Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
adimailig
Staff
Staff

Created on ‎06-09-2023 05:41 AM

Article Id 259689

Technical Tip: How to restrict or disable SSL VPN connections to Fortigate from the same LAN segment connected to the same FortiGate

Description The article explains how to restrict or disable SSL VPN connections to FortiGate from the same LAN segment connected to same FortiGate.
Scope FortiGate, SSL VPN.
Solution

1) Use 'source-address-negate enable' and specify the denied IP address in SSL VPN settings.
The following example shows how to deny RFC1918 (All Private IPs) to use SSL VPN.

 

config firewall address

edit "10.0.0.0/8"

set subnet 10.0.0.0 255.0.0.0

next

edit "172.16.0.0/12"

set subnet 172.16.0.0 255.240.0.0

next

edit "192.168.0.0/16"

set subnet 192.168.0.0 255.255.0.0

next

end

config firewall addrgrp

edit "RFC1918_RANGES"

set member "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"

next

end

config vpn ssl settings

set source-address "RFC1918_RANGES"

set source-address-negate enable

end

2) Deny SSL VPN service when using the firewall policy from LAN to WAN.


config firewall address

edit "WAN_IP"

set subnet <Public IP/32> -->> Public IP on SSL VPN listening interface(s)

next

end

config firewall service custom

edit "SSL_VPN"

set tcp-portrange <PORT> -->> SSL VPN TCP Port

next

end

config firewall policy

edit 0

set name "DENY_SSL_VPN_SERVICE"

set srcintf "LAN"

set dstintf "WAN"

set srcaddr "all"

set dstaddr "WAN_IP"

set schedule "always"

set service "SSL_VPN"

set logtraffic all

next

end

3) Deny SSL VPN service on the local-in-policy as it comes through the LAN interface.


config firewall address

edit "WAN_IP"

set subnet <Public IP/32> -->> Public IP on SSL VPN listening interface(s)

next

end

config firewall service custom

edit "SSL_VPN"

set tcp-portrange <PORT> -->> SSL VPN TCP Port

next

end

config firewall address

edit "10.0.0.0/8"

set subnet 10.0.0.0 255.0.0.0

next

edit "172.16.0.0/12"

set subnet 172.16.0.0 255.240.0.0

next

edit "192.168.0.0/16"

set subnet 192.168.0.0 255.255.0.0

next

end

config firewall addrgrp

edit "RFC1918_RANGES"

set member "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"

next

end

config firewall local-in-policy

edit 0

set intf "WAN" >>> SSL VPN listening interface

set srcaddr "RFC1918_RANGES"

set dstaddr "WAN_IP"

set service "SSL_VPN"

set schedule "always"

next

end
Labels:
3760
Suggest New Article
Article Feedback
Comments
jbernabe
Staff
Staff
‎06-14-2023 10:40 PM

This is very informative and helpful. Kudos to the Author!

Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.