dongap3
New Member
February 24, 2026
Question

How do you configure your SSL VPN local access policies?


Currently, I am blacklisting IPs that trigger more than three unauthorized login attempts daily via the local access policy. This is causing issues where valid users are getting locked out and complaining about connectivity. Since switching to IPsec VPN would likely present the same challenge, I am considering whether we need to refine our filtering criteria or policy logic.

1 reply

akileshc
Staff
February 26, 2026

Hello Dongap3,

If you are blocking IP addresses after multiple failed SSL VPN login attempts using local-in policies, the issue you’re seeing is quite common. Many users connect from shared or dynamic public IPs (for example, ISP NAT, mobile networks, or corporate proxies).


When one user fails authentication multiple times, the same public IP may get blocked, which unintentionally affects other legitimate users. Instead of relying mainly on IP-based blocking, you may consider the following improvements:

1. Use local-in policies only where appropriate
Local-in policies work best when users connect from known, fixed public IPs, such as office locations.
For users connecting from public or dynamic networks, aggressive IP blocking can cause unnecessary lockouts.
In these cases, it is better to block only confirmed malicious IPs rather than automatically blocking based on login failures.

2. Enable Two-Factor Authentication (2FA)
Enabling 2FA adds an extra layer of protection and is one of the most effective ways to prevent unauthorized access.
Even if someone guesses a password, they still cannot log in without the second verification factor. This reduces the need to depend on IP-based blocking.

For public SSL VPN access, relying only on IP blocking can create usability issues. A better approach is to enable 2FA. This provides strong security while minimizing disruption for valid users.

Reference:
SSL VPN security best practices: https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/947829/ssl-vpn-security-best-practices
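
The lockout discussed in this thread, as an added example that is not part of either post and is not Fortinet code: it replays one day of constructed login events (an invented line format, not FortiGate's log format) through the per-IP rule from the question and through a stricter rule. The stricter rule's extra criteria (several distinct usernames failing, no successful login from the address) and all function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events for a single day (not real FortiGate log lines).
# 203.0.113.10 stands in for a shared NAT address, 198.51.100.7 for a guessing source.
SAMPLE_LOG = """\
2026-02-24T08:01:10 src=203.0.113.10 user=alice result=fail
2026-02-24T08:01:40 src=203.0.113.10 user=alice result=ok
2026-02-24T09:15:02 src=203.0.113.10 user=bob result=fail
2026-02-24T09:15:30 src=203.0.113.10 user=bob result=fail
2026-02-24T09:16:05 src=203.0.113.10 user=bob result=ok
2026-02-24T11:42:00 src=203.0.113.10 user=carol result=fail
2026-02-24T03:00:01 src=198.51.100.7 user=admin result=fail
2026-02-24T03:00:02 src=198.51.100.7 user=root result=fail
2026-02-24T03:00:03 src=198.51.100.7 user=test result=fail
2026-02-24T03:00:04 src=198.51.100.7 user=vpn result=fail
2026-02-24T03:00:05 src=198.51.100.7 user=guest result=fail
"""

def parse(log):
    """Yield (src, user, ok) for each well-formed line; skip anything else."""
    for line in log.splitlines():
        fields = dict(p.split("=", 1) for p in line.split()[1:] if "=" in p)
        if {"src", "user", "result"} <= fields.keys():
            yield fields["src"], fields["user"], fields["result"] == "ok"

def summarize(log):
    """Per source IP: failure count, distinct failing users, any successful login."""
    stats = defaultdict(lambda: {"fails": 0, "users": set(), "success": False})
    for src, user, ok in parse(log):
        s = stats[src]
        if ok:
            s["success"] = True
        else:
            s["fails"] += 1
            s["users"].add(user)
    return stats

def naive_blocklist(log, max_fails=3):
    """The rule from the question: block any IP with more than three failures."""
    return sorted(ip for ip, s in summarize(log).items() if s["fails"] > max_fails)

def refined_blocklist(log, max_fails=3, min_users=4):
    """Assumed refinement: also require many distinct usernames and no success."""
    return sorted(ip for ip, s in summarize(log).items()
                  if s["fails"] > max_fails
                  and len(s["users"]) >= min_users and not s["success"])
```

On the sample data the per-IP rule blocks the shared address as well as the guessing source, while the stricter rule blocks only the latter.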