Geo-lock access to Windows IKEv2 native VPN
Is there a way to geo-lock access to the Windows IKEv2 native VPN on a FortiGate (the same as one can do with SSL VPN)?
Seb
Hello @scerazy ,
According to my research, there is no option to restrict incoming connections to dial-up-only VPNs.
You can use local-in-policy for that. But if you configure a local-in-policy, that policy affects all IPsec VPNs, because these types of VPNs use the same TCP/UDP ports.
If you want more information about local-in-policy, you can review these articles.
https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/363127/local-in-policy
NSE 4-5-6-7 OT Sec - ENT FW
Would there be an easy way to do the opposite? Block all, but only allow X, Y, Z?
I still do not see how/why local-in is different from normal rules.
Edit:
firewall policy is for traffic going THROUGH the FortiGate.
Local-in is for traffic going TO the FortiGate.
Hello @scerazy ,
Yes, you can use the negate option in local-in-policy. You can do this with the negate setting. The negate option means "outside the object you use".
For example:
    config firewall local-in-policy
        edit 0
            # match sources that are NOT in the srcaddr object
            set srcaddr-negate enable
        next
    end
NSE 4-5-6-7 OT Sec - ENT FW
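A complete worked configuration, added here as an example and not taken from this thread or from Fortinet's documentation, showing how the negate option turns an allow-list of countries into the "block all, only allow X, Y, Z" rule asked for earlier in the thread. The interface name wan1, the address names GEO_GB, GEO_DE and GEO_Allowed, and the predefined service objects IKE and ESP are assumptions; it also assumes that geography-type addresses are accepted as srcaddr in local-in-policy on the FortiOS version in use, which should be verified on the device.

```fortios
# Added example (not from the thread). wan1, GEO_GB, GEO_DE and
# GEO_Allowed are placeholder names; IKE/ESP are assumed to be the
# predefined FortiOS service objects for UDP 500/4500 and IP proto 50.
config firewall address
    edit "GEO_GB"
        set type geography
        set country "GB"
    next
    edit "GEO_DE"
        set type geography
        set country "DE"
    next
end
config firewall addrgrp
    # One group holding every country that is allowed to dial in.
    edit "GEO_Allowed"
        set member "GEO_GB" "GEO_DE"
    next
end
config firewall local-in-policy
    # Deny IKE and ESP arriving on wan1 from any source that is NOT in
    # GEO_Allowed. Sources inside the group do not match this policy and
    # fall through to the implicit local-in accept, so no explicit
    # accept entry is needed for the allowed countries.
    edit 0
        set intf "wan1"
        set srcaddr "GEO_Allowed"
        set srcaddr-negate enable
        set dstaddr "all"
        set service "IKE" "ESP"
        set schedule "always"
        set action deny
    next
end
```

As the earlier reply notes, this applies to every IPsec peer on that interface, not only the Windows IKEv2 dial-up clients: a site-to-site peer located outside the allowed countries would be blocked too, so give such a peer its own accept local-in-policy for its public IP, ordered before the deny entry. After applying, `show firewall local-in-policy` confirms the entry and the ID that `edit 0` assigned to it.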
Is the GUI not capable of displaying a CLI-created rule entry?
I cannot see it (it shows fine in the CLI).
I did not mean to configure it; just displaying it would be fine (but it does not do that either).
It displays other existing bits, but not the CLI-configured policy.
Fortinet does not provide such an option, but if you'd like, a user, Danny, created a JavaScript bookmarklet that will do it for you:
Nice, thanks