ppatel
Staff
Article Id 191997

Description


The article describes how to restrict SSL VPN connectivity from certain countries. By default, the SSL VPN is accessible to all public IP addresses from the Internet. Still, it is possible to restrict access to a specified set of allowed IP addresses using IP/Subnet Address Objects and Geo-IP Address objects.

 

Scope

 

FortiGate.

Solution

 

There are three methods to restrict the connection: the source-address setting under the SSL VPN settings, a local-in policy, and regular firewall policies after moving the SSL VPN listening interface to a loopback interface.

 

 

Method 1: Source-address.

The Restrict Access (aka source-address) configuration can be modified without disrupting existing SSL VPN connections, though only if the modifications continue to allow a given user's source address to connect. For example:

  • If the Restrict Access option is set to Limit access to specific hosts, and the Hosts include Canada and USA Geography Address objects, then users in Canada and the USA can connect to the SSL VPN.
  • If Canada is then removed from this config and the changes are applied, any connected Canadian Users will be disconnected (since they have become disallowed).
  • On the other hand, adding a Mexico Geography Address object to the allowed hosts will not disrupt any existing connections for USA/Canadian VPN users.
  1. Configure the firewall address with the geography type.

config firewall address
    edit "restriction_poland"
        set type geography
        set country "PL"  <- Only allows connections from Poland.
    next
end

 

  2. Configure the firewall address group.

 

config firewall addrgrp
    edit "Geo_restriction_ssl_vpn"
        set member "restriction_poland"
    next
end

 

  3. Configure the firewall address group as the source-address under SSL VPN settings.

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 444
    set source-interface "wan1"
    set source-address "Geo_restriction_ssl_vpn"
end

 

From the GUI:

 

  1. Go to Policy & Objects -> Addresses, select 'Create new', select 'Geography' as the address Type, and select the country to allow.

 
If there is more than one country to allow, create a group on the firewall. Refer to this KB article, Technical Tip: Script to create Address objects and one address group for all geography countries on FortiGate, to import all geography address objects via script.
 
  2. After creating the country address object, it must be mapped in the SSL VPN settings to restrict access. Go to VPN -> SSL-VPN Settings. Under 'Restrict Access', select 'Limit access to specific hosts' and add the address object created in Step 1 to allow access to the VPN.
 
 
 
This will ensure that only the selected Country/Region IP addresses can connect to the SSL VPN. Only IP and Geo objects can be configured here. User and User Group objects CANNOT be configured here.
 
Note:
  • If the original public source IP is not visible to FortiGate, the geo-ip location-based restriction will not work.
  • If there are SSL VPN authentication rules that have source-address defined as 'all', the globally configured source-address will not work.

 

In the preceding example, users from Poland are permitted to connect to this SSL VPN. However, if it is also necessary to add a few individual IP addresses/ranges from an undefined Country/Region, the address objects can be included under SSL VPN settings as shown below.

 
(Screenshot: SSL VPN settings with the geography object and the additional IP address objects listed under 'Restrict Access'.)

 

If login attempts from IPs in countries that are not allowed still appear, follow the steps below:

 

  1. Check the VPN event logs for login attempts from IPs outside the allowed country (the US in this example).
  2. Check the location of such an IP with the geo-IP command. Be sure to update the geo-IP database on the FortiGate first with the following command:

 

execute update-geo-ip


To find the location of the IP:

 

diagnose firewall ipgeo ip2country x.x.x.x <- The IP.

 

Alternatively, check with Instant IP Address Lookup (whatismyipaddress.com)

 

  3. Create an authentication rule if one is not present. If one is present, add the source interface and source address under it:

config vpn ssl settings
    config authentication-rule
        edit 1
            set source-interface "wan1" <- Interface specified in the SSL VPN settings.
            set source-address "Allow US IPs Only" <- Address object or group for the country to allow.
            set groups "SSLVPN_users" <- The user group used in the SSL VPN firewall policy.
            set portal "full-access"
        next
    end
end

 

  4. After these changes, no further attempts from outside the US will appear in the VPN event logs. Another method is to use a local-in policy to block any attempts to connect to the SSL VPN.
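As an added example that is not part of the article, the following Python script performs the log check from step 1 offline: it parses FortiGate-style key=value SSL VPN event lines, keeps the remote IPs that fall outside the allowed ranges, and counts the events per IP so each one can then be looked up with the geo-IP command above. The log lines and the allowed range are constructed sample values.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in FortiGate key=value event-log style (not real logs).
# In SSL VPN event logs, remip carries the peer's public source address.
SAMPLE_LOG = """\
date=2024-01-10 time=08:01:02 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="admin" reason="sslvpn_login_unknown_user"
date=2024-01-10 time=08:01:05 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="test" reason="sslvpn_login_unknown_user"
date=2024-01-10 time=08:02:11 type="event" subtype="vpn" action="tunnel-up" remip=198.51.100.20 user="jsmith" reason="N/A"
date=2024-01-10 time=08:03:40 type="event" subtype="vpn" action="ssl-login-fail" remip=192.0.2.99 user="root" reason="sslvpn_login_unknown_user"
"""

# Hypothetical allowed ranges, standing in for the IP/Subnet objects that are
# added under 'Restrict Access' next to the geography object (constructed values).
ALLOWED = [ipaddress.ip_network("198.51.100.0/24")]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def is_allowed(ip):
    """True when the IP falls inside one of the allowed ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED)

def unexpected_sources(log_text):
    """Count SSL VPN events per remote IP that is outside ALLOWED.
    Returns {ip: count}; each IP can then be checked on the FortiGate with
    'diagnose firewall ipgeo ip2country <ip>'."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") != "vpn" or "remip" not in rec:
            continue
        if not is_allowed(rec["remip"]):
            hits[rec["remip"]] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, n in unexpected_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} event(s) from outside the allowed ranges")
```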

 

Method 2: Local-in-Policy:

Create local-in policies that allow traffic from a specific country and deny it from all others:

 

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Allow US IPs Only"
        set srcaddr-negate enable   <- Negates the source group; in this scenario it matches any IP outside the US.
        set dstaddr "all"
        set service "SSLVPN-Port"   <- Service object for the port used by SSL VPN connections.
        set schedule "always"
        set action deny
    next
    edit 2
        set intf "wan1"
        set srcaddr "Allow US IPs Only"
        set dstaddr "all"
        set service "SSLVPN-Port"   <- Service object for the port used by SSL VPN connections.
        set schedule "always"
        set action accept
    next
end


Note:

The policies are processed in order, from top to bottom.

After this, the newly created policies are visible in the GUI.

 

Note that it may be necessary to enable the Local-In Policy feature in the GUI to view the current settings: go to System -> Feature Visibility, check 'Local In Policy', and select Apply.

 

(Screenshot: the local-in policies as displayed in the GUI.)

 

Starting from FortiGate v7.6.0, the local-in policy can also be configured in the GUI. Refer to: Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI.

 

For more information on the SSL VPN configuration and the port used in this article, refer to: SSL VPN best practices | FortiGate / FortiOS 7.4.1 | Fortinet Document Library.
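To make the top-to-bottom processing and the effect of srcaddr-negate in Method 2 concrete, here is an added Python model of the two local-in policies (an illustration written for this page, not FortiOS code). The country a source IP resolves to is taken as given, the group membership is assumed to be the single country code "US", and the "SSLVPN-Port" service is assumed to be TCP 443.

```python
from dataclasses import dataclass

# Illustrative model only. A geography address group is represented by the set
# of country codes it covers (assumed content of "Allow US IPs Only").
GROUPS = {"Allow US IPs Only": {"US"}}
SSLVPN_PORT = 443  # assumed port behind the "SSLVPN-Port" service object

@dataclass
class LocalInPolicy:
    intf: str
    srcaddr: str            # address group name
    service_port: int
    action: str             # "accept" or "deny"
    srcaddr_negate: bool = False

    def matches(self, intf, country, dport):
        src_hit = country in GROUPS[self.srcaddr]
        if self.srcaddr_negate:        # negate: match everything NOT in the group
            src_hit = not src_hit
        return self.intf == intf and src_hit and dport == self.service_port

def evaluate(policies, intf, country, dport):
    """Top-to-bottom, first-match evaluation of local-in policies.
    Returns the matching policy's action, or "no-match" when none applies
    (the implicit local-in behaviour then decides, as for other traffic)."""
    for pol in policies:               # list order is the policy order
        if pol.matches(intf, country, dport):
            return pol.action
    return "no-match"

# The two policies from the article: deny everything outside the US group on
# the SSL VPN port, then accept the US group.
POLICIES = [
    LocalInPolicy("wan1", "Allow US IPs Only", SSLVPN_PORT, "deny", srcaddr_negate=True),
    LocalInPolicy("wan1", "Allow US IPs Only", SSLVPN_PORT, "accept"),
]

# The same deny policy with srcaddr-negate left disabled: it now matches the
# US group itself, so the allowed country is locked out.
MISCONFIGURED = [
    LocalInPolicy("wan1", "Allow US IPs Only", SSLVPN_PORT, "deny"),
    LocalInPolicy("wan1", "Allow US IPs Only", SSLVPN_PORT, "accept"),
]

if __name__ == "__main__":
    print(evaluate(POLICIES, "wan1", "US", 443))        # accept
    print(evaluate(POLICIES, "wan1", "PL", 443))        # deny
    print(evaluate(POLICIES, "wan1", "PL", 22))         # no-match: other services untouched
    print(evaluate(MISCONFIGURED, "wan1", "US", 443))   # deny
```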

 

 

Method 3: Loopback interface with VIP.

Instead of using the outside interface, such as wan1, as the inbound interface for SSL VPN connections, configure a loopback interface with a private IP and follow the configuration below for port forwarding (VIP/static NAT) of the inbound SSL VPN port. With this configuration, the administrator can use a regular firewall policy to filter inbound connections.

 

CLI Loopback:

 

config system interface
    edit "Loop1"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.255
        set allowaccess ping https http
        set type loopback
        set alias "Loop1"
        set role lan
    next
end

 

VIP:

 

config firewall vip
    edit "SSLVPN-VIP"
        set uuid 4543d44c-ce91-51ef-605c-a619d14a6d20
        set extip <public IP>
        set mappedip "192.168.1.1"
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

 

A regular firewall policy then applies as follows:

 

config firewall policy
    edit 4
        set name "SSL-INBOUND-RULE"
        set srcintf "wan1"
        set dstintf "Loop1"
        set action accept
        set srcaddr "Allow US IPs Only"
        set dstaddr "SSLVPN-VIP"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end