Support Forum
pabaxe
New Contributor

Auto-Disable Forticlient VPN inside company network

Hello,

Is there a way to disable the FortiClient VPN when the computers are connecting from inside the company network?

I've seen some posts mentioning local-in policies but I've had no success. We have a FortiGate 60F.

What I've done is create a policy with the internal network as source address and the VPN IP as destination, and set it to DENY, but it doesn't seem right.

Also, is this something only done through the CLI, or can it be implemented with policies through the GUI?

srajeswaran
Staff

Local-in policies are expected to work in this scenario; please make sure the source subnet and destination port (may not be 443) are correct. Can you share the "show firewall local-in-policy" output along with the SSL VPN interface, office LAN subnet, and VPN IP/port to verify?

Regarding the local-in policy from the GUI: we have to use the CLI to configure them; the GUI can be used to view the configured policies.

image.png

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
pabaxe
New Contributor

Thanks for the swift reply.

So I'm having trouble setting the local-in policy, because the external IP that the VPN connects to is set as an address (it shows in "show firewall address") but not as an interface. So what should I fill in for "set intf ____"?

(I'm following the below structure.)

config firewall local-in-policy
    edit 1
        set intf "XXXX"
        set srcaddr "YYYY"    // internal network
        set dstaddr "all"
        set action deny
        set schedule "always"
    next
end
srajeswaran

You can run "show vpn ssl settings" to confirm the interface name and the SSL VPN port.
On the local-in policy, you need to specify the service as well. You also need a second policy to permit connections from all other addresses.

config firewall local-in-policy
    edit 1
        set intf "interface name"
        set srcaddr "Office LAN"
        set dstaddr "VPN-address"
        set action deny
        set service "SSL/HTTPS-or a custom service based on the port number"
        set schedule "always"
    next
    edit 2
        set intf "interface name"
        set srcaddr "all"
        set dstaddr "VPN-address"
        set service "SSL/HTTPS-or a custom service based on the port number"
        set schedule "always"
        set action accept
    next
end

Regards,
Suraj
pabaxe

Thanks again for helping. Now I have two issues:

1) Even though in policy 1 I type "set action deny" and it completes successfully, when I press end and type "show firewall local-in-policy" all other parameters show correctly except for the set action.

2) What type of service should you put for an SSL VPN on a customised port? Because SSL is not accepted as a service.

srajeswaran

1. This is expected because the default action is deny, and that's why it's not visible.

2. You need to create a custom service.
image.png

To create a custom service using the CLI, enter the following commands:

config firewall service custom
    edit <name>
        set protocol TCP/UDP
        set tcp-portrange <destination port range>
        set udp-portrange <destination port range>
    next
end

For example:

config firewall service custom
    edit <name>
        set protocol TCP/UDP
        set tcp-portrange <1-65535>
        set udp-portrange <1-65535>
    next
end

Regards,
Suraj
pabaxe

So now when typing view firewall local-in-policy it looks like this:

config firewall local-in-policy
    edit 1
        set intf "vsw.fortilink"
        set srcaddr "Internal Network"
        set dstaddr "External Address"
        set service "SSL custom"
        set schedule "always"
    next
    edit 2
        set intf "vsw.fortilink"
        set srcaddr "all"
        set dstaddr "External Address"
        set action accept
        set service "SSL custom"
        set schedule "always"
    next
end

Still, I don't find any relevant DENY policy in the Local-In Policies through the GUI, and my computer from the local network connects to the VPN as normal. Am I missing something?

srajeswaran

Can you share the below? This will confirm the interface on which the SSL traffic is coming in, and we can modify the policy accordingly.

get router info routing-table details x.x.x.x
get router info routing-table details y.y.y.y

x.x.x.x - Internal Network
y.y.y.y - External Address

Regards,
Suraj
pabaxe

Internal network:

Routing table for VRF=0
Routing entry for 192.168.2.0/24
  Known via "connected", distance 0, metric 0, best
  * is directly connected, vsw.fortilink

External network:

Routing table for VRF=0
Routing entry for 0.0.0.0/0
  Known via "static", distance 5, metric 0, best
  * 192.168.1.1, via wan1
srajeswaran

As per this, "External Address" is reachable via a static route, which means it's not an IP configured on the FortiGate.

We need to use the IP address configured on Fortigate as the destination address on the local-in policies.
We can see the address under VPN settings.
image.png

Regards,
Suraj
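To tie the thread together, here is an added, consolidated configuration that is not from this thread, from Suraj, or from Fortinet documentation. It combines the custom service from the earlier reply with the deny/accept local-in policy pair, and uses an address object for the FortiGate's own SSL VPN listening IP as the destination, as the last reply advises. Assumptions: the office LAN is 192.168.2.0/24 on vsw.fortilink (taken from the routing-table output above); the address object name "FortiGate-SSLVPN-IP", the service name "SSL custom" and every value in angle brackets are placeholders to be replaced with what "show vpn ssl settings" and the VPN settings page report.

```text
# Added example, not from the thread or Fortinet docs. Assumptions are marked.
# Confirm the SSL VPN interface, listening IP and port first:
#   show vpn ssl settings
#   show firewall address

# Office LAN: 192.168.2.0/24, connected on vsw.fortilink (from the routing output)
config firewall address
    edit "Internal Network"
        set subnet 192.168.2.0 255.255.255.0
    next
    # Assumption: the IP the SSL VPN listens on, as shown under VPN settings.
    # It must be an address configured on the FortiGate itself, not the
    # upstream public IP that is only reachable via the static default route.
    edit "FortiGate-SSLVPN-IP"
        set subnet <FortiGate SSL VPN listening IP> 255.255.255.255
    next
end

# Custom service for the non-default SSL VPN port (placeholder port)
config firewall service custom
    edit "SSL custom"
        set protocol TCP/UDP
        set tcp-portrange <custom SSL VPN port>
    next
end

# Local-in policies are evaluated top to bottom, so the deny entry comes first.
# Deny is the default action, so "set action deny" is not echoed back by
# "show firewall local-in-policy" even though it is in effect.
# Assumption: vsw.fortilink is the interface the office LAN traffic arrives on.
config firewall local-in-policy
    edit 1
        set intf "vsw.fortilink"
        set srcaddr "Internal Network"
        set dstaddr "FortiGate-SSLVPN-IP"
        set service "SSL custom"
        set schedule "always"
        set action deny
    next
    edit 2
        set intf "vsw.fortilink"
        set srcaddr "all"
        set dstaddr "FortiGate-SSLVPN-IP"
        set service "SSL custom"
        set schedule "always"
        set action accept
    next
end

# Verification: the two entries should be listed, then test from a LAN host
show firewall local-in-policy
```

Which interface the LAN traffic actually arrives on is not settled in the thread. If LAN clients connect to an upstream public IP that the router at 192.168.1.1 translates back towards wan1, the FortiGate sees the connection on wan1, possibly with a translated source address, and intf and srcaddr must match what actually arrives. A quick way to confirm is `diagnose sniffer packet any 'tcp port <custom SSL VPN port>' 4` while a LAN host attempts to connect: the capture shows the ingress interface and the source/destination addresses that the local-in policy is evaluated against. A local-in policy only governs traffic addressed to the FortiGate itself; it does not block a LAN host from reaching a VPN endpoint elsewhere, which is why the destination has to be the FortiGate's own configured address.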