Technical Tip: 'set source-address' in SSL VPN settings

sagha (Staff)
April 28, 2020

Description

This article describes an issue where a 'source-address' configured under 'config vpn ssl settings' does not take effect if the same parameter is also set under 'config authentication-rule'.
The source-address configured in the authentication-rule takes precedence over the global one.

Example:

config vpn ssl settings
    set source-interface "wan1"
    set source-address "Geo_restriction_ssl_vpn"
    set default-portal "Internet"
        config authentication-rule
            edit 1
                set source-interface "wan1"
                set source-address "all"
                set groups "VPN_users"
                set portal "Internet"
            next
        end
end


In the above configuration, the administrator intended that only source addresses included in 'Geo_restriction_ssl_vpn' could attempt to connect to SSL VPN. However, when users connect, the source-address 'all' configured on the authentication-rule takes precedence, so any user matching the rule can reach the portal 'Internet' regardless of source IP address; the global restriction is effectively bypassed.


Scope


FortiGate.

Solution

To restrict SSL VPN access by source address, either set the same source-address under 'config authentication-rule' (as in the configuration below), or remove the source-interface from the authentication-rule so that the rule carries no source-address of its own and the global source-address in 'config vpn ssl settings' applies.

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 444
    set source-interface "wan1"
    set source-address "Geo_restriction_ssl_vpn"
    set default-portal "Internet"
        config authentication-rule
            edit 1
                set source-interface "wan1"
                set source-address "Geo_restriction_ssl_vpn"
                set groups "VPN_users"
                set portal "Internet"
            next
        end
end


Note: Configuration of a source-address requires that a source-interface be defined first in the authentication rule settings via the CLI. Once the source interface is set, the source-address parameter becomes available for configuration.
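The following script is an added example for checking a configuration dump for exactly this mismatch; it is not Fortinet code and not part of the original article. It parses the subset of FortiOS CLI syntax that appears in an SSL VPN settings dump (config / edit / set / unset / next / end), reports every authentication-rule whose own source-address differs from the global one (the rule's value is the one enforced), and emits the CLI that copies the global source-address onto each flagged rule. The function names and the two embedded sample configurations (the article's "before" and "after") are this example's own.

```python
"""Audit a FortiOS 'config vpn ssl settings' dump for authentication-rules whose
source-address differs from the global source-address (the rule's value wins).

Added example, not Fortinet code. The parser covers only the CLI subset found
in SSL VPN settings dumps (config / edit / set / unset / next / end).
"""
import shlex

# Constructed sample: the article's "before" configuration. The rule's "all"
# silently overrides the global Geo_restriction_ssl_vpn restriction.
BEFORE_CONFIG = """\
config vpn ssl settings
    set source-interface "wan1"
    set source-address "Geo_restriction_ssl_vpn"
    set default-portal "Internet"
        config authentication-rule
            edit 1
                set source-interface "wan1"
                set source-address "all"
                set groups "VPN_users"
                set portal "Internet"
            next
        end
end
"""

# Constructed sample: the article's corrected configuration (rule matches global).
AFTER_CONFIG = BEFORE_CONFIG.replace('set source-address "all"',
                                     'set source-address "Geo_restriction_ssl_vpn"')


def parse_fortios(text):
    """Parse a FortiOS CLI fragment into nested dicts.

    'config X' and 'edit N' open a nested dict under key X / N, 'set k v...'
    stores the list of values, 'next' and 'end' close the current level.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # handles the quoted values
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw == "unset":
            stack[-1].pop(args[0], None)
        elif kw in ("next", "end"):
            stack.pop()
    return root


def audit_sslvpn_source_address(config_text):
    """Return one finding per authentication-rule whose own source-address is
    not the same set as the global one. A rule without a source-address of
    its own inherits the global value and is not reported."""
    settings = parse_fortios(config_text).get("vpn ssl settings", {})
    global_src = set(settings.get("source-address", []))
    if not global_src:
        return []                          # no global restriction to bypass
    findings = []
    for rule_id, rule in settings.get("authentication-rule", {}).items():
        rule_src = set(rule.get("source-address", []))
        if not rule_src or rule_src == global_src:
            continue
        findings.append({
            "rule": rule_id,
            "rule_source": sorted(rule_src),
            "global_source": sorted(global_src),
            # "all" on the rule while the global value is restricted means
            # the source restriction is bypassed entirely.
            "severity": "high" if "all" in rule_src else "medium",
        })
    return findings


def remediation_cli(config_text):
    """Emit the FortiOS CLI that copies the global source-address onto every
    flagged rule, i.e. the fix this article recommends."""
    settings = parse_fortios(config_text).get("vpn ssl settings", {})
    quoted = " ".join(f'"{a}"' for a in settings.get("source-address", []))
    lines = []
    for finding in audit_sslvpn_source_address(config_text):
        lines += [
            "config vpn ssl settings",
            "    config authentication-rule",
            f"        edit {finding['rule']}",
            f"            set source-address {quoted}",
            "        next",
            "    end",
            "end",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in audit_sslvpn_source_address(BEFORE_CONFIG):
        print(finding)
    print(remediation_cli(BEFORE_CONFIG))
```

Feed it the output of 'show vpn ssl settings' (or the relevant section of a full backup). A rule that is more restrictive than the global value is also reported, at medium severity, because the rule, not the global setting, is what the FortiGate enforces for that rule's users.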
