EdwinSoh
New Contributor

Restrict SSL VPN user to specific internal ip

Hi, could someone advise how to restrict an SSL VPN user to access only a specific internal IP address? When I set a firewall policy to limit the SSL VPN to an FQDN name and then run the RDP Connection Tool for this SSL VPN user, there is an SSL negotiation error, preventing the connection from getting through. I suspect that, besides setting a firewall policy for this user to access that specific IP, I also need to set another policy to access the FortiGate for SSL negotiation? When I set the destination address to all, it works.
Edwinsoh
Carl_Wallmark
Valued Contributor

Your policies should look like this:
To activate the SSL: WAN1 -> Internal -> Action SSL
To limit the SSL user to an IP: ssl.root -> Internal (Destination "your address") -> Action accept

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
EdwinSoh

Thanks for the info. So, if I have one user with full access to the LAN, and another user (user2) restricted to a specific internal IP, should my policies look like below?
To activate the SSL: WAN1 -> Internal -> Action SSL
To limit the SSL user to an IP: ssl.root -> Internal (Destination "your address") -> Action accept (enable identity-based policy for user2)
To allow access to the entire LAN: ssl.root -> Internal (all)
Edwinsoh
ede_pfau
SuperUser

Not quite. If you use an identity-based policy it should be placed after a more general policy. The reason for this is that if the auth fails no further policies will be examined. This changed in v4.0, so please look it up in the Admin Guide. In your case this poses a dilemma, as with e.g.
To allow access to the entire LAN: ssl.root -> Internal (all) (enable identity-based policy for user1)
To limit the SSL user to an IP: ssl.root -> Internal (Destination "your address") -> Action accept (enable identity-based policy for user2)
no non-admin user will ever be allowed through the second policy. Will have to think about it again.
Ede Kernel panic: Aiee, killing interrupt handler!
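As an added illustration of the two-user layout the thread discusses (this is not configuration posted by anyone in the thread, nor Fortinet's own documentation), below is one way to express it in FortiOS CLI. It assumes the newer FortiOS syntax (5.x and later) in which a user list is an ordinary attribute of a firewall policy (`set users`) and policies are matched top-down with the SSL VPN user identity already known from tunnel authentication, so the more specific user2 policy can sit above the broader user1 policy. The interface names `ssl.root` and `internal`, the user names `user1` and `user2`, the address object `RDP_SERVER` and its IP are all assumed; the original v4.0 identity-based sub-policy syntax that the reply above refers to is different and carries the ordering caveat described there, so check the Admin Guide for the version actually in use.

```fortios
# Added example, not from the thread. Assumes FortiOS 5.x-or-later syntax.
# Interface names, user names, address object and IP are constructed placeholders.

# One address object for the single host that user2 is allowed to reach.
config firewall address
    edit "RDP_SERVER"
        set subnet 192.0.2.10 255.255.255.255
    next
end

config firewall policy
    # Most specific policy first: user2 may reach only RDP_SERVER, and only on RDP.
    # "RDP" is the built-in TCP/3389 service object; tighten it further if needed.
    edit 10
        set name "sslvpn-user2-rdp-only"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "RDP_SERVER"
        set action accept
        set schedule "always"
        set service "RDP"
        set users "user2"
    next
    # Broader policy after it: user1 may reach the whole LAN on any service.
    edit 11
        set name "sslvpn-user1-lan"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set users "user1"
    next
end
```

Because neither policy lists user2 with `dstaddr all`, traffic from user2 to any host other than RDP_SERVER falls through both entries and hits the implicit deny, which is the restriction the original question asks for. Keeping `service` as narrow as the bookmark requires (RDP here) limits what a compromised user2 account can do even against the one permitted host, and the denied flows are visible in the forward traffic log for review.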