Description
The article describes how to restrict SSL VPN connectivity from certain countries. By default, the SSL VPN is accessible to all public IP addresses from the Internet. Still, it is possible to restrict access to a specified set of allowed IP addresses using IP/Subnet Address Objects and Geo-IP Address objects.
Scope
FortiGate.
Solution
There are three methods to block the connection: the source address under VPN SSL settings, local-in-policy, and regular policies when moving the listening interface to a loopback.
Method 1: Source-address.
The Restrict Access (aka source-address) configuration can be modified without disrupting existing SSL VPN connections, though only if the modifications continue to allow a given user's source address to connect. For example:
- If the Restrict Access option is set to Limit access to specific hosts, and the Hosts include Canada and USA Geography Address objects, then users in Canada and the USA can connect to the SSL VPN.
- If Canada is then removed from this config and the changes are applied, any connected Canadian Users will be disconnected (since they have become disallowed).
- On the other hand, adding a Mexico Geography Address object to the allowed hosts will not disrupt any existing connections for USA/Canadian VPN users.
- Configure the firewall address with the geography type.
config firewall address
edit "restriction_poland"
set type geography
set country "PL" <- Only allows connections from Poland.
next
end
- Configure the firewall address group.
config firewall addrgrp
edit "Geo_restriction_ssl_vpn"
set member "restriction_poland"
next
end
- Configure the firewall address group as the source-address under SSL VPN settings.
config vpn ssl settings
set servercert "Fortinet_Factory"
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
set port 444
set source-interface "wan1"
set source-address "Geo_restriction_ssl_vpn"
end
From the GUI.
- Go to Policy & Objects -> Addresses, select 'Create new', select 'Geography' as the address Type, and select the country to allow.
If there is more than one country to allow, create a group on the firewall. Refer to this KB article, Technical Tip: Script to create Address objects and one address group for all geography countries on FortiGate, to import all geography address objects via script.
- After creating the country on the addresses, the same must be mapped on the firewall SSL VPN settings to restrict access. Go to VPN -> SSL VPN Settings. Under 'Restrict Access', select 'Limit access to specific hosts' and add the address object created in Step 1 to allow access to the VPN.
This will ensure that only the selected Country/Region IP addresses can connect to the SSL VPN. Only IP and Geo objects can be configured here. User and User Group objects CANNOT be configured here.
Notes:
- If the original public source IP is not visible to FortiGate, the geo-ip location-based restriction will not work.
- Check the logs under Logs and Report -> System Events, select configure table, and enable source country/Region. Once this setting is enabled, the source country from which the traffic is initiated will be visible, and those locations can be added to restrict.
- If there are SSL VPN authentication rules that have source-address defined as 'all', the globally configured source-address will not work.
In the preceding example, users from Poland are permitted to connect to this SSL VPN. However, if it is also necessary to add a few individual IP addresses/ranges from an undefined Country/Region, the address objects can be included under SSL VPN settings as shown below.
After making this change, if there are still hits from different IPs from unintended countries, refer to the information and steps below:
- Check the FortiGate's geo-ip database. First, update the Geo IP database on FortiGate with the following command:
execute update-geo-ip
Wait a few minutes for this to complete. After the update, find FortiGate's current verdict on the location of an IP address:
diagnose firewall ipgeo ip2country x.x.x.x <- The IP.
Alternatively, check with Instant IP Address Lookup (whatismyipaddress.com).
- If an IP address is blocked in the global SSL VPN configuration but still has connection attempts logged, the authentication rule may have a different address group configured. See the article Technical Note: SSL VPN source-interface setting in authentication rule taking precedence. If a specific source-address in authentication-rule is overriding the intended global rule, remove the source-address configuration by unsetting source-interface in authentication-rule.
config vpn ssl settings
config authentication-rule
edit <index>
unset source-interface
next
end
end
Alternatively, reconfigure the authentication-rule to allow or block the required source address.
config vpn ssl settings
config authentication-rule
edit <index>
set source-interface "wan1" <----- Interface specified in SSL VPN.
set source-address "Allow US IPs Only" <----- Just use the country desired to allow.
set source-address-negate disable
set groups "SSLVPN_users" <----- This is the group in the policy of SSL VPN.
set portal "full-access"
next
end
end
- After these changes, it will not be possible to see any other attempt from outside the US in the VPN events logs. Another method would be to use local-in-policy to block any attempts to connect to the SSL VPN.
Method 2: Local-in-Policy:
Create local-in policies that allow traffic from a specific country and deny it for the rest of them:
config firewall local-in-policy
edit <index of allow policy>
set intf "wan1"
set srcaddr "Allow US IPs Only"
set dstaddr "all"
set service "SSLVPN-Port" <- Port that is used for SSL VPN connections.
set schedule "always"
set action accept
next
edit <index of deny policy>
set intf "wan1"
set srcaddr "all"
set dstaddr "all"
set service "SSLVPN-Port" <-- Port that is used for SSL VPN connections.
set schedule "always"
set action deny
next
end
Another way to configure a local-in-policy to deny all traffic except from the US is to create a policy with the source address (srcaddr) set to 'US' geo-location and enable the srcaddr-negate option, as shown below. The same requirement can be achieved using a single local-in-policy.
config firewall local-in-policy
edit <index of deny policy>
set intf "wan1"
set srcaddr "Allow US IPs Only"
set srcaddr-negate enable <-- Negates the Source group, in this scenario, means any country IP other than the US.
set dstaddr "all"
set service "SSLVPN-Port" <-- Port that is used for SSL VPN connections.
set schedule "always"
set action deny
next
end
Note:
The Policies are processed in configuration order, 'top to bottom', and processed according to the first match. To reorder a local-in-policy, use the move command, see Technical Tip: How to move the order local-in policy FortiGate.
config firewall local-in-policy
move 2 before 1
end
For read-only local-in-policy visibility in the GUI, navigate to System -> Feature Visibility -> Local-In-Policy and select Apply.
As of v7.6.0, Local-in Policy can also be configured in the GUI. Refer to this document for reference: Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI.
For full guidance on setting up local-in-policy to perform geoblocking, may refer to this article:
Technical Tip: Blocking Geolocations for SSL VPN and management access with a local in policy
For SSL VPN, VPN configuration, and port used in this article, more information is available via this link: SSL VPN best practices | FortiGate / FortiOS 7.4.1 | Fortinet Document Library.
Method 3:
Instead of using an outside interface as an inbound interface or SSL-VPN connections, an administrator may configure a loopback with a private IP, following the example in Technical Tip: SSL VPN connection to a Loopback Interface using Virtual IP, and use a firewall policy and Virtual IP to forward SSL VPN connection attempts to the loopback interface.
With this method, the administrator can use a regular firewall policy to filter inbound connections.
config firewall policy
edit <index>
set name "SSL-INBOUND-RULE"
set srcintf "wan1"
set dstintf "Loop1"
set action accept
set srcaddr "Allow US IPs Only"
set dstaddr "SSLVPN-VIP"
set schedule "always"
set service "ALL"
set logtraffic all
next
end
Note:
As of v7.6.3, the SSL VPN tunnel mode will no longer be supported, and SSL VPN web mode will be called 'Agentless VPN'.
Related articles:
Technical Tip: How to set geolocation address for SSL VPN authentication rule
