Hello,
I would block SSL VPN access from one public IP.
How can I do that ?
Best regards.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You should be able to use local-in-policy to block a specific IP from being able to access VPN.
Note that you want to be very careful with local-in-policy as you can inadvertently lock yourself out rather easily.
http://kb.fortinet.com/kb/documentLink.do?externalID=FD33649
There's an option in the SSLVPN that allows you to set the source-address as a negate (ie: allow connects from every IP except the ones you specify).
This is configurable in the CLI
config vpn ssl settings
set source-address-negate enable
set source-address "the address object you've configured to block"
end
Despite 5 years later, a Big thanks to you! With Fortigate 5.6, there is no exempt list yet availabe from an address group which was introduced in Fortios 6 and 7.
It blocks all traffic it just doesn’t allow any vpn connections
Hi,
You may refer to the below KB to block SSL VPN connection from a specific IP address:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-SSL-VPN-Connection-from-a-cer...
BR,
Manosh
Thx. With FortiOS 6 and 7, it should be much easier if used to work with CLI. Can use the exempt list or GEO list. But with FortiOS 5, must use the way mentioned above to exyclude for SSL-VPN. Normal block in IP policy wont work.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.