Geo-block a country with exceptions for SSL VPN
Hi
We have noticed a large number of attempts hitting our SSL VPN from 1 particular country. The attempts are coming from a variety of IP addresses but are listed as this one country. We want to block these attempts but our issue is that we have an office in that country. The users are in a shared office but use SSL VPN to connect to us. The shared office has a static IP.
Is there a way in Fortinet to create a group to block all IP addresses from this country except the one that our users connect from?
Many thanks
Roy
Should work like that. Haven't tested it. This might also be a bit more insecure (not sure), because the check if the connection is allowed is done during authentication, and I believe when setting it globally that check is done before. Haven't tested that either.
Sorry, what should work like what?
Hello Roy,
You can limit access to specific hosts. Under SSL-VPN settings, choose limit access to specific hosts, then add the address groups/countries that you want to allow access to sslvpn login.
I know how to create the group to block a country but I want to allow 1 IP from that country and block all the rest. How do I do that?
With that condition, you need to use local-in-policy. Then you can do it in the same way you would do with regular policies, like allowing one IP with the first policy then blocking from anywhere else.
https://docs.fortinet.com/document/fortigate/7.4.5/administration-guide/363127/local-in-policy
Toshi
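
The allow-then-deny ordering described in the last reply, written out as a FortiOS CLI sketch. This is an added example, not part of the original thread or Fortinet's documentation. The interface name `wan1`, the office address `203.0.113.10`, the country code `XX`, the SSL VPN port `10443` and all object names are assumptions to replace with your own values.

```fortios
# Added example. All names and values below are placeholders (assumptions).

config firewall address
    # The shared office's static IP (203.0.113.10 is a documentation address)
    edit "Office-Static-IP"
        set subnet 203.0.113.10 255.255.255.255
    next
    # Geography object for the country to block ("XX" is a placeholder code)
    edit "Geo-Blocked-Country"
        set type geography
        set country "XX"
    next
end

config firewall service custom
    # The port the SSL VPN listens on (assumed 10443 here)
    edit "SSLVPN-Listen-Port"
        set tcp-portrange 10443
    next
end

config firewall local-in-policy
    # Policy 1: accept the office IP first. Policies are matched top-down.
    edit 1
        set intf "wan1"
        set srcaddr "Office-Static-IP"
        set dstaddr "all"
        set service "SSLVPN-Listen-Port"
        set schedule "always"
        set action accept
    next
    # Policy 2: deny every other source in that country to the same port.
    edit 2
        set intf "wan1"
        set srcaddr "Geo-Blocked-Country"
        set dstaddr "all"
        set service "SSLVPN-Listen-Port"
        set schedule "always"
        set action deny
    next
end
```

Because the accept entry sits above the deny entry, the office IP matches first and never reaches the country block; sources outside that country match neither entry and are handled as before.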
