Created on 08-21-2022 09:51 PM
Edited on 07-31-2024 09:52 PM
By Jean-Philippe_P
Description
The article explains how to schedule access to SSL-VPN using Local-in-Policy.
By default, the SSL VPN portal is reachable from any public address on the internet at all times.
Solution
In this example, SSL VPN is only accessible Monday to Friday between 09:00 AM and 06:00 PM and is blocked outside business hours.
- Configure two recurring schedules, one covering weekday evenings and nights (the window wraps past midnight) and one covering the whole weekend:
config firewall schedule recurring
    edit "DENY-OFF-BH-MON-FRI"
        set start 18:01
        set end 08:59
        set day sunday monday tuesday wednesday thursday friday
    next
    edit "DENY-OFF-BH-SAT-SUN"
        set day sunday saturday
    next
end
- Configure a firewall address object for the SSL VPN server IP:
config firewall address
    edit "SSLVPN-PUBLIC-IP"
        set uuid e4bff0ac-20ea-51ed-7e95-8ab74c1bb2e7
        set allow-routing enable
        set subnet 10.47.3.73 255.255.255.255
    next
end
- Configure a custom service for the SSL VPN port:
config firewall service custom
    edit "SSLVPN"
        set category "Network Services"
        set tcp-portrange 10443
    next
end
- Configure SSL VPN following the guide: FortiGate 7.0.6 SSL VPN
- Configure the firewall local-in-policy.
Note:
The feature becomes visible in the GUI once it is enabled under System -> Feature Visibility -> Additional Features -> Local In Policy.
In earlier versions, local-in policies can only be configured via the CLI; starting from v7.6.0 they can be configured directly through the GUI.
CLI:
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "all"
        set dstaddr "SSLVPN-PUBLIC-IP"
        set service "SSLVPN"
        set schedule "DENY-OFF-BH-MON-FRI"
    next
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "SSLVPN-PUBLIC-IP"
        set service "SSLVPN"
        set schedule "DENY-OFF-BH-SAT-SUN"
    next
end
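Because the first schedule wraps past midnight and the two schedules overlap on Sunday, it is worth checking that together they block exactly the complement of the Monday-Friday 09:00-18:00 window. The Python model below is an added example, not part of the article or of FortiOS; it encodes the two recurring schedules and the two local-in policies above and sweeps one week minute by minute looking for minutes that are blocked when they should be open, or open when they should be blocked. The schedule semantics it assumes (minute granularity, start and end minutes inclusive, a window with end earlier than start continuing into the next day, no start/end meaning the whole day) and the constructed sample timestamps are assumptions made for the model; the policies carry no explicit action, which the model treats as deny, the FortiOS default for local-in policies.

```python
"""Model of the article's recurring schedules and local-in policies.

Assumed schedule semantics (an assumption of this example, not taken from
FortiOS documentation):
- evaluated at minute granularity, active from the start minute through the
  end minute inclusive;
- when end < start the window wraps past midnight: a listed day covers
  [start, 23:59] of that day plus [00:00, end] of the following day;
- a schedule with no start/end is active for the whole of each listed day.
"""
from datetime import datetime, time, timedelta

DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]

# Constructed from the article's "config firewall schedule recurring" block.
SCHEDULES = {
    "DENY-OFF-BH-MON-FRI": {
        "start": time(18, 1),
        "end": time(8, 59),
        "days": {"sunday", "monday", "tuesday", "wednesday", "thursday", "friday"},
    },
    "DENY-OFF-BH-SAT-SUN": {
        "start": None,
        "end": None,
        "days": {"sunday", "saturday"},
    },
}

# Local-in policies in evaluation order: (policy id, schedule name).
# No action is set in the article, so each policy is modelled as deny.
LOCAL_IN_POLICIES = [(1, "DENY-OFF-BH-MON-FRI"), (2, "DENY-OFF-BH-SAT-SUN")]


def schedule_active(sched, when):
    """Return True if the recurring schedule is active at datetime `when`."""
    today = DAY_NAMES[when.weekday()]
    yesterday = DAY_NAMES[(when - timedelta(days=1)).weekday()]
    t = when.time().replace(second=0, microsecond=0)
    start, end = sched["start"], sched["end"]
    if start is None or end is None:
        return today in sched["days"]
    if start <= end:
        return today in sched["days"] and start <= t <= end
    # Window wraps past midnight: tail of a listed day, or head of the day after one.
    if today in sched["days"] and t >= start:
        return True
    return yesterday in sched["days"] and t <= end


def matching_policy(when):
    """Id of the first local-in policy whose schedule is active, or None if none matches."""
    for policy_id, name in LOCAL_IN_POLICIES:
        if schedule_active(SCHEDULES[name], when):
            return policy_id
    return None


def should_be_blocked(when):
    """Intended outcome: reachable only Monday-Friday, 09:00 through 18:00 inclusive."""
    t = when.time().replace(second=0, microsecond=0)
    return not (when.weekday() < 5 and time(9, 0) <= t <= time(18, 0))


def find_gaps(week_start=datetime(2024, 7, 29)):  # 2024-07-29 is a Monday
    """Sweep one week minute by minute and return every datetime where the
    policies and the intended outcome disagree (empty list means no gaps)."""
    gaps = []
    for i in range(7 * 24 * 60):
        when = week_start + timedelta(minutes=i)
        blocked = matching_policy(when) is not None
        if blocked != should_be_blocked(when):
            gaps.append(when)
    return gaps


if __name__ == "__main__":
    # Constructed sample timestamps covering a weekday morning, office hours,
    # a weekday evening, a Saturday and a Sunday night.
    for stamp in ["2024-07-29 08:30", "2024-07-29 12:00", "2024-07-29 18:30",
                  "2024-08-03 12:00", "2024-08-04 23:30"]:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        print(stamp, DAY_NAMES[when.weekday()], "deny policy:", matching_policy(when))
    print("mismatching minutes in one week:", len(find_gaps()))
```

If the real appliance turns out to treat the end minute as exclusive, only `schedule_active` needs to change; `find_gaps` will then show whether the 18:00-18:01 and 08:59-09:00 boundaries still behave as intended.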
GUI:
Result:
The SSL VPN service will not be available during off-business hours.
This is very informative and helpful. Kudos to the Author!