Description | This article describes how it is possible to block a certain country and allow the rest of the world to connect to SSL VPN. |
Scope | FortiOS. |
Solution |
Step 1: Go to Policy & Objects -> Addresses, select 'Create new', select 'Geography' as the address Type, and select the country to block.
Step 2: To block more than one country, create an address group containing the Geography addresses. Then map the address (or group) in the SSL VPN settings so that it restricts access: in the GUI this is VPN -> SSL-VPN Settings -> Restrict Access -> 'Limit access to specific hosts', which corresponds to 'set source-address' under 'config vpn ssl settings'.
At this point the configuration allows connections only from Blocked_Country, which is the opposite of what is wanted. The next step negates the source so that the configured address becomes the set of blocked sources instead of the set of allowed ones.
Step 3: Run the following CLI command to Negate the source.
config vpn ssl settings
    set source-address-negate enable
end
With this configuration, connections from the selected country are rejected while the rest of the world can connect to the SSL VPN. Because the negation applies to the whole source-address list, that list must contain only the addresses to block; any other address added to it would be blocked as well.
Note: Sometimes 'set source-address-negate' is not offered by the CLI, for example under 'config authentication-rule'. This happens when no source-interface or source-address is defined in the SSL VPN settings, because the option is only exposed once those two settings exist. Set source-interface and source-address first; 'set source-address-negate' then becomes available:
config vpn ssl settings
    set source-interface "wan1"
    set source-address "Blocked_Country"
end
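The complete procedure as one CLI sequence, added here as a worked example and not taken from the original article. The address name Blocked_Country follows the article; the country code "XX", the group name Blocked_Countries, the interface "wan1" and the test IP 203.0.113.10 are assumptions to be replaced with the real values.

```text
# Step 1: Geography address for the country to block
# (assumption: replace "XX" with the ISO 3166 two-letter country code).
config firewall address
    edit "Blocked_Country"
        set type geography
        set country "XX"
    next
end

# Optional: group several Geography addresses when more than one country must be blocked
# (assumed group name).
config firewall addrgrp
    edit "Blocked_Countries"
        set member "Blocked_Country"
    next
end

# Steps 2 and 3: restrict SSL VPN sources to the group, then negate the match so the group
# becomes the set of blocked sources and every other source is allowed.
# source-interface and source-address must exist before source-address-negate is offered.
config vpn ssl settings
    set source-interface "wan1"
    set source-address "Blocked_Countries"
    set source-address-negate enable
end

# Verification: confirm the three settings are present, then check which country the
# GeoIP database assigns to a given client IP (203.0.113.10 is a constructed test address
# from the documentation range, so it maps to no real country).
show vpn ssl settings
diagnose firewall ipgeo ip2country 203.0.113.10
```

Keep only the Geography addresses in the group referenced by source-address: with source-address-negate enabled, every member of that list is blocked, so mixing in an address of legitimate clients would lock them out.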
Related articles:
Technical Tip: Commands to verify GeoIP information and troubleshoot GeoIP database
Technical Tip: How to block SSL VPN Connection from a certain source IP Address |
Copyright 2025 Fortinet, Inc. All Rights Reserved.