Restrict SSL VPN user to specific internal ip
Hi, could someone advise how to restrict the SSL VPN user to access only a specific internal IP address? When I set a firewall policy to limit the SSL VPN to an FQDN name, when I run the RDP Connection Tool for this SSL VPN user, there will be an SSL negotiation error, preventing the connection from getting through. I suspect, besides setting a firewall policy for this user to access that specific IP, I also need to set another policy to access the FortiGate for SSL negotiation? When I set the destination address to all, it would work.
Edwinsoh
3 REPLIES
Your policies should look like this:
To activate the SSL:
WAN1 -> Internal -> Action SSL
To limit the SSL user to an IP:
ssl.root -> Internal (Destination "your address") -> Action accept
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
Thanks for the info. So, if I have one user having full access to the LAN, and another user2 restricted to a specific internal IP, my policy should look like below?
To activate the SSL:
WAN1 -> Internal -> Action SSL
To limit the SSL user to an IP:
ssl.root -> Internal (Destination "your address") -> Action accept
(Enable Identity Based policy for user2)
To allow access to entire LAN:
ssl.root -> Internal (all)
Edwinsoh
Not quite.
If you use an Identity Based policy it should be placed after a more general policy. The reason for this is that if the auth fails no further policies will be examined. This changed in v4.0, so please look it up in the Admin Guide.
In your case this poses a dilemma, as with e.g.
To allow access to entire LAN:
ssl.root -> Internal (all)
(Enable Identity Based policy for user1)
To limit the SSL user to an IP:
ssl.root -> Internal (Destination "your address") -> Action accept
(Enable Identity Based policy for user2)
no non-admin user will ever be allowed through the second policy.
Will have to think about it again.
Ede Kernel panic: Aiee, killing interrupt handler!
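The ordering dilemma Ede describes, modelled as an added example that is not from the thread or from Fortinet: a simplified first-match evaluator in which a matched identity-based policy whose user check fails ends evaluation, as the reply states. The address objects, user names and the third "resolved" ordering (both users in the specific-host policy placed first, user1 alone in the general one) are assumptions for illustration, not something the thread reached.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple, Dict

@dataclass(frozen=True)
class Policy:
    """One ssl.root -> Internal policy: dst is 'all' or one host; users is the
    identity group (None means the policy is not identity based)."""
    name: str
    dst: str
    users: Optional[FrozenSet[str]] = None

def evaluate(policies, user: str, dst_ip: str) -> Tuple[str, str]:
    """First policy whose destination matches is selected (simplified model).
    Assumption taken from the reply above: if that policy is identity based
    and the user is not in it, the session is denied and later policies are
    never examined. Returns (verdict, policy name)."""
    for p in policies:
        if p.dst != "all" and p.dst != dst_ip:
            continue  # destination does not match, keep looking
        if p.users is None or user in p.users:
            return ("accept", p.name)
        return ("deny", p.name)  # auth failed: evaluation stops here
    return ("deny", "implicit")

# Constructed sample addresses: the one host user2 may reach, and any other LAN host.
SERVER = "10.0.0.10"
OTHER = "10.0.0.20"

# Ordering as posted: general user1 policy first, restricted user2 policy second.
AS_POSTED = [
    Policy("lan-all-user1", "all", frozenset({"user1"})),
    Policy("server-only-user2", SERVER, frozenset({"user2"})),
]
# Swapped ordering: now user1 is blocked from SERVER instead.
SWAPPED = AS_POSTED[::-1]
# Assumed resolution: specific-host policy first, listing both users; user1 keeps the general one.
RESOLVED = [
    Policy("server-user1-user2", SERVER, frozenset({"user1", "user2"})),
    Policy("lan-all-user1", "all", frozenset({"user1"})),
]

def outcomes(policies) -> Dict[Tuple[str, str], str]:
    """Verdict for every (user, destination) pair under the given ordering."""
    return {(u, d): evaluate(policies, u, d)[0]
            for u in ("user1", "user2") for d in (SERVER, OTHER)}

if __name__ == "__main__":
    for label, pol in (("as posted", AS_POSTED), ("swapped", SWAPPED), ("resolved", RESOLVED)):
        print(label, outcomes(pol))
```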
