FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 206883
Description This article describes how to block specific IP addresses from connecting to SSL VPN without using a local-in policy or geolocation restrictions.
Scope The simulation was done using:
FortiOS version 6.4.8 (also applies to newer versions: 7.0, 7.2, 7.4).
FortiClient version 6.4.7.

The SSL VPN settings include a CLI option, 'source-address-negate', that inverts the meaning of the configured source addresses.

It is possible to create a firewall address object for the IP address to be blocked, and then reference it in the SSL VPN settings with the negate option enabled.


This way, FortiGate blocks only connection attempts from the addresses in this object; all other source IPs are allowed.


config firewall address
    edit "Block_SSLVPN"
        set subnet
    next
end

config vpn ssl setting
    set source-address "Block_SSLVPN"
    set source-address-negate enable
end
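A complete version of the same configuration, added here as an example rather than taken from the article, extended to block several addresses through an address group. The object names and the IP addresses (documentation-range placeholders) are assumptions for illustration.

```fortios
# Added example: refuse SSL VPN connections from two source IPs.
# 203.0.113.10 and 203.0.113.20 are placeholder addresses.
config firewall address
    edit "Block_SSLVPN_host1"
        set subnet 203.0.113.10 255.255.255.255
    next
    edit "Block_SSLVPN_host2"
        set subnet 203.0.113.20 255.255.255.255
    next
end

# Group the blocked hosts so the SSL VPN setting references one object.
config firewall addrgrp
    edit "Block_SSLVPN_Group"
        set member "Block_SSLVPN_host1" "Block_SSLVPN_host2"
    next
end

# With negate enabled, only the listed addresses are refused;
# every other source may still reach the SSL VPN portal.
config vpn ssl setting
    set source-address "Block_SSLVPN_Group"
    set source-address-negate enable
end
```

Do not enable negate while source-address is set to 'all': negating 'all' leaves no permitted source, so every SSL VPN connection would be refused.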



When a user tries to connect from the blocked machine, the SSL VPN connection is rejected.


FCT from


On FortiGate, the packet sniffer shows this machine sending SYN packets to the SSL VPN port, but FortiGate does not respond:


dia sniffer packet any "host and port 10443" 4
Using Original Sniffing Mode
filters=[host and port 10443]
7.107390 port1 in -> syn 1450279049
8.121837 port1 in -> syn 1450279049
10.137460 port1 in -> syn 1450279049


Connections from other machines are allowed and established normally:


get vpn ssl monitor
SSL-VPN Login Users:
Index User Group Auth Type Timeout Auth-Timeout From HTTP in/out HTTPS in/out Two-factor Auth
0 dani SSL_VPN_Group 1(1) 296 28736 0/0 0/0 0

SSL-VPN sessions:
Index User Group Source IP Duration I/O Bytes Tunnel/Dest IP
0 dani SSL_VPN_Group 64 12469/6784


The blocked attempts are visible in the 'Local Traffic' logs. Enable local traffic logging under Log & Report -> Log Settings.


This is an advanced configuration option, and such options are available only through the CLI, not the GUI.