Description: This article describes how to block a specific IP address from connecting to SSL-VPN without using a local-in policy or a geolocation restriction.
Scope: The simulation was done using:
FortiOS version 6.4.8
FortiClient version 6.4.7

The SSL VPN settings have a CLI-only option, 'source-address-negate'.

Create a firewall address object for the IP address to be blocked, then assign it as the SSL-VPN source address with the negate option enabled.


With negate enabled, FortiGate blocks connection attempts only from the addresses in that object; connections from any other source address are allowed (the source list acts as a block list rather than an allow list).


# config firewall address
    edit "Block_SSLVPN"
        set subnet <blocked-ip> 255.255.255.255
    next
end


# config vpn ssl settings
    set source-address "Block_SSLVPN"
    set source-address-negate enable
end
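The decision these two settings produce, as an added Python model (not FortiOS code) of the allow-list versus block-list behaviour and of the two ways the setting can invert its intent; the blocked address is a constructed RFC 5737 example because the article omits the real one, and the address-object table is an assumption:

```python
import ipaddress

# Constructed example objects; the article omits the actual blocked address,
# so a documentation-range host (RFC 5737) stands in for it.
ADDRESS_OBJECTS = {
    "Block_SSLVPN": ["198.51.100.23/32"],
    "all": ["0.0.0.0/0"],
}

def source_matches(object_names, client_ip, objects=ADDRESS_OBJECTS):
    """True if client_ip falls inside any subnet of the named address objects."""
    ip = ipaddress.ip_address(client_ip)
    return any(
        ip in ipaddress.ip_network(cidr, strict=False)
        for name in object_names
        for cidr in objects[name]
    )

def sslvpn_source_decision(source_address, negate, client_ip):
    """Model of 'set source-address' plus 'set source-address-negate' on the
    SSL-VPN settings: with negate disabled the listed objects are an allow-list;
    with negate enabled they are a block-list and every other source is allowed."""
    matched = source_matches(source_address, client_ip)
    if negate:
        return "deny" if matched else "allow"
    return "allow" if matched else "deny"

def config_warnings(source_address, negate):
    """Flag the two configurations that silently invert the intent of the block."""
    warnings = []
    if negate and "all" in source_address:
        # Negating 'all' leaves no source that can connect.
        warnings.append("negate enabled with 'all': every SSL-VPN client is blocked")
    if not negate and source_address and source_address != ["all"]:
        # Without negate, the objects meant to be blocked become the only allowed sources.
        warnings.append("negate disabled: listed objects are the ONLY sources allowed")
    return warnings
```

Run `sslvpn_source_decision(["Block_SSLVPN"], True, ip)` for a client address to see which side of the block it lands on, and `config_warnings` before committing a change to the negate flag.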



When the user tries to connect from this machine, the SSL-VPN connection is rejected.


FortiClient (FCT) connection attempt from the blocked machine:


On the FortiGate, the sniffer shows this machine trying to connect (repeated SYNs), but FortiGate does not respond:


# dia sniff pack any "host and port 10443" 4
Using Original Sniffing Mode
filters=[host and port 10443]
7.107390 port1 in -> syn 1450279049
8.121837 port1 in -> syn 1450279049
10.137460 port1 in -> syn 1450279049


Connections from other machines are allowed and established:


# get vpn ssl monitor
SSL-VPN Login Users:
Index User Group Auth Type Timeout Auth-Timeout From HTTP in/out HTTPS in/out Two-factor Auth
0 dani SSL_VPN_Group 1(1) 296 28736 0/0 0/0 0

SSL-VPN sessions:
Index User Group Source IP Duration I/O Bytes Tunnel/Dest IP
0 dani SSL_VPN_Group 64 12469/6784


The blocked attempts are visible in the 'Local Traffic' logs. Enable local traffic logging under Log & Report -> Log Settings.