FortiGate
Rajan_kohli
Staff
Article Id 268710
Description

This article shows how to block geolocations for SSL-VPN and management access with a local policy.

Scope: FortiGate v6.x.x and v7.x.x.
Solution
  1. Create a geolocation-based address object to block. Navigate to Policy & Objects -> Addresses, create a new address, set its Type to Geography and select the country to block.

[Image: address.PNG]

  2. Go to the CLI and configure a local-in policy as shown below. For srcaddr, supply the name of the address created in step 1.

[Image: local in policy.PNG]

 

The name of the address created above is 'china', so the following configuration is used in this example:

 

config firewall local-in-policy
    edit 1
        set intf "any"
        set srcaddr "china"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
        set status enable
    next
end

This entry denies every service destined to the FortiGate itself (SSL-VPN, HTTPS/SSH management, and so on) when the source IP falls in the 'china' geography address, on every interface. The 'next' line is required to save the entry before 'end'; without it the policy is not committed.
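The same procedure done entirely from the CLI, including the geography address from step 1 and the commands used to verify that the block works. This is an added example, not part of the original article: the address name 'china', the policy ID 1 and the test client IP 203.0.113.10 (a documentation-range placeholder, substitute the real public IP of the client you are testing) are assumptions.

```fortios
# Step 1: geography address. Country codes are two-letter ISO 3166 codes;
# the match relies on the FortiGuard geo-IP database being installed and current.
config firewall address
    edit "china"
        set type geography
        set country "CN"
        set comment "Geo address referenced by local-in-policy 1 (assumed name)"
    next
end

# Step 2: local-in policy that drops traffic addressed to the FortiGate itself
# (SSL-VPN, admin HTTPS/SSH, etc.) when the source matches the geography address.
config firewall local-in-policy
    edit 1
        set intf "any"
        set srcaddr "china"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
        set status enable
    next
end

# Verification: confirm the policy is committed and how the geo-IP database
# classifies the client address you are about to test with.
show firewall local-in-policy
diagnose geoip ip2country 203.0.113.10

# Trace the test client's connection attempt to the SSL-VPN or admin port;
# a blocked packet should be dropped by the local-in policy rather than
# reaching the SSL-VPN daemon or the management service.
diagnose debug flow filter addr 203.0.113.10
diagnose debug enable
diagnose debug flow trace start 10
# ... attempt the connection from the client, then stop the trace ...
diagnose debug flow trace stop
diagnose debug disable
```

Local-in policies are evaluated top-down, so if you later switch from a block-list to an allow-list (accept entries for permitted countries followed by a deny entry), add the accept entries first and test management access from a trusted host before committing the deny, to avoid locking yourself out.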

 

Notes:

  • Starting from FortiGate v7.6.0, the Local-in-Policy can also be configured in the GUI. Refer to this document for reference: Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI.
  • Once a VPN client is connected, its traffic cannot be restricted by geography in a regular firewall policy, because packets leaving the tunnel carry the private tunnel IP assigned to the client, not the client's public source IP. The country check therefore has to happen before the tunnel is established, which is what the local-in policy does.

 

Related documents:
Technical Tip: Restricting/Allowing access to the FortiGate SSL-VPN from specific countries or IP ad...
Technical Tip: Restricting SSL VPN connectivity from certain countries using firewall geography addr...
Technical Tip: Debug flow tool
Local-in policies
Technical Tip: Restrict unauthorized access on the SSL VPN service