Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- SSL VPN goes down when limiting the access
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSL VPN goes down when limiting the access
Hello,
I'm working on a pre-configured Fortigate firewall and seeing too many logs under VPN Events, most of them SSL VPN alerts. I realized these logs are coming from other countries than the intended country. After looking for some solutions to minimize the logs, I came across this "limit access to specific hosts" option. I tried to add my country as the hosts, however, after applying the policy, it doesn't let anyone connect to the VPN. What I'm seeing under VPN logs when a user tries to connect is "Action: tunnel-up - Reason: login successfully", and a few minutes after I'm getting this "Action: tunnel-down - Reason: User requested termination of service". Additionally, on the client side, it app doesn't even ask for a token verification and just drops the connection.
I hope someone can let me know the reason for this issue and what I should do next.
Secondly, I tried to revert SSL VPN to the way it was and apply the restriction under firewall policies. This time, I was able to connect to the VPN even though it took longer time to let me in, however, it didn't let me to connect to the local services that I was supposed to have access to.
Just to clarify, when there is no policy at all, the VPN works just fine, but my concern is the SSL VPN alert. Also, you may want to point out to Local In Policy. I'd say yes, there are policies there that I'm not aware of their purposes. One more thing that may or may not help is that there is a firewall policy to block some countries from accessing any interfaces, and this policy also doesn't get any hits.
Thank you!
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to share us what exactly you configured (hopefully CLI) to let us understand why you got the result.
If you don't want to see those random hack attempts around the world in the log, only way is to use local-in-policy with geo blocking or specific subnet blocking. The firewall policies are examined after passing the local-in. If something is already configured, you need to understand what exactly it's doing to avoid conflict you're intending to configure.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is the VPN settings that is currently in effect:
config vpn ssl settings
set banned-cipher SHA1 SHA256 SHA384
set servercert "Fortinet_Factory"
set login-attempt-limit 3
set login-block-time 600
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
set dns-server1 *.*.*.*
set dns-server2 *.*.*.*
set port ***
set source-interface "wan1"
set source-address "all"
set source-address6 "all"
set default-portal "tunnel-access"
config authentication-rule
edit 1
set groups "SSLVPN Users"
set portal "tunnel-access"
next
end
end
There is no user defined Local-In-Policy.
And here is the firewall policy that causes the problem when I add the country to the source address.
config firewall policy
edit 2
set name "SSL VPN Tunnel"
set uuid d9ca79f2-de35-****-d5f4-*****
set srcintf "ssl.root"
set dstintf "lan"
set action accept
set srcaddr "all" \\Stops working when changing it to a specific country
set dstaddr "*** Subnets" "*** Subnets"
set schedule "always"
set service "***" \\Some services
set utm-status enable
set inspection-mode proxy
set profile-protocol-options "custom-default"
set ssl-ssh-profile "certificate-inspection"
set av-profile "default"
set webfilter-profile "default"
set dnsfilter-profile "default"
set ips-sensor "Default IPS Policy"
set logtraffic all
set groups "SSLVPN Users"
next
end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @danyal,
If you are looking to limit the access to specific hosts on SSL VPN then you need to define it only under the VPN settings and not on the firewall policy
Please review below document as it goes in detailed steps to apply the same
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-SSL-VPN-connectivity-from-cert...
Also you can review the best practice guide on SSL VPN as it goes over other options to help reduce the attempts
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-SSL-VPN-best-practices-guide/ta-...
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Ask - Use Fortigate - Web... 25 Views
- Issues Mapping Azure Files Storage After... 27 Views
- FG30E - restrict youtube not working 42 Views
- VPN IPSec - DNS 38 Views
- SSL Deep Inspection not working with... 132 Views
Labels
-
FortiGate
8,521 -
FortiClient
1,723 -
5.2
801 -
FortiManager
716 -
5.4
639 -
FortiAnalyzer
548 -
FortiSwitch
462 -
FortiAP
460 -
6.0
416 -
FortiClient EMS
411 -
5.6
362 -
FortiMail
310 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
225 -
FortiWeb
200 -
5.0
196 -
IPsec
190 -
FortiNAC
180 -
FortiGuard
136 -
6.4
128 -
SD-WAN
112 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
76 -
Firewall policy
74 -
4.0MR3
64 -
FortiProxy
59 -
High Availability
54 -
Fortivoice
53 -
FortiADC
53 -
FortiEDR
50 -
vlan
48 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
Routing
41 -
DNS
41 -
BGP
39 -
LDAP
39 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
34 -
Authentication
33 -
SSO
31 -
Interface
31 -
NAT
31 -
RADIUS
30 -
FortiConnect
27 -
FortiLink
27 -
FortiWAN
26 -
Web profile
26 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
FortiPAM
22 -
Virtual IP
22 -
SSL SSH inspection
21 -
Fortigate Cloud
20 -
FortiPortal
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
Intrusion prevention
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1665 | |
| 1077 | |
| 752 | |
| 446 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.