Fortinet Forum
stauftm
New Contributor

Geo Filter for SSL VPN connections

Hi everyone. I am interested in having a geo filter applied to my SSL VPN configuration. Now I know I can restrict access globally in VPN -> SSL-VPN Settings and 'Limit access to specific hosts', like you see below:

[Screenshot: Snip1.PNG]

However, what I'd like to do is restrict it via group/policy. I may want a specific SSL VPN group to have looser or tighter restrictions. I thought the best spot for this would be in the firewall policy, see below. I'm noticing that when I apply this it doesn't restrict the user, though. It seems they can still connect from anywhere.

[Screenshot: Snip2.PNG]

Anyone have any thoughts on this matter?

3 REPLIES
mariopugliese
New Contributor III

Hi,

In your firewall policy, the source interface is the SSL-VPN tunnel and the destination interface your local networks.

The source IP addresses used here are your VPN source IP pools defined on your SSL-VPN portal (SSLVPN Tuf Full Access), not the remote users' public IP addresses, on which you want to apply filtering.

Toshi_Esumi
Esteemed Contributor II

To filter the source IP of SSL VPN attempts, I think you have to use local-in-policy based on the TCP port. You can use addresses/address groups with geography to filter them. However, you can't use user/user group in local-in-policy.
Toshi

mariopugliese
New Contributor III

I think one solution is to keep doing country filtering globally, as you showed in the SSL-VPN settings and then to separate your different SSL VPN user groups by using different SSL portals and IP pools.

In this way, you may use different firewall policies and be more granular about the access authorisations.


Example:

For the HR:
SSL-VPN portal: SSLVPN-Portal-HR
SSL-VPN Source IP pool: 10.10.10.0/24
Authentication/Portal Mapping in your SSL-VPN Settings: sslvpn-usergroup-hr ==> portal SSLVPN-Portal-HR


For the IT:
SSL-VPN portal: SSLVPN-Portal-IT
SSL-VPN Source IP pool: 10.10.20.0/24
Authentication/Portal Mapping in your SSL-VPN Settings: sslvpn-usergroup-it ==> portal SSLVPN-Portal-IT


On your IT users policies, you will apply a lot of authorisations for your IT users by using SSLVPN-Portal-IT and 10.10.20.0/24 in source, and what you need in destination / services.


On your HR users policies, you will apply less authorisations for your HR users by using SSLVPN-Portal-HR and 10.10.10.0/24 in source, and what you need in destination / services.
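The per-group portal and IP pool layout from the reply above, written out in FortiOS CLI as an added example (not configuration from the original thread or from Fortinet). The portal, pool and user group names and the 10.10.10.0/24 and 10.10.20.0/24 ranges follow the reply; the internal interface `internal`, the geography address `geo-allowed` with country `US`, the `HR-file-server` address and the policy IDs are assumptions:

```fortios
# One IP pool per portal; the pool object is what the firewall policies match on
config firewall address
    edit "SSLVPN-POOL-HR"
        set type iprange
        set start-ip 10.10.10.1
        set end-ip 10.10.10.254
    next
    edit "SSLVPN-POOL-IT"
        set type iprange
        set start-ip 10.10.20.1
        set end-ip 10.10.20.254
    next
    # Global geography restriction for the SSL VPN listener (country code is a placeholder)
    edit "geo-allowed"
        set type geography
        set country "US"
    next
end

# Separate portals so each user group lands in its own address pool
config vpn ssl web portal
    edit "SSLVPN-Portal-HR"
        set tunnel-mode enable
        set ip-pools "SSLVPN-POOL-HR"
    next
    edit "SSLVPN-Portal-IT"
        set tunnel-mode enable
        set ip-pools "SSLVPN-POOL-IT"
    next
end

# Global settings: "Limit access to specific hosts" is source-address in CLI,
# and the authentication rules implement the Authentication/Portal Mapping table
config vpn ssl settings
    set source-address "geo-allowed"
    config authentication-rule
        edit 1
            set groups "sslvpn-usergroup-hr"
            set portal "SSLVPN-Portal-HR"
        next
        edit 2
            set groups "sslvpn-usergroup-it"
            set portal "SSLVPN-Portal-IT"
        next
    end
end

# Firewall policies from the SSL VPN tunnel interface keyed on each pool;
# the groups setting additionally binds the policy to the matching user group
config firewall policy
    edit 10
        set name "SSLVPN-IT-full"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN-POOL-IT"
        set dstaddr "all"
        set groups "sslvpn-usergroup-it"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 11
        set name "SSLVPN-HR-limited"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN-POOL-HR"
        set dstaddr "HR-file-server"
        set groups "sslvpn-usergroup-hr"
        set action accept
        set schedule "always"
        set service "SMB"
    next
end
```

The point of the split is that a firewall policy only ever sees the tunnel address assigned from the pool, never the remote user's public IP, so the geography check has to stay in the global `source-address` setting while the pool and group pairing gives each user population its own scope of access.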