Description |
This article describes how to restrict/allow access to the FortiGate SSL VPN from specific countries or IP addresses with local-in-policy. |
Scope | FortiGate. |
Solution |
The most effective way to restrict access to services that the FortiGate itself terminates (SSL VPN, HTTPS/SSH administration, and so on) is a local-in policy. Local-in policies let administrators define, per interface, exactly which source and destination addresses and which services are allowed or blocked.
In this example, only users from certain countries and from the LAN are expected to reach the SSL VPN; every other country should have no access to the SSL VPN portal or tunnel. Specifically, the US, Canada, and the private subnets (RFC 1918) are allowed to access the SSL VPN, and everything else is dropped.
Be careful when configuring local-in policies: an over-broad or mis-ordered policy can block legitimate traffic, including the administrator's own management session. Apply the change from a source covered by the allow policy (or from the console) and verify access afterwards.
Step 1. Configure geography (GEO-IP) address objects for the countries allowed to connect to the SSL VPN.
Go to Policy & Objects -> Addresses, select Create New -> Address.
Create a geography address for each required country.
For example, Canada:
config firewall address
    edit "GEO-IP Canada"
        set type geography
        set color 13
        set country "CA"
    next
end
For example, the United States:
config firewall address
    edit "GEO-IP US"
        set type geography
        set color 10
        set country "US"
    next
end
Create address objects for the three RFC 1918 private ranges, then an address group that contains them:
config firewall address
    edit "G - PRIVATE ADDRESS RANGE - LAN - 10.0.0.0/8"
        set color 10
        set subnet 10.0.0.0 255.0.0.0
        set comment "RFC 1918"
    next
    edit "G - PRIVATE ADDRESS RANGE - LAN - 172.16.0.0/12"
        set color 10
        set subnet 172.16.0.0 255.240.0.0
        set comment "RFC 1918"
    next
    edit "G - PRIVATE ADDRESS RANGE - LAN - 192.168.0.0/16"
        set color 10
        set subnet 192.168.0.0 255.255.0.0
        set comment "RFC 1918"
    next
end
config firewall addrgrp
    edit "G - ALL PRIVATE ADDRESS RANGES"
        set member "G - PRIVATE ADDRESS RANGE - LAN - 10.0.0.0/8" "G - PRIVATE ADDRESS RANGE - LAN - 172.16.0.0/12" "G - PRIVATE ADDRESS RANGE - LAN - 192.168.0.0/16"
        set comment "RFC 1918"
        set color 10
    next
end
Create an address object for the FortiGate WAN IP address, which will be the destination of the local-in policies. The example uses an FQDN object (the FortiGate must be able to resolve the name); a subnet object containing the public IP works equally well:
config firewall address
    edit "FGT_PUBLIC_IP"
        set type fqdn
        set associated-interface "WAN_LAG"
        set fqdn "your FQDN"
    next
end
Step 2. Configure a custom service for the SSL VPN port number.
For example, the SSL VPN portal is configured on port 51443:
config firewall service custom
    edit "SSLVPN port 51443"
        set tcp-portrange 51443
    next
end
Step 3. Configure the local-in policies.
Local-in policies are evaluated top-down and the first match wins. 'edit 0' assigns the next free ID and appends the policy at the bottom of the list, so create the accept policy first and the deny policy second.
config firewall local-in-policy
    edit 0
        set intf "WAN_LAG"                 <----- The WAN interface.
        set srcaddr "G - ALL PRIVATE ADDRESS RANGES" "GEO-IP Canada" "GEO-IP US"   <----- All sources that need access to the SSL VPN.
        set dstaddr "FGT_PUBLIC_IP"        <----- The address object for the WAN IP address.
        set action accept                  <----- Action must be 'accept'.
        set service "SSLVPN port 51443"
        set schedule "always"
    next
end
config firewall local-in-policy
    edit 0
        set intf "WAN_LAG"
        set srcaddr "all"                  <----- Everything not matched by the accept policy above.
        set dstaddr "FGT_PUBLIC_IP"
        set action deny                    <----- Deny is the default when 'set action' is omitted; shown explicitly here.
        set service "SSLVPN port 51443"
        set schedule "always"
    next
end
Note: It is also possible to use the service 'ALL', but then the policy pair governs every service the FortiGate offers on that interface address, including HTTPS/SSH administration, and the deny policy will drop those connections from every source not listed in the accept policy.
config firewall local-in-policy
    edit 1
        set intf "WAN_LAG"
        set srcaddr "G - ALL PRIVATE ADDRESS RANGES" "GEO-IP Canada" "GEO-IP US"
        set dstaddr "FGT_PUBLIC_IP"
        set action accept
        set service "ALL"
        set schedule "always"
    next
    edit 0
        set intf "WAN_LAG"
        set srcaddr "all"
        set dstaddr "FGT_PUBLIC_IP"
        set action deny
        set service "ALL"
        set schedule "always"
    next
end
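To make the ordering and default-action behaviour concrete, here is an added Python model of local-in evaluation (not FortiOS code). The country table and the client IP addresses are constructed from documentation prefixes, and the policy IDs 1 and 2 are arbitrary. It reproduces the accept/deny pair from Step 3, the service 'ALL' variant from the note, and the mis-ordered pair that locks everyone out, including the administrator:

```python
"""Model of how FortiGate evaluates local-in policies: top-down, first match
wins, and a policy without 'set action' denies. Added example, not FortiOS
code; the geo-IP table is a constructed stub (documentation prefixes)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the FortiGuard geography database.
GEO_DB = {
    ipaddress.ip_network("203.0.113.0/24"): "CA",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "XX",   # a country that is not allowed
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def country_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEO_DB.items() if addr in net), None)


@dataclass
class Address:
    """One firewall address object: 'set subnet' and/or 'set type geography'."""
    name: str
    subnets: list = field(default_factory=list)
    countries: list = field(default_factory=list)

    def matches(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return (any(addr in n for n in self.subnets)
                or country_of(ip) in self.countries)


@dataclass
class LocalInPolicy:
    policy_id: int
    intf: str
    srcaddr: list                 # Address objects; an empty list means "all"
    ports: Optional[set]          # TCP ports of the custom service; None = "ALL"
    action: str = "deny"          # FortiOS default when 'set action' is omitted

    def matches(self, intf: str, src_ip: str, dport: int) -> bool:
        if intf != self.intf:
            return False
        if self.srcaddr and not any(a.matches(src_ip) for a in self.srcaddr):
            return False
        return self.ports is None or dport in self.ports


def evaluate(policies, intf, src_ip, dport):
    """Return (action, policy_id) of the first matching policy. With no match,
    local-in does not decide and the packet reaches the service's own listener."""
    for p in policies:
        if p.matches(intf, src_ip, dport):
            return p.action, p.policy_id
    return "no-match", None


ALLOWED = [Address("G - ALL PRIVATE ADDRESS RANGES", subnets=RFC1918),
           Address("GEO-IP Canada", countries=["CA"]),
           Address("GEO-IP US", countries=["US"])]


def port_scoped_policies():
    """Step 3 of the article: accept the allowed sources, then deny the rest,
    both limited to the SSL VPN port."""
    return [LocalInPolicy(1, "WAN_LAG", ALLOWED, {51443}, "accept"),
            LocalInPolicy(2, "WAN_LAG", [], {51443})]


def service_all_policies():
    """The 'ALL' variant from the note: the same pair also gates admin
    HTTPS/SSH on the WAN address."""
    return [LocalInPolicy(1, "WAN_LAG", ALLOWED, None, "accept"),
            LocalInPolicy(2, "WAN_LAG", [], None)]


def misordered_policies():
    """The lockout mistake: deny listed above accept, so nothing gets through."""
    return list(reversed(port_scoped_policies()))


if __name__ == "__main__":
    for label, pol in (("port-scoped", port_scoped_policies()),
                       ("service ALL", service_all_policies()),
                       ("misordered", misordered_policies())):
        for src, dport in (("203.0.113.10", 51443), ("192.0.2.10", 51443),
                           ("10.1.1.1", 51443), ("192.0.2.10", 22)):
            print(label, src, dport, evaluate(pol, "WAN_LAG", src, dport))
```

Two results are worth noting: with the port-scoped pair, a non-allowed source hitting SSH gets "no-match", i.e. these policies do not protect the other services at all; with the 'ALL' pair the same packet is denied, and so is the administrator's own HTTPS session unless its source is in the accept list.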
Local-in policies do not affect traffic destined for a Virtual IP, because that traffic is forwarded through the FortiGate rather than terminated on it; restrict VIP access in the firewall policy instead, using the same source address objects.
Note: Starting from FortiOS v7.6.0, local-in policies can also be configured in the GUI. Refer to this document for reference: Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI.
Verification. When a client from a source that is not allowed tries to reach the SSL VPN, its SYN is dropped by the deny policy and the client sees no portal at all (the browser reports 'This site can’t be reached'). Trace the client's source address with the debug flow; the function-name option makes the func= fields appear in the output:
diagnose debug flow filter saddr 24.114.106.18
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable
id=65308 trace_id=6 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 24.114.106.18:51058->184.147.176.25:51443) tun_id=0.0.0.0 from ppp6. flag [S], seq 693253275, ack 0, win 65535"
id=65308 trace_id=6 func=init_ip_session_common line=6073 msg="allocate a new session-003f81e1, tun_id=0.0.0.0"
id=65308 trace_id=6 func=vf_ip_route_input_common line=2605 msg="find a route: flag=80000000 gw-184.147.176.25 via root"
id=65308 trace_id=6 func=fw_local_in_handler line=536 msg="iprope_in_check() check failed on policy 4, drop"
The last line shows the local-in handler dropping the packet. The policy number in the message is the ID of the local-in policy that matched (the deny policy, ID 4 on this unit; IDs depend on the order in which the policies were created). If the connection is instead accepted, no such drop line appears for that trace_id.
To disable debug:
diagnose debug reset
diagnose debug flow trace stop
diagnose debug disable |
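As an added example (not a Fortinet tool), the following Python parses such debug flow output and reports which connections the local-in handler dropped and by which policy ID. SAMPLE is a constructed trace modelled on the lines above, using documentation-range addresses, with a second trace that was not dropped added for contrast:

```python
"""Parser for 'diagnose debug flow' output that reports which connections
the local-in handler dropped and by which policy ID. Added example, not a
Fortinet tool; SAMPLE is constructed, modelled on the lines shown above."""
import re
from collections import defaultdict

SAMPLE = """\
id=65308 trace_id=6 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 192.0.2.10:51058->203.0.113.25:51443) tun_id=0.0.0.0 from ppp6. flag [S], seq 693253275, ack 0, win 65535"
id=65308 trace_id=6 func=init_ip_session_common line=6073 msg="allocate a new session-003f81e1, tun_id=0.0.0.0"
id=65308 trace_id=6 func=vf_ip_route_input_common line=2605 msg="find a route: flag=80000000 gw-203.0.113.25 via root"
id=65308 trace_id=6 func=fw_local_in_handler line=536 msg="iprope_in_check() check failed on policy 4, drop"
id=65308 trace_id=7 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 198.51.100.7:40001->203.0.113.25:51443) tun_id=0.0.0.0 from ppp6. flag [S], seq 1, ack 0, win 65535"
id=65308 trace_id=7 func=init_ip_session_common line=6073 msg="allocate a new session-003f81e2, tun_id=0.0.0.0"
id=65308 trace_id=7 func=vf_ip_route_input_common line=2605 msg="find a route: flag=80000000 gw-203.0.113.25 via root"
"""

# key=value pairs; msg is a quoted string that itself contains spaces and '='.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
PKT_RE = re.compile(
    r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\).*?from (\w+)\.')
DROP_RE = re.compile(r'check failed on policy (\d+), drop')


def parse_flow_trace(text):
    """Group trace lines by trace_id and pull out the 5-tuple, the ingress
    interface and, if present, the local-in policy that dropped the packet."""
    traces = defaultdict(lambda: {"proto": None, "src": None, "sport": None,
                                  "dst": None, "dport": None, "intf": None,
                                  "dropped_by_policy": None})
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if "trace_id" not in fields:
            continue
        t = traces[int(fields["trace_id"])]
        func, msg = fields.get("func"), fields.get("msg", "")
        if func == "print_pkt_detail":
            m = PKT_RE.search(msg)
            if m:
                t.update(proto=int(m[1]), src=m[2], sport=int(m[3]),
                         dst=m[4], dport=int(m[5]), intf=m[6])
        elif func == "fw_local_in_handler":
            m = DROP_RE.search(msg)
            if m:
                t["dropped_by_policy"] = int(m[1])
    return dict(traces)


def local_in_drops(text, dport):
    """(source IP, policy ID) for every trace to dport that local-in dropped."""
    return [(t["src"], t["dropped_by_policy"])
            for t in parse_flow_trace(text).values()
            if t["dport"] == dport and t["dropped_by_policy"] is not None]


if __name__ == "__main__":
    for tid, t in parse_flow_trace(SAMPLE).items():
        verdict = (f"dropped by local-in policy {t['dropped_by_policy']}"
                   if t["dropped_by_policy"] is not None
                   else "not dropped by local-in")
        print(f"trace {tid}: {t['src']}:{t['sport']} -> {t['dst']}:{t['dport']} "
              f"on {t['intf']}: {verdict}")
```

Feed it the captured console output (after 'diagnose debug disable') to confirm that every drop on the SSL VPN port cites the deny policy's ID and that no allowed source appears in the drop list.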
Copyright 2024 Fortinet, Inc. All Rights Reserved.