Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
darisandy
Staff
Staff

Created on ‎03-14-2022 11:27 PM Edited on ‎03-09-2025 10:47 PM By Community Manager

Article Id 206883

Technical Tip: How to block SSL VPN Connection from a certain source IP Address

Description This article gives an example of how to block a certain IP address or list of IP addresses from connecting to SSL VPN without using local-in policies.
Scope FortiGate v6.4.8 and later.
Solution

There is an option on SSL VPN setting to enable 'source-address-negate'.


It is possible to create a firewall address or address group object (for a blocked IP address), and then use it in the SSL VPN Setting with negate option enabled.

 

This way, FortiGate will only block connection attempts from this address object. Other IPs will be allowed.

 

config firewall address
    edit "b-10.47.2.111"
        set subnet 10.47.2.111 255.255.255.255
    next
end

 

config vpn ssl setting

    set source-address "b-10.47.2.111"
    set source-address-negate enable

end

 

When the user tries to connect from the 10.47.2.111 machine, the SSL VPN will be rejected.

 

FCT from 10.47.2.111.PNG

 

On FortiGate, it is possible to see that this machine is trying to connect, but FortiGate does not respond:

 

diagnose sniffer packet any "host 10.47.2.111 and port 10443" 4
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.47.2.111 and port 10443]
7.107390 port1 in 10.47.2.111.64299 -> 10.47.2.141.10443: syn 1450279049
8.121837 port1 in 10.47.2.111.64299 -> 10.47.2.141.10443: syn 1450279049
10.137460 port1 in 10.47.2.111.64299 -> 10.47.2.141.10443: syn 1450279049

 

Connecting from the different machines will be allowed and connections established.

 

get vpn ssl monitor
SSL-VPN Login Users:
Index User Group Auth Type Timeout Auth-Timeout From HTTP in/out HTTPS in/out Two-factor Auth
0 dani SSL_VPN_Group 1(1) 296 28736 10.47.1.189 0/0 0/0 0

SSL-VPN sessions:
Index User Group Source IP Duration I/O Bytes Tunnel/Dest IP
0 dani SSL_VPN_Group 10.47.1.189 64 12469/6784 10.212.134.200

 

The blocks will be visible in the 'Local Traffic' logs. Enable Local Traffic Log from under Log & Report -> Log Settings.

 

If multiple addresses should be blocked, an address group can be used for simplified management.

 

config firewall address

edit "b-10.47.2.111"

set subnet 10.47.2.111 255.255.255.255

next

edit "b-10.47.2.200"

set subnet 10.47.2.200 255.255.255.255

next

end

 

config firewall addrgrp

edit "BLOCKED-IP_SSLVPN"

set member "b-10.47.2.111" "b-10.47.2.200" 

next

end

 

config vpn ssl setting

set source-address "BLOCKED-IP_SSLVPN"
set source-address-negate enable

end

 

To add or remove members from a multi-select object, use the 'append' and 'unselect' keywords.

 

config firewall addrgrp

edit "BLOCKED-IP_SSLVPN"

append member "new address to block"

unselect member "address to remove from block"

next

end

 

In v7.2.9, v7.4.5 and later, IP address blocks can be configured from SSL-VPN GUI. This is done by using 'Limit access to specific hosts' in combination with 'Negate Source'.

 

block one address.PNG

 

81119
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.