FortiOS 7.4.6 - Geo blocking except some client devices

Question

Hi there,I am about to implement geo blocking for SSL-VPN on our FortiGate FG 500E with FortiOS 7.4.6 under "VPN / SSL-VPN settings".The countries to be allowed access are within a group object and the rule ('Limit access to specific hosts') works fine dropping all access from all other countries. BUT - we have an employee working for us from one of the blocked countries and I do not want to 'allow' this whole country. So I tried to use the MAC address of his device and put it in the group object of allowed countries. It is then possible to select the group object but when you apply the changes, the group object disappears form the Host list!?Is there a way to solve this problem: blocking SSL-VPN for a country except defined client devices? Thanks to all of you and I whish you a happy new year :)

Dhruvin_patel · Answer

Greetings!

It is not possible to allow a single user from a country that is already blocked, especially not using a MAC address.

Possible Solution:
Instead of blocking countries from forming connections through SSL VPN, you can configure the system to allow specific countries to establish connections. In this list, you can also include the public IP of the user from the blocked country, enabling them to connect.

Disable the option "source-address-negate". This option will allow the countries or IP that is part of "source-address"

set source-address-negate disable

set source-address "ALLOW_SSLVPN"

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-SSL-VPN-Connection-from-a-certain/ta-p/206883

Best Regards!

If you have found a solution, please like and accept it to make it easily accessible for others.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded