Description | This article describes how to block specific IP addresses from connecting to SSL-VPN without using a local-in policy or geolocation restrictions. |
Scope | Simulated with FortiOS version 6.4.8 and FortiClient version 6.4.7. |
Solution |
The SSL-VPN settings have a CLI-only option, 'source-address-negate'. With it enabled, the FortiGate rejects SSL-VPN connection attempts only from the address objects listed under 'source-address'; connections from every other source are allowed.
# config firewall address
    edit "Block_SSLVPN"
        set subnet 10.47.2.111 255.255.255.255
    next
end
# config vpn ssl settings
    set source-address "Block_SSLVPN"
    set source-address-negate enable
end
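To see what the negate flag changes without a FortiGate at hand, the following is an added Python model, not Fortinet code and not from the original article: it parses a constructed copy of the CLI fragment above with a deliberately minimal parser (an assumption covering only these two blocks) and evaluates which source IPs the setting admits, with and without negate.

```python
import ipaddress
import shlex

# Constructed CLI fragment mirroring the article's configuration.
CONFIG = """
config firewall address
    edit "Block_SSLVPN"
        set subnet 10.47.2.111 255.255.255.255
    next
end
config vpn ssl settings
    set source-address "Block_SSLVPN"
    set source-address-negate enable
end
"""

def parse_config(text):
    """Minimal parser (an assumption, not FortiOS code) for the two blocks above."""
    addrs, names, negate = {}, [], False
    section = current = None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            section = " ".join(tok[1:])
        elif tok[0] == "edit" and section == "firewall address":
            current = tok[1]
        elif tok[0] == "set" and section == "firewall address" and tok[1] == "subnet":
            # accept "a.b.c.d mask" as well as "a.b.c.d/len"
            net = tok[2] if len(tok) == 3 else f"{tok[2]}/{tok[3]}"
            addrs[current] = ipaddress.ip_network(net, strict=False)
        elif tok[0] == "set" and section == "vpn ssl settings":
            if tok[1] == "source-address":
                names = tok[2:]
            elif tok[1] == "source-address-negate":
                negate = tok[2] == "enable"
        elif tok[0] == "next":
            current = None
        elif tok[0] == "end":
            section = None
    return addrs, names, negate

def sslvpn_accepts(src_ip, addrs, names, negate):
    """Model of the source-address check: an empty list admits everyone (the FortiOS
    default); otherwise negate turns 'only these may connect' into 'only these are refused'."""
    if not names:
        return True
    ip = ipaddress.ip_address(src_ip)
    matched = any(ip in addrs[n] for n in names if n in addrs)
    return not matched if negate else matched
```

Running the same object through the model with negate disabled shows the opposite effect: 10.47.2.111 becomes the only client allowed in, which is the misconfiguration to watch for when the flag is forgotten.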
When a user tries to connect from the 10.47.2.111 machine, the SSL-VPN connection is rejected.
On the FortiGate, the sniffer shows this machine attempting to connect while the FortiGate does not respond:
# diagnose sniffer packet any "host 10.47.2.111 and port 10443" 4
Connections from other machines are allowed and are established normally:
# get vpn ssl monitor
SSL-VPN sessions:
The blocked attempts are visible in the 'Local Traffic' logs. Enable local traffic logging under Log & Report -> Log Settings. |