darisandy
Staff
Article Id 206883
Description: This article describes how to block specific IP addresses from connecting to SSL VPN without using a local-in policy or geolocation restrictions.
Scope: FortiGate v6.4.8 (also applies to newer versions: v7.0, v7.2, v7.4, v7.6), FortiClient v6.4.7.
Solution

The SSL VPN settings include a CLI-only option, 'source-address-negate'.

Create a firewall address object for the IP address to be blocked, then reference it in the SSL VPN settings with the negate option enabled.

With negate enabled, FortiGate rejects SSL VPN connection attempts only from the addresses in that object; all other source IPs are allowed.

config firewall address
    edit "Block_SSLVPN"
        set subnet 10.47.2.111 255.255.255.255
    next
end

config vpn ssl settings
    set source-address "Block_SSLVPN"
    set source-address-negate enable
end

When a user tries to connect from the 10.47.2.111 machine, the SSL VPN connection is rejected.

[Screenshot: FortiClient connection attempt from 10.47.2.111]

On the FortiGate, the packet sniffer shows this machine attempting to connect while the FortiGate does not respond (the client retransmits the same SYN and never receives a SYN/ACK):

dia sniffer packet any "host 10.47.2.111 and port 10443" 4
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.47.2.111 and port 10443]
7.107390 port1 in 10.47.2.111.64299 -> 10.47.2.141.10443: syn 1450279049
8.121837 port1 in 10.47.2.111.64299 -> 10.47.2.141.10443: syn 1450279049
10.137460 port1 in 10.47.2.111.64299 -> 10.47.2.141.10443: syn 1450279049
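As an added example (not part of the original article), the following Python script parses output in the format of the sniffer capture above and flags client flows whose SYNs never receive a reply from the FortiGate, which is exactly how a blocked SSL VPN attempt looks on the wire. The embedded sample is constructed: it contains the three lines above plus an allowed flow from 10.47.1.189 that does get a SYN/ACK.

```python
import re
from collections import defaultdict

# One packet line from 'diagnose sniffer packet <iface> "<filter>" 4'
# (verbosity 4 prints timestamp, interface, direction, addresses and TCP flags).
SNIFFER_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>.*)$"
)

# Constructed sample: the three unanswered SYNs from the article plus a
# hypothetical allowed client (10.47.1.189) completing the handshake.
SAMPLE = """\
Using Original Sniffing Mode
interfaces=[any]
filters=[port 10443]
7.107390 port1 in 10.47.2.111.64299 -> 10.47.2.141.10443: syn 1450279049
8.121837 port1 in 10.47.2.111.64299 -> 10.47.2.141.10443: syn 1450279049
10.137460 port1 in 10.47.2.111.64299 -> 10.47.2.141.10443: syn 1450279049
12.000100 port1 in 10.47.1.189.50112 -> 10.47.2.141.10443: syn 98765
12.000150 port1 out 10.47.2.141.10443 -> 10.47.1.189.50112: syn 12345 ack 98766
12.000900 port1 in 10.47.1.189.50112 -> 10.47.2.141.10443: ack 12346
"""

def parse_sniffer(text):
    """Yield one dict per packet line; banner and filter lines are skipped."""
    for line in text.splitlines():
        m = SNIFFER_RE.match(line.strip())
        if m:
            yield m.groupdict()

def unanswered_syns(text, min_syns=2):
    """Return {(client_ip, server_ip, server_port): syn_count} for client flows
    that sent at least min_syns bare SYNs and never got any packet back."""
    syns = defaultdict(int)
    answered = set()
    for p in parse_sniffer(text):
        flags = p["flags"].split()
        if p["dir"] == "in" and flags and flags[0] == "syn" and "ack" not in flags:
            syns[(p["src"], p["dst"], p["dport"])] += 1
        elif p["dir"] == "out":
            # Any packet leaving towards the client means its SYN was answered.
            answered.add((p["dst"], p["src"], p["sport"]))
    return {k: n for k, n in syns.items() if n >= min_syns and k not in answered}

if __name__ == "__main__":
    for (client, server, port), n in unanswered_syns(SAMPLE).items():
        print(f"{client} -> {server}:{port}: {n} SYNs, no reply (blocked)")
```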

Connections from other machines are allowed and established normally:

get vpn ssl monitor
SSL-VPN Login Users:
Index User Group Auth Type Timeout Auth-Timeout From HTTP in/out HTTPS in/out Two-factor Auth
0 dani SSL_VPN_Group 1(1) 296 28736 10.47.1.189 0/0 0/0 0

SSL-VPN sessions:
Index User Group Source IP Duration I/O Bytes Tunnel/Dest IP
0 dani SSL_VPN_Group 10.47.1.189 64 12469/6784 10.212.134.200

The blocked attempts are visible in the 'Local Traffic' logs. Enable local traffic logging under Log & Report -> Log Settings.

Note:
This is an advanced configuration option, so it is available only in the CLI. On newer firmware (v7.2.9 onwards), a 'Negate Source' button is also available in the GUI.
