I am wondering if it is possible to allow a specific IP address from a VPN client? I understand you can allow from regions but we have 2 host VMs in an Azure cloud that have the FortiGate VPN client installed. They will be SSL VPN into the network with specific access to an SQL database. I want to only allow that VPN connection from a static IP. Is this possible?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi @davbu
You can check on SSLVPN Settings for Restrict Access and Limit access to specific hosts and you can include all subnets and hosts in your company that clients can authenticate.
Hi Rbraha,
Thank you for your reply. I am interested in learning more about this solution. Is this the config you are referring to?
Hi @davbu ,
You can create a firewall policy on the related WAN interface where the SSL-VPN is running where the destination IP/port is the FortiGate IP/SSL port and the source is the IP the source IPs that you want to allow (Azure cloud IPs and other offices public IPs).
Bear in mind that you have to include all the source IPs that you want to allow to use the SSL-VPN (i.e.: other branch offices).
Best regards,
So this would affect all incoming SSL VPN connections. How would you know all source IP's if they vpn in from all over? Sorry I'm a bit confused.
Hi,
If other users are also using the SSL-VPN and you are unable to know their IPs in advance then my solution does not fit your scenario. You may be able to restrict the access to specific regions/subnets/countries and those two static IPs for the Azure hosts. The solution proposed by rbraha might be more adequate to your scenario.
Best regards,
Thank you for your prompt reply. I will explore rbraha's solution.
Hi @davbu,
You can try with local-in policy following this document "https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-Allowing-access-to-the-FortiGa.... Replace GEO address with the public IP where you want to allow SSL VPN from.
Regards,
Minh
Created on 11-06-2023 01:35 PM Edited on 11-06-2023 01:36 PM
Hi mle2802,
I don't think that link works. When I click to open I get "An invalid set of parameters has been specified in the url."
Hi @davbu,
My apology. Please try this:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-Allowing-access-to-the-FortiGa...
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.