Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Totof
New Contributor

SSL-VPN, exclude specific login address

Hi,

I have a huge number of connection attempts to my firewall (SSL-VPN). I have reduced the geographic origin of authorized connections, and I would like to exclude certain addresses from this geographic area. I can't do it.
Can you explain to me how to do it?

 

Fortigate FGT60E, last firmware
SSL-VPN Settings:

Restrict Access: Limit access to specific hosts

Hosts: my geographic allow zone

Negate source: disable

 

Thanks for your help

 

Yurisk
SuperUser

Specifically to your question - how to exclude/re-assign a specific IP address from its GEO-allocated country - it is not possible (at least in 7.0.x, 7.2.x).

 

But in the context of what you are trying to do - you can move SSL VPN to listen on a Loopback interface, in which case you will have Security Rules as an additional measure of control; then you could block these specific IPs in a rule above your GEO-allowing rule.

 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
RazorHost
New Contributor

To exclude a specific login address from accessing your SSL-VPN, you can typically set up access control policies or firewall rules to block that address. If you're using a solution like Fortinet or Cisco, there should be an option to define address groups or IP filters. Have you already configured your VPN rules or are you facing issues with applying these exclusions? I’d be happy to help with more specific steps depending on your VPN setup!

Totof

I already have a geographic address defined in the SSL parameters. This makes a filter, but I want to filter a range of addresses that are in the geographic area and I can't do it.
It's a Fortinet 60E.

Anand_Narayana
Contributor

Create a local-in policy to block set of IP ranges.

Anand
Renante_Era
Staff

You might find this KB a better solution, but keep in mind that a legitimate user might get blocked as well, so you need to manually remove the false-positive public IP address from the group.
 How to permanently block SSL VPN failed l... - Fortinet Community

BSCS, BCIS, MIT
Totof
New Contributor

I do like this post, but I can't mix accepting only IP addresses of my country with denying this group.

I can only accept my country or only deny a group of IPs.

I created a firewall policy with action DENY and source as my group, but I still always see login failures from some IP addresses of this group.
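Anand's local-in policy suggestion, worked through for exactly the "accept only my country, but deny this group" combination asked about above. This is an added example, not configuration from any poster; the interface name "wan1", the SSL-VPN port 10443, the country code "FR" and the 203.0.113.0/24 range are placeholders to replace with your own values.

```text
# Added example, not from the thread. Assumptions: WAN interface "wan1",
# SSL-VPN on TCP 10443 (check "config vpn ssl settings" -> port), country "FR".
config firewall service custom
    edit "SSLVPN-10443"
        set tcp-portrange 10443
    next
end
config firewall address
    edit "geo_allowed_country"
        set type geography
        set country "FR"
    next
    edit "sslvpn_blocked_range1"
        set type iprange
        set start-ip 203.0.113.10
        set end-ip 203.0.113.20
    next
end
# Local-in policies apply to traffic addressed to the FortiGate itself and are
# matched top to bottom, first match wins. There is no implicit deny, so the
# final deny-all for this service is what turns "allow country" into a whitelist.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "sslvpn_blocked_range1"
        set dstaddr "all"
        set service "SSLVPN-10443"
        set schedule "always"
        set action deny
    next
    edit 2
        set intf "wan1"
        set srcaddr "geo_allowed_country"
        set dstaddr "all"
        set service "SSLVPN-10443"
        set schedule "always"
        set action accept
    next
    edit 3
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "SSLVPN-10443"
        set schedule "always"
        set action deny
    next
end
```

The SSL-VPN "Restrict Access" setting can stay as it is; the local-in policies are evaluated before it, so the blocked range never reaches the SSL-VPN daemon and stops producing failed-login events. As Renante notes, anything placed in a deny entry is cut off completely, so keep the blocked ranges narrow and review them periodically.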
