Hi,
We have a FortiGate-600D.
Our main rule of the firewall is to block traffic from "Unwanted countries":
This only seems to block traffic to the SSL VPN.
Our main goal is to block traffic to the IP of the interface (or DNS name).
Currently it is possible to access the DNS/IP of the interface from any IP (despite the #1 drop unwanted countries rule).
Any ideas of how to block traffic to https://vpn.domain.com/?
Best Regards.
Hi
You can map the geolocation under the source addresses of the dedicated policy you will create.
Hi,
That policy (geolocation block) is already in place (and it's the first rule of the firewall).
So it's kinda strange that people (within the geolocation block) can access the https://vpn.domain.com/.
I'm not sure why.
Best Regards.
Hi,
Can you check if the request is hitting the correct policy?
If not, we need to verify what IP that is and how FortiGate determines it.
No. You have to use local-in policy instead because this is SSL VPN "into the FGT", not coming-in and going-out VPN traffic, which is regulated by regular policies. You can use Geo IPs as source addresses to filter.
You can search the internet with keywords like "FortiGate local-in policy geoip"; the link below came up at the top on Google.
https://conetrix.com/blog/fortigate-local-in-policies-and-geoblocking
Or, if you prefer the Fortinet KB for authenticity, this is what I could find.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restrict-VPN-access-to-certain-countries/t...
Toshi
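A sketch of the local-in policy approach described in the reply above, added here as an example and not taken from the thread or from Fortinet's KB article. The interface name `wan1`, the object names, the policy ID and the country code `XX` are placeholders, and the service assumes the SSL VPN portal listens on TCP 443 as the `https://vpn.domain.com/` URL suggests.

```fortios
# Geography address object: one per unwanted country.
# "XX" is a placeholder for the two-letter country code.
config firewall address
    edit "GEO-Blocked-XX"
        set type geography
        set country "XX"
    next
end

# Group the geography objects so the policy references one name.
config firewall addrgrp
    edit "Unwanted-Countries"
        set member "GEO-Blocked-XX"
    next
end

# Local-in policy: applies to traffic terminating on the FortiGate itself
# (SSL VPN portal, admin GUI), which regular firewall policies do not filter.
# "wan1" is an assumed name for the internet-facing interface.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Unwanted-Countries"
        set dstaddr "all"
        set service "HTTPS"
        set schedule "always"
        set action deny
        set status enable
    next
end
```

If the SSL VPN listens on a port other than 443, replace `HTTPS` with a custom service object for that port. Local-in policies are evaluated in order, so the deny entry must sit above any entry that accepts the same traffic.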