Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rezafathi
Contributor II

allowing a country for IPsec remote access vpn

Hi

 

I have configured ipsec remote access vpn and I want to allow only IPs from united kingdom to be able to connect to my FGT. how can i do that?

Reza F.
Reza F.
1 Solution
ebilcari

Yes correct. You can not use multiple interfaces on the same local policy and there is no implicit deny preconfigured: "Unlike IPv4 policies, there is no default implicit deny policy."

For the deny rule you can use one entry: set intf "any" 
config firewall local-in-policy
 edit 2
  set intf "any"
  set srcaddr "all"
  set dstaddr "eth1" "eth0"
  set service "IKE"
  set schedule "always"

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

11 REPLIES 11
b34rded-1der
New Contributor II

Hi Reza, 

 

You can create a new address object under Policy & Objects → Addresses, with type Geography, and select United Kingdom as the country. 

Screenshot 2024-01-03 113432.png

 

 

After creating the address object, you can restrict sources under VPN → SSL-VPN Settings using the object you created.  

Screenshot 2024-01-03 113507.png

 

rezafathi

Hi

 

Thanks. But I want a solution for ipsec remote access vpn.

Reza F.
Reza F.
ebilcari

For IPSec you have to limit access using "local in" policies, as explained in this article.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
rezafathi

Thanks. How can i see the blocked logs in logs and reports?

Reza F.
Reza F.
ebilcari

The logs should be available under Local Traffic. You can also enable debugging as shown in the guide to check that the local policy is applied correctly.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
rezafathi

I have 2 wan interfaces for ipsec remote access. Do i need to create 2 allow policirs first and then 2 deny policies?

Reza F.
Reza F.
ebilcari

Yes correct. You can not use multiple interfaces on the same local policy and there is no implicit deny preconfigured: "Unlike IPv4 policies, there is no default implicit deny policy."

For the deny rule you can use one entry: set intf "any" 
config firewall local-in-policy
 edit 2
  set intf "any"
  set srcaddr "all"
  set dstaddr "eth1" "eth0"
  set service "IKE"
  set schedule "always"

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
funkylicious
SuperUser
SuperUser

Hi,

You can use this link and achieve what you are trying.

https://yurisk.info/2022/07/04/fortigate-local-in-policy-configuration-examples-for-vpn-ipsec-vpn-ss...

 

Create the geo address for UK and use it in the local-in policy to permit IKE/ESP and then another rule which will deny everything else.

"jack of all trades, master of none"
"jack of all trades, master of none"
rezafathi

Hi, thanks. can I achieve this by using firewall policy instead of local-in policy?

Reza F.
Reza F.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors