Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Rajan_kohli
Staff
Staff

Created on ‎07-27-2024 11:32 PM Edited on ‎06-28-2025 07:48 AM By Moderator

Article Id 328515

Technical Tip: How to disable SSL VPN on secondary WAN IP only

 

Description

This article describes how to block SSL VPN listening on secondary IP configured on WAN interfaces but it still works on Primary IP WAN address. It is even possible to select if it is desired to block SSL VPN for a particular secondary IP address only.
Scope FortiGate.
Solution

As shown below, FortiGate has 2 WAN interfaces in the SSL VPN config with multiple IP addresses configured on each interface.

 

Rajan_kohli_0-1722111045414.png

 

To block listening for the SSL VPN interface, it is possible to create a local in-policy and use secondary IPs as destination addresses to block SSL VPN traffic.

 

Step 1: It is necessary to make a new service that should have an SSL VPN Port.

 

Rajan_kohli_1-1722111045418.png

 

Step 2: Now, make sure to have the address object or address group of secondary IP addresses.

 

Rajan_kohli_2-1722111045421.png

 

Step 3: Make a local in policy as shown below:

 

Rajan_kohli_3-1722111045423.png

 

The default action is deny in the local in policy. Now the SSL VPN traffic will be dropped by the local in policy for the secondary WAN IP addresses.

 

Related article:

Technical Tip: Restrict unauthorized access on the SSL VPN service

 

876
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.