Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Totof
New Contributor

Created on ‎12-23-2024 12:40 AM

SSL-VPN, exclude specific login address

Hi,

I have a huge connection attempt to my firewall (SSL-VPN). I have reduced the geographic origin of authorized connections, and I would like to exclude certain address from this geographic area. I can't do it.
Can you explain to me how to do it?

 

Fortigate FGT60E, last firmware
SSL-VPN Settings:

Restrict Access: Limit access to specific hosts

Hosts: my geographic alow zone

Negate source: disable

 

Thanks for your help

 

Labels:
739
0 Kudos
8 REPLIES 8
Yurisk
SuperUser
SuperUser

Created on ‎12-23-2024 01:50 AM

Specifically to your question - how to exclude/re-assign specific IP address from its GEO allocated country - it is not possible (at least 7.0.x, 7.2.x) . 

 

But in the context of what you are trying to do - you can move SSL VPN to listen on a Loopback interface, in which case you will have Security Rules as additional measure of control, then you could block these specific IPs in a rule above your GEO-allowing rule. 

 

Yuri Slobodyanyuk
Yuri Slobodyanyuk
722
Totof
New Contributor
In response to RazorHost

Created on ‎12-23-2024 02:20 AM

I already have a geographic address defined in the SSL parameter. This makes a filter, but I want to filter a range of addresses that are in the geographic area and I can't do it.
It's a fortinet 60E

703
0 Kudos
Anand_Narayana
Contributor

Created on ‎12-23-2024 06:43 AM

Create a local-in policy to block set of IP ranges.

Anand

Anand
639
0 Kudos
Renante_Era
Staff
Staff

Created on ‎12-23-2024 01:28 PM

You might find this KB as a better solution but keep in mind that a legitimate user might get blocked as well thus you need to manually remove the false positive public IP address from the group.
 How to permanently block SSL VPN failed l... - Fortinet Community

BSCS, BCIS, MIT
602
Totof
New Contributor

Created on ‎12-24-2024 03:35 AM

I do like this post, but I can't mixed accept only IP address of my contry and deny for this group.

I can only Accept my contry or only deny a group of IP.

I create a firewall policy with action as DENY and source as my group, but I have always login failed about some IP address of this group.

578
0 Kudos
pavankr5
Staff
Staff

Created on ‎12-26-2024 04:02 AM

Hello,
You can create a local in policy to restrict from specific IPs, refer below document for your reference
https://docs.fortinet.com/document/fortigate/7.6.1/administration-guide/363127/local-in-policy

Thanks,

Pavan

536
Totof
New Contributor
In response to pavankr5

Created on ‎01-02-2025 12:50 AM

Hi,

I'm not have a GUI like this:

Capture d'écran 2025-01-02 094710.png

I have this one:

Capture d'écran 2025-01-02 092127.png

Totof

454
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to Totof

Created on ‎01-02-2025 08:01 AM

Creating/editing local-in-policy in GUI is a new feature of 7.6. If yours is 7.4 or before you need to use CLI.
https://docs.fortinet.com/document/fortigate/7.6.0/new-features/308650/gui-support-for-local-in-poli...
https://docs.fortinet.com/document/fortigate/7.4.6/administration-guide/363127/local-in-policy

Toshi

424
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.