Hi everyone. I am interested in having a geo filter applied to my ssl vpn configuration. Now I know I can restrict access globally in VPN -> SSL-VPN Settings and 'Limit access to specific hosts', like you see below
However what I'd like to do is restrict it via group/policy. I may want a specific ssl vpn group to have more loose or tighter restrictions. I thought the best spot for this would be in the firewall policy, see below. I'm noticing when I apply this it doesn't restrict the user though. It seems they can still connect from anywhere.
In your firewall policy, the source interface is the SSL-VPN tunnel and the destination interface your local networks.
The source IP addresses used here are your VPN source IP pools defined on your SSL-VPN Portal (SSLVPN Tuf Full Access) and not the remote user's public IP addresseson which you want to apply a filtering.
To filter the source IP of SSL VPN attempts, I think you have to use local-in-policy based on the TCP port. You can use addresses/address groups with geography to filter them. However, you can't use user/user group in local-in-policy.
I think one solution is to keep doing country filtering globally, as you showed in the SSL-VPN settings and then to separate your different SSL VPN user groups by using different SSL portals and IP pools.
In this way, you may use different firewall policies and be more granular about the access authorisations.
For the HR: SSL-VPN portal: SSLVPN-Portal-HR SSL-VPN Source IP pool: 10.10.10.0/24 Authentication/Portal Mapping in your SSL-VPN Settings: sslvpn-usergroup-hr ==> portal SSLVPN-Portal-HR
For the IT: SSL-VPN portal: SSLVPN-Portal-IT SSL-VPN Source IP pool: 10.10.20.0/24 Authentication/Portal Mapping in your SSL-VPN Settings: sslvpn-usergroup-it ==> portal SSLVPN-Portal-IT
On your IT users policies, you will apply a lot of authorisations for your IT users by using SSLVPN-Portal-IT and 10.10.20.0/24 in source, and what you need in destination / services.
On your HR users policies, you will apply less authorisations for your HR users by using SSLVPN-Portal-HR and 10.10.10.0/24 in source, and what you need in destination / services.