Hi,
I have recently tried to restrict our SSL VPN to one specific country. I have created the Geography Object for the country, added it under SSL-VPN Settings, limit access to specific hosts.
Under the SSL-VPN tunnel interface policy the source for IPs was all, so I have changed it to the object I created for the country as I understand the Country has to be set in both places.
The problem I am having is that users can connect, but once connected they cannot access anything. If I take the Country out of the SSL-VPN tunnel interface policy and change back to all it works fine.
As far as I can see I have implemented this as recommended, so I am unsure where to go next. I have tried two different VPN devices, both with public IPs in the country I created.
Yes, this overrides your general settings. Remove both "set source-address" and "set source-interface", and it will start respecting the GeoIP setting:
...
unset source-address
unset source-interface
end
end
Thanks, please could you tell me the commands to delete these entries - I tried config authentication rule
edit 7
Then it said "created 7" and I have clearly done this in the wrong place; now I have an entry named "config authentication rule" that I can't get rid of!
Apologies, I have not needed to do this before.
Start:
config vpn ssl settings
config authentication-rule
show
=> make note of the IDs of the items you want to delete/edit
to delete a rule completely:
delete <id>
to edit a rule and remove the interface/address filters:
edit <id>
unset source-address
unset source-interface
next
Lastly, finish with:
end
end
Thank you, this has worked.
I'm assuming it's still normal to see attempts to authenticate to the VPN from other countries in the logs?
Finally, any advice how I can delete the random config entry I entered by doing the below?
config authentication rule
edit 7
It said "created 7" and I have clearly done this in the wrong place; now I have an entry named "config authentication rule" that I can't get rid of!
If you have correctly cleaned up the authentication-rule section and it no longer contains any items with source-interface+source-address set, then the expected behaviour is that only addresses included in the general "Restrict Access - Limit access to specific hosts" should be capable of making a login attempt. Any other IPs should not even get a TCP SYN-ACK reply.
The rule ID 7 can be deleted using the instructions I've provided before - enter the authentication-rule section again, then run "delete 7", then do twice "end" to save the change.
Hi @DT3
Thank you for the question.
You can apply the configuration below on the CLI.
Configure firewall address with the geography type.
config firewall address
edit "restriction_poland"
set type geography
set country "PL" <- Only allows connections from Poland.
next
end
Configure the firewall address group.
config firewall addrgrp
edit "Geo_restriction_ssl_vpn"
set member "restriction_poland"
next
end
Configure the firewall address group as the source-address under SSL VPN settings.
config vpn ssl settings
set servercert "Fortinet_Factory"
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
set port 444
set source-interface "wan1"
set source-address "Geo_restriction_ssl_vpn"
end
Please follow the KB for more details: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-SSL-VPN-connectivity-from-cert...
Best regards,
Erlin
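The two answers above make the same point from different ends: the GeoIP restriction lives in the global `source-address` of `config vpn ssl settings` (Erlin's post), and any `authentication-rule` entry that still carries its own `source-interface`/`source-address` overrides it, so those keys have to be unset and stray empty rules deleted (the earlier fix). The following Python script is an added example, not code from the thread or from Fortinet: it parses a `show vpn ssl settings` dump, flags rules that would override the global restriction, and prints the cleanup CLI the thread describes. The dump is constructed, not taken from a real device; the address-group, interface, user and portal names are assumptions, and the empty rule 7 is assumed to live inside `config authentication-rule`, as the answer above assumed.

```python
"""Audit a FortiGate 'show vpn ssl settings' dump for authentication rules
that override the global GeoIP source restriction. Added example, not from
the original thread."""

import shlex

# Constructed sample, not output from a real device (names are assumptions).
# Global GeoIP address group is set; rule 1 still has source-interface and
# source-address (the override); rule 2 is clean; rule 7 is the empty entry
# left behind by a mistyped "edit 7".
SAMPLE_CONFIG = """\
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 444
    set source-interface "wan1"
    set source-address "Geo_restriction_ssl_vpn"
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "all"
            set users "vpn_user"
            set portal "full-access"
        next
        edit 2
            set groups "vpn_group"
            set portal "tunnel-access"
        next
        edit 7
        next
    end
end
"""

# Per-rule keys that, when present, override the global source restriction.
OVERRIDE_KEYS = ("source-interface", "source-address")


def parse_set(line):
    """'set source-address "a" "b"' -> ('source-address', ['a', 'b'])."""
    parts = shlex.split(line)
    return parts[1], parts[2:]


def parse_ssl_settings(text):
    """Return (global_settings, rules): the block's own 'set' keys and a dict
    of rule id -> that rule's 'set' keys (only the two levels the thread uses)."""
    global_settings, rules = {}, {}
    in_rules, current = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "config authentication-rule":
            in_rules = True
        elif in_rules:
            if line.startswith("edit "):
                current = rules.setdefault(int(line.split()[1]), {})
            elif line == "next":
                current = None
            elif line == "end":
                in_rules = False
            elif line.startswith("set ") and current is not None:
                key, values = parse_set(line)
                current[key] = values
        elif line.startswith("set "):
            key, values = parse_set(line)
            global_settings[key] = values
    return global_settings, rules


def audit(text):
    """List every reason the global GeoIP restriction would not be honoured."""
    settings, rules = parse_ssl_settings(text)
    findings = []
    if "source-address" not in settings:
        findings.append("global: no source-address restriction is set")
    for rid, rule in sorted(rules.items()):
        overriding = [k for k in OVERRIDE_KEYS if k in rule]
        if overriding:
            findings.append(f"authentication-rule {rid}: sets {', '.join(overriding)}, "
                            "which overrides the global source-address")
        if not rule:
            findings.append(f"authentication-rule {rid}: empty rule, delete it")
    return findings


def remediation_cli(text):
    """Emit the FortiOS CLI that unsets per-rule overrides and deletes empty rules."""
    _, rules = parse_ssl_settings(text)
    out = ["config vpn ssl settings", "    config authentication-rule"]
    for rid, rule in sorted(rules.items()):
        if not rule:
            out.append(f"        delete {rid}")
        elif any(k in rule for k in OVERRIDE_KEYS):
            out.append(f"        edit {rid}")
            out.extend(f"            unset {k}" for k in OVERRIDE_KEYS if k in rule)
            out.append("        next")
    out += ["    end", "end"]
    return "\n".join(out)


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) + "\n" + remediation_cli(SAMPLE_CONFIG))
```

Run it against a dump captured from the device with `show vpn ssl settings`; a clean result is an empty findings list, and the emitted CLI is exactly the `edit <id>` / `unset` / `delete <id>` sequence from the fix above, which you can review before pasting it in.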
Copyright 2024 Fortinet, Inc. All Rights Reserved.