Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
stauftm
New Contributor

Created on ‎12-27-2021 12:18 PM

Geo Filter for SSL VPN connections

Hi everyone. I am interested in having a geo filter applied to my ssl vpn configuration.  Now I know I can restrict access globally in VPN -> SSL-VPN Settings and 'Limit access to specific hosts', like you see below

 

 

Snip1.PNG

 

 

However what I'd like to do is restrict it via group/policy. I may want a specific ssl vpn group to have more loose or tighter restrictions. I thought the best spot for this would be in the firewall policy, see below. I'm noticing when I apply this it doesn't restrict the user though. It seems they can still connect from anywhere.

 

 

Snip2.PNG

 

Anyone have any thoughts on this matter?

Labels:
3834
0 Kudos
3 REPLIES 3
mariopugliese
New Contributor III

Created on ‎12-28-2021 07:26 AM

Hi,

In your firewall policy, the source interface is the SSL-VPN tunnel and the destination interface your local networks.

The source IP addresses used here are your VPN source IP pools defined on your SSL-VPN Portal (SSLVPN Tuf Full Access) and not the remote user's public IP addresses on which you want to apply a filtering.

3775
Toshi_Esumi
SuperUser
SuperUser

Created on ‎12-28-2021 09:52 AM

To filter the source IP of SSL VPN attempts, I think you have to use local-in-policy based on the TCP port. You can use addresses/address groups with geography to filter them. However, you can't use user/user group in local-in-policy.

 

Toshi

3761
mariopugliese
New Contributor III

Created on ‎12-29-2021 01:23 AM

I think one solution is to keep doing country filtering globally, as you showed in the SSL-VPN settings and then to separate your different SSL VPN user groups by using different SSL portals and IP pools.

In this way, you may use different firewall policies and be more granular about the access authorisations.


Example:

For the HR:
SSL-VPN portal: SSLVPN-Portal-HR
SSL-VPN Source IP pool: 10.10.10.0/24
Authentication/Portal Mapping in your SSL-VPN Settings: sslvpn-usergroup-hr ==> portal SSLVPN-Portal-HR

 

For the IT:
SSL-VPN portal: SSLVPN-Portal-IT
SSL-VPN Source IP pool: 10.10.20.0/24
Authentication/Portal Mapping in your SSL-VPN Settings: sslvpn-usergroup-it ==> portal SSLVPN-Portal-IT

 

On your IT users policies, you will apply a lot of authorisations for your IT users by using SSLVPN-Portal-IT and 10.10.20.0/24 in source, and what you need in destination / services.


On your HR users policies, you will apply less authorisations for your HR users by using SSLVPN-Portal-HR and 10.10.10.0/24 in source, and what you need in destination / services.

3745
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.