timbu
New Contributor

Can FortiGate+FortiAuthenticator VPN restrict client IP address, but not apply to all VPN users, onl

We are using a FortiGate appliance as VPN gateway, which relies on a FortiAuthenticator to store account information. The accounts are created and stored on the FortiAuthenticator, not on any other LDAP or AD thing.

FortiOS 7.0.13 + FortiAuthenticator 6.5.1.

Now we need to create a temporary VPN account for a specific user to do some specific operations, for a period of time only. Since this is a very specific use case scenario, we hope to restrict it so that this temp VPN account can only connect from a pre-defined Internet client IP address, 10.0.0.1, like an IP whitelist.

We did find some IP restriction features:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-Allowing-access-to-the-FortiGa...

But they seem to be global restriction that apply to all VPN user accounts.

Can we apply this IP restriction (192.168.0.1) to specific VPN accounts only, i.e. so that other VPN accounts can still connect from any IP address?

AEK
SuperUser

You can restrict at firewall policy level, without changing anything in your VPN configuration, by adding this VPN group and the IP whitelist group as source addresses in a dedicated policy.

This way, if the related users connect to the VPN from an allowed IP they can access the allowed resources, while if they try to connect from non-whitelisted IPs they can connect but can't access the resources.

AEK
hbac
Staff

Hi @timbu,

You are right. It is a global setting. If you want to create a whitelist, you need to specify all client IP addresses in that list.

Regards, 

ozkanaltas
Contributor III

Hello @timbu ,

I think you can use RADIUS attributes for this request. On a FortiAuthenticator RADIUS policy, you can configure "Framed-IP-Address" or "Calling-Station-Id" in the RADIUS Attribute Criteria tab. These attributes are sent from the FortiGate to the FortiAuthenticator with your client's public IP address. If the user group and IP address do not match in the RADIUS policy, your temp client can't connect to SSL-VPN. Other clients can still connect, because their RADIUS policy will be different.


If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
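To make the per-group RADIUS attribute check described in the reply above concrete, here is an added example (not FortiAuthenticator or FortiGate code) that parses the attribute TLVs of a constructed RADIUS Access-Request and rejects only the IP-restricted group. It assumes, as the reply states, that the NAS places the client's address in Calling-Station-Id (RFC 2865 attribute type 31); the user-to-group mapping and the whitelist are constructed sample data.

```python
"""Mock of a per-group RADIUS source-IP policy. Not vendor code: it parses
RADIUS attribute TLVs from a constructed Access-Request and applies an IP
whitelist to one group only, leaving other groups unrestricted."""
import ipaddress
import struct

USER_NAME = 1            # RFC 2865 attribute types
CALLING_STATION_ID = 31  # assumed to carry the VPN client's address, as in the thread

# Constructed sample data: only the temp group is bound to a source whitelist.
GROUP_OF_USER = {"temp-contractor": "temp-vpn", "alice": "staff-vpn"}
IP_WHITELIST = {"temp-vpn": {ipaddress.ip_address("10.0.0.1")}}

def parse_attributes(packet: bytes) -> dict:
    """Walk the (type, length, value) attributes after the 20-byte RADIUS header."""
    attrs, i = {}, 20
    while i + 2 <= len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute length")
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return attrs

def build_access_request(user: str, client_ip: str) -> bytes:
    """Constructed Access-Request (code 1) carrying User-Name and Calling-Station-Id."""
    body = b""
    for atype, value in ((USER_NAME, user.encode()), (CALLING_STATION_ID, client_ip.encode())):
        body += struct.pack("!BB", atype, len(value) + 2) + value
    # code, identifier 0, total length, then a zeroed 16-byte Request Authenticator
    header = struct.pack("!BBH", 1, 0, 20 + len(body)) + bytes(16)
    return header + body

def decide(packet: bytes) -> str:
    """Return 'Access-Accept' or 'Access-Reject' per the group-scoped IP policy."""
    attrs = parse_attributes(packet)
    group = GROUP_OF_USER.get(attrs.get(USER_NAME, b"").decode(errors="replace"))
    if group is None:
        return "Access-Reject"      # unknown user
    allowed = IP_WHITELIST.get(group)
    if allowed is None:
        return "Access-Accept"      # this group has no source restriction
    try:
        client = ipaddress.ip_address(attrs[CALLING_STATION_ID].decode())
    except (KeyError, ValueError, UnicodeDecodeError):
        return "Access-Reject"      # restricted group must present a usable client address
    return "Access-Accept" if client in allowed else "Access-Reject"
```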