sagha (Staff)
Article Id 194231

Description

This article describes an issue where 'source-address' configured under 'config vpn ssl settings' does not take effect when the same parameter is also set under 'config authentication-rule'.
The source-address configured under 'config authentication-rule' takes precedence.


Example:


config vpn ssl settings
    set source-interface "wan1"
    set source-address "Geo_restriction_ssl_vpn"
    set default-portal "Internet"
        config authentication-rule
            edit 1
                set source-interface "wan1"
                set source-address "all"
                set groups "VPN_users"
                set portal "Internet"
            next
        end
end


In the above configuration, the administrator intended that only source addresses included in 'Geo_restriction_ssl_vpn' could attempt to connect to SSL-VPN. However, when users try to connect, the source-address 'all' configured on the authentication-rule takes precedence, and a user can reach the portal 'Internet' regardless of the source IP address.
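The precedence described above can be audited offline from an exported configuration. The following is an added example (not Fortinet code) that parses the 'config vpn ssl settings' block and reports authentication-rules whose own source-address differs from the global one; the sample configuration is constructed to reproduce the misconfiguration shown in this article.

```python
import re

# Constructed sample reproducing the article's misconfiguration: a restricted
# global source-address, but "all" on the authentication-rule.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set source-interface "wan1"
    set source-address "Geo_restriction_ssl_vpn"
    set default-portal "Internet"
        config authentication-rule
            edit 1
                set source-address "all"
                set groups "VPN_users"
                set portal "Internet"
            next
        end
end
"""
_SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*)$')

def parse_ssl_settings(text):
    """Return (global_settings, {rule_id: settings}) for 'config vpn ssl settings'.
    Values are lists of names, since FortiOS allows several quoted objects."""
    global_settings, rules = {}, {}
    current, in_rules = None, False   # current = rule id while inside edit/next
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == 'config authentication-rule':
            in_rules = True
        elif in_rules and stripped.startswith('edit '):
            current = stripped.split(None, 1)[1]
            rules[current] = {}
        elif stripped == 'next':
            current = None
        elif stripped == 'end' and in_rules and current is None:
            in_rules = False
        elif (m := _SET_RE.match(line)):
            target = rules[current] if current else global_settings
            target[m.group(1)] = re.findall(r'"([^"]*)"', m.group(2)) or m.group(2).split()
    return global_settings, rules

def find_overriding_rules(text):
    """IDs of authentication-rules whose own source-address differs from the
    global one; for those rules the global restriction is silently ignored."""
    glob, rules = parse_ssl_settings(text)
    g_addr = set(glob.get('source-address', []))
    if not g_addr or g_addr == {'all'}:      # no global restriction to override
        return []
    return [rid for rid, r in rules.items()
            if 'source-address' in r and set(r['source-address']) != g_addr]
```

Any rule ID returned is one where the global 'Geo_restriction_ssl_vpn' restriction will not apply; an empty list means every rule that sets source-address matches the global value.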


Scope


FortiGate.

Solution


To restrict access based on source address, set the same source-address under 'config authentication-rule' as well, or remove the source-interface configuration from the authentication-rule.


config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 444
    set source-interface "wan1"
    set source-address "Geo_restriction_ssl_vpn"
    set default-portal "Internet"
        config authentication-rule
            edit 1
                set source-interface "wan1"
                set source-address "Geo_restriction_ssl_vpn"
                set groups "VPN_users"
                set portal "Internet"
            next
        end
end


Related documents:

Technical Note: SSL VPN source-interface setting in authentication rule taking precedence

Technical Tip: Restricting SSL VPN connectivity from certain countries using firewall geography addr...
