Fortinet: Restricting SSL VPN connectivity from certain countries using firewall geography addresses (2024)

#Deep_Dive #MX3_NW_SEC #SSL_VPN

This time we'll walk through how to restrict Fortinet SSL VPN access so that only connections from certain countries are accepted.

If you need to know more about what SSL VPN is, visit the link below:

By default, SSL VPN is reachable from every public IP address on the Internet.

A normal firewall policy won't help with this, because SSL VPN traffic terminates on the FortiGate itself rather than passing through it.

Solution

From the CLI:

1) Configure a firewall address of type geography.

config firewall address
    edit "USA-GEO-IP"
        set type geography
        set country "US" <-- ISO 3166 code; only connections from the USA will match.
    next
end

If more than one country should be allowed, create one geography address per country and put them in an address group.

2) Configure a firewall address group containing the geography address(es).

config firewall addrgrp
    edit "Geo_restriction_ssl_vpn"
        set member "USA-GEO-IP"
    next
end

3) Set the firewall address group as the source-address in the SSL VPN settings.

config vpn ssl settings
    set source-address "Geo_restriction_ssl_vpn"
end

From the GUI:

1) Go to Policy & Objects -> Addresses, select 'Create new', select 'Geography' as the address Type, and select the country.

[Screenshot]

2) Once the geography address has been created, it has to be mapped in the firewall's SSL-VPN settings to restrict access.

Go to VPN -> SSL-VPN Settings, under 'Restrict Access' select 'Limit access to specific hosts', and add the geography address (or the address group) that should be allowed to access the VPN.

[Screenshot]

Note:

If any SSL VPN authentication rules have their source-address defined as "all", the globally configured source-address will not be enforced for those rules.

Make sure to remove source-address from the authentication rules, or configure an appropriate source-address from the allowed countries for each authentication rule.
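A quick way to check for the pitfall described in the note is to parse a 'show vpn ssl settings' dump and flag every authentication rule whose source-address is "all", together with a missing or "all" global source-address. The script below is an added example and is not Fortinet's or the article author's code; the dump it parses is constructed to mirror the FortiOS CLI layout, and the function names are this script's own.

```python
"""Audit a 'show vpn ssl settings' dump for authentication rules that bypass
the global geography restriction.  Added example, not Fortinet's code; the
sample dump below is constructed and the function names are this script's own."""
import shlex

# Constructed sample: the global restriction is set, but rule 2 still allows "all".
SAMPLE_DUMP = """\
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set source-interface "wan1"
    set source-address "Geo_restriction_ssl_vpn"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "sslvpn_group"
            set portal "full-access"
        next
        edit 2
            set source-address "all"
            set users "guest"
            set portal "web-access"
        next
    end
end
"""


def parse_ssl_settings(dump: str) -> dict:
    """Return {'source-address': [...] or None, 'rules': {id: {key: [values]}}}.
    Only the keys needed for the audit are kept.  The parser tracks the
    config/edit/next/end nesting so that a 'set source-address' inside an
    authentication rule is not mistaken for the global one."""
    result = {"source-address": None, "rules": {}}
    stack = []            # config sections we are currently inside
    current_rule = None   # id of the authentication-rule being read, if any
    for raw in dump.splitlines():
        tokens = shlex.split(raw.strip())   # shlex handles the quoted values
        if not tokens:
            continue
        kw = tokens[0]
        if kw == "config":
            stack.append(" ".join(tokens[1:]))
        elif kw == "edit" and stack and stack[-1] == "authentication-rule":
            current_rule = tokens[1]
            result["rules"][current_rule] = {}
        elif kw == "next":
            current_rule = None
        elif kw == "end":
            stack.pop()
        elif kw == "set" and len(tokens) >= 3:
            key, values = tokens[1], tokens[2:]
            if current_rule is not None:
                result["rules"][current_rule][key] = values
            elif stack == ["vpn ssl settings"] and key == "source-address":
                result["source-address"] = values
    return result


def audit_geo_restriction(dump: str) -> list:
    """Return human-readable findings; an empty list means every rule shown in
    the dump is covered by the geography restriction."""
    cfg = parse_ssl_settings(dump)
    findings = []
    if not cfg["source-address"] or cfg["source-address"] == ["all"]:
        findings.append("global source-address is unset or 'all': "
                        "SSL VPN is reachable from any country")
    for rule_id, rule in cfg["rules"].items():
        if rule.get("source-address") == ["all"]:
            findings.append(f"authentication-rule {rule_id}: source-address 'all' "
                            "overrides the global restriction")
    return findings


if __name__ == "__main__":
    for finding in audit_geo_restriction(SAMPLE_DUMP):
        print("FINDING:", finding)
```

Run it against the output of 'show vpn ssl settings' copied from the FortiGate; rules that set no source-address at all inherit the global value and are therefore not reported.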

Another method is to use local-in policies, which match traffic addressed to the FortiGate itself, to block connection attempts to SSL VPN from all other countries.

First, create a policy that allows SSL VPN traffic from the allowed country (the source address is a geography address created as in step 1):

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Allow US IPs Only" <-- geography address (or group) of the allowed country.
        set dstaddr "all"
        set service "SSLVPN-Port" <-- custom service object for the port used by SSL VPN.
        set schedule "always"
        set action accept
    next
end

Second, deny access from all other countries (local-in policies are matched top-down, so this entry must come after the accept entry):

config firewall local-in-policy
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "SSLVPN-Port" <-- the same custom service object for the SSL VPN port.
        set schedule "always"
        set action deny
    next
end

After this, the newly created policies are visible in the GUI.

Note that it may be necessary to enable Local-In Policy in the GUI to see these settings: System -> Feature Visibility -> check Local-In Policy and select Apply.

[Screenshot]
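The two procedures above (the geography address, group and SSL VPN source-address of steps 1-3, and the local-in policy pair) are easy to get subtly wrong when several countries or several FortiGates are involved, so it helps to generate the CLI from a list of country codes. The script below is an added example, not Fortinet's or the article author's code. It keeps the article's object names where the article gives them ("Geo_restriction_ssl_vpn", "SSLVPN-Port", "wan1"); the per-country "<CC>-GEO-IP" naming, the ISO 3166 alpha-2 format check and the policy ID parameter are this script's own assumptions.

```python
"""Emit the FortiOS CLI from this walkthrough for one or more countries.
Added example, not Fortinet's code.  Object names follow the article where it
gives them; the "<CC>-GEO-IP" naming scheme and the ISO 3166 alpha-2 check are
this script's own assumptions."""
import re

ISO2 = re.compile(r"^[A-Z]{2}$")   # 'set country' takes a two-letter ISO 3166 code


def geo_address_name(code: str) -> str:
    """Address object name for one country, e.g. 'US' -> 'US-GEO-IP' (assumed scheme)."""
    return f"{code}-GEO-IP"


def normalize_countries(countries) -> list:
    """Upper-case, validate and de-duplicate the country codes, preserving order."""
    codes = []
    for c in countries:
        code = c.strip().upper()
        if not ISO2.match(code):
            raise ValueError(f"not a two-letter ISO 3166 country code: {c!r}")
        if code not in codes:
            codes.append(code)
    if not codes:
        raise ValueError("at least one country is required")
    return codes


def build_geo_restriction(countries, group="Geo_restriction_ssl_vpn") -> str:
    """Steps 1-3: one geography address per country, an address group holding
    them, and 'config vpn ssl settings' pointing source-address at the group."""
    codes = normalize_countries(countries)
    lines = ["config firewall address"]
    for code in codes:
        lines += [f'    edit "{geo_address_name(code)}"',
                  "        set type geography",
                  f'        set country "{code}"',
                  "    next"]
    lines.append("end")
    members = " ".join(f'"{geo_address_name(c)}"' for c in codes)
    lines += ["config firewall addrgrp",
              f'    edit "{group}"',
              f"        set member {members}",
              "    next",
              "end",
              "config vpn ssl settings",
              f'    set source-address "{group}"',
              "end"]
    return "\n".join(lines) + "\n"


def build_local_in_policies(allowed_addr, intf="wan1", service="SSLVPN-Port",
                            first_id=1) -> str:
    """Alternative method: local-in policies are matched top-down, so the accept
    entry gets the lower ID and the catch-all deny follows it.  'service' must
    already exist as a custom service object for the SSL VPN port, and first_id
    must not collide with local-in policy IDs already on the device."""
    def entry(policy_id, srcaddr, action):
        return [f"    edit {policy_id}",
                f'        set intf "{intf}"',
                f'        set srcaddr "{srcaddr}"',
                '        set dstaddr "all"',
                f'        set service "{service}"',
                '        set schedule "always"',
                f"        set action {action}",
                "    next"]
    lines = (["config firewall local-in-policy"]
             + entry(first_id, allowed_addr, "accept")
             + entry(first_id + 1, "all", "deny")
             + ["end"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_geo_restriction(["US", "CA"]))
    print(build_local_in_policies("Geo_restriction_ssl_vpn"))
```

The generated text can be pasted into the FortiGate CLI as-is; the address group produced by build_geo_restriction is also a valid srcaddr for build_local_in_policies, so one list of countries drives both methods.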

Author: Aron Pacocha