KC_Hing
Staff
Article Id 216445
Description This article describes a workaround to allow a specific IP address from a banned GeoIP location to access SSL-VPN.
Scope FortiGate.
Solution

In this scenario, FortiGate has been configured to restrict SSL-VPN access by GeoIP location, and the administrator wants to override this so that one specific IP address from a banned GeoIP location can access SSL-VPN.

The banned GeoIP traffic can be seen in the debug flow output; the connection is dropped by the local-in check on policy 0.


FortiGate # id=20085 trace_id=1 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 113.211.210.124:64142->10.47.18.149:10443) tun_id=0.0.0.0 from port1. flag [S], seq 3275722027, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=6003 msg="allocate a new session-0011a12b, tun_id=0.0.0.0"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2604 msg="find a route: flag=84000000 gw-10.47.18.149 via root"
id=20085 trace_id=1 func=fw_local_in_handler line=497 msg="iprope_in_check() check failed on policy 0, drop"

Verify the GeoIP classification of the source address with the following command:

# diagnose firewall ipgeo ip2country <IP address>

For example:

# diagnose firewall ipgeo ip2country 113.211.210.124
113.211.210.124 is in country: MY, registered country is MY, is not anycast ip.

To verify the SSL-VPN settings:

# config vpn ssl setting
       set source-interface "port1"
       set source-address "Malaysia" <-----
       set source-address-negate enable <----- GeoIP from Malaysia will be denied.
end

As a workaround, apply the following configuration to override the geolocation mapping for the specific address. The override assigns the address to the custom country code A0, so it no longer matches the "Malaysia" geography address object:

# config system geoip-override
    edit "AllowMY"
        set country-id "A0"
        config ip-range
            edit 1
                set start-ip 113.211.210.124
                set end-ip 113.211.210.124
            next
        end
    next
end

Run the lookup again to confirm that the override is in effect:

# diagnose firewall ipgeo ip2country 113.211.210.124
113.211.210.124 is in country: A0, registered country is A0, is not anycast ip.

Because the address now resolves to country A0 instead of MY, it no longer matches the negated source-address "Malaysia", and the SSL-VPN connection is permitted.
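The following Python script is an added example, not Fortinet code, that models the two mechanisms this article relies on: it extracts the dropped source address from the debug flow output shown above, then evaluates the SSL-VPN source-address / source-address-negate logic before and after a geoip-override entry is added. The GeoIP table, the mapping of geography address objects to country codes, and the "ZZ" code for unknown addresses are constructed assumptions for the demonstration; the debug flow lines are the ones from this article.

```python
import ipaddress
import re

# Debug flow output copied from the article above; the lookups below use it as input.
DEBUG_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 113.211.210.124:64142->10.47.18.149:10443) tun_id=0.0.0.0 from port1. flag [S], seq 3275722027, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=6003 msg="allocate a new session-0011a12b, tun_id=0.0.0.0"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2604 msg="find a route: flag=84000000 gw-10.47.18.149 via root"
id=20085 trace_id=1 func=fw_local_in_handler line=497 msg="iprope_in_check() check failed on policy 0, drop"
"""

# Constructed, simplified GeoIP table (hypothetical; not FortiGuard data): country code -> networks.
GEOIP_DB = {
    "MY": [ipaddress.ip_network("113.211.0.0/16")],
    "SG": [ipaddress.ip_network("103.1.0.0/16")],
}

# Geography address objects referenced by 'set source-address': object name -> country code (assumed).
GEO_ADDRESSES = {"Malaysia": "MY", "Singapore": "SG"}

TRACE_RE = re.compile(r"\btrace_id=(\d+)\b")
PKT_RE = re.compile(r"received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\)")


def dropped_sources(debug_output):
    """Map trace_id -> (source IP, destination port) for every trace that ended in a local-in drop."""
    packets, dropped = {}, set()
    for line in debug_output.splitlines():
        t = TRACE_RE.search(line)
        if not t:
            continue
        tid = t.group(1)
        m = PKT_RE.search(line)
        if m:
            packets[tid] = (m.group(2), int(m.group(5)))
        if "check failed" in line and line.rstrip().endswith('drop"'):
            dropped.add(tid)
    return {tid: packets[tid] for tid in sorted(dropped) if tid in packets}


def make_override(name, country_id, start_ip, end_ip):
    """Model one 'config system geoip-override' entry with a single ip-range."""
    return {"name": name, "country_id": country_id,
            "ranges": [(ipaddress.ip_address(start_ip), ipaddress.ip_address(end_ip))]}


def ip2country(ip, db=GEOIP_DB, overrides=None):
    """Model 'diagnose firewall ipgeo ip2country': overrides take precedence over the base table."""
    addr = ipaddress.ip_address(ip)
    for ov in overrides or []:
        if any(start <= addr <= end for start, end in ov["ranges"]):
            return ov["country_id"]
    for country, networks in db.items():
        if any(addr in net for net in networks):
            return country
    return "ZZ"  # unknown / unassigned (assumed code for this model)


def sslvpn_permits(ip, source_address, negate, db=GEOIP_DB, overrides=None):
    """Evaluate 'set source-address X' plus 'set source-address-negate' for one client IP.

    With negate disabled, only addresses matching the object are permitted;
    with negate enabled, only addresses NOT matching the object are permitted.
    """
    matches = ip2country(ip, db, overrides) == GEO_ADDRESSES.get(source_address)
    return matches != negate


if __name__ == "__main__":
    for tid, (src, dport) in dropped_sources(DEBUG_FLOW).items():
        print(f"trace {tid}: {src} -> port {dport} dropped, country {ip2country(src)}")
        print("  permitted before override:", sslvpn_permits(src, "Malaysia", True))
        ov = [make_override("AllowMY", "A0", src, src)]
        print("  country after override:   ", ip2country(src, overrides=ov))
        print("  permitted after override: ", sslvpn_permits(src, "Malaysia", True, overrides=ov))
```

Running the script walks the article's scenario end to end: the dropped source 113.211.210.124 resolves to MY and is denied by the negated "Malaysia" object; once the single-address override maps it to A0, the same evaluation permits it, while a neighbouring address that is not covered by the override stays denied. The override is deliberately a /32-equivalent range so that the exception is as narrow as the article's configuration.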
