After discussing the problem with our 3rd party vendor, we concluded that neither MFA nor whitelisting will work in our situation. Since their access to our system is only necessary when I request support, we've decided to "Turn OFF" the SSL VPN when not in use. I did this yesterday and the attack notifications stopped immediately.
I recognize that the firewall was doing its job, as many of you have said; however, it was making me really nervous, and sometimes that's the driving force behind our decisions. Obviously, this solution doesn't work in every situation, but it does in this case, and it helps me sleep at night.
I think your 3rd party did not give you the best possible advice.
If you limited SSL VPN access to the IP address of the partner, NOBODY else could even connect to the port, and so could not try any usernames/passwords.
If MFA were used... well, then even guessing user/pass would lead nowhere, even if the offender had correctly guessed the username and password.
I wonder that you have one single SSL VPN user and already you are in panic mode. Why? Was this one user's username guessed? If so, then I would ask myself what is wrong with this user, when he leaked the credentials (at least the username).
If it was some random username.... why worry, when nobody else has VPN access rights? Even if someone would access with the right user/pass, he wouldn't be connected, because he has no access right for VPN connections.
Why did I use the term 'panic'.....?
Well, you have ONE VPN user. Others may have hundreds and thousands. How many 'wrong password' emails do you think they would get, if they had this notification turned on? I bet that they couldn't purge the mailbox fast enough!
I understand that it may be scary when you see this happen for the first time. But it is not much different from when you are logging all the dropped connections to your firewall, all the IP and port scans. That simply is the 'noise' of the Internet that we have to live with, but not let it scare us. Some level of noise is good. Be scared when it suddenly disappears! That will mean either you have no Internet connection, your logging stopped working or, even worse, your firewall isn't working.
Listen to the noise and start watching carefully, when the noise changes. That is what should make you worry - changes in the noise. But not some random VPN logon attempts, where some bot tries the top 10 most common user/password combinations.
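An added example, not part of the thread: one way to watch for changes in the noise rather than individual failed logons, flagging hours where failures vanish or jump, and attempts that name an account that really has VPN rights. The function names, thresholds and all sample data are assumptions constructed for illustration.

```python
from statistics import median

def noise_changes(hourly_failures, window=24, k=4.0):
    """Return [(hour_index, kind)], kind being 'silence' or 'spike'.

    Each hour is compared with the median of the preceding `window` hours.
    Spread is the median absolute deviation (MAD), floored at 1 so a very
    steady baseline does not flag small wobbles.
    """
    findings = []
    for i in range(window, len(hourly_failures)):
        base = hourly_failures[i - window:i]
        med = median(base)
        mad = max(median([abs(x - med) for x in base]), 1)
        count = hourly_failures[i]
        if count == 0 and med > 0:
            # Noise disappeared: link down, logging broken, or firewall down.
            findings.append((i, "silence"))
        elif count > med + k * mad:
            # Far above the usual background of bot logon attempts.
            findings.append((i, "spike"))
    return findings

def real_account_hits(attempts, vpn_users):
    """Failed attempts whose username is an account with VPN access rights."""
    return [a for a in attempts if a[1].lower() in vpn_users]

# Constructed sample data: failed SSL VPN logons per hour.
BASELINE = [5, 7, 6, 4, 8, 5, 6, 7, 5, 6, 4, 7,
            6, 5, 8, 6, 5, 7, 6, 4, 5, 6, 7, 5]
HOURLY = BASELINE + [6, 0, 5, 60]

# Constructed (source_ip, username) pairs; IPs are documentation ranges.
ATTEMPTS = [("203.0.113.10", "admin"),
            ("198.51.100.7", "vendor1"),
            ("203.0.113.10", "test")]
VPN_USERS = {"vendor1"}  # hypothetical name of the single VPN account

if __name__ == "__main__":
    for hour, kind in noise_changes(HOURLY):
        print(f"hour {hour}: {kind} ({HOURLY[hour]} failures)")
    for ip, user in real_account_hits(ATTEMPTS, VPN_USERS):
        print(f"failed logon for real VPN account {user!r} from {ip}")
```

Random usernames at the usual rate produce no findings; only the silent hour, the spike and the attempt against the real account are reported.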