Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rezafathi
Contributor II

Created on ‎01-03-2024 01:24 AM Edited on ‎02-26-2024 05:11 AM By Community Manager

allowing a country for IPsec remote access vpn

Hi

 

I have configured ipsec remote access vpn and I want to allow only IPs from united kingdom to be able to connect to my FGT. how can i do that?

Reza F.
Reza F.
Labels:
2268
0 Kudos
1 Solution
ebilcari
Staff
Staff
In response to rezafathi

Created on ‎01-03-2024 08:23 AM Edited on ‎01-03-2024 08:23 AM

Yes correct. You can not use multiple interfaces on the same local policy and there is no implicit deny preconfigured: "Unlike IPv4 policies, there is no default implicit deny policy."

For the deny rule you can use one entry: set intf "any" 
config firewall local-in-policy
 edit 2
  set intf "any"
  set srcaddr "all"
  set dstaddr "eth1" "eth0"
  set service "IKE"
  set schedule "always"

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

2140
11 REPLIES 11
b34rded-1der
New Contributor II

Created on ‎01-03-2024 01:38 AM

Hi Reza, 

 

You can create a new address object under Policy & Objects → Addresses, with type Geography, and select United Kingdom as the country. 

Screenshot 2024-01-03 113432.png

 

 

After creating the address object, you can restrict sources under VPN → SSL-VPN Settings using the object you created.  

Screenshot 2024-01-03 113507.png

 

1893
rezafathi
Contributor II
In response to b34rded-1der

Created on ‎01-03-2024 01:48 AM

Hi

 

Thanks. But I want a solution for ipsec remote access vpn.

Reza F.
Reza F.
1883
0 Kudos
ebilcari
Staff
Staff
In response to rezafathi

Created on ‎01-03-2024 01:51 AM Edited on ‎01-03-2024 01:51 AM

For IPSec you have to limit access using "local in" policies, as explained in this article.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
1876
rezafathi
Contributor II
In response to ebilcari

Created on ‎01-03-2024 06:44 AM

Thanks. How can i see the blocked logs in logs and reports?

Reza F.
Reza F.
1806
0 Kudos
ebilcari
Staff
Staff
In response to rezafathi

Created on ‎01-03-2024 07:01 AM

The logs should be available under Local Traffic. You can also enable debugging as shown in the guide to check that the local policy is applied correctly.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
1804
0 Kudos
rezafathi
Contributor II
In response to ebilcari

Created on ‎01-03-2024 07:39 AM

I have 2 wan interfaces for ipsec remote access. Do i need to create 2 allow policirs first and then 2 deny policies?

Reza F.
Reza F.
1795
0 Kudos
ebilcari
Staff
Staff
In response to rezafathi

Created on ‎01-03-2024 08:23 AM Edited on ‎01-03-2024 08:23 AM

Yes correct. You can not use multiple interfaces on the same local policy and there is no implicit deny preconfigured: "Unlike IPv4 policies, there is no default implicit deny policy."

For the deny rule you can use one entry: set intf "any" 
config firewall local-in-policy
 edit 2
  set intf "any"
  set srcaddr "all"
  set dstaddr "eth1" "eth0"
  set service "IKE"
  set schedule "always"

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
2141
funkylicious
SuperUser
SuperUser

Created on ‎01-03-2024 01:50 AM

Hi,

You can use this link and achieve what you are trying.

https://yurisk.info/2022/07/04/fortigate-local-in-policy-configuration-examples-for-vpn-ipsec-vpn-ss...

 

Create the geo address for UK and use it in the local-in policy to permit IKE/ESP and then another rule which will deny everything else.

"jack of all trades, master of none"
"jack of all trades, master of none"
1879
0 Kudos
rezafathi
Contributor II
In response to funkylicious

Created on ‎01-03-2024 01:51 AM

Hi, thanks. can I achieve this by using firewall policy instead of local-in policy?

Reza F.
Reza F.
1873
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.