FortiGate
acp
Article Id 195838

Description

This article describes how to bind SSL VPN users/groups to specific source IP addresses for security and authentication.

 

Scope

FortiGate.

Solution

Network diagram.

Scenario 1.
User1 and User2 with Public_IP_1.

User1 of User1Group1 from PC1 with Public_IP_1 can connect to ssl_vpn.
User2 of User2Group2 from PC2 with Public_IP_1 cannot connect to ssl_vpn.

Scenario 2.
User1 and User2 with Public_IP_2.

User1 of User1Group1 from PC1 with Public_IP_2 cannot connect to ssl_vpn.
User2 of User2Group2 from PC2 with Public_IP_2 can connect to ssl_vpn.

 
  1. Users and user groups configuration.

In this example the user group is local.

  • Go to User & Device -> User.
  • Configure User1Group1 with user 'User1'.
  • Configure User2Group2 with user 'User2'.

  2. Firewall addresses configuration.

  • Create the firewall address objects Public_IP_1 and Public_IP_2 for the two public IP addresses used in the scenarios.

  3. Create an SSL VPN portal.

  • Go to VPN -> SSL -> Portals.
  • Configure the portal 'full-access-1'.

  4. Configure SSL VPN connection settings.

  • Go to VPN -> SSL -> Settings.
  • Select the listen external interface and the listen port.
  • Restrict access to SSL VPN to the public IP addresses previously defined (Public_IP_1, Public_IP_2).
  • Associate users/groups with the SSL VPN portals.

Note:
So far the address groups have been associated with the portal, but there is no exclusive restriction by public IP yet: User1 can access from both 'Public_IP_1' and 'Public_IP_2'.

The following CLI-only configuration of authentication-rule under the VPN SSL settings provides the requested behavior.

  • Go to the CLI via SSH and specify source-interface (port3 only in this case) and source-address per authentication rule.

config vpn ssl settings
    config authentication-rule
        edit 1
            set source-interface "port3"
            set source-address "Public_IP_1"
            set groups "User1Group1"
            set portal "full-access-1"
        next
        edit 2
            set source-interface "port3"
            set source-address "Public_IP_2"
            set groups "User2Group2"
            set portal "full-access-1"
        next
    end
end
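To check such a rule set outside the GUI, here is an added Python example (not from the article or from Fortinet): it parses the authentication-rule block above and evaluates which portal, if any, each login from the two scenarios would get. The address-object values and group membership are assumptions, since the article does not list them.

```python
import ipaddress
import re

# Constructed sample (the article's rule block); address values and group membership are assumed.
AUTH_RULES_CLI = """
config vpn ssl settings
    config authentication-rule
        edit 1
            set source-interface "port3"
            set source-address "Public_IP_1"
            set groups "User1Group1"
            set portal "full-access-1"
        next
        edit 2
            set source-interface "port3"
            set source-address "Public_IP_2"
            set groups "User2Group2"
            set portal "full-access-1"
        next
    end
end
"""
ADDRESS_OBJECTS = {"Public_IP_1": "198.51.100.10/32", "Public_IP_2": "203.0.113.20/32"}
GROUP_MEMBERS = {"User1Group1": {"User1"}, "User2Group2": {"User2"}}

def parse_authentication_rules(cli):
    """One dict per 'edit N ... next' entry; every setting becomes a list of quoted names."""
    block = cli.split("config authentication-rule", 1)[1]
    rules = []
    for m in re.finditer(r"edit (\d+)(.*?)\bnext\b", block, re.S):
        rule = {"id": int(m.group(1))}
        for key, rest in re.findall(r"set ([\w-]+) (.*)", m.group(2)):
            rule[key] = re.findall(r'"([^"]*)"', rest)
        rules.append(rule)
    return rules

def matching_portal(rules, user, src_ip, interface):
    """Portal granted to this login, or None if no rule binds group, source address and interface."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if interface not in r.get("source-interface", []):
            continue
        # An unknown object name (e.g. a stray space inside the quotes) raises KeyError on purpose.
        nets = [ipaddress.ip_network(ADDRESS_OBJECTS[n]) for n in r["source-address"]]
        if not any(ip in net for net in nets):
            continue
        if not any(user in GROUP_MEMBERS.get(g, set()) for g in r["groups"]):
            continue
        return r["portal"][0]
    return None
```

Running it against the two scenarios reproduces the intended outcome: User1 only gets the portal from Public_IP_1 and User2 only from Public_IP_2.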

 

  5. Configure policy.

  Go to Policy & Objects -> Policy -> IPv4.


Test 1.
Try to log in from Public_IP_1 with User1 and User2.

Test 2.
Try to log in from Public_IP_2 with User1 and User2.