Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
darisandy
Staff
Staff

Created on ‎03-14-2022 11:27 PM Edited on ‎07-06-2022 06:12 AM By Anonymous

Technical Tip: How to block SSL-VPN Connection from a certain source IP Address

Description This article describes how to block certain IP address to connect to SSL-VPN, not using local-in policy nor specific geolocation restriction
Scope Simulation was done using:
FortiOS version 6.4.8
FortiClient version 6.4.7
Solution

There is an option on SSL VPN setting via CLI to enable 'source-address-negate'.


It is possible to create firewall address object (for blocked IP address) then assign it to SSL-VPN Setting with negate option enabled.

 

This way, FortiGate will only block connection attempt from this address object. Other than that will be allowed.

 

# config firewall addres
 edit "Block_SSLVPN"
  set subnet 10.47.2.111 255.255.255.255
 next
end

 

# config vpn ssl setting

set source-address "Block_SSLVPN"
set source-address-negate enable

end

 

When the user tries to connect from 10.47.2.111 machine, SSL-VPN will be rejected.

 

FCT from 10.47.2.111.PNG

 

From FortiGate, can be seen that this machine trying to connect, but FortiGate did not respond.

 

# dia sniff pack any "host 10.47.2.111 and port 10443" 4
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.47.2.111 and port 10443]
7.107390 port1 in 10.47.2.111.64299 -> 10.47.2.141.10443: syn 1450279049
8.121837 port1 in 10.47.2.111.64299 -> 10.47.2.141.10443: syn 1450279049
10.137460 port1 in 10.47.2.111.64299 -> 10.47.2.141.10443: syn 1450279049

 

Connecting from the different machines will be allowed and connections established.

 

# get vpn ssl monitor
SSL-VPN Login Users:
Index User Group Auth Type Timeout Auth-Timeout From HTTP in/out HTTPS in/out Two-factor Auth
0 dani SSL_VPN_Group 1(1) 296 28736 10.47.1.189 0/0 0/0 0

SSL-VPN sessions:
Index User Group Source IP Duration I/O Bytes Tunnel/Dest IP
0 dani SSL_VPN_Group 10.47.1.189 64 12469/6784 10.212.134.200

 

The blocks will be visible in the 'Local Traffic' logs. Enable Local Traffic Log from under Log & Report->Log Settings.

 

9038
Contributors

Contact Us