Description
This article describes how to restrict SSL VPN connectivity to clients from certain countries. By default, the SSL VPN portal is reachable from any public IP address on the Internet; access can be restricted to a specified set of allowed sources using IP/Subnet address objects and Geo-IP address objects.
Scope
FortiGate.
Solution
There are three methods to block the connections: the source address under the VPN SSL settings, a local-in policy, and regular firewall policies when the listening interface is moved to a loopback.
The Restrict Access (source-address) setting can be modified without disrupting existing SSL VPN connections, provided the modification still allows each connected user's source address. For example:
config firewall address
    edit "restriction_poland"
        set type geography
        set country "PL" <- Only allows connections from Poland.
    next
end
config firewall addrgrp
    edit "Geo_restriction_ssl_vpn"
        set member "restriction_poland"
    next
end
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 444
    set source-interface "wan1"
    set source-address "Geo_restriction_ssl_vpn"
end
From the GUI.
In the preceding example, users from Poland are permitted to connect to this SSL VPN. However, if it is also necessary to add a few individual IP addresses/ranges from an undefined Country/Region, the address objects can be included under SSL VPN settings as shown below.
If connections still arrive from IP addresses in countries that should not be allowed, first update the Geo-IP database:
execute update-geo-ip
To find the country a given IP is mapped to:
diagnose firewall ipgeo ip2country x.x.x.x <- The IP to look up.
Alternatively, check the IP with Instant IP Address Lookup (whatismyipaddress.com).
The source address can also be restricted per authentication rule under the SSL VPN settings:
config vpn ssl settings
    config authentication-rule
        edit 1
            set source-interface "wan1" <- Interface specified in the SSL VPN settings.
            set source-address "Allow US IPs Only" <- Geo-IP address object for the country to allow.
            set groups "SSLVPN_users" <- The user group used in the SSL VPN firewall policy.
            set portal "full-access"
        next
    end
end
Method 2: Local-in-Policy:
Create local-in policies that allow traffic from a specific country and deny it from all others:
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Allow US IPs Only"
        set srcaddr-negate enable <- Negates the source group; here it matches any IP that is not in the US.
        set dstaddr "all"
        set service "SSLVPN-Port" <- Service object for the port used for SSL VPN connections.
        set schedule "always"
        set action deny
    next
    edit 0 <- 0 creates the policy with the next free ID.
        set intf "wan1"
        set srcaddr "Allow US IPs Only"
        set dstaddr "all"
        set service "SSLVPN-Port" <- Service object for the port used for SSL VPN connections.
        set schedule "always"
        set action accept
    next
end
Note:
Local-in policies are processed top to bottom; the first matching policy applies.
The newly created policies are then visible in the GUI.
It may be necessary to enable the feature in the GUI first to see the current settings: go to System -> Feature Visibility, check Local-In Policy and select Apply.
Starting from FortiGate v7.6.0, the local-in policy can also be configured in the GUI. For details, refer to: Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI.
For the SSL VPN configuration and the port used in this article, see: SSL VPN best practices | FortiGate / FortiOS 7.4.1 | Fortinet Document Library
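To make the processing order and the srcaddr-negate semantics of Method 2 concrete, the following Python script (an added example, not Fortinet code) parses the two local-in policies and evaluates sample sources against them. The Geo-IP lookup table, the address-group membership and the sample IPs are constructed stand-ins for the FortiGate's Geo-IP database and address objects.

```python
"""Simulate FortiOS local-in-policy matching: top to bottom, first match wins,
implicit accept when nothing matches. Added example, not Fortinet code."""
import re
# Constructed stand-in for the Geo-IP database (what 'diagnose firewall ipgeo
# ip2country' would return on the unit); the IPs are documentation ranges.
GEOIP = {"203.0.113.7": "US", "198.51.100.9": "PL", "192.0.2.44": "DE"}
# Constructed geography address group: group name -> member country codes.
ADDR_GROUPS = {"Allow US IPs Only": {"US"}}

# The article's two policies; 'edit 0' on the page becomes the next free ID (2).
LOCAL_IN_POLICY = """
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Allow US IPs Only"
        set srcaddr-negate enable
        set service "SSLVPN-Port"
        set action deny
    next
    edit 2
        set intf "wan1"
        set srcaddr "Allow US IPs Only"
        set service "SSLVPN-Port"
        set action accept
    next
end
"""

def parse_policies(text):
    """Return the edit blocks in file order, each as a dict of its 'set' lines."""
    policies = []
    for pol_id, body in re.findall(r"edit (\d+)(.*?)next", text, re.S):
        pol = {"id": int(pol_id), "srcaddr-negate": "disable"}
        for key, val in re.findall(r'set ([\w-]+) "?([^"\n]+)"?', body):
            pol[key] = val
        policies.append(pol)
    return policies

def evaluate(policies, src_ip, intf, service):
    """Return (action, policy id) of the first match, or ('accept', None)."""
    country = GEOIP.get(src_ip, "??")  # unknown location never matches a group
    for pol in policies:
        in_group = country in ADDR_GROUPS[pol["srcaddr"]]
        negated = pol["srcaddr-negate"] == "enable"
        # With srcaddr-negate enabled the policy matches sources outside the group.
        if pol["intf"] == intf and pol["service"] == service and in_group != negated:
            return pol["action"], pol["id"]
    return "accept", None  # local-in traffic is allowed unless a policy denies it
if __name__ == "__main__":
    pols = parse_policies(LOCAL_IN_POLICY)
    for ip, cc in GEOIP.items():
        print(ip, cc, evaluate(pols, ip, "wan1", "SSLVPN-Port"))
```

Note that a non-US source hitting a different service (for example the management HTTPS port) falls through both policies and is still implicitly accepted, which is why the local-in policies only protect the SSL VPN port they name.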
Method 3:
Instead of using the outside interface, such as wan1, as the listening interface for SSL VPN connections, configure a loopback interface with a private IP and use the port-forward/VIP/static NAT configuration below to forward the inbound SSL VPN port to it. With this configuration, the administrator can filter inbound connections with a regular firewall policy.
CLI Loopback:
config system interface
    edit "Loop1"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.255
        set allowaccess ping https http
        set type loopback
        set alias "Loop1"
        set role lan
    next
end
VIP:
config firewall vip
    edit "SSLVPN-VIP"
        set uuid 4543d44c-ce91-51ef-605c-a619d14a6d20
        set extip <public IP>
        set mappedip "192.168.1.1"
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end
A regular firewall policy then filters the inbound connections:
config firewall policy
    edit 4
        set name "SSL-INBOUND-RULE"
        set srcintf "wan1"
        set dstintf "Loop1"
        set action accept
        set srcaddr "Allow US IPs Only"
        set dstaddr "SSLVPN-VIP"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
Copyright 2025 Fortinet, Inc. All Rights Reserved.