Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
davbu
New Contributor

Created on ‎11-06-2023 07:34 AM

Allow a VPN connection from a specific IP address

I am wondering if it is possible to allow a specific IP address from a VPN client?  I understand you can allow from regions but we have 2 host VMs in an Azure cloud that have the FortiGate VPN client installed.  They will be SSL VPN into the network with specific access to an SQL database.  I want to only allow that VPN connection from a static IP.  Is this possible?

Labels:
4503
0 Kudos
9 REPLIES 9
rbraha
Staff
Staff

Created on ‎11-06-2023 07:52 AM

Hi @davbu 

 

You can check on SSLVPN Settings for Restrict Access and Limit access to specific hosts and you can include all subnets and hosts in your company that clients can authenticate.

4493
0 Kudos
davbu
New Contributor
In response to rbraha

Created on ‎11-06-2023 10:07 AM

Hi Rbraha,

Thank you for your reply.  I am interested in learning more about this solution.  Is this the config you are referring to?

Limit access to specific hosts.PNG

Limit access to specific hosts.PNG

4449
0 Kudos
fricci_FTNT
Staff
Staff

Created on ‎11-06-2023 07:53 AM Edited on ‎11-06-2023 07:53 AM

Hi @davbu ,

 

You can create a firewall policy on the related WAN interface where the SSL-VPN is running where the destination IP/port is the FortiGate IP/SSL port and the source is the IP the source IPs that you want to allow (Azure cloud IPs and other offices public IPs).
Bear in mind that you have to include all the source IPs that you want to allow to use the SSL-VPN (i.e.: other branch offices).

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
4492
davbu
New Contributor
In response to fricci_FTNT

Created on ‎11-06-2023 08:10 AM

So this would affect all incoming SSL VPN connections.  How would you know all source IP's if they vpn in from all over?  Sorry I'm a bit confused.

4473
0 Kudos
fricci_FTNT
Staff
Staff
In response to davbu

Created on ‎11-06-2023 08:26 AM

Hi,

If other users are also using the SSL-VPN and you are unable to know their IPs in advance then my solution does not fit your scenario. You may be able to restrict the access to specific regions/subnets/countries and those two static IPs for the Azure hosts. The solution proposed by rbraha might be more adequate to your scenario.

 

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
4465
0 Kudos
davbu
New Contributor
In response to fricci_FTNT

Created on ‎11-06-2023 10:02 AM

Thank you for your prompt reply.  I will explore rbraha's solution.

4455
0 Kudos
mle2802
Staff
Staff

Created on ‎11-06-2023 01:18 PM

Hi @davbu,

You can try with local-in policy following this document "https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-Allowing-access-to-the-FortiGa.... Replace GEO address with the public IP where you want to allow SSL VPN from.

Regards,
Minh

4438
0 Kudos
davbu
New Contributor
In response to mle2802

Created on ‎11-06-2023 01:35 PM Edited on ‎11-06-2023 01:36 PM

Hi mle2802,

 

I don't think that link works.  When I click to open I get "An invalid set of parameters has been specified in the url."

4432
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.