FortiGate
Matt_L
Staff
Article Id 277276
Description This article describes how to restrict or allow SSL VPN access from users in specific countries using the FortiGate SSL VPN settings. GUI and CLI methods are shown.
Scope FortiGate.
Solution

Note:

This article assumes that all other SSL VPN settings have already been configured. The example restricts SSL VPN access so that only users connecting from Canada and the United States are allowed.

 

GUI configuration:

  1.  Create geo-ip addresses for Canada and the United States:
  • In the GUI, go to Policy & Objects -> Addresses and select 'Create New'.
  • Once on the 'New Address' page, configure the below fields:

Category: Address.
Name: geo-ip_Canada.
Type: Geography.
Country/Region: Canada.

 

Note:

The 'Color' and 'Interface' fields can be changed or left at their defaults.

 

  • Select 'OK' at the bottom of the page.
  • Repeat the above steps for the United States, using the name 'geo-ip_UnitedStates' and 'United States' as the Country/Region.

 

[Image: geo-ip_address_creation_GUI.JPG]

 

  2. Once the geo-IP address objects have been created for Canada and the United States, they need to be referenced in the 'Restrict Access' section of the SSL VPN settings page.
  • In the GUI, go to VPN -> SSL-VPN Settings, ensure that 'Limit access to specific hosts' is selected in the 'Restrict Access' section and that the 'geo-ip_Canada' and 'geo-ip_UnitedStates' geo-ip address objects are selected in the 'Hosts' section.
  • Select 'Apply' at the bottom of the page.

 

[Image: sslvpn_settings_GUI.JPG]


CLI configuration:

  1. Use the below CLI commands to create geo-ip addresses for Canada and the United States:

config firewall address
    edit "geo-ip_Canada"
        set type geography
        set country "CA"
    next
    edit "geo-ip_UnitedStates"
        set type geography
        set country "US"
    next
end

 

  2. Once the geo-IP address objects have been created for Canada and the United States, they need to be referenced in the SSL VPN settings using the below commands.

config vpn ssl settings
    set source-address "geo-ip_Canada" "geo-ip_UnitedStates"
end

 

Note:

  • The per-rule setting takes precedence. If an SSL VPN authentication rule (config vpn ssl settings -> config authentication-rule) has its own source-address set to 'all', users matching that rule are not limited by the global source-address. Either remove source-address from every authentication rule so the global setting applies, or set each rule's source-address to the geo-IP objects of the allowed countries.
  • Only IP address and geography address objects can be referenced here. User and user group objects CANNOT be configured here.
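The following is an added example, not part of the original article, that puts the CLI procedure above together with the authentication-rule caveat from the note. It shows a rule whose own source-address of 'all' silently bypasses the global geo restriction, followed by the corrected rule. The group name 'sslvpn-users', the portal name 'full-access' and the rule ID 1 are assumptions; lines beginning with '#' are annotations only.

```text
# Step 1: geography address objects for the allowed countries
config firewall address
    edit "geo-ip_Canada"
        set type geography
        set country "CA"
    next
    edit "geo-ip_UnitedStates"
        set type geography
        set country "US"
    next
end

# Step 2: global restriction. source-address-negate is left at its default
# (disable) so the list is an allow-list, not a block-list.
config vpn ssl settings
    set source-address "geo-ip_Canada" "geo-ip_UnitedStates"
    set source-address-negate disable
end

# Weak configuration (assumed rule, shown for contrast): the rule's own
# source-address of "all" overrides the global list, so members of
# "sslvpn-users" can log in from any country despite step 2.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "full-access"
            set source-address "all"
        next
    end
end

# Corrected configuration, option A: remove the per-rule source-address so
# the global setting from step 2 applies to this rule.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "full-access"
            unset source-address
        next
    end
end

# Corrected configuration, option B: restrict the rule itself to the same
# geography objects, which also works if other rules need a different list.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "full-access"
            set source-address "geo-ip_Canada" "geo-ip_UnitedStates"
        next
    end
end
```

After applying, 'show vpn ssl settings' displays the resulting global source-address and each authentication rule, so any rule still carrying a source-address of 'all' is visible at a glance.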