FortiGate
edyrmishi, Staff
Article Id 397838
Description: This article describes how to safely remove local-in policies that restrict SSL VPN connections on the FortiGate to specific countries using GEO-IP address objects. It emphasizes the importance of deleting these policies in the correct order to avoid unintentionally blocking all VPN access, including from the approved IP ranges.
Scope: FortiGate
Solution

This article does not focus on the initial setup, which is fully detailed in the article Technical Tip: Restricting/Allowing access to the FortiGate SSL VPN from specific countries or IP ad.... Instead, it explains the correct, risk-free procedure for removing those local-in policies without interrupting active SSL VPN sessions.


Example configuration:


config firewall local-in-policy
    edit 1
        set intf "WAN"
        set srcaddr "GEO-IP Germany"
        set dstaddr "FGT_PUBLIC_IP"
        set action accept
        set service "SSL_10443_custom_port"
        set schedule "always"
    next

    edit 2
        set intf "WAN"
        set srcaddr "all"
        set dstaddr "FGT_PUBLIC_IP"
        set service "SSL_10443_custom_port"
        set schedule "always"
    next
end


Policy 1: Allows SSL VPN connections on port 10443 only from German IPs.
Policy 2: Catches all other sources on port 10443. No action is set, so the default (deny) applies and the policy implicitly denies them.


Why deletion order is important:


  • The 'delete <policy_id>' command under 'config firewall local-in-policy' takes effect as soon as it is entered; no 'end' command is required to apply the change.
  • Removing the specific allow-Germany policy first (ID 1) means all incoming SSL VPN traffic (including legitimate German users) is now evaluated against policy 2, which denies everything. Users lose connectivity instantly.


Safe deletion procedure:


  1. Delete the generic (deny-all) policy first:


config firewall local-in-policy
delete 2


At this point, only the geo-specific policy remains, so connectivity for allowed countries is uninterrupted.


  2. Delete the geo-specific policy:


config firewall local-in-policy
delete 1


With no other local-in policies targeting port 10443, all sources are now allowed.
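The same ordering rule, worked as an added example that is not Fortinet's code: a small Python script parses a local-in-policy block and picks, one step at a time, a deletion order that never turns a currently allowed source into a denied one. The sample config is trimmed to the relevant settings, and the first-match-by-ID evaluation with "allow when nothing matches" is the assumed model, as is the default-deny for a policy with no 'set action'.

```python
import re

# Constructed sample after the article's two policies; policy 2 has no 'set action' (default deny).
SAMPLE = """config firewall local-in-policy
    edit 1
        set srcaddr "GEO-IP Germany"
        set action accept
        set service "SSL_10443_custom_port"
    next
    edit 2
        set srcaddr "all"
        set service "SSL_10443_custom_port"
    next
end"""

def parse_local_in(text):
    """Return {policy_id: {setting: value}} from CLI text; action defaults to deny (assumption)."""
    policies, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r'edit (\d+)$', line):
            cur = policies[int(m.group(1))] = {"action": "deny"}
        elif cur and (m := re.match(r'set (\w+) "?(.*?)"?$', line)):
            cur[m.group(1)] = m.group(2)
    return policies

def allowed(policies, src, service):
    """Assumed model: the first matching policy by id decides; no match means allowed."""
    for pid in sorted(policies):
        p = policies[pid]
        if p.get("service") == service and p.get("srcaddr") in ("all", src):
            return p["action"] == "accept"
    return True

def safe_deletion_order(policies, service):
    """Greedy: each step deletes a policy whose removal keeps every currently
    allowed source allowed (so the Germany range never falls through to the deny)."""
    remaining, order = dict(policies), []
    srcs = {p["srcaddr"] for p in policies.values()} - {"all"} | {"<unlisted>"}
    while remaining:
        before = {s: allowed(remaining, s, service) for s in srcs}
        for pid in sorted(remaining):
            trial = {k: v for k, v in remaining.items() if k != pid}
            if all(allowed(trial, s, service) for s in srcs if before[s]):
                order.append(pid)
                remaining = trial
                break
        else:
            raise RuntimeError(f"no safe step left: {sorted(remaining)}")
    return order
```

Running safe_deletion_order(parse_local_in(SAMPLE), "SSL_10443_custom_port") yields [2, 1], the order the procedure above prescribes; deleting policy 1 first is rejected because the German range would then match the deny policy.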