Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Enzure
New Contributor

Created on ‎03-25-2022 01:23 AM

Restrict access to VPN interface

Hi,

We have a FortiGate-600D.
Our main rule of the firewall is to block traffic from "Unwanted countries":

Enzure_0-1648196123135.png

This only seem to block traffic to the SSL VPN

Enzure_1-1648196353851.png

Our main goal is to block traffic to the IP of the interface (or DNS name).

Currently it is possible to access the DNS/IP to the interace from any IP (despite the #1 drop unwanted countries rule).

Any ideas of how to block traffic to the https://vpn.domain.com/

 

Best Regads.

 

Labels:
2672
0 Kudos
4 REPLIES 4
sharmaj
Staff
Staff

Created on ‎03-25-2022 02:12 AM

Hi

You can map the geolocation under the source addresses of the dedicated policy you will create.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-by-country-or-geolocation/ta-...

Jay sharma
2628
0 Kudos
Enzure
New Contributor
In response to sharmaj

Created on ‎03-25-2022 03:16 AM

Hi,

That policy (geolocation block) is already in place (and it's the first rule of the firewall).

So it's kinda strange that people (within the geolocation block) can access the https://vpn.domain.com/.

I'm not sure why.

Best Regards. 

2613
0 Kudos
sharmaj
Staff
Staff
In response to Enzure

Created on ‎03-25-2022 08:31 AM

Hi,

Can you check if the request is hitting the correct policy?

If not, we need to verify what IP is that and how FortiGate determines it.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Commands-to-verify-GeoIP-information-and/t...

Jay sharma
2593
0 Kudos
Toshi_Esumi
SuperUser
SuperUser

Created on ‎03-25-2022 09:27 AM Edited on ‎03-25-2022 09:35 AM

No. You have to use local-in policy instead because this is SSL VPN "into the FGT", not coming-in and going-out VPN traffic, which is regulated by regular policies. You can use Geo IPs as source addresses to filter.
You can search on the internet with key words like "FortiGate local-in policy geoip" then below came up at the top with google.

https://conetrix.com/blog/fortigate-local-in-policies-and-geoblocking

 

Or, if you prefer Fortinet KB for authenticity, this is what I could search.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restrict-VPN-access-to-certain-countries/t...

 

Toshi

2587
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.