Block VPN SSL from one public IP
Hello,
I would like to block SSL VPN access from one public IP.
How can I do that?
Best regards.
- Labels: 5.6
You should be able to use local-in-policy to block a specific IP from being able to access VPN.
Note that you want to be very careful with local-in-policy as you can inadvertently lock yourself out rather easily.
http://kb.fortinet.com/kb/documentLink.do?externalID=FD33649
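A local-in-policy of the kind suggested above, as an added example that is not part of the original reply or the linked KB. The address 203.0.113.10, the interface wan1, the port 10443, the object names and policy ID 1 are all assumptions to replace with your own values.

```fortios
# Constructed values (assumptions, replace with your own):
#   203.0.113.10 = the public IP to block (documentation range)
#   wan1         = the interface the SSL VPN listens on
#   10443        = the SSL VPN listening port (check "config vpn ssl settings")
#   ID 1         = assumes no existing local-in-policy already uses this ID

# Address object for the single source to block
config firewall address
    edit "blocked-sslvpn-src"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# Custom service matching only the SSL VPN listening port
config firewall service custom
    edit "SSLVPN-listen"
        set tcp-portrange 10443
    next
end

# Deny only that source, and only to the SSL VPN port. Keeping srcaddr and
# service this narrow is what avoids locking out administrative access
# from other addresses or to other services.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "blocked-sslvpn-src"
        set dstaddr "all"
        set service "SSLVPN-listen"
        set schedule "always"
        set action deny
        set status enable
    next
end
```

Review the result with `show firewall local-in-policy` before ending the session, and keep console or out-of-band access available while testing.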
There's an option in the SSLVPN that allows you to set the source-address as a negate (i.e., allow connections from every IP except the ones you specify).
This is configurable in the CLI:
config vpn ssl settings
    set source-address-negate enable
    set source-address "the address object you've configured to block"
end
Despite it being 5 years later, a big thanks to you! With FortiGate 5.6, there is not yet an exempt list available from an address group, which was introduced in FortiOS 6 and 7.
It blocks all traffic; it just doesn’t allow any VPN connections.
Hi,
You may refer to the KB below to block SSL VPN connections from a specific IP address:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-SSL-VPN-Connection-from-a-cer...
BR,
Manosh
Thx. With FortiOS 6 and 7, it should be much easier if you are used to working with the CLI. You can use the exempt list or GEO list. But with FortiOS 5, you must use the way mentioned above to exclude for SSL-VPN. A normal block in an IP policy won't work.
