Author: MisbaN (Staff)
Article Id 389989
Description: This article describes how to block remote users from accessing internal resources, such as servers, outside office hours.
Scope: FortiGate.
Solution:

The goal is to restrict remote users from reaching resources on the internal network outside office hours. It can be achieved in two ways:

  1. Block all connections from FortiClient remote users outside office hours, so the SSL VPN tunnel itself cannot be established.
  2. Allow the tunnel but block the traffic from remote users to the internal resources outside office hours.

Configure SSL VPN first by following this guide: FortiGate 7.0.6 SSL VPN

In this example, SSL VPN will only be accessible Monday to Friday from 09:00 AM to 06:00 PM and will be blocked outside those business hours.

 

Configure two recurring schedules, one for the weekday off-hours and one for the weekends, and add both to a schedule group that the firewall policy will reference.

CLI:

config firewall schedule recurring
    edit "DENY-OFF-BH-MON-FRI"
        set start 18:01
        set end 08:59
        set day monday tuesday wednesday thursday friday
    next
    edit "DENY-OFF-BH-SAT-SUN"
        set day sunday saturday
    next
end

config firewall schedule group
    edit "Schedule the Firewall Policy"
        set member "DENY-OFF-BH-MON-FRI" "DENY-OFF-BH-SAT-SUN"
    next
end

GUI:

[Image: schedule.png, the same schedules configured in the GUI]

For situation 1:
A firewall policy from the ssl.root interface to the WAN interface is expected to exist, as shown in the image below:

[Image: pic2 duplicat.jpg, firewall policy from ssl.root to WAN]

 

Change the policy's Schedule from 'Always' to 'Schedule the Firewall Policy'. That blocks the FortiClient user from connecting to the FortiGate while the schedule is active.

Result:

Users are unable to connect to the FortiGate using FortiClient.

 

For situation 2:
A firewall policy from the ssl.root interface to the LAN interface (the internal resources) is expected to exist, as shown in the image below. The image shows the firewall policy created from ssl.root to the local subnet (LAN / internal resource).

 

[Image: pic4.jpg, firewall policy from ssl.root to the local subnet]

As shown, the policy for traffic from ssl.root to the local subnet for the Test group now carries the schedule.

Results:

Users are not able to access the resource, even when connected to the FortiGate using FortiClient.

[Image: pic5.jpg, failed access to the internal resource over SSL VPN]


To confirm that the traffic is being blocked, run a packet capture filtered on the SSL VPN IP pool and ICMP.
The capture shows the SSL VPN traffic arriving and the user trying to ping the local resource, but no reply to the pings.

It is therefore possible to conclude that the traffic to the internal resources is being blocked.

[Image: pic6.jpg, packet capture showing ICMP requests without replies]
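To sanity-check the two schedules before attaching them to a policy, here is an added Python model written for this article (example code, not Fortinet's or FortiOS's own). It evaluates the schedule group from the CLI section and the deny-above-accept policy order of situation 2 for any timestamp, and walks a full week to list the off-hours minutes that the group does not cover. It assumes FortiGate's recurring-schedule semantics that an entry whose end time is earlier than its start time runs on into the next day and that the default 00:00 to 00:00 means the whole day; the policy names DENY-OFF-BH and SSLVPN-TO-LAN and the helper at() are assumptions as well. Confirm the semantics on the firmware in use before relying on the result.

```python
from datetime import datetime, time, timedelta

# Added example, not Fortinet's code. Models the two recurring schedules from
# the article so their weekly coverage can be checked offline.
# Assumed FortiGate recurring-schedule semantics (not stated in the article):
#   * start == end (the default 00:00 / 00:00) means the whole listed day;
#   * end earlier than start means the window runs on into the next day.

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


class RecurringSchedule:
    """One 'config firewall schedule recurring' entry."""

    def __init__(self, name, days, start="00:00", end="00:00"):
        self.name = name
        self.days = set(days)
        self.start = time.fromisoformat(start)
        self.end = time.fromisoformat(end)

    def is_active(self, when):
        t = when.time()
        today_listed = DAYS[when.weekday()] in self.days
        if self.start == self.end:                      # all-day entry
            return today_listed
        if self.start < self.end:                       # window within one day
            return today_listed and self.start <= t <= self.end
        # Window crosses midnight: evening part on the listed day ...
        if today_listed and t >= self.start:
            return True
        # ... and the early-morning part belongs to the previous listed day.
        yesterday = when - timedelta(days=1)
        return DAYS[yesterday.weekday()] in self.days and t <= self.end


class ScheduleGroup:
    """'config firewall schedule group': active when any member is active."""

    def __init__(self, name, members):
        self.name = name
        self.members = members

    def is_active(self, when):
        return any(m.is_active(when) for m in self.members)


ALWAYS = RecurringSchedule("always", DAYS)   # FortiGate's built-in 'always'

# The two schedules exactly as the article defines them.
OFF_HOURS = ScheduleGroup("Schedule the Firewall Policy", [
    RecurringSchedule("DENY-OFF-BH-MON-FRI",
                      ["monday", "tuesday", "wednesday", "thursday", "friday"],
                      start="18:01", end="08:59"),
    RecurringSchedule("DENY-OFF-BH-SAT-SUN", ["saturday", "sunday"]),
])

# Assumed policy order for situation 2: a deny policy carrying the schedule
# group sits above the normal accept policy (hypothetical policy names).
POLICIES = [
    {"name": "DENY-OFF-BH", "action": "deny", "schedule": OFF_HOURS},
    {"name": "SSLVPN-TO-LAN", "action": "accept", "schedule": ALWAYS},
]


def at(day, hhmm):
    """Datetime for a weekday name and HH:MM inside a reference week (Jan 2024)."""
    base = datetime(2024, 1, 1) + timedelta(days=DAYS.index(day))   # Jan 1 2024 is a Monday
    hour, minute = (int(x) for x in hhmm.split(":"))
    return base.replace(hour=hour, minute=minute)


def evaluate_policies(when, policies=POLICIES):
    """Return (policy name, action) of the first policy whose schedule is active."""
    for policy in policies:
        if policy["schedule"].is_active(when):
            return policy["name"], policy["action"]
    return None, "implicit-deny"


def uncovered_off_hours(group, business_start=time(9, 0), business_end=time(18, 0)):
    """Walk one week minute by minute and report off-hours minutes the group does
    not cover, as {day: (first uncovered HH:MM, last uncovered HH:MM)}."""
    gaps = {}
    for minute in range(7 * 24 * 60):
        when = at("monday", "00:00") + timedelta(minutes=minute)
        day = DAYS[when.weekday()]
        in_business = when.weekday() < 5 and business_start <= when.time() <= business_end
        if in_business or group.is_active(when):
            continue
        hhmm = when.strftime("%H:%M")
        first, _ = gaps.get(day, (hhmm, hhmm))
        gaps[day] = (first, hhmm)
    return gaps


if __name__ == "__main__":
    for probe in (at("wednesday", "12:00"), at("wednesday", "20:00"), at("monday", "08:30")):
        print(probe.strftime("%A %H:%M"), evaluate_policies(probe))
    print("off-hours minutes not covered by the group:", uncovered_off_hours(OFF_HOURS))
```

Under the assumed semantics the weekday entry only starts at 18:01 on Monday and the weekend entry ends with Sunday, so the model reports Monday 00:00 to 08:59 as an off-hours window the group does not cover. If the unit behaves the same way, extend the weekend entry to include Monday mornings or add a third recurring entry for that window.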

 

Related articles:
Technical Tip: How to permit temporary access to a site during a particular time slot

Technical Tip: Configuring a Firewall Policy which is valid only at certain days or hours by using a...