Hi,
I have a huge number of connection attempts to my firewall (SSL-VPN). I have reduced the geographic origin of authorized connections, and I would like to exclude certain addresses from this geographic area. I can't do it.
Can you explain to me how to do it?
Fortigate FGT60E, last firmware
SSL-VPN Settings:
Restrict Access: Limit access to specific hosts
Hosts: my geographic allow zone
Negate source: disable
Thanks for your help
Specifically to your question - how to exclude/re-assign a specific IP address from its GEO-allocated country - it is not possible (at least in 7.0.x, 7.2.x).
But in the context of what you are trying to do - you can move SSL VPN to listen on a Loopback interface, in which case you will have Security Rules as additional measure of control, then you could block these specific IPs in a rule above your GEO-allowing rule.
To exclude a specific login address from accessing your SSL-VPN, you can typically set up access control policies or firewall rules to block that address. If you're using a solution like Fortinet or Cisco, there should be an option to define address groups or IP filters. Have you already configured your VPN rules or are you facing issues with applying these exclusions? I’d be happy to help with more specific steps depending on your VPN setup!
I already have a geographic address defined in the SSL parameter. This makes a filter, but I want to filter a range of addresses that are in the geographic area and I can't do it.
It's a Fortinet 60E
Create a local-in policy to block a set of IP ranges.
Anand
You might find this KB as a better solution but keep in mind that a legitimate user might get blocked as well thus you need to manually remove the false positive public IP address from the group.
How to permanently block SSL VPN failed l... - Fortinet Community
I do like this post, but I can't mix accepting only IP addresses of my country and denying this group.
I can only accept my country or only deny a group of IPs.
I created a firewall policy with action DENY and source as my group, but I still always get failed logins from some IP addresses in this group.
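An added example (not from any of the posters) of the local-in-policy approach suggested above, in FortiOS CLI. Traffic addressed to the FortiGate's own SSL-VPN listener is evaluated by local-in policies rather than by regular firewall policies, and local-in policies are matched top-down, so a deny for the unwanted range can sit above a geography allow. The interface wan1, the range 203.0.113.0/24, the country FR and the SSL-VPN port 10443 are assumptions for the example:

```fortios
# Service object for the SSL-VPN listening port (assumed 10443).
config firewall service custom
    edit "SSLVPN-10443"
        set tcp-portrange 10443
    next
end
# Address objects: the range to exclude (constructed example) and the allowed country.
config firewall address
    edit "SSLVPN-Excluded-Range"
        set type iprange
        set start-ip 203.0.113.1
        set end-ip 203.0.113.254
    next
    edit "Geo-Allowed-Country"
        set type geography
        set country "FR"
    next
end
config firewall addrgrp
    edit "SSLVPN-Blocked"
        set member "SSLVPN-Excluded-Range"
    next
end
# Local-in policies, evaluated in order:
#   1. deny the excluded group even though it lies inside the allowed country
#   2. allow the rest of the allowed country
#   3. deny everyone else on the SSL-VPN port
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "SSLVPN-Blocked"
        set dstaddr "all"
        set service "SSLVPN-10443"
        set schedule "always"
        set action deny
    next
    edit 2
        set intf "wan1"
        set srcaddr "Geo-Allowed-Country"
        set dstaddr "all"
        set service "SSLVPN-10443"
        set schedule "always"
        set action accept
    next
    edit 3
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "SSLVPN-10443"
        set schedule "always"
        set action deny
    next
end
```

Blocked attempts then never reach the SSL-VPN daemon, so they stop appearing as failed logins in the VPN event log; check the local-in policy hit counts instead to confirm the deny is matching.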
Copyright 2024 Fortinet, Inc. All Rights Reserved.