Description
This article describes how to allow specific countries and block specific IPs located in the same country from accessing SSL VPN.
Scope
FortiGate, SSL VPN.
Solution
In this example, only IP addresses from the Philippines are allowed to access SSL VPN, but specific IP addresses located in the Philippines must still be blocked.
The basic configuration of SSL VPN is described in the related document SSL VPN split tunnel for remote user.
- Create an Address Object for each IP address located in the Philippines that should be blocked. An Address Group for these objects makes the configuration easier to maintain.
config firewall address
edit "Blocked_PH_1"
set subnet 120.28.65.X 255.255.255.255
next
end
config firewall addrgrp
edit "BLOCKED_IP_PHILIPPINES"
set member "Blocked_PH_1"
next
end
- Create an Address Object for the IP address of the external interface.
config firewall address
edit "FGT_EXTERNAL_IP"
set subnet X.X.X.X 255.255.255.255 <----- This is the IP address configured on the WAN interface.
next
end
- Create a GeoIP Address Object for the Philippines:
config firewall address
edit "Geo_Philippines"
set type geography
set country "PH"
next
end
- Create a Service object for the SSL VPN TCP port.
config firewall service custom
edit "SSLVPN_PORT"
set tcp-portrange <#TCP PORT#>
next
end
- Create local-in policies to deny the specific IPs, allow the remaining IPs from the Philippines, and deny all other countries. Local-in policies are evaluated top-down and the first match wins, so the deny for the specific IPs must be placed before the GeoIP allow. The policy IDs 1, 2 and 3 below are the ones that appear in the debug flow output under Result.
config firewall local-in-policy
edit 1
set intf "<External_Interface_For SSLVPN>" <----- Deny specific IPs from the Philippines.
set srcaddr "BLOCKED_IP_PHILIPPINES"
set dstaddr "FGT_EXTERNAL_IP"
set service "SSLVPN_PORT"
set action deny <----- deny is the default action; it is set explicitly here for readability.
set schedule "always"
next
edit 2
set intf "<External_Interface_For SSLVPN>" <----- Allow other IPs from the Philippines.
set srcaddr "Geo_Philippines"
set dstaddr "FGT_EXTERNAL_IP"
set service "SSLVPN_PORT"
set action accept
set schedule "always"
next
edit 3
set intf "<External_Interface_For SSLVPN>" <----- Deny all other countries.
set srcaddr "all"
set dstaddr "FGT_EXTERNAL_IP"
set service "SSLVPN_PORT"
set action deny
set schedule "always"
next
end
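The ordering rule matters more than any single policy, so the following added example (not Fortinet code, and not part of the original article) models first-match evaluation of the three local-in policies in Python. The GeoIP table, the host IP in "Blocked_PH_1" and the country of the third prefix are constructed assumptions standing in for the FortiGate GeoIP database; dstaddr and service are identical in all three policies and are therefore left out of the model. The example also evaluates the same policies with the GeoIP allow placed first, to show that the specific block is then shadowed.

```python
"""Model of first-match local-in policy evaluation (added example, not FortiOS code)."""
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the FortiGate GeoIP database: prefix -> ISO country code.
# Real GeoIP data is far larger; these entries are assumptions for the demo only.
GEOIP_TABLE = {
    ipaddress.ip_network("120.28.0.0/16"): "PH",
    ipaddress.ip_network("103.141.203.0/24"): "PH",
    ipaddress.ip_network("211.25.131.0/24"): "XX",  # assumed non-PH country
}


def country_of(ip):
    """Return the country code for ip from the constructed table, or None."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP_TABLE.items():
        if addr in net:
            return cc
    return None


# Address objects named as in the article; the /32 host is a constructed value.
ADDRESS_OBJECTS = {
    "BLOCKED_IP_PHILIPPINES": ("subnet", [ipaddress.ip_network("120.28.65.10/32")]),
    "Geo_Philippines": ("geography", "PH"),
    "all": ("subnet", [ipaddress.ip_network("0.0.0.0/0")]),
}


def matches(obj_name, ip):
    """True if the address object obj_name matches the source ip."""
    kind, value = ADDRESS_OBJECTS[obj_name]
    addr = ipaddress.ip_address(ip)
    if kind == "subnet":
        return any(addr in net for net in value)
    if kind == "geography":
        return country_of(ip) == value
    raise ValueError(f"unknown address object type {kind}")


@dataclass
class Policy:
    id: int
    srcaddr: str   # address object name
    action: str    # "accept" or "deny"


def evaluate(policies, src_ip):
    """Return (policy_id, action) of the first matching policy.

    Local-in evaluation stops at the first match; with no match the
    packet is dropped, modelled here as (None, "deny").
    """
    for p in policies:
        if matches(p.srcaddr, src_ip):
            return p.id, p.action
    return None, "deny"


# Order as configured in the article: specific deny, GeoIP allow, deny the rest.
ARTICLE_ORDER = [
    Policy(1, "BLOCKED_IP_PHILIPPINES", "deny"),
    Policy(2, "Geo_Philippines", "accept"),
    Policy(3, "all", "deny"),
]

# Same policies with the GeoIP allow first: the specific deny is never reached.
SHADOWED_ORDER = [ARTICLE_ORDER[1], ARTICLE_ORDER[0], ARTICLE_ORDER[2]]


if __name__ == "__main__":
    for ip in ("120.28.65.10", "103.141.203.5", "211.25.131.7"):
        print(ip, country_of(ip), "article order:", evaluate(ARTICLE_ORDER, ip),
              "shadowed order:", evaluate(SHADOWED_ORDER, ip))
```

Running the block prints, for each constructed source IP, the matched policy and action under both orderings; the blocked host is denied by policy 1 in the article's order but accepted by the GeoIP policy when that policy is placed first.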
Result:
- The SSL VPN connection from IP 120.28.X.X (located in the Philippines) is denied: the SYN packet was received by the FortiGate, but it did not reply and silently dropped the packet.
2024-06-20 13:13:53.182305 port1 in 120.28.65.X.62271 -> 10.47.3.225.10443: syn 4241435653
2024-06-20 13:13:53.434265 port1 in 120.28.65.X.62274 -> 10.47.3.225.10443: syn 144891049
2024-06-20 13:13:54.184825 port1 in 120.28.65.X.62271 -> 10.47.3.225.10443: syn 4241435653
id=65308 trace_id=111 func=iprope_access_proxy_check line=439 msg="in-[port1], out-[], skb_flags-02000000, vid-0"
id=65308 trace_id=111 func=__iprope_check line=2281 msg="gnum-100017, check-000000002cb7b081"
id=65308 trace_id=111 func=iprope_policy_group_check line=4703 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=111 func=iprope_in_check line=472 msg="in-[port1], out-[], skb_flags-02000000, vid-0"
id=65308 trace_id=111 func=__iprope_check line=2281 msg="gnum-100011, check-00000000b3d55921"
id=65308 trace_id=111 func=iprope_policy_group_check line=4703 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=111 func=__iprope_check line=2281 msg="gnum-100001, check-000000002cb7b081"
id=65308 trace_id=111 func=__iprope_check_one_policy line=2033 msg="checked gnum-100001 policy-1, ret-matched, act-accept"
id=65308 trace_id=111 func=__iprope_user_identity_check line=1807 msg="ret-matched"
id=65308 trace_id=111 func=__iprope_check_one_policy line=2251 msg="policy-1 is matched, act-drop"
id=65308 trace_id=111 func=__iprope_check line=2298 msg="gnum-100001 check result: ret-matched, act-drop, flag-08010000, flag2-00000000"
id=65308 trace_id=111 func=iprope_policy_group_check line=4703 msg="after check: ret-matched, act-drop, flag-08010000, flag2-00000000"
id=65308 trace_id=111 func=fw_local_in_handler line=615 msg="iprope_in_check() check failed on policy 1, drop"
- The SSL VPN connection from another IP (103.141.203.X), also located in the Philippines, is accepted, and the three-way handshake completes.
2024-06-20 13:11:28.387677 port1 in 103.141.203.X.62192 -> 10.47.3.225.10443: syn 1788922158
2024-06-20 13:11:28.387844 port1 out 10.47.3.225.10443 -> 103.141.203.X.62192: syn 1149106797 ack 1788922159
2024-06-20 13:11:28.448439 port1 in 103.141.203.X.62192 -> 10.47.3.225.10443: ack 1149106798
id=65308 trace_id=144 func=iprope_in_check line=472 msg="in-[port1], out-[], skb_flags-02000000, vid-0"
id=65308 trace_id=144 func=__iprope_check line=2281 msg="gnum-100011, check-00000000b3d55921"
id=65308 trace_id=144 func=iprope_policy_group_check line=4703 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=144 func=__iprope_check line=2281 msg="gnum-100001, check-000000002cb7b081"
id=65308 trace_id=144 func=__iprope_check_one_policy line=2033 msg="checked gnum-100001 policy-1, ret-no-match, act-accept"
id=65308 trace_id=144 func=__iprope_check_one_policy line=2033 msg="checked gnum-100001 policy-2, ret-matched, act-accept"
id=65308 trace_id=144 func=__iprope_user_identity_check line=1807 msg="ret-matched"
id=65308 trace_id=144 func=__iprope_check_one_policy line=2251 msg="policy-2 is matched, act-accept"
id=65308 trace_id=144 func=__iprope_check line=2298 msg="gnum-100001 check result: ret-matched, act-accept, flag-08010000, flag2-00000000"
id=65308 trace_id=144 func=iprope_policy_group_check line=4703 msg="after check: ret-matched, act-accept, flag-08010000, flag2-00000000"
id=65308 trace_id=144 func=__iprope_check line=2281 msg="gnum-10000e, check-000000002cb7b081"
id=65308 trace_id=144 func=__iprope_check_one_policy line=2033 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
id=65308 trace_id=144 func=__iprope_check_one_policy line=2033 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
id=65308 trace_id=144 func=__iprope_check_one_policy line=2033 msg="checked gnum-10000e policy-4294967295, ret-matched, act-accept"
id=65308 trace_id=144 func=__iprope_check_one_policy line=2251 msg="policy-4294967295 is matched, act-accept"
id=65308 trace_id=144 func=__iprope_check line=2298 msg="gnum-10000e check result: ret-matched, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=144 func=iprope_policy_group_check line=4703 msg="after check: ret-matched, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=144 func=ip_session_confirm_final line=3113 msg="npu_state=0x0, hook=1"
- The SSL VPN connection from IP 211.25.131.X, located in another country, is denied: the SYN packet was received by the FortiGate, but it did not reply and silently dropped the packet.
2024-06-20 13:22:47.658506 port1 in 211.25.131.X.62528 -> 10.47.3.225.10443: syn 2112400225
2024-06-20 13:22:47.915240 port1 in 211.25.131.X.62529 -> 10.47.3.225.10443: syn 662384382
2024-06-20 13:22:48.674259 port1 in 211.25.131.X.62528 -> 10.47.3.225.10443: syn 2112400225
id=65308 trace_id=101 func=iprope_in_check line=472 msg="in-[port1], out-[], skb_flags-02000000, vid-0"
id=65308 trace_id=101 func=__iprope_check line=2281 msg="gnum-100011, check-00000000b3d55921"
id=65308 trace_id=101 func=iprope_policy_group_check line=4703 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=101 func=__iprope_check line=2281 msg="gnum-100001, check-000000002cb7b081"
id=65308 trace_id=101 func=__iprope_check_one_policy line=2033 msg="checked gnum-100001 policy-1, ret-no-match, act-accept"
id=65308 trace_id=101 func=__iprope_check_one_policy line=2033 msg="checked gnum-100001 policy-2, ret-no-match, act-accept"
id=65308 trace_id=101 func=__iprope_check_one_policy line=2033 msg="checked gnum-100001 policy-3, ret-matched, act-accept"
id=65308 trace_id=101 func=__iprope_user_identity_check line=1807 msg="ret-matched"
id=65308 trace_id=101 func=__iprope_check_one_policy line=2251 msg="policy-3 is matched, act-drop"
id=65308 trace_id=101 func=__iprope_check line=2298 msg="gnum-100001 check result: ret-matched, act-drop, flag-08010000, flag2-00000000"
id=65308 trace_id=101 func=iprope_policy_group_check line=4703 msg="after check: ret-matched, act-drop, flag-08010000, flag2-00000000"
id=65308 trace_id=101 func=fw_local_in_handler line=615 msg="iprope_in_check() check failed on policy 3, drop"
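Reading these debug flow traces by hand is error-prone, because the same trace also walks other policy groups (gnum-10000e, for instance) that report their own matches. The following added example (not Fortinet code, and not part of the original article) parses lines in the format shown above, groups them by trace_id, and reports the local-in verdict from the gnum-100001 group, which is the group in which the three local-in policies are evaluated in the output above. The sample lines are a subset of the traces shown on this page; the treatment of gnum-100001 as the local-in group is an assumption drawn from that output.

```python
"""Summarise FortiGate local-in verdicts from debug flow lines (added example)."""
import re
from collections import defaultdict

# Sample input: a subset of the debug flow lines shown in this article.
SAMPLE_FLOW = """\
id=65308 trace_id=111 func=iprope_in_check line=472 msg="in-[port1], out-[], skb_flags-02000000, vid-0"
id=65308 trace_id=111 func=__iprope_check line=2281 msg="gnum-100001, check-000000002cb7b081"
id=65308 trace_id=111 func=__iprope_check_one_policy line=2033 msg="checked gnum-100001 policy-1, ret-matched, act-accept"
id=65308 trace_id=111 func=__iprope_check_one_policy line=2251 msg="policy-1 is matched, act-drop"
id=65308 trace_id=111 func=__iprope_check line=2298 msg="gnum-100001 check result: ret-matched, act-drop, flag-08010000, flag2-00000000"
id=65308 trace_id=111 func=fw_local_in_handler line=615 msg="iprope_in_check() check failed on policy 1, drop"
id=65308 trace_id=144 func=iprope_in_check line=472 msg="in-[port1], out-[], skb_flags-02000000, vid-0"
id=65308 trace_id=144 func=__iprope_check line=2281 msg="gnum-100001, check-000000002cb7b081"
id=65308 trace_id=144 func=__iprope_check_one_policy line=2033 msg="checked gnum-100001 policy-1, ret-no-match, act-accept"
id=65308 trace_id=144 func=__iprope_check_one_policy line=2033 msg="checked gnum-100001 policy-2, ret-matched, act-accept"
id=65308 trace_id=144 func=__iprope_check_one_policy line=2251 msg="policy-2 is matched, act-accept"
id=65308 trace_id=144 func=__iprope_check line=2298 msg="gnum-100001 check result: ret-matched, act-accept, flag-08010000, flag2-00000000"
id=65308 trace_id=144 func=__iprope_check line=2281 msg="gnum-10000e, check-000000002cb7b081"
id=65308 trace_id=144 func=__iprope_check_one_policy line=2251 msg="policy-4294967295 is matched, act-accept"
id=65308 trace_id=144 func=ip_session_confirm_final line=3113 msg="npu_state=0x0, hook=1"
id=65308 trace_id=101 func=__iprope_check line=2281 msg="gnum-100001, check-000000002cb7b081"
id=65308 trace_id=101 func=__iprope_check_one_policy line=2033 msg="checked gnum-100001 policy-1, ret-no-match, act-accept"
id=65308 trace_id=101 func=__iprope_check_one_policy line=2033 msg="checked gnum-100001 policy-2, ret-no-match, act-accept"
id=65308 trace_id=101 func=__iprope_check_one_policy line=2033 msg="checked gnum-100001 policy-3, ret-matched, act-accept"
id=65308 trace_id=101 func=__iprope_check_one_policy line=2251 msg="policy-3 is matched, act-drop"
id=65308 trace_id=101 func=fw_local_in_handler line=615 msg="iprope_in_check() check failed on policy 3, drop"
"""

LOCAL_IN_GROUP = "100001"  # assumption: the group holding the local-in policies in the traces above

LINE_RE = re.compile(r'trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>[^"]*)"')
GROUP_RE = re.compile(r"gnum-(?P<gnum>[0-9a-f]+)")
CHECKED_RE = re.compile(r"checked gnum-(?P<gnum>[0-9a-f]+) policy-(?P<pid>\d+), ret-(?P<ret>[\w-]+)")
MATCH_RE = re.compile(r"policy-(?P<pid>\d+) is matched, act-(?P<act>\w+)")


def parse_flow(lines):
    """Return {trace_id: verdict} where verdict records the local-in policy walk.

    'checked' lists (policy id, result) in evaluation order, 'policy'/'action'
    give the matched policy in the local-in group, and 'dropped_by_local_in'
    is set when fw_local_in_handler reports the drop.
    """
    traces = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            traces[int(m["trace"])].append((m["func"], m["msg"]))

    verdicts = {}
    for tid, events in traces.items():
        v = {"checked": [], "policy": None, "action": None, "dropped_by_local_in": False}
        current_group = None
        for func, msg in events:
            g = GROUP_RE.search(msg)
            if func == "__iprope_check" and g:
                current_group = g["gnum"]          # track which policy group is being walked
            c = CHECKED_RE.search(msg)
            if c and c["gnum"] == LOCAL_IN_GROUP:
                v["checked"].append((int(c["pid"]), c["ret"]))
            mm = MATCH_RE.search(msg)
            if mm and current_group == LOCAL_IN_GROUP:
                v["policy"], v["action"] = int(mm["pid"]), mm["act"]
            if func == "fw_local_in_handler" and "drop" in msg:
                v["dropped_by_local_in"] = True
        verdicts[tid] = v
    return verdicts


if __name__ == "__main__":
    for tid, v in sorted(parse_flow(SAMPLE_FLOW.splitlines()).items()):
        print(f"trace {tid}: walked {v['checked']} -> policy {v['policy']} {v['action']}"
              f"{' (dropped by local-in)' if v['dropped_by_local_in'] else ''}")
```

Feeding the full output of the debug flow commands into parse_flow gives one line per trace, which makes it easy to confirm that the blocked host hits policy 1, the other Philippine host reaches policy 2 only after policy 1 reports no-match, and the foreign host falls through to policy 3.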
Awesome! This article link helped to resolve my customer's problem.