Good day,
I am trying to create a firewall policy on my FortiGate 7.* from the SSL-VPN interface to the LAN interface to block certain counties, I have set an Address group with the GEO locations but the source keeps saying "One User or Group is required", I have an Active Directory group set up to only allow users in this group to use the VPN can I add this? or will adding this group means these users and the GEO locations will be blocked?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello @julianhaines ,
You should add a user group and source address object as a source for ssl-vpn rules. If you want to create such a rule, it will work like this: If the users you choose try to go to the countries in your destination field, they will be blocked.
But there is something like this if you are using the split tunnel in ssl-vpn and users are accessing the internet via their own internet. There is no need for such a rule because it will not work even if you create it. if you say my users are accessing the internet via firewall when they connect to ssl-vpn, then you can create this rule from the ssl-vpn interface to the wan interface.
Hi,
Thanks but what I am trying to do is block users from certain counties from being able to try and connect to the VPN, I am getting a lot of random attempts to connect to the VPN and want to block counties were users are not located to make more secure.
Hi @julianhaines ,
I understood differently. You don't need to create a rule for this. Under SSL-VPN settings, you can only select which countries the connection should be made from. In this way, you can prevent these connection requests.
If you select the negate option and add the countries you do not want to this list, the countries other than these will be able to provide connection.
Hi @julianhaines,
Your policy will not work as traffic from SSLVPN interface has private IP address as source. By default, it is 'SSLVPN_TUNNEL_ADDR1' which is '10.212.134.200-10.212.134.210'. That IP range doesn't belong to any countries and hence will not match your policy.
If you want to block certain countries, please refer to this article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-SSL-VPN-connectivity-from-cert...
Regards,
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1641 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.