Rajan_kohli
Staff
July 28, 2024

Technical Tip: How to disable SSL VPN on secondary WAN IP only



Description

This article describes how to stop SSL VPN from listening on the secondary IP addresses configured on the WAN interfaces while it keeps working on the primary WAN IP address. The same method can also be used to block SSL VPN on only one selected secondary IP address.

Scope

FortiGate.

Solution

As shown below, the FortiGate has two WAN interfaces selected in the SSL VPN configuration, and each interface has multiple IP addresses configured.


[Screenshot: Rajan_kohli_0-1722111045414.png]


To block SSL VPN on the secondary addresses, create a local-in policy that uses the secondary IPs as destination addresses and denies SSL VPN traffic to them. Because the destination is limited to the secondary IPs, SSL VPN on the primary WAN IP is not affected.


Step 1: Create a new custom service that uses the SSL VPN port.


[Screenshot: Rajan_kohli_1-1722111045418.png]


Step 2: Create an address object, or an address group, that contains the secondary IP addresses (and not the primary WAN IP).


[Screenshot: Rajan_kohli_2-1722111045421.png]


Step 3: Create a local-in policy as shown below:


[Screenshot: Rajan_kohli_3-1722111045423.png]


The action of the local-in policy is deny, so SSL VPN traffic destined to the secondary WAN IP addresses is now dropped by the local-in policy, while connections to the primary WAN IP still reach the SSL VPN service.
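The same three steps expressed in the FortiOS CLI, as an added example that is not part of the original article. The interface name wan1, the SSL VPN port 10443 and the secondary address 203.0.113.10 are assumed placeholders; use the port set under config vpn ssl settings and the secondary IPs of your own WAN interfaces.

```text
# Step 1: custom service matching the SSL VPN listening port
# (10443 is an assumed value; check "config vpn ssl settings" -> "set port")
config firewall service custom
    edit "SSLVPN-PORT"
        set tcp-portrange 10443
    next
end

# Step 2: address object for the secondary WAN IP only
# (203.0.113.10/32 is a constructed example; the primary WAN IP must not be included)
config firewall address
    edit "WAN1-SECONDARY-IP"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# Step 3: local-in policy denying SSL VPN traffic to the secondary IP.
# Traffic to the primary WAN IP does not match dstaddr and is still accepted.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "WAN1-SECONDARY-IP"
        set action deny
        set service "SSLVPN-PORT"
        set schedule "always"
        set comments "Block SSL VPN on secondary WAN IP only"
    next
end

# Verification: a connection attempt to the secondary IP should show only
# inbound SYN packets with no reply, while the primary IP still completes the handshake.
# diagnose sniffer packet wan1 'host 203.0.113.10 and port 10443' 4
```

To cover several secondary addresses, put their address objects into an address group and reference the group as dstaddr instead.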


Related article:

Technical Tip: Restrict unauthorized access on the SSL VPN service