Hello,
I'm working on a pre-configured Fortigate firewall and seeing too many logs under VPN Events, most of them SSL VPN alerts. I realized these logs are coming from other countries than the intended country. After looking for some solutions to minimize the logs, I came across this "limit access to specific hosts" option. I tried to add my country as the hosts, however, after applying the policy, it doesn't let anyone connect to the VPN. What I'm seeing under VPN logs when a user tries to connect is "Action: tunnel-up - Reason: login successfully", and a few minutes after I'm getting this "Action: tunnel-down - Reason: User requested termination of service". Additionally, on the client side, it app doesn't even ask for a token verification and just drops the connection.
I hope someone can let me know the reason for this issue and what I should do next.
Secondly, I tried to revert SSL VPN to the way it was and apply the restriction under firewall policies. This time, I was able to connect to the VPN even though it took longer time to let me in, however, it didn't let me to connect to the local services that I was supposed to have access to.
Just to clarify, when there is no policy at all, the VPN works just fine, but my concern is the SSL VPN alert. Also, you may want to point out to Local In Policy. I'd say yes, there are policies there that I'm not aware of their purposes. One more thing that may or may not help is that there is a firewall policy to block some countries from accessing any interfaces, and this policy also doesn't get any hits.
Thank you!
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You need to share us what exactly you configured (hopefully CLI) to let us understand why you got the result.
If you don't want to see those random hack attempts around the world in the log, only way is to use local-in-policy with geo blocking or specific subnet blocking. The firewall policies are examined after passing the local-in. If something is already configured, you need to understand what exactly it's doing to avoid conflict you're intending to configure.
Toshi
Here is the VPN settings that is currently in effect:
config vpn ssl settings
set banned-cipher SHA1 SHA256 SHA384
set servercert "Fortinet_Factory"
set login-attempt-limit 3
set login-block-time 600
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
set dns-server1 *.*.*.*
set dns-server2 *.*.*.*
set port ***
set source-interface "wan1"
set source-address "all"
set source-address6 "all"
set default-portal "tunnel-access"
config authentication-rule
edit 1
set groups "SSLVPN Users"
set portal "tunnel-access"
next
end
end
There is no user defined Local-In-Policy.
And here is the firewall policy that causes the problem when I add the country to the source address.
config firewall policy
edit 2
set name "SSL VPN Tunnel"
set uuid d9ca79f2-de35-****-d5f4-*****
set srcintf "ssl.root"
set dstintf "lan"
set action accept
set srcaddr "all" \\Stops working when changing it to a specific country
set dstaddr "*** Subnets" "*** Subnets"
set schedule "always"
set service "***" \\Some services
set utm-status enable
set inspection-mode proxy
set profile-protocol-options "custom-default"
set ssl-ssh-profile "certificate-inspection"
set av-profile "default"
set webfilter-profile "default"
set dnsfilter-profile "default"
set ips-sensor "Default IPS Policy"
set logtraffic all
set groups "SSLVPN Users"
next
end
Hello @danyal,
If you are looking to limit the access to specific hosts on SSL VPN then you need to define it only under the VPN settings and not on the firewall policy
Please review below document as it goes in detailed steps to apply the same
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-SSL-VPN-connectivity-from-cert...
Also you can review the best practice guide on SSL VPN as it goes over other options to help reduce the attempts
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-SSL-VPN-best-practices-guide/ta-...
Hello @parthpatel,
I would have appreciated it if you could try it first and then suggesting it to others :)
I wished you would have known that the local in policy does not accept any port number as a service.
FYI:
*service Service object from available options.
Error message:
# set service INT_PORT_NUM/STR_PORT_NUM
entry not found in datasource
value parse error before 'PORT_NUM'
Command fail. Return code -3
[INT: integer, STR: string]
Also, FYI, I know how to google!
I'm sorry that I'm treating you this way, however, as a staff you have to be able to address people issues correctly, or simply do not respond.
Thank you
SSL-VPN firewall policies (srcintf=ssl.<vdom>) process the inner tunelled traffic. So the srcip will be an "internal IP", belonging to one of the configured pools.(default: "SSLVPN_TUNNEL_ADDR1") Thus it will never match a GeoIP entry, so this is functionally a misconfiguration.
parthpatel's suggestion is correct, GeoIP restrictions can be configured in three possible ways:
- Set allowed addresses in general SSL-VPN settings
- Set the GeoIP entries in a local-in policy for SSL-VPN
- (more complicated) host SSL-VPN from a loopback and do GeoIP filtering in the regular firewall policy on the <WAN> ==> <loopback> direction.
The part you quoted that's failing is something to do with a service object, but as we don't know what you're doing there, it's hard to comment on that. (what's the exact CLI definition of that service object?)
Maybe an illustration will help. Let's pretend that this is an imaginary simplified "diag sniffer" output:
client's public IP: 5.6.7.8
FortiGate's WAN IP: 1.2.3.4 (serving SSL-VPN on 10443)
client's assigned SSL-VPN IP: 10.212.134.203
client tries to connect to 192.168.0.12:80 through the tunnel
The sniffer can show something like this for this traffic flow:
wan1 in 5.6.7.8:55555 -> 1.2.3.4:10443 psh xxxxy ack yyyyy
ssl.root in 10.212.134.203 -> 192.168.0.12:80 syn qqqqq
lan out 10.212.134.203 -> 192.168.0.12:80 syn qqqqq
From this you can then deduce that a firewall policy for ssl.root->lan direction will need a source-address object matching that 10.212.134.203 in order to allow the traffic, not the client's public 5.6.7.8.
Hi @danyal ,
I'm not sure why SSL VPN did not get down when you specified the Country address object in the SSL VPN firewall policy.
Did you run SSL VPN debug to collect outputs?
To limit the SSL VPN users for incoming sources, you may configure the "source-address" setting in "config vpn ssl settings" for a try.
It seems like the issue with restricting access to specific hosts in SSL VPN settings might be related to the source IP addresses not being configured correctly or the Negate Source option being enabled unintentionally. This could explain why users are unable to connect or are getting disconnected shortly after logging in. When reverting to the previous configuration and applying restrictions under firewall policies, the connection works but access to local services is restricted, possibly due to misconfigured local-in policies. It's important to review and adjust the source addresses and policies to ensure proper connectivity and access control. Additionally, checking the firewall policies blocking countries and ensuring they are correctly configured could help in troubleshooting the connectivity issues and SSL VPN alerts.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.