Description
This article describes a scenario where a known good address is blocked by 'block failed SSLVPN logins autostitch'.
See Technical Tip: How to permanently block SSL VPN failed login for the autostitch setup 'block failed SSLVPN logins autostitch'.

Scope
FortiGate.

Solution
Take the following steps to get an address unblocked from the address group created by the stitch.
In the GUI, go to Policy and objects -> Address (see screenshots).
Select the address group that contains the blocked addresses.
Unselect the address that is known to be safe, then select 'OK'. See the screenshot below.
The address will now be unblocked.
To remove a member from the address group with the CLI, copy the highlighted text into a text editor:

    config firewall addrgrp
        edit "VPN_Failed_Login"
            set uuid e74f802e-e340-51ef-dbdb-9349087af049
            set member "SSLVPN-Block-X.X.X.145" "SSLVPN-Block-X.X.X.80" "SSLVPN-Block-X.X.X.75" "SSLVPN-Block-X.X.X.200"
        next
    end

In the text editor, delete the address or addresses to unblock from the 'set member' line. In this example, "SSLVPN-Block-X.X.X.80" is deleted, which leaves:

    "SSLVPN-Block-X.X.X.145" "SSLVPN-Block-X.X.X.75" "SSLVPN-Block-X.X.X.200"

Paste the remaining members back into the CLI as the 'set member' value:

    config firewall addrgrp
        edit "VPN_Failed_Login"
            set member "SSLVPN-Block-X.X.X.145" "SSLVPN-Block-X.X.X.75" "SSLVPN-Block-X.X.X.200"
        next
    end
The address will be unblocked.
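Because 'set member' replaces the whole member list, a slip in the text editor can silently drop a block entry that should stay. The following is an added example, not part of the original article or Fortinet tooling: it does the edit step above programmatically and refuses to proceed if the address to unblock is not actually in the group. The sample input is constructed from the article's masked object names, and the function names are hypothetical.

```python
import shlex

# Constructed sample: 'show' output for the group, using the article's masked names.
SHOW_OUTPUT = '''config firewall addrgrp
    edit "VPN_Failed_Login"
        set uuid e74f802e-e340-51ef-dbdb-9349087af049
        set member "SSLVPN-Block-X.X.X.145" "SSLVPN-Block-X.X.X.80" "SSLVPN-Block-X.X.X.75" "SSLVPN-Block-X.X.X.200"
    next
end
'''


def parse_group(show_output):
    """Return (group_name, [members]) from one addrgrp 'show' block."""
    name, members = None, None
    for line in show_output.splitlines():
        tokens = shlex.split(line)  # handles the quoted object names
        if tokens[:1] == ["edit"] and len(tokens) == 2:
            name = tokens[1]
        elif tokens[:2] == ["set", "member"]:
            members = tokens[2:]
    if name is None or members is None:
        raise ValueError("no 'edit'/'set member' lines found in input")
    return name, members


def build_unblock_config(show_output, safe):
    """Build the 'set member' block with the known-good objects removed."""
    name, members = parse_group(show_output)
    missing = [s for s in safe if s not in members]
    if missing:
        raise ValueError(f"not in group {name}: {missing}")
    remaining = [m for m in members if m not in safe]
    if not remaining:
        # Assumption of this example: refuse to emit an empty member list.
        raise ValueError("removal would leave the group empty")
    quoted = " ".join(f'"{m}"' for m in remaining)
    # The uuid line is left out, as in the article's paste-back block.
    return (f'config firewall addrgrp\n    edit "{name}"\n'
            f'        set member {quoted}\n    next\nend\n'), remaining


if __name__ == "__main__":
    config, remaining = build_unblock_config(SHOW_OUTPUT, ["SSLVPN-Block-X.X.X.80"])
    print(config)
```

Compare the returned list of remaining members with the original group before pasting the generated block into the CLI.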
Another CLI method:
Run the following configuration commands:

    config firewall addrgrp
        edit <address group>
            unselect member <address object>
        end

See the example below.

    config firewall addrgrp
    (VPN_Failed_Login) # show
    end
    (VPN_Failed_Login) # unselect member "SSLVPN-Block-X.X.X.80"
    (VPN_Failed_Login) # end
    show firewall addrgrp VPN_Failed_Login

The address object is removed from the address group.
Copyright 2025 Fortinet, Inc. All Rights Reserved.