Allow a VPN connection from a specific IP address
I am wondering if it is possible to allow a specific IP address from a VPN client? I understand you can allow from regions but we have 2 host VMs in an Azure cloud that have the FortiGate VPN client installed. They will be SSL VPN into the network with specific access to an SQL database. I want to only allow that VPN connection from a static IP. Is this possible?
Labels: FortiClient, FortiGate
Hi @davbu
You can check on SSLVPN Settings for Restrict Access and Limit access to specific hosts and you can include all subnets and hosts in your company that clients can authenticate.
Hi Rbraha,
Thank you for your reply. I am interested in learning more about this solution. Is this the config you are referring to?
Hi @davbu ,
You can create a firewall policy on the related WAN interface where the SSL-VPN is running, where the destination IP/port is the FortiGate IP/SSL port and the source is the source IPs that you want to allow (Azure cloud IPs and other offices' public IPs).
Bear in mind that you have to include all the source IPs that you want to allow to use the SSL-VPN (i.e.: other branch offices).
Best regards,
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
So this would affect all incoming SSL VPN connections. How would you know all source IPs if they VPN in from all over? Sorry, I'm a bit confused.
Hi,
If other users are also using the SSL-VPN and you are unable to know their IPs in advance then my solution does not fit your scenario. You may be able to restrict the access to specific regions/subnets/countries and those two static IPs for the Azure hosts. The solution proposed by rbraha might be more adequate to your scenario.
Best regards,
Thank you for your prompt reply. I will explore rbraha's solution.
Hi @davbu,
You can try with a local-in policy following this document: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-Allowing-access-to-the-FortiGa.... Replace GEO address with the public IP where you want to allow SSL VPN from.
Regards,
Minh
Created on 11-06-2023 01:35 PM Edited on 11-06-2023 01:36 PM
Hi mle2802,
I don't think that link works. When I click to open I get "An invalid set of parameters has been specified in the url."
Hi @davbu,
My apology. Please try this:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-Allowing-access-to-the-FortiGa...
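The local-in policy approach suggested in this thread, sketched as an added FortiOS CLI example (not taken from the thread or from the linked article). The interface name wan1, the SSL VPN port 10443, the object names and the 203.0.113.x addresses are constructed placeholders; lines starting with # are annotations for the reader.

```fortios
# Address objects for the two static public IPs (constructed values
# from the 203.0.113.0/24 documentation range).
config firewall address
    edit "Azure-VM-1"
        set subnet 203.0.113.10 255.255.255.255
    next
    edit "Azure-VM-2"
        set subnet 203.0.113.11 255.255.255.255
    next
end
config firewall addrgrp
    edit "SSLVPN-Allowed-Sources"
        set member "Azure-VM-1" "Azure-VM-2"
    next
end
# Custom service matching the SSL VPN listening port (assumed 10443 here).
config firewall service custom
    edit "SSLVPN-Port"
        set tcp-portrange 10443
    next
end
# Local-in policies are evaluated in order: accept the allowed sources
# first, then deny every other source on the SSL VPN port.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "SSLVPN-Allowed-Sources"
        set dstaddr "all"
        set service "SSLVPN-Port"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "SSLVPN-Port"
        set schedule "always"
        set action deny
    next
end
```

As raised earlier in the thread, this filters every SSL VPN client arriving on that interface, so the address group has to contain all source IPs that should still be able to connect.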