Description | This article describes a workaround that allows a banned GeoIP address to access SSL-VPN. |
Scope | FortiGate. |
Solution |
In this scenario, FortiGate has been configured to restrict SSL-VPN access to allowed GeoIP locations, and the administrator wants to override this by allowing a specific banned GeoIP address to access SSL-VPN.
The banned GeoIP traffic can be seen in the debug flow outputs.
FortiGate # id=20085 trace_id=1 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 113.211.210.124:64142->10.47.18.149:10443) tun_id=0.0.0.0 from port1. flag [S], seq 3275722027, ack 0, win 64240"
Verify the GeoIP information by executing the following command.
For example:
# diagnose firewall ipgeo ip2country 113.211.210.124
To verify the SSL-VPN settings.
As a workaround, apply the following configuration to override the geolocation mappings.
# config system geoip-override
|
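When the debug flow capture is long, the source addresses to look up with ip2country can be pulled out of it with a short script. The following is an added example, not part of the original article or of any Fortinet tooling: it parses print_pkt_detail lines in the format shown above and counts new TCP connection attempts (SYN) to the SSL-VPN port per source. The function names are hypothetical, and every sample line except the first (which is the trace from the article) is constructed.

```python
import re
from collections import Counter

# Constructed sample: line 1 is the trace quoted in the article; lines 2-4 are
# made up in the same format (198.51.100.0/24 and 203.0.113.0/24 are doc ranges).
SAMPLE = '''\
id=20085 trace_id=1 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 113.211.210.124:64142->10.47.18.149:10443) tun_id=0.0.0.0 from port1. flag [S], seq 3275722027, ack 0, win 64240"
id=20085 trace_id=2 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 113.211.210.124:64143->10.47.18.149:10443) tun_id=0.0.0.0 from port1. flag [S], seq 3275722990, ack 0, win 64240"
id=20085 trace_id=3 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 198.51.100.7:51000->10.47.18.149:443) tun_id=0.0.0.0 from port1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=4 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 203.0.113.9:40000->10.47.18.149:10443) tun_id=0.0.0.0 from port1. flag [.], seq 5, ack 9, win 502"
'''

# Fields of interest in a print_pkt_detail message: protocol number,
# source/destination socket, ingress interface and TCP flags.
PKT = re.compile(
    r'func=print_pkt_detail .*?received a packet\(proto=(?P<proto>\d+), '
    r'(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\)'
    r'.*? from (?P<intf>\S+?)\. flag \[(?P<flag>[^\]]*)\]')


def parse_flow(text):
    """Yield one dict per print_pkt_detail line; other debug lines are skipped."""
    for line in text.splitlines():
        m = PKT.search(line)
        if m:
            yield m.groupdict()


def syn_sources(text, vpn_port):
    """Count TCP SYNs (new connection attempts) to the SSL-VPN port per source IP."""
    hits = Counter()
    for p in parse_flow(text):
        if p['proto'] == '6' and p['flag'] == 'S' and p['dport'] == str(vpn_port):
            hits[p['src']] += 1
    return hits


if __name__ == '__main__':
    for ip, n in syn_sources(SAMPLE, 10443).most_common():
        # Each address is a candidate for the ip2country lookup from the article.
        print(f'{n:3d} SYN  {ip}  -> diagnose firewall ipgeo ip2country {ip}')
```

The script only lists who attempted to connect. Whether a source is actually blocked by the GeoIP restriction still has to be confirmed with the ip2country lookup and the SSL-VPN settings.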