Restrict access to VPN interface
Hi,
We have a FortiGate-600D.
Our main rule of the firewall is to block traffic from "Unwanted countries".
This only seems to block traffic to the SSL VPN.
Our main goal is to block traffic to the IP of the interface (or DNS name).
Currently it is possible to access the DNS/IP of the interface from any IP (despite the #1 drop unwanted countries rule).
Any ideas of how to block traffic to https://vpn.domain.com/?
Best Regards.
Labels: FortiGate, FortiManager
Hi,
You can map the geolocation under the source addresses of the dedicated policy you will create.
Hi,
That policy (geolocation block) is already in place (and it's the first rule of the firewall).
So it's kinda strange that people (within the geolocation block) can access https://vpn.domain.com/.
I'm not sure why.
Best Regards.
Hi,
Can you check if the request is hitting the correct policy?
If not, we need to verify what IP is that and how FortiGate determines it.
No. You have to use local-in policy instead because this is SSL VPN "into the FGT", not coming-in and going-out VPN traffic, which is regulated by regular policies. You can use Geo IPs as source addresses to filter.
You can search on the internet with keywords like "FortiGate local-in policy geoip"; the link below came up at the top on Google.
https://conetrix.com/blog/fortigate-local-in-policies-and-geoblocking
Or, if you prefer a Fortinet KB for authenticity, this is what I could find.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restrict-VPN-access-to-certain-countries/t...
Toshi
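To illustrate the local-in approach described above, here is an added FortiOS CLI example (not from the thread or from Fortinet's KB). The interface name "wan1", the country codes and the SSL VPN port are placeholders; use your own WAN interface, your unwanted-country list and whatever port is set under "config vpn ssl settings".

```text
# Geography addresses: one per country to block (placeholder codes)
config firewall address
    edit "geo-XX"
        set type geography
        set country "XX"
    next
    edit "geo-YY"
        set type geography
        set country "YY"
    next
end

# Group them so the local-in policy stays readable
config firewall addrgrp
    edit "Unwanted-Countries"
        set member "geo-XX" "geo-YY"
    next
end

# Service matching the SSL VPN listening port (10443 is a placeholder;
# if the portal listens on 443 the built-in "HTTPS" service can be used)
config firewall service custom
    edit "SSLVPN-Portal"
        set tcp-portrange 10443
    next
end

# Local-in policy: traffic destined to the FortiGate itself (the SSL VPN
# portal) is not evaluated by regular IPv4 policies, so the geo block
# must be applied here, on the interface where the portal is reachable.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Unwanted-Countries"
        set dstaddr "all"
        set service "SSLVPN-Portal"
        set schedule "always"
        set action deny
        set status enable
    next
end
```

Local-in policies are evaluated in ID order, so a deny for the blocked countries must sit before any accept that would match the same port.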
