by b112 420 days ago
This sounds very weird.

If you're blocking non-US IPs, you typically block at the IP layer, before a login attempt can even begin.

Why allow someone to even log in at all?

7 comments

If the intent is to collect foreign IPs attempting login - you could block it down the chain. Lots of intelligence reasons to do this.
If you block outright an adversary has reason to try another IP. If you allow the attempt then show a standard "login failed" page they have less information to go on.
Not necessarily. One could have a gov site allowing anyone to view it, but have stricter rules on a /login path, HTTP POST, auth header, or it could have been blocked by some company-wide safety layer that manages this stuff semi-automatically. But that's just speculation.
So the default behavior of a Fortigate is to allow you to apply an access policy to the VPN tunnel itself, which can easily be a geoblock, but the local-in policy where the remote is actually authenticating against the firewall is much harder to change.

Not saying this is a Fortigate or that the federal government didn't change the low effort configuration, but it's certainly not unusual, Fortinet is a huge presence.

maybe to detect that the valid credentials are leaked / used in the wild?
Exactly; a valid login attempt from abroad should trigger an immediate account lock and credentials reset for sensitive systems like this.
Auth providers (like Okta for example) often do the geo-blocking at level 7 -- because if you know the login being used, you can then lock the account that is being accessed from a blocked region.
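The layer-7 approach the comments above describe (let the attempt reach the login handler, return the same generic "login failed" page regardless of why, and lock the account when valid credentials arrive from a blocked region) as an added example in Python; this is not code from the thread or from any vendor mentioned, and the IP-to-region table, account store and event list are constructed stand-ins for a real GeoIP database, directory and SIEM feed.

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field

# Constructed lookup table standing in for a real GeoIP database (hypothetical prefixes).
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "XX",  # constructed non-US region
}
ALLOWED_REGIONS = {"US"}
GENERIC_FAILURE = "login failed"  # identical body for every failure: no hint about the cause
DUMMY_SALT = b"\x00" * 16         # used for unknown users so the hash cost is paid either way


def region_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, region in GEO_TABLE.items():
        if addr in net:
            return region
    return "UNKNOWN"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    locked: bool = False


@dataclass
class AuthService:
    accounts: dict = field(default_factory=dict)
    events: list = field(default_factory=list)  # what the detection team gets to see

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def login(self, user: str, password: str, ip: str) -> str:
        acct = self.accounts.get(user)
        salt = acct.salt if acct else DUMMY_SALT
        valid = acct is not None and hmac.compare_digest(hash_password(password, salt), acct.pw_hash)
        region = region_of(ip)
        if region not in ALLOWED_REGIONS:
            if valid:  # leaked credential in use from abroad: lock and raise a high-severity event
                acct.locked = True
                self.events.append(("valid_creds_from_blocked_region", user, ip, region))
            else:
                self.events.append(("failed_from_blocked_region", user, ip, region))
            return GENERIC_FAILURE
        if not valid or acct.locked:
            self.events.append(("failed", user, ip, region))
            return GENERIC_FAILURE
        return "ok"
```

The response is the same for a bad password, an unknown user and a correct password from a blocked region; only the recorded event differs, which is the information the defender keeps and the client does not get.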
Remember these elons are script kiddie hackers, it only occurred to them to disable the outer firewall, Azure AD will independently geo-IP block all by itself