Prevent SSL VPN connection from inside network

jgo · ‎01-13-2023

One of my customers is complaining they are able to connect to SSL VPN (SAML) from inside their network. Not sure why they're trying to do so but is there an easy way to block this from happening? I've tried running negate from the ssl vpn settings from RFC 1918 addresses but that did not work.

config vpn ssl settings set source-address-negate enable

set source-address "RFC1918"

end

Thanks in advance for any input

abarushka · ‎01-15-2023

Hello,

You may consider to use local-in-policy. Please find more details by following the link below:

https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/363127/local-in-policies

FortiGate

View solution in original post

abarushka · ‎01-15-2023

Hello,

You may consider to use local-in-policy. Please find more details by following the link below:

https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/363127/local-in-policies

FortiGate

jgo · ‎01-15-2023

Thank you! Works perfectly. Appreciate the response.

jgo · ‎01-23-2023

Apparently this is not working. Folks can still connect to the SSL VPN from inside the Fortigate. They've been told not too and it defeats the purpose, but they don't listen. Has anyone been successful in blocking this ability?

abarushka · ‎01-24-2023

Hello,

Alternatively you may consider to configure source address for incoming traffic:

config vpn ssl settings
set source-address <>
end

FortiGate

Prevent SSL VPN connection from inside network

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website