Support Forum
danyal
New Contributor

SSL VPN goes down when limiting the access

Hello,

 

I'm working on a pre-configured FortiGate firewall and seeing too many logs under VPN Events, most of them SSL VPN alerts. I realized these logs are coming from countries other than the intended country. After looking for some solutions to minimize the logs, I came across this "limit access to specific hosts" option. I tried to add my country as the hosts; however, after applying the policy, it doesn't let anyone connect to the VPN. What I'm seeing under VPN logs when a user tries to connect is "Action: tunnel-up - Reason: login successfully", and a few minutes after that I'm getting "Action: tunnel-down - Reason: User requested termination of service". Additionally, on the client side, the app doesn't even ask for a token verification and just drops the connection.

I hope someone can let me know the reason for this issue and what I should do next.

Secondly, I tried to revert the SSL VPN settings to the way they were and apply the restriction under firewall policies. This time, I was able to connect to the VPN, even though it took longer to let me in; however, it didn't let me connect to the local services that I was supposed to have access to.

Just to clarify, when there is no policy at all, the VPN works just fine, but my concern is the SSL VPN alerts. Also, you may want to point me to the Local-In Policy. I'd say yes, there are policies there whose purposes I'm not aware of. One more thing that may or may not help is that there is a firewall policy to block some countries from accessing any interfaces, and this policy also doesn't get any hits.

Thank you!

7 REPLIES
Toshi_Esumi
SuperUser

You need to share with us exactly what you configured (hopefully CLI) so we can understand why you got that result.

If you don't want to see those random hack attempts from around the world in the log, the only way is to use a local-in policy with geo blocking or specific subnet blocking. The firewall policies are examined after passing the local-in policies. If something is already configured, you need to understand exactly what it's doing to avoid a conflict with what you're intending to configure.

Toshi 

danyal
New Contributor

Here are the VPN settings that are currently in effect:

config vpn ssl settings
    set banned-cipher SHA1 SHA256 SHA384
    set servercert "Fortinet_Factory"
    set login-attempt-limit 3
    set login-block-time 600
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set dns-server1 *.*.*.*
    set dns-server2 *.*.*.*
    set port ***
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "tunnel-access"
    config authentication-rule
        edit 1
            set groups "SSLVPN Users"
            set portal "tunnel-access"
        next
    end
end


There is no user defined Local-In-Policy.

And here is the firewall policy that causes the problem when I add the country to the source address.

config firewall policy
    edit 2
        set name "SSL VPN Tunnel"
        set uuid d9ca79f2-de35-****-d5f4-*****
        set srcintf "ssl.root"
        set dstintf "lan"
        set action accept
        set srcaddr "all" \\Stops working when changing it to a specific country
        set dstaddr "*** Subnets" "*** Subnets"
        set schedule "always"
        set service "***" \\Some services
        set utm-status enable
        set inspection-mode proxy
        set profile-protocol-options "custom-default"
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set dnsfilter-profile "default"
        set ips-sensor "Default IPS Policy"
        set logtraffic all
        set groups "SSLVPN Users"
    next
end

 

parthpatel

Hello @danyal,

If you are looking to limit the access to specific hosts on SSL VPN, then you need to define it only under the VPN settings and not in the firewall policy.

Please review the document below, as it goes through detailed steps to apply the same:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-SSL-VPN-connectivity-from-cert...

Also, you can review the best practice guide on SSL VPN, as it goes over other options to help reduce the attempts:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-SSL-VPN-best-practices-guide/ta-...

danyal

Hello @parthpatel,

I would have appreciated it if you could have tried it first and then suggested it to others :)

I wish you had known that the local-in policy does not accept any port number as a service.

FYI:

*service         Service object from available options.

Error message:

# set service INT_PORT_NUM/STR_PORT_NUM
entry not found in datasource

value parse error before 'PORT_NUM'
Command fail. Return code -3

[INT: integer, STR: string]

Also, FYI, I know how to google!

I'm sorry that I'm treating you this way; however, as staff you have to be able to address people's issues correctly, or simply not respond.

Thank you

pminarik

SSL-VPN firewall policies (srcintf=ssl.<vdom>) process the inner tunnelled traffic. So the srcip will be an "internal IP" belonging to one of the configured pools (default: "SSLVPN_TUNNEL_ADDR1"). Thus it will never match a GeoIP entry, so this is functionally a misconfiguration.

parthpatel's suggestion is correct; GeoIP restrictions can be configured in three possible ways:

- Set allowed addresses in general SSL-VPN settings

- Set the GeoIP entries in a local-in policy for SSL-VPN

- (more complicated) host SSL-VPN from a loopback and do GeoIP filtering in the regular firewall policy on the <WAN> ==> <loopback> direction.

 

The part you quoted that's failing has something to do with a service object, but as we don't know what you're doing there, it's hard to comment on that. (What's the exact CLI definition of that service object?)

Maybe an illustration will help. Let's pretend that this is an imaginary simplified "diag sniffer" output:

client's public IP: 5.6.7.8

FortiGate's WAN IP: 1.2.3.4 (serving SSL-VPN on 10443)
client's assigned SSL-VPN IP: 10.212.134.203

client tries to connect to 192.168.0.12:80 through the tunnel

 

The sniffer can show something like this for this traffic flow:

wan1 in 5.6.7.8:55555 -> 1.2.3.4:10443 psh xxxxy ack yyyyy

ssl.root in 10.212.134.203 -> 192.168.0.12:80 syn qqqqq
lan out 10.212.134.203 -> 192.168.0.12:80 syn qqqqq

 

From this you can then deduce that a firewall policy for ssl.root->lan direction will need a source-address object matching that 10.212.134.203 in order to allow the traffic, not the client's public 5.6.7.8.

[ corrections always welcome ]
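The first two of the three options above, written out as FortiOS CLI, together with the custom service object that a local-in policy needs in place of a bare port number (the error quoted earlier in the thread). This is an added example, not configuration posted by anyone in this thread or by Fortinet: the object names GEO_HOME and SSLVPN_10443 and the country code placeholder "XX" are assumptions; the port 10443 and the interface wan1 are taken from the sniffer illustration and the original post; the loopback variant is not shown.

```fortios
# Added example; not from the thread. GEO_HOME, SSLVPN_10443 and "XX" are assumed names/values.

# 1. Geography address object. Replace "XX" with the two-letter code of the intended country.
config firewall address
    edit "GEO_HOME"
        set type geography
        set country "XX"
    next
end

# Option A: restrict at the SSL VPN listener itself. This replaces the
# set source-address "all" shown in the posted "config vpn ssl settings".
# Negate is left disabled on purpose: enabling it turns the list into a block list.
config vpn ssl settings
    set source-address "GEO_HOME"
    set source-address-negate disable
end

# Option B: local-in policy on wan1. The service field takes a service object,
# not a port number, so define one for the SSL VPN port (10443 here) first.
config firewall service custom
    edit "SSLVPN_10443"
        set tcp-portrange 10443
    next
end

# Local-in policies are evaluated top-down before any firewall policy:
# accept the home country for the SSL VPN port, then deny everyone else on that port.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "GEO_HOME"
        set dstaddr "all"
        set action accept
        set service "SSLVPN_10443"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "SSLVPN_10443"
        set schedule "always"
    next
end

# The ssl.root -> lan firewall policy keeps srcaddr "all" (or the tunnel pool
# SSLVPN_TUNNEL_ADDR1). A geography object there can never match, because the
# source it sees is the assigned tunnel address (10.212.134.203 in the sniffer example).
```

The order matters for reading the logs: a public source address is only visible at the wan1 ingress, so the local-in policy and the SSL VPN source-address setting are the two places a country object can actually match, while the ssl.root policy only ever sees pool addresses.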
dingjerry_FTNT

Hi @danyal,

I'm not sure why the SSL VPN did not go down when you specified the country address object in the SSL VPN firewall policy.

Did you run SSL VPN debug to collect outputs?

To limit the SSL VPN users by incoming source, you may configure the "source-address" setting in "config vpn ssl settings" and give it a try.

Regards,

Jerry
sjoshi
Staff

It seems like the issue with restricting access to specific hosts in SSL VPN settings might be related to the source IP addresses not being configured correctly or the Negate Source option being enabled unintentionally. This could explain why users are unable to connect or are getting disconnected shortly after logging in. When reverting to the previous configuration and applying restrictions under firewall policies, the connection works but access to local services is restricted, possibly due to misconfigured local-in policies. It's important to review and adjust the source addresses and policies to ensure proper connectivity and access control. Additionally, checking the firewall policies blocking countries and ensuring they are correctly configured could help in troubleshooting the connectivity issues and SSL VPN alerts.

Let us know if this helps.
Salon Raj Joshi