Description
This article describes how to apply a geolocation address object as the source address of a specific authentication rule in the SSL VPN settings, so that the portal a user receives depends on the country that the user's public IP address maps to.
Scope
FortiGate.
Solution
Assume the following scenario:
Users connecting to SSL VPN from geolocation ABC are assigned the full-access portal, while users connecting to SSL VPN from any other geolocation are assigned the default portal.
To achieve this, set the source address of the authentication rule to the geolocation address object (or to an address group containing geolocation address objects). Using a geolocation address object as the source address of an SSL VPN authentication rule is only available via the CLI.
Apply the following configuration to the respective authentication rule in the SSL VPN settings and test the access:
config vpn ssl settings
    config authentication-rule
        edit <id>
            set source-interface wan1 <----- SSL VPN listening interface.
            set source-address <Geo address object> <----- Geography address object or address group.
            set portal full-access
        next
    end
end
With this setting, when a user tries to connect to SSL VPN, FortiGate checks the user's public source address against the geolocation database. If it matches the source-address of the authentication rule, the portal configured in that rule is assigned; otherwise the portal configured as default-portal under config vpn ssl settings is assigned. Note that a non-matching country does not block the login, it only changes the portal, so the default portal should be the most restrictive one if the intent is to limit what users from other countries can reach. The country match is only as accurate as the FortiGuard geolocation database, and a user connecting through a proxy or another VPN is matched on the exit IP address, not their real location.
To restrict a specific user group to a different set of countries than the rest of the users, combine the source-address with the groups option, as in the following example. Authentication rules are evaluated top-down and the first rule whose source-address and group both match wins, so the more specific rule must come first. A user who is a member of both groups and connects from a country that is only in the broader address group will not match rule 1 and will fall through to rule 2.
config vpn ssl settings
    config authentication-rule
        edit 1
            set source-interface "wan1" <----- Interface specified in SSL VPN settings.
            set source-address "Allow group countries" <----- Address group of the geography address objects that this group may connect from.
            set groups "SSLVPN_test_user_group" <----- The specific user group that should get restricted access.
            set portal "SSLVPN_test_portal"
        next
        edit 2
            set source-interface "wan1" <----- Interface specified in SSL VPN settings.
            set source-address "general Allow countries" <----- Address group of the countries allowed for everyone else.
            set groups "SSLVPN_users" <----- The group used in the SSL VPN firewall policy.
            set portal "full-access"
        next
    end
end
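The following is an added, end-to-end example and not part of the original article: it creates the geography address objects and address groups that the authentication rules above reference, sets a restrictive fallback portal, configures the two rules in most-specific-first order, and shows how to verify which country an address resolves to and which portal a test login receives. The country codes (NL, DE, US), the object names, the interface "wan1", the test address 203.0.113.10 and the availability of the geoip-query diagnose command on your firmware are assumptions for illustration; confirm them on your version.

```fortios
# Added example (not from the original article). Object names, countries and
# the interface "wan1" are assumed for illustration.

# 1. Geography address objects. Each one matches the client's public source IP
#    against the FortiGuard geolocation database for that country.
config firewall address
    edit "Geo-NL"
        set type geography
        set country "NL"
    next
    edit "Geo-DE"
        set type geography
        set country "DE"
    next
    edit "Geo-US"
        set type geography
        set country "US"
    next
end

# 2. Address groups referenced by the authentication rules. The restricted
#    group may only connect from NL; everyone else from NL, DE or US.
config firewall addrgrp
    edit "Allow group countries"
        set member "Geo-NL"
    next
    edit "general Allow countries"
        set member "Geo-NL" "Geo-DE" "Geo-US"
    next
end

# 3. SSL VPN settings: listening interface, a restrictive fallback portal for
#    logins that match no rule, and the rules in most-specific-first order.
config vpn ssl settings
    set source-interface "wan1"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "Allow group countries"
            set groups "SSLVPN_test_user_group"
            set portal "SSLVPN_test_portal"
        next
        edit 2
            set source-interface "wan1"
            set source-address "general Allow countries"
            set groups "SSLVPN_users"
            set portal "full-access"
        next
    end
end

# 4. Verification. Check which country a constructed test address resolves to,
#    enable SSL VPN debugging, perform a test login, then list the connected
#    users and the portal each one was assigned.
diagnose geoip geoip-query 203.0.113.10
diagnose debug application sslvpn -1
diagnose debug enable
# ... log in with a test account from the address under test, then:
get vpn ssl monitor
diagnose debug disable
```

With these objects, a member of SSLVPN_test_user_group connecting from NL gets SSLVPN_test_portal; if that same account is also a member of SSLVPN_users and connects from DE, rule 1 does not match and rule 2 assigns full-access, which is usually not what is intended. Keep the restricted users out of the broader group, or add an explicit earlier rule for them with the portal you do want. A firewall policy from the SSL VPN tunnel interface that references the user groups is still required for traffic to pass; that part is unchanged by the geolocation match.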
Related articles: