agrakov (Staff)
Article Id 222845
Description

This article describes how to restrict or allow access to the FortiGate SSL VPN from specific countries or IP addresses with a local-in policy.

Scope

FortiGate.
Solution

The most effective way to restrict access to FortiGate resources is a local-in policy.

Local-in policies allow administrators to granularly define the source and destination addresses, interfaces, and services that need to be blocked or allowed.

In this example, only users from certain countries and from the LAN are expected to access the SSL VPN; all other countries should not have any access to the SSL VPN portal or tunnel.

For example, the US, Canada, and the private subnets (RFC 1918) are allowed to access the SSL VPN, and everything else should be dropped.

Be careful when configuring local-in policies: it is possible to block legitimate traffic.

Step 1.

Configure GEO-IP address objects for the countries that are allowed to connect to the SSL VPN.

Go to Policy & Objects -> Addresses and select Create New -> Address.

Create a GEO-IP address object for each required country.

For example, Canada:

config firewall address
    edit "GEO-IP Canada"
        set type geography
        set color 13
        set country "CA"
    next
end

For example, the United States:

config firewall address
    edit "GEO-IP US"
        set type geography
        set color 10
        set country "US"
    next
end


Configure address objects for the RFC 1918 private ranges (so that local subnets can still access FortiGate resources), and group them in an address group.


config firewall address
    edit "G - PRIVATE ADDRESS RANGE - LAN - 10.0.0.0/8"
        set color 10
        set subnet 10.0.0.0 255.0.0.0
        set comment "RFC 1918"
    next
    edit "G - PRIVATE ADDRESS RANGE - LAN - 172.16.0.0/12"
        set color 10
        set subnet 172.16.0.0 255.240.0.0
        set comment "RFC 1918"
    next
    edit "G - PRIVATE ADDRESS RANGE - LAN - 192.168.0.0/16"
        set color 10
        set subnet 192.168.0.0 255.255.0.0
        set comment "RFC 1918"
    next
end

config firewall addrgrp
    edit "G - ALL PRIVATE ADDRESS RANGES"
        set member "G - PRIVATE ADDRESS RANGE - LAN - 10.0.0.0/8" "G - PRIVATE ADDRESS RANGE - LAN - 172.16.0.0/12" "G - PRIVATE ADDRESS RANGE - LAN - 192.168.0.0/16"
        set comment "RFC 1918"
        set color 10
    next
end


Configure an address object for the WAN IP address or FQDN. If the WAN interface has secondary IP addresses, create address objects for them as well and put all WAN IP address objects into one address group.

 

config firewall address
    edit "FGT_PUBLIC_IP"
        set type fqdn
        set associated-interface "WAN_LAG"
        set fqdn "your FQDN"
    next
end


Step 2.

Configure a custom service for the SSL VPN port number.

For example, the SSL VPN portal is configured on port 51443:

config firewall service custom
    edit "SSLVPN port 51443"
        set tcp-portrange 51443
    next
end



Step 3.

Configure the local-in policies. They are evaluated top-down, so the allow policy must come before the deny policy.

  1. Configure the policy to allow traffic from the specific source addresses.

config firewall local-in-policy
    edit 0
        set intf "WAN_LAG"  <----- The WAN interface.
        set srcaddr "G - ALL PRIVATE ADDRESS RANGES" "GEO-IP Canada" "GEO-IP US"  <----- Specify here all sources that need access to the SSL VPN.
        set dstaddr "FGT_PUBLIC_IP"  <----- The address object for the WAN IP address.
        set action accept  <----- Action must be 'accept'.
        set service "SSLVPN port 51443"
        set schedule "always"
    next
end

 

  1. Configure the policy to deny traffic from other source addresses.

config firewall local-in-policy
    edit 0
        set intf "WAN_LAG"
        set srcaddr "all"  <----- Matches the remaining addresses that are not included in the allow policy.
        set dstaddr "FGT_PUBLIC_IP"
        set action deny  <----- 'deny' is the default action of a local-in policy; it is shown here explicitly.
        set service "SSLVPN port 51443"
        set schedule "always"
    next
end

 

Note.

It is also possible to use the service 'ALL',  but in this case, it will affect access to all FortiGate resources, including FortiGate admin access, SSH, etc.

 

config firewall local-in-policy
    edit 1
        set intf "WAN_LAG"
        set srcaddr "G - ALL PRIVATE ADDRESS RANGES" "GEO-IP Canada" "GEO-IP US"
        set dstaddr "FGT_PUBLIC_IP"
        set action accept
        set service "ALL"
        set schedule "always"
    next
    edit 0
        set intf "WAN_LAG"
        set srcaddr "all"
        set dstaddr "FGT_PUBLIC_IP"
        set service "ALL"
        set schedule "always"
    next
end

 

The local-in policy does not affect access through Virtual IPs (VIPs); that restriction has to be implemented at the firewall policy level.
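To check the policy set from Step 3 before committing it, the following Python script (an added example, not part of the article or of FortiOS) evaluates the article's two local-in policies the way FortiOS does, top-down with first match, against sample source addresses. The GEO_TABLE prefixes and the sample addresses are constructed; a real unit resolves geography objects through the FortiGuard geo database.

```python
import ipaddress

# Constructed prefix -> country table standing in for the FortiGuard geo database.
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "CA",  # constructed sample prefix
    ipaddress.ip_network("203.0.113.0/24"): "US",   # constructed sample prefix
    ipaddress.ip_network("192.0.2.0/24"): "DE",     # constructed, not an allowed country
}

# Address objects from the article (names kept as in the CLI configuration).
ADDRESSES = {
    "G - ALL PRIVATE ADDRESS RANGES": {"subnets": [ipaddress.ip_network(n) for n in
                                       ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]},
    "GEO-IP Canada": {"country": "CA"},
    "GEO-IP US": {"country": "US"},
    "all": {"subnets": [ipaddress.ip_network("0.0.0.0/0")]},
}
SERVICES = {"SSLVPN port 51443": {51443}, "ALL": None}  # None = any port

# Local-in policies in evaluation order (top-down, first match wins). dstaddr is
# omitted because every policy in the article uses the same WAN address object.
POLICIES = [
    {"id": 1, "intf": "WAN_LAG", "service": "SSLVPN port 51443", "action": "accept",
     "srcaddr": ["G - ALL PRIVATE ADDRESS RANGES", "GEO-IP Canada", "GEO-IP US"]},
    {"id": 2, "intf": "WAN_LAG", "service": "SSLVPN port 51443", "action": "deny",
     "srcaddr": ["all"]},
]


def country_of(ip):
    return next((cc for net, cc in GEO_TABLE.items() if ip in net), None)


def addr_matches(name, ip):
    obj = ADDRESSES[name]
    if "country" in obj:
        return country_of(ip) == obj["country"]
    return any(ip in net for net in obj["subnets"])


def evaluate(src, dport, intf="WAN_LAG"):
    """Return (action, policy id); traffic matching no policy is left alone (None)."""
    # This pass-through is why the article adds the explicit deny as the second policy.
    ip = ipaddress.ip_address(src)
    for pol in POLICIES:
        ports = SERVICES[pol["service"]]
        if (pol["intf"] == intf and (ports is None or dport in ports)
                and any(addr_matches(name, ip) for name in pol["srcaddr"])):
            return pol["action"], pol["id"]
    return "accept", None
```

Evaluating a disallowed source against port 443 returns no match, which illustrates the note above about the 'ALL' service: the port-specific policies leave other FortiGate services untouched.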

 

Note:

Starting from FortiGate v7.6.0, local-in policies can also be configured in the GUI. Refer to the following document: Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI.

 

Verification.

When a client from a source that is not allowed tries to reach the SSL VPN, the traffic is dropped and the client's browser shows 'This site can't be reached' instead of the portal.

 

diagnose debug flow filter saddr 24.114.106.18
diagnose debug flow trace start 100
diagnose debug enable

 

id=65308 trace_id=6 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 24.114.106.18:51058->184.147.176.25:51443) tun_id=0.0.0.0 from ppp6. flag [S], seq 693253275, ack 0, win 65535"
id=65308 trace_id=6 func=init_ip_session_common line=6073 msg="allocate a new session-003f81e1, tun_id=0.0.0.0"
id=65308 trace_id=6 func=vf_ip_route_input_common line=2605 msg="find a route: flag=80000000 gw-184.147.176.25 via root"
id=65308 trace_id=6 func=fw_local_in_handler line=536 msg="iprope_in_check() check failed on policy 4, drop"

 

To disable the debug:

diagnose debug reset
diagnose debug flow trace stop
diagnose debug disable
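To review a longer debug flow capture in bulk, this added Python parser (not part of the article) extracts every flow that fw_local_in_handler dropped, with its source, destination port and the local-in policy ID. The first four lines of SAMPLE_TRACE are the article's own verification output; the trace_id=7 lines are a constructed flow with no drop, to show that it is not reported.

```python
import re

# Lines 1-4: the article's trace output. trace_id=7: constructed flow without a drop.
SAMPLE_TRACE = """\
id=65308 trace_id=6 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 24.114.106.18:51058->184.147.176.25:51443) tun_id=0.0.0.0 from ppp6. flag [S], seq 693253275, ack 0, win 65535"
id=65308 trace_id=6 func=init_ip_session_common line=6073 msg="allocate a new session-003f81e1, tun_id=0.0.0.0"
id=65308 trace_id=6 func=vf_ip_route_input_common line=2605 msg="find a route: flag=80000000 gw-184.147.176.25 via root"
id=65308 trace_id=6 func=fw_local_in_handler line=536 msg="iprope_in_check() check failed on policy 4, drop"
id=65308 trace_id=7 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 10.1.2.3:40000->184.147.176.25:51443) tun_id=0.0.0.0 from port1. flag [S], seq 1, ack 0, win 65535"
id=65308 trace_id=7 func=init_ip_session_common line=6073 msg="allocate a new session-003f81e2, tun_id=0.0.0.0"
"""

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) func=(?P<func>\w+) line=\d+ msg="(?P<msg>.*)"$')
PKT_RE = re.compile(r'proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)')
DROP_RE = re.compile(r'check failed on policy (?P<policy>\d+), drop')


def parse_local_in_drops(text):
    """Group trace lines by trace_id and return the flows dropped by a local-in policy."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        flow = flows.setdefault(m["tid"], {"trace_id": int(m["tid"])})
        if m["func"] == "print_pkt_detail":
            p = PKT_RE.search(m["msg"])
            if p:
                flow.update(proto=int(p["proto"]), src=p["src"], sport=int(p["sport"]),
                            dst=p["dst"], dport=int(p["dport"]))
        elif m["func"] == "fw_local_in_handler":
            d = DROP_RE.search(m["msg"])
            if d:
                flow.update(policy=int(d["policy"]), action="drop")
    return [f for f in flows.values() if f.get("action") == "drop"]


def drops_by_source(text):
    """Count dropped connection attempts per source address (who is being blocked)."""
    counts = {}
    for flow in parse_local_in_drops(text):
        counts[flow["src"]] = counts.get(flow["src"], 0) + 1
    return counts
```

Feed it the saved output of diagnose debug flow to confirm that only unexpected sources are being dropped, and that the policy ID in the drop line is the deny policy you configured.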