Hello,
Is there a way to disable the Forticlient VPN when the computers are connecting from inside the company network?
I've seen some posts mentioning Local-in policies but I've had no success. We have a FortiGate 60F.
What I've done is create a policy with source address the internal network and destination the VPN IP, and set it to DENY, but it doesn't seem right.
Also is this something only done through CLI, or can it be implemented with Policies through the GUI?
This is an internal IP (192.168.1.2) so when I add it as dstaddr nothing changes, the users connect as normal.
And the thing is that this policy doesn't appear on Local-in-policies through the GUI.
Created on 09-21-2023 04:00 AM Edited on 09-21-2023 04:03 AM
That means this is mapped to a public IP. You may check the VIPs configured on the firewall, or you can check your FortiClient to see the IP/URL address to which you are connecting.
Yes, I know the public IP that the FortiClient connects to, and this is the External Address I was initially setting as dstaddr. But it still doesn't appear/work.
The Public IP is reachable via which interface? Can you specify that interface in the policy?
Hey there, happy to help! For your first issue, it sounds like there might be a configuration glitch. Have you tried double-checking your commands and ensuring they're properly applied? As for the SSL VPN service, you might consider using a custom service with the appropriate port range specified. Hope this helps! If you need further assistance, feel free to reach out. Also, if you're interested, AzureAutoDetailing offers great car care services to help you unwind after tackling those tech challenges! :smiling_face_with_smiling_eyes:
Are you trying to configure the FortiClients so that when they're connected to the corp network then the VPN is disabled?
If so, you can do this if you have the FortiClients managed through EMS. EMS allows you to create 'on net' and 'off net' rules to dictate how FortiClient operates when it's on the corp network or off it.
There are multiple options available, including the DHCP server, DNS server, subnet, default gateway or even the public IP that users would be on when connecting to the network.
Regarding CLI, you can also achieve this through command-line interface (CLI) using appropriate commands to configure the policy. However, using the GUI is generally more user-friendly and preferred for simpler configurations.
Hi @pabaxe,
Is the SSL VPN set up with the same public IP as the local users? I believe that most ISPs should block traffic being NATed out and hitting the same public IP again to prevent looping attacks. You can also create a deny LAN-WAN policy with the SSL VPN service and put it above the regular Internet access policy.
Regards,
Minh
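A worked FortiOS CLI configuration for the local-in policy discussed in this thread, added here as an example rather than configuration posted by anyone above. The interface name, address objects, subnet, public IP and SSL VPN port are assumptions and must be replaced with the real values:

```fortios
# Added example (not from the thread): local-in policy that drops SSL VPN
# connection attempts the FortiGate receives on its LAN-facing interface from
# the internal subnet. Assumed names/values:
#   "internal"       LAN interface on the 60F (default hardware switch)
#   "LAN-subnet"     internal network address object (192.168.1.0/24 assumed)
#   "SSLVPN-public"  public IP FortiClient connects to (203.0.113.10 placeholder)
#   10443            SSL VPN listening port (check "config vpn ssl settings")

# 1. Address objects for the internal network and the SSL VPN public IP.
config firewall address
    edit "LAN-subnet"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "SSLVPN-public"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# 2. Custom service for the SSL VPN port, so only that port is denied.
config firewall service custom
    edit "SSLVPN-port"
        set tcp-portrange 10443
    next
end

# 3. Local-in policy: applies to traffic destined to the FortiGate itself and is
#    matched on the interface the packets ARRIVE on (the LAN side), not on wan1.
config firewall local-in-policy
    edit 1
        set intf "internal"
        set srcaddr "LAN-subnet"
        set dstaddr "SSLVPN-public"
        set service "SSLVPN-port"
        set schedule "always"
        set action deny
    next
end

# 4. Local-in policies are not shown in the GUI unless this setting is enabled,
#    which is why a CLI-created policy may not appear under Local In Policy.
config system settings
    set gui-local-in-policy enable
end
```

After applying, test from a LAN host with FortiClient: the connection attempt to the public IP should fail while Internet access continues to work, and the denied attempts can be confirmed in the local traffic log.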
To disable FortiClient VPN when connecting from inside the company network, you can manage FortiClients through EMS, creating 'on net' and 'off net' rules that dictate how the VPN operates based on the network connection. For policies, consider specifying the interface associated with the public IP in the policy or using a custom service with the appropriate port range. Configurations can be done via GUI for ease or CLI for more control. This problem was faced by a knee wraps weightlifting selling company and was resolved by applying similar solutions as discussed here.
Copyright 2025 Fortinet, Inc. All Rights Reserved.