FortiGate
johnathan
Staff
Article Id 274422
Description

This article describes how to use a Threat Feed with SSL VPN.

Threat Feeds are not selectable within VPN -> SSL VPN Settings. This article describes the proper way to use them.

Scope

FortiGate v6.2.x, v7.x.x.
Solution

It is possible to use a Threat Feed in a local-in policy. This is a simple way to block addresses in the Threat Feed from accessing the VPN.

Starting with 7.6.0, local-in policies can be configured from the GUI. On versions earlier than 7.6.0, they must be configured from the CLI.

threat feed.PNG

Scenario 1: When the SSL VPN is on a Loopback interface.

It is then possible to create a Firewall Policy towards the Loopback, which allows selecting the Threat Feed as the source.

Here is an example of the Loopback and WAN interface we will be using. The Loopback subnet can be any subnet; however, it should not overlap with any real subnets.

interfaceLAB.PNG

Here is what should be configured in SSL VPN Settings.

sslvpnLOOP.PNG

It is necessary to make a VIP to forward the SSL VPN port configured above. The External IP should be the WAN IP, and the internal IP should be the IP configured on the Loopback.

vipLAB.PNG

The policy is necessary to allow connections from the WAN. The source is negated here, as that is the most common way to use a threat feed (allow everything except the Threat Feed).

To enable the source negate option in the firewall policy, use the following CLI commands:

FortiGate # config firewall policy
FortiGate (policy) # edit <policy_id>
FortiGate (policy_id) # set srcaddr-negate
enable     <----- Enable source address negate.
disable    <----- Disable source address negate.

FortiGate (policy_id) # set srcaddr-negate enable

For more details regarding source and destination negate, see the following link:

Technical Tip: Firewall Policy 'Negate' option

policyLAB.PNG

Scenario 2: When the SSL VPN is configured on the WAN interface.

Threatfeed.JPG

Configure an address object for the WAN IP and a custom service for the SSL VPN port.

SSLVPN-address.JPG

config firewall address
    edit "sslvpn_wan"
        set uuid c3c5ca1a-c52b-51ef-be23-14c4ef10f15e
        set subnet 10.9.15.166 255.255.255.255
    next
end

SSLVPN_Service.JPG

config firewall service custom
    edit "sslvpn_port"
        set uuid 92c29470-c52b-51ef-5a58-d37c69abc313
        set tcp-portrange 10443
        set udp-portrange 10443
    next
end

Configure a local-in policy to block connections from the IPs in the threat feed.

config firewall local-in-policy
    edit 1
        set uuid 91f2f6b4-c857-51ef-1702-a45348473581
        set intf "port1"                   <----- port1 is the WAN interface.
        set srcaddr "Threatfeed"
        set dstaddr "sslvpn_wan"
        set service "sslvpn_port"
        set schedule "always"
    next
end

In v7.6.0 and later, the local-in policy can also be configured from the GUI:

Capture.JPG
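As an added illustration (not code from the article or from Fortinet), the following Python script models how the two scenarios treat a source address: the negated "Threatfeed" source in the Scenario 1 firewall policy allows everything except feed members, while the Scenario 2 local-in policy denies only traffic that matches all of source-in-feed, destination 10.9.15.166 and port 10443. The feed contents and its one-entry-per-line format with "#" comments are constructed assumptions.

```python
import ipaddress

# Constructed sample of an IP-address threat feed as FortiGate would pull it:
# one IP or CIDR per line, '#' comments ignored (format is an assumption here).
THREAT_FEED = """\
# constructed sample feed
198.51.100.7
203.0.113.0/24
"""
WAN_IP = "10.9.15.166"  # address object "sslvpn_wan" from the article
SSLVPN_PORT = 10443     # custom service "sslvpn_port" from the article


def parse_feed(text):
    """Parse feed text into ip_network objects, skipping comments and blanks."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def in_feed(src, nets):
    """True when the source address falls inside any feed entry."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)


def scenario1_allowed(src, nets):
    """Scenario 1: policy towards the loopback VIP with srcaddr 'Threatfeed'
    and srcaddr-negate enabled, i.e. allow everything except feed members."""
    return not in_feed(src, nets)


def scenario2_allowed(src, dst, dport, nets):
    """Scenario 2: local-in deny on port1 for srcaddr 'Threatfeed', dstaddr
    'sslvpn_wan', service 'sslvpn_port'; the deny fires only when all match."""
    denied = in_feed(src, nets) and dst == WAN_IP and dport == SSLVPN_PORT
    return not denied


if __name__ == "__main__":
    nets = parse_feed(THREAT_FEED)
    for src in ("192.0.2.5", "198.51.100.7", "203.0.113.9"):
        print(src, "scenario1:", scenario1_allowed(src, nets),
              "scenario2:", scenario2_allowed(src, WAN_IP, SSLVPN_PORT, nets))
```

Note that in Scenario 2 a feed member connecting to a port other than the SSL VPN port is not matched by the deny rule and falls through to the remaining local-in processing.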