Hi guys,
I found many articles that help geo-block IP Addresses that try to connect on SSL VPN.
Now we face many attempts out of the TOR network. Fortigate has the TOR_Exit_node as an Internet Service Database, and it can also be added as external Connector, but local in Policies can't be configured with either.
Is there a way I miss? Fortigate has version 7.0.12/6.4.14.
Solved! Go to Solution.
Found a solution.
SSL VPN Hardening
Correct, local-in policies (traffic to the FortiGate itself) can't use more advanced objects like this. I have some customers front-end their SSL VPN firewall with a "perimeter" firewall to do just that.
Why not create a list of allowed countries and block all others like here: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-SSL-VPN-connectivity-from-cert...
Also getting around geo-blocks is trivially easy for an attacker. These type of attempts are better stopped at places like the MFA provider using device posture, etc.
I totally agree with you that geo-blocks are trivial. But I can't understand why Fortinet implement geo-blocks feature in 7.2 (GUI implement) but don't make it more flexible like use their own features (external connector lists and so on).
Yes, I can install a perimeter firewall in front of the fortigate that has SSL VPN active, but that's not as easy as configure the local in policy.
It seems like there is no way so far. Thank you as well.
Found a solution.
SSL VPN Hardening
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.