|Description||This article describes how to block a specific IP address from connecting to SSL-VPN without using a local-in policy or a geolocation restriction.|
|Scope||Simulation was done using FortiOS version 6.4.8 and FortiClient version 6.4.7.|
The SSL-VPN settings include an option, 'source-address-negate', that is set from the CLI. By default 'source-address' is an allow list: only connections coming from the listed address objects are accepted. With 'source-address-negate' enabled the meaning is inverted: connection attempts from the listed address objects are blocked, and every other source is allowed.
# config firewall address
    edit "Block_SSLVPN"
        set subnet 10.47.2.111 255.255.255.255
    next
end
# config vpn ssl settings
    set source-address "Block_SSLVPN"
    set source-address-negate enable
end
The address object must exist before it is referenced, and here it is the single host 10.47.2.111 (a /32 mask; the article shows only the IP). Without 'set source-address-negate enable', 'source-address' acts as an allow list and every client other than 10.47.2.111 would be locked out.
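As an added illustration (not FortiOS code and not part of the original article), the following Python model reproduces the documented 'source-address' / 'source-address-negate' decision so the effect of the flag, including the allow-list lock-out when negate is left disabled, can be checked before the setting is applied to a live firewall. The Block_SSLVPN object and 10.47.2.111 come from the article; the other address objects, the treatment of an empty list as the default "all" object, and the function names are assumptions for the example.

```python
"""Model of the FortiOS SSL-VPN 'source-address' / 'source-address-negate' decision.

Added illustration, not FortiOS code: it follows the documented semantics so the
effect of the negate flag can be checked before touching a live firewall.
"""
import ipaddress

# Constructed address objects mirroring 'config firewall address'.
# 'subnet' holds "ip mask"; 'iprange' holds a start and an end address.
# Block_SSLVPN is the object from the article; the other two are assumed examples.
ADDRESS_OBJECTS = {
    "Block_SSLVPN": {"type": "subnet", "subnet": "10.47.2.111 255.255.255.255"},
    "Branch_LAN": {"type": "subnet", "subnet": "10.47.0.0 255.255.0.0"},
    "Contractor_Range": {"type": "iprange", "start": "192.0.2.10", "end": "192.0.2.20"},
}


def _object_contains(obj: dict, ip: ipaddress.IPv4Address) -> bool:
    """Return True when the address object covers ip."""
    if obj["type"] == "subnet":
        addr, mask = obj["subnet"].split()
        # ipaddress accepts a dotted-decimal netmask after the slash.
        return ip in ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    if obj["type"] == "iprange":
        return ipaddress.IPv4Address(obj["start"]) <= ip <= ipaddress.IPv4Address(obj["end"])
    raise ValueError(f"unsupported address object type: {obj['type']}")


def sslvpn_source_allowed(source_ip: str, source_address: list, negate: bool = False) -> bool:
    """Decide whether an SSL-VPN connection from source_ip is accepted.

    source_address: object names given to 'set source-address ...'. An empty list
    stands for the default "all" object, which matches every source (assumption
    of this model).
    negate: value of 'set source-address-negate' (False == disable, the default).
    """
    ip = ipaddress.IPv4Address(source_ip)
    if not source_address:
        matched = True
    else:
        matched = any(_object_contains(ADDRESS_OBJECTS[name], ip) for name in source_address)
    # negate disabled: the list is an allow list; negate enabled: it is a block list.
    return (not matched) if negate else matched


def compare_modes(source_ip: str, source_address: list) -> dict:
    """Show the same 'source-address' list evaluated with and without negate.

    A client outside the list is rejected when negate is disabled (allow-list
    lock-out) and accepted when negate is enabled (block-list behaviour).
    """
    return {
        "negate_disabled": sslvpn_source_allowed(source_ip, source_address, negate=False),
        "negate_enabled": sslvpn_source_allowed(source_ip, source_address, negate=True),
    }


if __name__ == "__main__":
    for ip in ("10.47.2.111", "10.47.2.112", "192.0.2.15"):
        print(ip, compare_modes(ip, ["Block_SSLVPN"]))
```

Run it with the object list you intend to configure: if 'negate_disabled' comes back False for the addresses your users connect from, the configuration is an allow list and the negate flag has been forgotten.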
When the user tries to connect from the 10.47.2.111 machine, the SSL-VPN connection is rejected.
On the FortiGate, the sniffer shows this machine's connection attempts arriving on the SSL-VPN port (10443 here), but the FortiGate does not respond, so the client times out rather than receiving an explicit error:
# dia sniff pack any "host 10.47.2.111 and port 10443" 4
Connections from other machines are allowed and are established normally; the active sessions can be listed with:
# get vpn ssl monitor
The blocked attempts are visible in the 'Local Traffic' log. Local traffic logging is disabled by default; enable it under Log & Report -> Log Settings.