#Deep_Dive #MX3_NW_SEC #SSL_VPN
This time we'll walk through how to restrict Fortinet SSL VPN access to connections from certain countries only.
If you need to know more about what the SSL VPN is, visit the link below:
By default, SSL VPN is accessible from every public IP address on the Internet.
A normal firewall policy won't help with this, because the SSL VPN service terminates on the FortiGate itself rather than being forwarded traffic.
Solution
From CLI:
1) Configure firewall address with the type geography.
config firewall address
edit "USA-GEO-IP"
set type geography
set country "US" <--- Only connections from USA country.
next
end
If there is more than one country to allow, make a group on the firewall.
2) Configure firewall address group.
config firewall addrgrp
edit "Geo_restriction_ssl_vpn"
set member "USA-GEO-IP"
next
end
3) Configure the firewall address group as the source-address under SSL VPN settings.
config vpn ssl settings
set source-address "Geo_restriction_ssl_vpn"
end
From the GUI:
2) Once the country address has been created under Addresses, the same address has to be mapped in the SSL-VPN settings to restrict access.
Go to VPN -> SSL-VPN Settings; under 'Restrict Access' select 'Limit access to specific hosts' and add the address (the geography address) that is allowed to reach the VPN.
Note:
If there are SSL VPN authentication rules that have source-address defined as "all", the globally configured source-address will not take effect, since the per-rule setting overrides it.
Make sure to remove source-address from the authentication rules, or configure appropriate source-addresses from the allowed countries for each authentication rule.
Another method is to use a local-in-policy to accept SSL VPN connections from the allowed country and block attempts from everywhere else.
First, create a policy that allows traffic from a specific country:
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Allow US IPs Only"
        set dstaddr "all"
        set service "SSLVPN-Port" <-- custom service for the port used by SSL VPN
        set schedule "always"
        set action accept
    next
end
Second, deny access from all other countries. Local-in policies are matched in order, so this deny policy must sit after the allow policy above:
config firewall local-in-policy
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "SSLVPN-Port" <-- custom service for the port used by SSL VPN
        set schedule "always"
        set action deny <-- deny is the default action, set explicitly here for clarity
    next
end
After this, the newly created policies will be visible in the GUI.
Note that the Local In Policy feature may need to be enabled in the GUI before the current settings can be viewed: System -> Feature Visibility -> check Local-In-Policy and select Apply.
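As an added example (not part of the original article), a small Python checker that parses a FortiOS config export and flags the two pitfalls above: authentication rules that still carry source-address "all", and a deny-all local-in-policy placed before the geo allow policy. The parser, the sample config and the address names in it are constructed here.

```python
import shlex
def parse_fortios(text):
    """Parse FortiOS CLI into nested dicts; insertion order equals evaluation order."""
    cur, stack = {}, []
    for parts in filter(None, map(shlex.split, text.splitlines())):
        if parts[0] in ("config", "edit"):    # open a table or a table entry
            stack.append(cur)
            cur = cur.setdefault(" ".join(parts[1:]), {})
        elif parts[0] == "set":               # attribute -> list of values
            cur[parts[1]] = parts[2:]
        elif parts[0] in ("next", "end"):     # close the current table/entry
            cur = stack.pop()
    return cur

def audit_ssl_vpn(cfg):
    """Return findings where the SSL VPN geo restriction is bypassed or shadowed."""
    findings = []
    for rid, rule in cfg.get("vpn ssl settings", {}).get("authentication-rule", {}).items():
        if rule.get("source-address") == ["all"]:
            findings.append(f"authentication-rule {rid}: source-address 'all' bypasses the global source-address")
    deny_all_seen = False
    for pid, pol in cfg.get("firewall local-in-policy", {}).items():
        action = pol.get("action", ["deny"])[0]    # local-in-policy defaults to deny
        if action == "deny" and pol.get("srcaddr") == ["all"]:
            deny_all_seen = True
        elif action == "accept" and deny_all_seen:
            findings.append(f"local-in-policy {pid}: accept rule is shadowed by an earlier deny-all")
    return findings

# Constructed sample (not from a real device): global restriction set, rule 1 still allows 'all', deny-all precedes the allow.
SAMPLE_CONFIG = """
config vpn ssl settings
    set source-address "Geo_restriction_ssl_vpn"
    config authentication-rule
        edit 1
            set source-address "all"
        next
    end
end
config firewall local-in-policy
    edit 1
        set srcaddr "all"
    next
    edit 2
        set srcaddr "USA-GEO-IP"
        set action accept
    next
end
"""
```

Run `audit_ssl_vpn(parse_fortios(open("backup.conf").read()))` against a full config backup to get both findings for the sample, and an empty list once the rules are fixed.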