davbu
New Contributor

Allow a VPN connection from a specific IP address

I am wondering if it is possible to allow a specific IP address from a VPN client? I understand you can allow from regions but we have 2 host VMs in an Azure cloud that have the FortiGate VPN client installed. They will SSL VPN into the network with specific access to an SQL database. I want to only allow that VPN connection from a static IP. Is this possible?

rbraha
Staff

Hi @davbu

In SSLVPN Settings you can check Restrict Access and Limit access to specific hosts, and there you can include all the subnets and hosts in your company that clients can authenticate from.

davbu
New Contributor

Hi Rbraha,

Thank you for your reply. I am interested in learning more about this solution. Is this the config you are referring to?

Limit access to specific hosts.PNG


fricci_FTNT
Staff

Hi @davbu,

You can create a firewall policy on the related WAN interface where the SSL-VPN is running, where the destination IP/port is the FortiGate IP/SSL port and the source is the source IPs that you want to allow (Azure cloud IPs and other offices' public IPs).
Bear in mind that you have to include all the source IPs that you want to allow to use the SSL-VPN (i.e.: other branch offices).

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
davbu

So this would affect all incoming SSL VPN connections. How would you know all source IPs if they VPN in from all over? Sorry, I'm a bit confused.

fricci_FTNT

Hi,

If other users are also using the SSL-VPN and you are unable to know their IPs in advance, then my solution does not fit your scenario. You may be able to restrict access to specific regions/subnets/countries and those two static IPs for the Azure hosts. The solution proposed by rbraha might be more adequate for your scenario.

Best regards,

davbu

Thank you for your prompt reply. I will explore rbraha's solution.

mle2802
Staff

Hi @davbu,

You can try with a local-in policy, following this document: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-Allowing-access-to-the-FortiGa.... Replace the GEO address with the public IP that you want to allow SSL VPN from.

Regards,
Minh

davbu
New Contributor

Hi mle2802,

I don't think that link works. When I click to open I get "An invalid set of parameters has been specified in the url."
