SSL-VPN, exclude specific login address
Hi,
I am getting a huge number of connection attempts on my firewall (SSL-VPN). I have restricted the geographic origin of authorized connections, and I would like to exclude certain addresses from this geographic area. I can't do it.
Can you explain to me how to do it?
FortiGate FGT60E, latest firmware
SSL-VPN Settings:
Restrict Access: Limit access to specific hosts
Hosts: my geographic allow zone
Negate source: disable
Thanks for your help
Specifically to your question - how to exclude/re-assign a specific IP address from its GEO-allocated country - it is not possible (at least in 7.0.x, 7.2.x).
But in the context of what you are trying to do - you can move SSL VPN to listen on a Loopback interface, in which case you will have Security Rules as an additional measure of control, and then you could block these specific IPs in a rule above your GEO-allowing rule.
I already have a geographic address defined in the SSL parameter. This makes a filter, but I want to filter a range of addresses that are in the geographic area and I can't do it.
It's a Fortinet 60E
Create a local-in policy to block a set of IP ranges.
Anand
You might find this KB a better solution, but keep in mind that a legitimate user might get blocked as well, so you would need to manually remove the false-positive public IP address from the group.
How to permanently block SSL VPN failed l... - Fortinet Community
I do like this post, but I can't mix "accept only IP addresses of my country" with "deny this group".
I can only accept my country or only deny a group of IPs.
I created a firewall policy with action DENY and source set to my group, but I still get login failures from some IP addresses of this group.
Hello,
You can create a local-in policy to restrict access from specific IPs; refer to the document below for reference:
https://docs.fortinet.com/document/fortigate/7.6.1/administration-guide/363127/local-in-policy
Thanks,
Pavan
Hi,
I don't have a GUI like this:
I have this one:
Totof
Creating/editing local-in-policy in GUI is a new feature of 7.6. If yours is 7.4 or before you need to use CLI.
https://docs.fortinet.com/document/fortigate/7.6.0/new-features/308650/gui-support-for-local-in-poli...
https://docs.fortinet.com/document/fortigate/7.4.6/administration-guide/363127/local-in-policy
Toshi
