FortiGate
sagha, Staff
Article Id 194231

Description

When 'source-address' is configured under 'config vpn ssl settings', it does not take effect if the same parameter is also set under 'config authentication-rule'.
The source-address configured under 'config authentication-rule' takes precedence.


Example:

config vpn ssl settings
    set source-interface "wan1"
    set source-address "Geo_restriction_ssl_vpn"
    set default-portal "Internet"
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "all"
            set groups "VPN_users"
            set portal "Internet"
        next
    end
end


In the above configuration, the administrator intended that only source addresses included in 'Geo_restriction_ssl_vpn' be able to attempt an SSL VPN connection. However, when users try to connect, the source-address 'all' configured on the authentication-rule takes precedence, and a user is able to connect to the portal 'Internet' regardless of the source IP address.


Scope

FortiGate.

Solution


To restrict access to specific users based on source address, add the same source-address under 'config authentication-rule', or remove the source-interface configuration from the authentication-rule.


config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 444
    set source-interface "wan1"
    set source-address "Geo_restriction_ssl_vpn"
    set default-portal "Internet"
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "Geo_restriction_ssl_vpn"
            set groups "VPN_users"
            set portal "Internet"
        next
    end
end
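Because the per-rule source-address silently overrides the global one, a configuration review should compare the two rather than trust the global setting alone. The following script is an added example for this article (not Fortinet code): it parses a FortiOS CLI fragment with a minimal reader of the config/edit/set/next/end syntax and reports every authentication-rule whose source-address differs from the global 'config vpn ssl settings' value. The SAMPLE_CONFIG is constructed to mirror the problem and the fix above, with a hypothetical second rule and group 'VPN_admins' added for contrast; rules that leave source-address unset are skipped, since this article does not describe that case.

```python
"""Audit FortiOS SSL-VPN authentication-rules whose source-address
overrides the global 'config vpn ssl settings' source-address.

Added example for this article, not Fortinet code. The parser handles only
the config/edit/set/next/end keywords needed for this fragment.
"""
import shlex

# Constructed sample: rule 1 reproduces the article's problem ("all"),
# rule 2 (hypothetical group VPN_admins) shows the corrected form.
SAMPLE_CONFIG = """
config vpn ssl settings
    set source-interface "wan1"
    set source-address "Geo_restriction_ssl_vpn"
    set default-portal "Internet"
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "all"
            set groups "VPN_users"
            set portal "Internet"
        next
        edit 2
            set source-interface "wan1"
            set source-address "Geo_restriction_ssl_vpn"
            set groups "VPN_admins"
            set portal "Internet"
        next
    end
end
"""


def _node():
    # Each config table or edit entry holds its own settings and children.
    return {"settings": {}, "children": {}}


def parse_fortios(text):
    """Parse a FortiOS CLI fragment into nested dicts keyed by table/entry name."""
    root = _node()
    stack = [root]
    for raw in text.splitlines():
        # Drop a leading '#' that sometimes remains when CLI output is pasted.
        line = raw.strip().lstrip("# ").strip()
        if not line:
            continue
        tokens = shlex.split(line)
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            child = _node()
            stack[-1]["children"][" ".join(args)] = child
            stack.append(child)
        elif keyword == "edit":
            child = _node()
            stack[-1]["children"][args[0]] = child
            stack.append(child)
        elif keyword == "set":
            stack[-1]["settings"][args[0]] = args[1:]
        elif keyword in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def audit_ssl_vpn_source_address(config_text):
    """Return rules whose explicit source-address differs from the global value."""
    tree = parse_fortios(config_text)
    ssl = tree["children"].get("vpn ssl settings")
    if ssl is None:
        return []
    global_src = ssl["settings"].get("source-address")
    if global_src is None:
        return []  # nothing to compare against
    rules = ssl["children"].get("authentication-rule", _node())
    findings = []
    for rule_id, rule in rules["children"].items():
        rule_src = rule["settings"].get("source-address")
        if rule_src is None:
            continue  # unset per-rule value is outside this article's scope
        # The per-rule value takes precedence, so any mismatch widens (or changes) access.
        if set(rule_src) != set(global_src):
            findings.append({
                "rule": rule_id,
                "rule_source_address": rule_src,
                "global_source_address": global_src,
            })
    return findings


if __name__ == "__main__":
    for f in audit_ssl_vpn_source_address(SAMPLE_CONFIG):
        print(f"authentication-rule {f['rule']}: source-address {f['rule_source_address']} "
              f"overrides global {f['global_source_address']}")
```

Run against a full `show vpn ssl settings` capture, the audit prints one line per rule that overrides the global restriction; an empty result means every explicit per-rule source-address matches the global one, which is the state the Solution section describes.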


Related articles:

Technical Note: SSL VPN source-interface setting in authentication rule taking precedence

Technical Tip: Restricting SSL VPN connectivity from certain countries using firewall geography addr...