suspicious activities and investigate anomalies.
  • Keep software and security patches up to date.
  • Educate users about security best practices.

Prosi Lv3 Posted 2024-Mar-12 16:32
  
Use Strong Passwords.
Limit Login Attempts.   
Monitor IP addresses.   
Use Two-Factor Authentication (2FA).   
Use CAPTCHAs.   
Disable Root SSH Logins
Use Web Application Firewalls (WAFs)
Enrico Vanzetto Lv4 Posted 2024-Mar-12 16:25
  
Hi, try to follow these steps:

Identify the Login Page URI and User Identification Method:
Determine the specific Uniform Resource Identifier (URI) for your login page.
Choose whether user identification will be based on usernames or IP addresses.

Create a Web Application Firewall (WAF) Policy:
Set up a WAF policy specifically for your login page URI.
Define the rules and actions that will govern traffic to this page.

Configure a Brute-Force Rule:
Within the WAF policy, create a rule to detect and handle brute-force attacks.
Set a threshold (e.g., 5 login attempts within 1 hour) for triggering this rule.
Specify a blocking action (e.g., temporary IP block) to prevent further malicious attempts.

Consider Enabling IP Reputation Filtering:
If you have a Next-Generation Firewall (NGAF), explore enabling IP reputation filtering.
This feature helps block traffic from known malicious IP addresses.

Rate Limiting Rules (Optional):
Extend your WAF policy by configuring rate limiting rules.
These rules can further restrict login attempts based on specific criteria.

Set Session Timeouts:
Implement session timeouts within your web application.
Define how long a user session remains active before automatic logout.
Christian Ni Lv1 Posted 2024-Mar-12 16:05
  
Can you please give more information about the problem? The DDoS protection of the WAF is not like full-blown DDoS solutions.
Mar Estonido Lv1 Posted 2024-Mar-12 16:04
  
DDoS is not supported by Sangfor WAF. The only supported one is DoS.
mdamores Posted 2024-Mar-12 14:15
  
Hi,

Do you have the configuration below?

1. Identify your login page URI and user identification method (username or IP).
2. Create a WAF policy for the login page URI.
3. Within the policy, configure a brute-force rule with a threshold (e.g., 5 attempts within 1 hour) and a blocking action (e.g., temporary IP block).
4. Consider enabling IP reputation filtering on your NGAF to block malicious IPs.
5. As an option, try to configure rate limiting rules on the WAF policy to further restrict login attempts.
6. Set session timeouts on your web application.


If all else fails, you may consider consulting the Sangfor WAF documentation or Sangfor support for specific configuration instructions and available brute-force protection features.
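The steps above (pick a login URI and an identification method, count failures against a threshold such as 5 per hour, then block temporarily) and the original poster's symptom (a cookie-based rule that stopped firing after the application's cookie changed) can be seen side by side in a small simulation. The following is an added example, not code or configuration from Sangfor's product or from anyone in this thread. It assumes a hypothetical application whose session cookie was renamed from PHPSESSID to app_sid, constructed login records rather than real logs, and a generic sliding-window counter standing in for whatever the WAF implements internally:

```python
"""Added example (not from the Sangfor thread or from Sangfor's product): a
sliding-window brute-force detector run over constructed login records.
It assumes a hypothetical web app whose session cookie was renamed from
PHPSESSID to app_sid, which is the kind of change that leaves a cookie-keyed
WAF rule without anything to match."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class LoginAttempt:
    ts: int          # seconds since an arbitrary epoch
    src_ip: str
    username: str
    cookie: str      # raw Cookie request header ("" when the client sent none)
    success: bool


# --- identification methods: each maps an attempt to the key the counter uses ---
def key_by_ip(a):
    return a.src_ip


def key_by_username(a):
    return a.username.lower()      # "Admin" and "admin" are the same account


def key_by_cookie(pattern):
    """Key on a session cookie. `pattern` is the regex the rule would carry;
    an attempt whose cookie does not match is invisible to the rule."""
    rx = re.compile(pattern)

    def key(a):
        m = rx.search(a.cookie)
        return m.group(1) if m else None
    return key


class BruteForceDetector:
    """Lock a key out for `lockout` seconds after `threshold` failed logins
    inside a `window`-second sliding window (thread's example: 5 per hour)."""

    def __init__(self, key_fn, threshold=5, window=3600, lockout=600):
        self.key_fn, self.threshold, self.window, self.lockout = key_fn, threshold, window, lockout
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.blocked_until = {}              # key -> time the lockout ends

    def handle(self, a):
        key = self.key_fn(a)
        if key is None:
            return "unkeyed"                 # rule cannot identify the client: not counted
        if a.ts < self.blocked_until.get(key, 0):
            return "blocked"                 # still inside an earlier lockout
        if a.success:
            self.failures.pop(key, None)     # a real login clears the counter
            return "allow"
        q = self.failures[key]
        q.append(a.ts)
        while q and q[0] <= a.ts - self.window:
            q.popleft()                      # drop failures that fell out of the window
        if len(q) >= self.threshold:
            self.blocked_until[key] = a.ts + self.lockout
            q.clear()
            return "lockout"
        return "allow"


def constructed_attempts():
    """Constructed sample traffic (not real logs). Attacker A keeps one session
    cookie in the NEW format; attacker B never sends a cookie; alice mistypes
    once, then logs in."""
    attempts = [LoginAttempt(1000 + 10 * i, "203.0.113.10", "admin",
                             "app_sid=k9s2Qx; theme=dark", False) for i in range(8)]
    attempts += [LoginAttempt(1100 + 5 * i, "198.51.100.7", "Admin" if i % 2 else "admin",
                              "", False) for i in range(6)]
    attempts += [LoginAttempt(3000, "192.0.2.5", "alice", "app_sid=aL1c3", False),
                 LoginAttempt(3010, "192.0.2.5", "alice", "app_sid=aL1c3", True)]
    return attempts


def run(key_fn, attempts):
    """Return how many attempts got each verdict under one identification method."""
    det = BruteForceDetector(key_fn)
    counts = {"allow": 0, "lockout": 0, "blocked": 0, "unkeyed": 0}
    for a in attempts:
        counts[det.handle(a)] += 1
    return counts


if __name__ == "__main__":
    methods = {
        "source IP": key_by_ip,
        "username": key_by_username,
        "cookie, stale pattern": key_by_cookie(r"PHPSESSID=([0-9a-f]+)"),
        "cookie, updated pattern": key_by_cookie(r"app_sid=([A-Za-z0-9]+)"),
    }
    for name, fn in methods.items():
        print(f"{name:25s} {run(fn, constructed_attempts())}")
```

Running it shows the four outcomes a practitioner should expect. A rule keyed on the old cookie name counts nothing at all (every attempt is "unkeyed"), which is exactly the symptom of a rule that silently stopped working after the application changed its cookie. Updating the pattern catches the attacker who keeps a session cookie but still misses the one who sends none, so a cookie key should never be the only identifier. Keying on source IP catches both attackers here, at the cost of lumping together clients behind shared NAT. Keying on username catches both as well but locks the "admin" account for every client, including a legitimate administrator, so keep the lockout short enough to bound that denial of service and consider pairing it with rate limiting or a CAPTCHA as the other replies suggest.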
