Enzure
New Member
March 25, 2022
Question

Restrict access to VPN interface

  • March 25, 2022
  • 2 replies
  • 3923 views

Hi,

We have a FortiGate-600D.
Our main rule of the firewall is to block traffic from "Unwanted countries":


This only seems to block traffic to the SSL VPN.


Our main goal is to block traffic to the IP of the interface (or DNS name).

Currently it is possible to access the DNS/IP of the interface from any IP (despite the #1 drop unwanted countries rule).

Any ideas of how to block traffic to https://vpn.domain.com/?

Best Regards.

2 replies

sharmaj
Staff
March 25, 2022

Hi

You can map the geolocation under the source addresses of the dedicated policy you will create.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-by-country-or-geolocation/ta-p/196741

Enzure (Author)
New Member
March 25, 2022

Hi,

That policy (geolocation block) is already in place (and it's the first rule of the firewall).

So it's kinda strange that people (within the geolocation block) can access the https://vpn.domain.com/.

I'm not sure why.

Best Regards. 

sharmaj
Staff
March 25, 2022

Hi,

Can you check if the request is hitting the correct policy?

If not, we need to verify what IP is that and how FortiGate determines it.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Commands-to-verify-GeoIP-information-and/ta-p/190341

Toshi_Esumi
SuperUser
March 25, 2022

No. You have to use a local-in policy instead, because this is SSL VPN traffic "into the FGT", not coming-in and going-out VPN traffic, which is regulated by regular policies. You can use Geo IPs as source addresses to filter.
You can search on the internet with keywords like "FortiGate local-in policy geoip"; the page below came up at the top on Google.

https://conetrix.com/blog/fortigate-local-in-policies-and-geoblocking

Or, if you prefer a Fortinet KB for authenticity, this is what I could search.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restrict-VPN-access-to-certain-countries/ta-p/192328

Toshi
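As an added illustration of the local-in policy approach described in this thread (this is not configuration from the thread or from Fortinet), here is the shape it takes in the FortiOS CLI; the interface name wan1, the address object name, the placeholder country code XX and the use of the built-in HTTPS service are assumptions:

```text
# Added example, not from the thread. Assumptions: the SSL VPN listens on
# interface "wan1" on TCP 443 (use a custom service object if it listens on
# another port); "XX" is a placeholder for a real two-letter country code.
# Traffic to the SSL VPN portal terminates on the FortiGate itself, so it is
# handled by local-in policies, not by the regular firewall policy list.

config firewall address
    edit "Geo_Unwanted_XX"
        set type geography
        set country "XX"
    next
end

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Geo_Unwanted_XX"
        set dstaddr "all"
        set action deny
        set service "HTTPS"
        set schedule "always"
    next
end

# Check which country the FortiGate maps a source IP to before trusting the
# block (the same verification the KB linked earlier in the thread covers):
# diagnose firewall ipgeo ip2country <source-ip>
```

Put additional countries into further geography address objects (or an address group) and reference that group as the source; test from an address in one of the blocked countries afterwards to confirm the portal no longer answers.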