Fort-zender
New Contributor

SSL VPN avoid IP access

Hi all,

Is there a way to restrict SSL-VPN access solely to the FQDN, disallowing users from accessing the web portal via the IP address? We prefer users to only use the FQDN for access.

OR

Can we use multiple server certificates that cover both IP and FQDN, eliminating certificate warnings?

Any lead?

1 Solution
hbac
Staff

Hi @Fort-zender,

There is no way to allow FQDN and deny IP address as FortiGate always sees traffic coming from IP addresses. FQDN is resolved at the client side.

To avoid the certificate warning, you can add FortiGate's IP address to the SAN field of the certificate: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Adding-SAN-Subject-Alternative-Name-while/...

Regards,

3 REPLIES
AEK
SuperUser

Hello

I don't think FGT can deny VPN by IP and allow with FQDN.

On the other hand, you can have one single private or public certificate for both IP and FQDN.

AEK
mle2802
Staff

Hi @Fort-zender,

You can use a SAN certificate for both FQDN and IP.
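
Added example, not part of the original thread or of Fortinet's documentation: a check that a certificate's SAN entries cover both the FQDN and the IP address, using the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`. The names `vpn.example.com` and `203.0.113.10`, the sample certificates and the helper function names are constructed for illustration. It shows the usual pitfall: TLS clients match an IP address only against an IP-type SAN entry, so an IP typed into a DNS-type entry still produces a warning.

```python
import ipaddress

# Constructed samples in the shape of ssl.SSLSocket.getpeercert() output.
# vpn.example.com / 203.0.113.10 are placeholders, not values from the thread.
GOOD_CERT = {"subjectAltName": (("DNS", "vpn.example.com"),
                                ("IP Address", "203.0.113.10"))}
# Mistake: the IP was entered as a DNS-type SAN entry.
IP_AS_DNS = {"subjectAltName": (("DNS", "vpn.example.com"),
                                ("DNS", "203.0.113.10"))}
# Certificate issued for the FQDN only.
FQDN_ONLY = {"subjectAltName": (("DNS", "vpn.example.com"),)}


def _as_ip(value):
    """Return an ip_address object, or None if value is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _dns_match(pattern, host):
    """Case-insensitive match; '*.' covers exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host


def san_covers(cert, target):
    """True if target (FQDN or IP literal) is covered by a SAN of the right type."""
    ip = _as_ip(target)
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None:
            # IP targets are compared only with IP-type entries.
            if kind == "IP Address" and _as_ip(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, target):
            return True
    return False


def uncovered(cert, targets):
    """List the access names that would trigger a certificate warning."""
    return [t for t in targets if not san_covers(cert, t)]


if __name__ == "__main__":
    names = ["vpn.example.com", "203.0.113.10"]
    for label, cert in (("good", GOOD_CERT), ("ip-as-dns", IP_AS_DNS), ("fqdn-only", FQDN_ONLY)):
        print(label, "uncovered:", uncovered(cert, names))
```
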
