FortiGate
auppal
Staff
Article Id 339998
Description

This article describes how to block access to a group of malicious IPs that belong to a country which is allowed through the geo-block policy in the SSL VPN settings.

For example, a malicious IP address x.x.x.x located in the US may be allowed if the Geo address object 'United States' is allowed in the SSL VPN configuration.

Scope

FortiOS.

Solution

  1. Create an IP address threat feed to keep a list of malicious IP addresses (see: IP address threat feed).

config system external-resource
    edit "Blocklist"
        set type address
        set resource "http://x.x.x.x/blocklist.txt"
    next
end

Note:
A threat feed is one method for maintaining a list of IP addresses. Alternatively, a manual address group with malicious IPs can be created for this configuration. Malicious IPs can be identified through VPN event logs, which show frequent failed SSL VPN login attempts repeatedly from specific sources. The VPN event logs can be filtered with 'Message: SSL user failed to log in' or 'Action: ssl-login-fail'.

  2. Create a geography-based address object for the US.

config firewall address
    edit "United States"
        set type geography
        set country "US"
    next
end

  3. Create local-in policies to allow only the US for SSL VPN and deny connections coming from all other countries. Note: Starting from FortiGate v7.6.0, the Local-in-Policy can also be configured in the GUI. Refer to this document for reference: Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI.

config firewall local-in-policy
    edit 2
        set uuid ff594706-6161-51ef-6747-b818bd1a8480
        set intf "wan1"
        set srcaddr "United States"
        set dstaddr "all"
        set action accept
        set service "8443"    <- Port on which SSL-VPN is listening
        set schedule "always"
    next
    edit 3
        set uuid 3cf916b0-6165-51ef-19c0-b20289c0416a
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny       <- deny is the default action; shown here explicitly
        set service "8443"
        set schedule "always"
    next
end

Local-in policies are evaluated in order, so the accept policy for the US (edit 2) must come before the deny-all policy (edit 3).

  4. Using source-address-negate in the SSL VPN settings allows all other IPs except the IPs present in the threat feed configured in Step 1.

config vpn ssl settings
    set banned-cipher SHA1 SHA256 SHA384
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 8443
    set source-interface "wan1"
    set source-address "Blocklist"
    set source-address-negate enable
    set default-portal "No Access"
end

Result:
All the IPs that are from the United States and are NOT part of the 'Blocklist' threat feed are allowed to connect to the SSL VPN.
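The note in Step 1 says candidate IPs can be harvested from VPN event logs filtered on 'ssl-login-fail' or 'SSL user failed to log in'. The script below is an added example, not part of this article and not a Fortinet tool: it parses constructed FortiOS-style key=value log lines, counts failures per source address (remip), and writes the one-IP-per-line body that the external-resource feed in Step 1 fetches. The sample lines, the exact field set and the failure threshold are assumptions modelled on the FortiOS log format.

```python
import re
from collections import Counter

# Constructed FortiOS-style VPN event log lines (key=value syslog format).
# Sample data for this example only, not logs taken from the article.
def _fail_lines(ip, count):
    return [
        f'date=2024-09-10 time=10:00:{i:02d} type="event" subtype="vpn" level="alert" '
        f'vd="root" action="ssl-login-fail" tunneltype="ssl-web" remip={ip} user="admin" '
        f'reason="sslvpn_login_unknown_user" msg="SSL user failed to log in"'
        for i in range(count)
    ]

SAMPLE_LOGS = (
    _fail_lines("203.0.113.5", 6)          # persistent brute-force source
    + _fail_lines("198.51.100.7", 2)       # a couple of typos, below threshold
    + ['date=2024-09-10 time=10:01:00 type="event" subtype="vpn" level="information" '
       'vd="root" action="tunnel-up" tunneltype="ssl-tunnel" remip=192.0.2.9 user="alice" '
       'msg="SSL tunnel established"']     # successful login, must not be counted
    + ['date=2024-09-10 time=10:01:30 type="event" subtype="system" level="alert" '
       'vd="root" action="login" status="failed" srcip=198.51.100.7 user="admin" '
       'msg="Administrator admin login failed"']   # admin GUI/SSH event, not SSL VPN
)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_log_line(line):
    """Split a FortiOS key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def failed_logins_by_source(lines):
    """Count SSL VPN login failures per source IP, using the two filters the
    article names: action=ssl-login-fail or the 'SSL user failed to log in' message."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("subtype") != "vpn" or "remip" not in rec:
            continue
        if rec.get("action") == "ssl-login-fail" or rec.get("msg") == "SSL user failed to log in":
            counts[rec["remip"]] += 1
    return counts

def build_blocklist(lines, threshold=5):
    """Return the threat-feed body for Step 1: one IPv4 address per line, only for
    sources at or above the failure threshold (the threshold is an arbitrary choice)."""
    counts = failed_logins_by_source(lines)
    ips = sorted(ip for ip, n in counts.items() if n >= threshold)
    return "".join(ip + "\n" for ip in ips)

if __name__ == "__main__":
    print(build_blocklist(SAMPLE_LOGS), end="")
```

Serve the returned text as blocklist.txt on the web server referenced by the external-resource object; because the local-in policies already drop non-US sources, only the US addresses in this list change the outcome.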