sagha (Staff)
Article Id 194231
Description
When 'source-address' is configured under 'config vpn ssl settings', it will not take effect if the same parameter is also set under 'config authentication-rule'.
The source-address configured under 'config authentication-rule' takes precedence over the one under 'config vpn ssl settings'.


Example:
# config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 444
    set source-interface "wan1"
    set source-address "Geo_restriction_ssl_vpn"
    set default-portal "Internet"
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "all"
            set groups "VPN_users"
            set portal "Internet"
        next
    end
end
In the above configuration, the intent is to allow SSL VPN connectivity only from sources matching 'Geo_restriction_ssl_vpn'. However, when users try to connect, the authentication rule setting 'set source-address "all"' takes precedence, and any user is able to connect to the portal 'Internet'.

Solution
To restrict SSL VPN access based on source address, the same source-address must also be set under 'config authentication-rule':
# config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 444
    set source-interface "wan1"
    set source-address "Geo_restriction_ssl_vpn"
    set default-portal "Internet"
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "Geo_restriction_ssl_vpn"
            set groups "VPN_users"
            set portal "Internet"
        next
    end
end
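As an added audit check (not part of this article or of FortiOS), the script below parses a 'show vpn ssl settings' dump and reports any authentication rule whose source-address differs from the global one, which is exactly the override described above. The sample dump is constructed to mirror the article's first configuration; treating a rule with no source-address as "all" is an assumption.

```python
"""Flag SSL VPN authentication rules that widen the global source-address."""
import re

SET_RE = re.compile(r'^set\s+(\S+)\s+(.*)$')

# Constructed sample mirroring the article's "before" configuration.
SAMPLE_DUMP = """\
config vpn ssl settings
    set source-interface "wan1"
    set source-address "Geo_restriction_ssl_vpn"
    set default-portal "Internet"
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "all"
            set groups "VPN_users"
            set portal "Internet"
        next
    end
end
"""

def parse_ssl_settings(dump: str):
    """Return (global settings, {rule id: rule settings}) from the dump."""
    global_set, rules = {}, {}
    current, in_rules = global_set, False
    for raw in dump.splitlines():
        line = raw.strip().lstrip('# ')  # some dumps keep the '# ' CLI prompt
        if line == 'config authentication-rule':
            in_rules = True
        elif in_rules and line.startswith('edit '):
            current = rules.setdefault(line.split(None, 1)[1], {})
        elif line in ('next', 'end'):
            current = global_set  # back to the settings table
            in_rules = in_rules and line != 'end'
        elif (m := SET_RE.match(line)):
            current[m.group(1)] = m.group(2).replace('"', '')
    return global_set, rules

def find_overriding_rules(dump: str):
    """(rule id, source-address) for rules whose source-address differs from the
    global one. Assumption: a rule with no source-address counts as "all"."""
    global_set, rules = parse_ssl_settings(dump)
    restriction = global_set.get('source-address', 'all')
    if restriction == 'all':
        return []  # no global restriction, so nothing can override it
    return [(rid, rule.get('source-address', 'all'))
            for rid, rule in rules.items()
            if rule.get('source-address', 'all') != restriction]
```

Run it against the output of 'show vpn ssl settings' from each FortiGate; an empty result means every authentication rule carries the same source-address restriction as the global setting.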

Related Articles

Technical Note: SSL VPN source-interface setting in authentication rule taking precedence

Technical Tip: Restricting SSL VPN connectivity from certain countries using firewall geography addr...
