Technical Tip: SSL- VPN cannot be accessed due to geography IP blocked from specific remote user

In this scenario, FortiGate has configured to restrict SSL-VPN access from allowed GeoIP locations and the administrator wants to override this by allowing a specific banned GeoIP address to access SSL-VPN.

The banned GeoIP traffic can be seen in the debug flow outputs.

FortiGate # id=20085 trace_id=1 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 113.211.210.124:64142->10.47.18.149:10443) tun_id=0.0.0.0 from port1. flag [S], seq 3275722027, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=6003 msg="allocate a new session-0011a12b, tun_id=0.0.0.0"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2604 msg="find a route: flag=84000000 gw-10.47.18.149 via root"
id=20085 trace_id=1 func=fw_local_in_handler line=497 msg="iprope_in_check() check failed on policy 0, drop"

Verify that the GeoIP information by executing the command.

# diagnose firewall ipgeo ip2country <Ip address>

For example:

# diagnose firewall ipgeo ip2country 113.211.210.124
113.211.210.124 is in country: MY, registered country is MY, is not anycast ip.

To verify the SSL-VPN settings.

# config vpn ssl setting
       set source-interface "port1"
       set source-address "Malaysia" <-----
       set source-address-negate enable <----- GeoIP from Malaysia will be denied.

As for a workaround, applying the following configuration to override the geolocation mappings.

# config system geoip-override
    edit "AllowMY"
        set country-id "A0"
        config ip-range
            edit 1
                set start-ip 113.211.210.124
                set end-ip 113.211.210.124
            next
        end
    next

# diagnose firewall ipgeo ip2country 113.211.210.124
113.211.210.124 is in country: A0, registered country is A0, is not anycast ip.