Technical Tip: Blocking Geolocations for SSL VPN and management access via local in policy

FortiGate

FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.

Article Id 268710

Description

This article shows how to block geolocations for SSL-VPN and management access with a local policy.

Scope

 FortiGate v6.x.x and v7.x.x.

Solution

Create a geolocation-based address object to block. Navigate to Policy & Objects -> Addresses and create a new address.

Go to the CLI and configure a local policy as shown in the picture below. For srcaddr, supply the name of the address created in step 1.

local in policy.PNG

The name of the address created above is 'china', so the following configuration is used in this example:

config firewall local-in-policy
edit 1
set intf "any"
set srcaddr "china"
set dstaddr "all"
set action "deny"
set service ALL
set schedule "always"
set status "enable"
end

Note: Starting from FortiGate v7.6.0, the Local-in-Policy can now be also configured in the GUI. Refer to this document for reference: Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI.

7889

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Technical Tip: Blocking Geolocations for SSL VPN and management access with a local in policy

You are leaving our website