Hello,
Is there a way to disable the FortiClient VPN when the computers are connecting from inside the company network?
I've seen some posts mentioning Local-in policies but I've had no success. We have a FortiGate 60F.
What I've done is create a policy with source address the internal network and destination the VPN IP, and set it to DENY, but it doesn't seem right.
Also is this something only done through CLI, or can it be implemented with Policies through the GUI?
This is an internal IP (192.168.1.2), so when I add it as dstaddr nothing changes; the users connect as normal.
And the thing is that this policy doesn't appear on Local-in-policies through the GUI.
Created on 09-21-2023 04:00 AM Edited on 09-21-2023 04:03 AM
That means this is mapped to a public IP. You may check the VIPs configured on the firewall, or you can check your FortiClient to see the IP/URL address to which you are connecting.
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Yes, I know the public IP that the FortiClient connects to, and this is the External Address I was initially setting as dstaddr. But it still doesn't appear/work.
The Public IP is reachable via which interface? Can you specify that interface in the policy?
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Are you trying to configure the FortiClients so that when they're connected to the corp network then the VPN is disabled?
If so, you can do this if you have the FortiClients managed through EMS. EMS allows you to create 'on net' and 'off net' rules to dictate how FortiClient operates when it's on the corp network or off it.
There are multiple options available, including the DHCP server, DNS server, subnet, default gateway or even the public IP that users would be on when connecting to the network.
Regarding CLI, you can also achieve this through command-line interface (CLI) using appropriate commands to configure the policy. However, using the GUI is generally more user-friendly and preferred for simpler configurations.
Hi @pabaxe,
Is the SSL VPN set up with the same public IP as the local user? I believe that most ISPs should block traffic being NATed out and hitting the same public IP again, to prevent a looping attack. You can also create a deny LAN-WAN policy with the SSL VPN service and put it above the regular Internet access policy.
Regards,
Minh
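The two FortiGate-side approaches raised in this thread (a local-in policy, and a LAN-to-WAN deny policy placed above the Internet access policy) written out as FortiOS CLI, as an added example that is not from any of the posters. The interface names "internal" and "wan1", the 192.168.1.0/24 subnet, the SSL VPN port 10443, the object names and the policy IDs are all assumptions and must be adjusted to the actual unit:

```fortios
# Address object for the office LAN (subnet is an assumption)
config firewall address
    edit "LAN_subnet"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# Custom service for the SSL VPN listening port (10443 is an assumption;
# use the port configured under "config vpn ssl settings")
config firewall service custom
    edit "SSLVPN-port"
        set tcp-portrange 10443
    next
end

# Option 1: local-in policy. Use this when the VPN address is an IP owned
# by the FortiGate itself: LAN -> own-IP traffic never hits a forwarding
# policy, so only a local-in policy can deny it. "intf" is the interface the
# traffic ARRIVES on (the LAN side), not the WAN interface.
config firewall local-in-policy
    edit 1
        set intf "internal"
        set srcaddr "LAN_subnet"
        set dstaddr "all"
        set service "SSLVPN-port"
        set schedule "always"
        set action deny
    next
end

# Option 2: explicit deny forwarding policy. Use this when the VPN address
# is NOT the FortiGate's own IP (e.g. a VIP on an upstream device) so the
# traffic is actually forwarded LAN -> WAN. Logging makes hits visible.
config firewall policy
    edit 99
        set name "Deny-SSLVPN-from-LAN"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN_subnet"
        set dstaddr "all"
        set service "SSLVPN-port"
        set schedule "always"
        set action deny
        set logtraffic all
    next
    # policy order matters: place the deny above the Internet access policy
    # (ID 1 is an assumption)
    move 99 before 1
end
```

Check which case applies with a quick test from a LAN host: if the VPN address answers as the FortiGate's own interface IP, only Option 1 will match.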