danyal
Explorer
November 13, 2024
Question

SSL VPN goes down when limiting the access


Hello,

 

I'm working on a pre-configured Fortigate firewall and seeing too many logs under VPN Events, most of them SSL VPN alerts. I realized these logs are coming from countries other than the intended country. After looking for some solutions to minimize the logs, I came across this "limit access to specific hosts" option. I tried to add my country as the hosts; however, after applying the policy, it doesn't let anyone connect to the VPN. What I'm seeing under VPN logs when a user tries to connect is "Action: tunnel-up - Reason: login successfully", and a few minutes after I'm getting this "Action: tunnel-down - Reason: User requested termination of service". Additionally, on the client side, the app doesn't even ask for a token verification and just drops the connection.

I hope someone can let me know the reason for this issue and what I should do next.

 

Secondly, I tried to revert SSL VPN to the way it was and apply the restriction under firewall policies. This time, I was able to connect to the VPN, even though it took a longer time to let me in; however, it didn't let me connect to the local services that I was supposed to have access to.

 

Just to clarify, when there is no policy at all, the VPN works just fine, but my concern is the SSL VPN alerts. Also, you may want to point out the Local In Policy. I'd say yes, there are policies there whose purposes I'm not aware of. One more thing that may or may not help is that there is a firewall policy to block some countries from accessing any interfaces, and this policy also doesn't get any hits.

 

Thank you!

4 replies

Toshi_Esumi
SuperUser
November 13, 2024

You need to share with us exactly what you configured (hopefully CLI) to let us understand why you got the result.

 

If you don't want to see those random hack attempts from around the world in the log, the only way is to use local-in-policy with geo blocking or specific subnet blocking. The firewall policies are examined after passing the local-in. If something is already configured, you need to understand what exactly it's doing to avoid a conflict with what you're intending to configure.

Toshi 

danyal (Author)
November 14, 2024

Here are the VPN settings that are currently in effect:

config vpn ssl settings
    set banned-cipher SHA1 SHA256 SHA384
    set servercert "Fortinet_Factory"
    set login-attempt-limit 3
    set login-block-time 600
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set dns-server1 *.*.*.*
    set dns-server2 *.*.*.*
    set port ***
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "tunnel-access"
    config authentication-rule
        edit 1
            set groups "SSLVPN Users"
            set portal "tunnel-access"
        next
    end
end

 

There is no user defined Local-In-Policy.

And here is the firewall policy that causes the problem when I add the country to the source address.

config firewall policy
    edit 2
        set name "SSL VPN Tunnel"
        set uuid d9ca79f2-de35-****-d5f4-*****
        set srcintf "ssl.root"
        set dstintf "lan"
        set action accept
        set srcaddr "all"                      # Stops working when changing it to a specific country
        set dstaddr "*** Subnets" "*** Subnets"
        set schedule "always"
        set service "***"                      # Some services
        set utm-status enable
        set inspection-mode proxy
        set profile-protocol-options "custom-default"
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set dnsfilter-profile "default"
        set ips-sensor "Default IPS Policy"
        set logtraffic all
        set groups "SSLVPN Users"
    next
end

 

parthpatel
Staff
November 14, 2024

Hello @danyal,

If you are looking to limit the access to specific hosts on SSL VPN, then you need to define it only under the VPN settings and not on the firewall policy.

Please review the document below, as it goes into detailed steps to apply the same:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-SSL-VPN-connectivity-from-certain/ta-p/191997

Also, you can review the best practice guide on SSL VPN, as it goes over other options to help reduce the attempts:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-SSL-VPN-best-practices-guide/ta-p/331260

danyal (Author)
December 4, 2024

Hello @parthpatel,

I would have appreciated it if you could have tried it first and then suggested it to others :)

I wish you had known that the local in policy does not accept any port number as a service.

FYI:

*service         Service object from available options.

Error message:

# set service INT_PORT_NUM/STR_PORT_NUM entry not found in datasource  value parse error before 'PORT_NUM' Command fail. Return code -3

[INT: integer, STR: string]

Also, FYI, I know how to google!

 

I'm sorry that I'm treating you this way; however, as a staff member you have to be able to address people's issues correctly, or simply not respond.

Thank you
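The two points above fit together: Toshi's advice to do the geo blocking in local-in-policy, and the "entry not found in datasource" error that appears when a bare port number is given to `set service`. Local-in-policy only accepts firewall service objects, so the port has to be wrapped in one first. The following is an added example and not configuration from this thread; it assumes the SSL VPN listens on TCP 10443 (the poster masked the real port), that the listener interface is "wan1" as in the posted settings, and that "US" stands in for the intended country code.

```text
# Added example, not from the original thread. Assumptions: SSL VPN on TCP
# 10443, listener on "wan1", "US" is a placeholder for the intended country.

# 1. Service object. local-in-policy "set service" takes an object name,
#    not a port number; passing a number is what produces
#    "entry not found in datasource ... value parse error".
config firewall service custom
    edit "SSLVPN-10443"
        set tcp-portrange 10443
    next
end

# 2. Geography address for the country that is allowed to reach the portal.
config firewall address
    edit "Geo-US"
        set type geography
        set country "US"
    next
end

# 3. Local-in policies are evaluated top-down and before any firewall policy.
#    Policy 1 admits the allowed country; policy 2 drops everyone else, but
#    only on the SSL VPN port, so other services on wan1 are unaffected.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Geo-US"
        set dstaddr "all"
        set service "SSLVPN-10443"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "SSLVPN-10443"
        set schedule "always"
        set action deny
    next
end
```

Two practical checks before relying on this: commit it from a session that does not itself come in over the SSL VPN port (otherwise a wrong country code locks you out), and confirm from an address outside the allowed country that the port no longer answers. Connections dropped here never reach the SSL VPN daemon, so they stop appearing as SSL VPN alerts; they are not "failed logins" any more, just dropped packets at the local-in stage.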

dingjerry_FTNT
Staff
December 4, 2024

Hi @danyal ,

 

I'm not sure why SSL VPN did not go down when you specified the Country address object in the SSL VPN firewall policy.

 

Did you run SSL VPN debug to collect outputs?

 

To limit the SSL VPN users by incoming source, you may configure the "source-address" setting in "config vpn ssl settings" and give that a try.

 

sjoshi
Staff
December 4, 2024

It seems like the issue with restricting access to specific hosts in SSL VPN settings might be related to the source IP addresses not being configured correctly or the Negate Source option being enabled unintentionally. This could explain why users are unable to connect or are getting disconnected shortly after logging in. When reverting to the previous configuration and applying restrictions under firewall policies, the connection works but access to local services is restricted, possibly due to misconfigured local-in policies. It's important to review and adjust the source addresses and policies to ensure proper connectivity and access control. Additionally, checking the firewall policies blocking countries and ensuring they are correctly configured could help in troubleshooting the connectivity issues and SSL VPN alerts.

Thanks, Salon
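The last two replies point at the other place the restriction can live: `source-address` under `config vpn ssl settings`, with the Negate Source option left off. The example below is added here and is not configuration from anyone in this thread; it assumes a geography address named "Geo-US" already exists, keeps the interface, pool and group names from the posted settings, and uses the placeholder names "LAN-Subnets" and "HTTPS" where the poster masked the destination and service.

```text
# Added example, not from the original thread. Assumes "Geo-US" exists as a
# geography address; "LAN-Subnets" and "HTTPS" are placeholders.

# source-address is matched against the client's public IP before the
# tunnel is built, so a geography object works here. source-address-negate
# must stay disabled: enabling it inverts the list into "everyone except
# these countries" and locks out the intended users.
config vpn ssl settings
    set source-interface "wan1"
    set source-address "Geo-US"
    set source-address-negate disable
    set source-address6 "all"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set default-portal "tunnel-access"
end

# The ssl.root -> lan policy sees the address assigned from the tunnel pool,
# not the client's public IP. A geography object as srcaddr here therefore
# matches nothing, which is why LAN access disappears when the country is put
# on this policy. Keep srcaddr on the pool (or "all") and do the geo
# restriction in the SSL VPN settings or in local-in-policy instead.
config firewall policy
    edit 2
        set name "SSL VPN Tunnel"
        set srcintf "ssl.root"
        set dstintf "lan"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN-Subnets"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set groups "SSLVPN Users"
    next
end
```

If a client still gets "tunnel-up" followed by "tunnel-down" after this, collect the debug dingjerry asked for before changing anything else: `diagnose debug application sslvpn -1` followed by `diagnose debug enable`, reproduce the connection, then `diagnose debug disable`. The output shows which check the session failed, which the event log summary does not.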