Hello,
Is there a way to disable the Forticlient VPN when the computers are connecting from inside the company network?
I've seen some posts mentioning Local-in policies but I've had no success. We have a FortiGate 60F.
What I've done is create a policy with source address the internal network and destination the VPN IP, and set it to DENY, but it doesn't seem right.
Also is this something only done through CLI, or can it be implemented with Policies through the GUI?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Local-in policies is expected to work on this scenario,please make sure the source subnet, destination-port (may not be 443), are correct . Can you share "show firewall local-in-policy" output along with SSL VPN interface, Office LAN subnet, VPN IP/Port to verify?
Regarding the local-in policy from GUI, we have to use CLI to configure them, GUI can be used to view the configured policies.
Thanks for the swift reply.
So I'm having trouble setting the local in policy, because the external IP that the VPN Connects to, is set as an address (it shows in "show firewall address") but not as an interface. So what should I fill in the "set intf ____" ?
(I'm following the below structure)
config firewall local-in-policy edit 1 set intf "XXXX" set srcaddr "YYYY" //internal network set dstaddr "all"
set action deny set schedule "always" next end
You can run "show vpn ssl settings" to confirm the interface name and the SSL VPN port.
On local-in-policy, you need to specify the service as well. You also need a second policy to permit connection from all other address.
config firewall local-in-policy
edit 1
set intf "interface name"
set srcaddr "Office LAN"
set dstaddr "VPN-address"
set action deny
set service "SSL/HTTPS-or a custom service based on the port number"
set schedule "always"
next
edit 2
set intf "interface name"
set srcaddr "all"
set dstaddr "VPN-address"
set service "SSL/HTTPS-or a custom service based on the port number"
set schedule "always"
set action accept
next
end
Thanks again for helping. Now I have two issues
1) Even though in policy 1 I type "set action deny" and it completes successfully, when I press end and type "show firewall local-in-policy" all other parameters show correctly except from the set action.
2) What type of service should you put for an SSL VPN on a customised port? Because SSL is not accepted as a service.
1. Is expected because the default action is deny and thats why its not visible
2. You need to create a custom service.
To create a custom service using the CLI, enter the following commands
config firewall service custom
edit <name>
set protocol TCP/UDP
set tcp-portrange <destination port range>
set udp-portrange <destination port range>
next
end
For example:
edit <name>
set protocol TCP/UDP
set tcp-portrange <1-65535>
set udp-portrange <1-65535>
next
end
So now when typing view firewall local-in-policy it looks like this:
config firewall local-in-policy
edit 1
set intf "vsw.fortilink"
set srcaddr "Internal Network"
set dstaddr "External Address"
set service "SSL custom"
set schedule "always"
next
edit 2
set intf "vsw.fortilink"
set srcaddr "all"
set dstaddr "External Address"
set action accept
set service "SSL custom"
set schedule "always"
next
end
Still I don't find any relevant DENY policy in the Local-In-Policies through GUI, and my computer from the local network connects to VPN as normal. Am I missing something?
can you share the below , this will confirm the interface on which the SSL traffic is coming and we can modify the policy accordingly.
get router info routing-table details x.x.x.x
get router info routing-table details y.y.y.y
x.x.x.x - Internal Network
y.y.y.y - External Address
Internal network
Routing table for VRF=0
Routing entry for 192.168.2.0/24
Known via "connected", distance 0, metric 0, best
* is directly connected, vsw.fortilink
External Network:
Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 5, metric 0, best
* 192.168.1.1, via wan1
As per this "External Address" is reachable via static route, which means its not an IP configured on Fortigate.
We need to use the IP address configured on Fortigate as the destination address on the local-in policies.
We can see the address under VPN settings.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1669 | |
1082 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.