FortiGate
adimailig
Staff
Article Id 221383
Description
This article explains how to restrict access to SSL-VPN to a schedule using a local-in policy.
By default, the SSL-VPN portal is reachable at all times from any public address on the internet.

Solution
In this example, SSL-VPN will only be accessible Monday to Friday from 09:00 AM to 06:00 PM and will be blocked during off-business hours (weekday evenings and nights, and all day Saturday and Sunday).

1) Configure two recurring schedules:

# config firewall schedule recurring
    edit "DENY-OFF-BH-MON-FRI"
        set start 18:01
        set end 08:59
        set day sunday monday tuesday wednesday thursday friday
    next
    edit "DENY-OFF-BH-SAT-SUN"
        set day sunday saturday
    next
end

2) Configure a firewall address object for the SSL-VPN server IP:

# config firewall address
    edit "SSLVPN-PUBLIC-IP"
        set uuid e4bff0ac-20ea-51ed-7e95-8ab74c1bb2e7
        set allow-routing enable
        set subnet 10.47.3.73 255.255.255.255
    next
end


3) Configure a service object for the SSL-VPN port:

# config firewall service custom
    edit "SSLVPN"
        set category "Network Services"
        set tcp-portrange 10443
    next
end


4) Configure SSL-VPN following the related guide:

https://docs.fortinet.com/document/fortigate/7.0.6/administration-guide/371626/ssl-vpn

5) Configure the firewall local-in policies.

Note:

Local-in policies can only be configured from the CLI. They become visible in the GUI once the feature is enabled under System -> Feature Visibility -> Additional Features -> Local In Policy. The action of a local-in policy defaults to deny, so the two policies below drop SSL-VPN connection attempts whenever their schedule is active.


# config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "all"
        set dstaddr "SSLVPN-PUBLIC-IP"
        set service "SSLVPN"
        set schedule "DENY-OFF-BH-MON-FRI"
    next
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "SSLVPN-PUBLIC-IP"
        set service "SSLVPN"
        set schedule "DENY-OFF-BH-SAT-SUN"
    next
end
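As an added check (example code written for this article, not part of it and not FortiOS code), the following Python models the two schedules above and walks a full week minute by minute to confirm that the deny policies cover exactly the off-business hours and nothing else. It assumes FortiOS treats a recurring schedule whose end time precedes its start time as running past midnight into the next day, and an unset start/end (00:00 to 00:00) as covering the whole listed day.

```python
from datetime import datetime, time, timedelta

# Constructed models of the two recurring schedules from the article.
# Assumed FortiOS semantics: end earlier than start wraps past midnight;
# start == end == 00:00 (nothing set) covers the whole of each listed day.
SCHEDULES = {
    "DENY-OFF-BH-MON-FRI": {
        "start": time(18, 1), "end": time(8, 59),
        "days": {"sunday", "monday", "tuesday", "wednesday", "thursday", "friday"},
    },
    "DENY-OFF-BH-SAT-SUN": {
        "start": time(0, 0), "end": time(0, 0),
        "days": {"sunday", "saturday"},
    },
}
DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


def schedule_active(sched: dict, when: datetime) -> bool:
    """True if the recurring schedule covers the given timestamp."""
    start, end = sched["start"], sched["end"]
    day, t = DAYS[when.weekday()], when.time()
    if start == end:                      # no start/end set: whole listed day
        return day in sched["days"]
    if start <= end:                      # window inside a single day
        return day in sched["days"] and start <= t <= end
    # Window wraps past midnight: after start on a listed day, or before
    # end on the day that follows a listed day.
    prev_day = DAYS[(when.weekday() - 1) % 7]
    return (day in sched["days"] and t >= start) or (prev_day in sched["days"] and t <= end)


def sslvpn_denied(when: datetime) -> bool:
    """Local-in policies default to deny, so any active deny schedule blocks SSL-VPN."""
    return any(schedule_active(s, when) for s in SCHEDULES.values())


def find_gaps(start: datetime, days: int = 7):
    """Return every minute in the window where the deny status disagrees with the
    intended rule (open Mon-Fri 09:00-18:00, blocked otherwise)."""
    gaps, t = [], start
    while t < start + timedelta(days=days):
        business_hours = t.weekday() < 5 and time(9, 0) <= t.time() <= time(18, 0)
        if sslvpn_denied(t) == business_hours:   # denied during business hours, or open outside
            gaps.append(t)
        t += timedelta(minutes=1)
    return gaps
```

An empty list from find_gaps() for a week starting on any Monday means the Sunday entry in the first schedule is what closes the gap between Sunday evening and Monday 08:59.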

Result:

The SSL-VPN service is unreachable during off-business hours and reachable Monday to Friday between 09:00 AM and 06:00 PM.


Comments
jbernabe
Staff

This is very informative and helpful. Kudos to the Author!